Re: IT Audits/PT's of Smartphones

On Thu, Aug 4, 2011 at 7:22 AM, Sheran Gunasekera <sheran@xxxxxxxxxxxxxx> wrote:
> I'm assuming you mean application vulnerability scanners?  As far as
> I'm aware this is an area that needs improvement.  I've done several

An automated app crawler would be possible for Android using the SDK
emulator and Eclipse DDMS.

However, for iOS and BBOS, the apps appear to be much more difficult
as there is no full emulator for testing (only simulators that do not
have all of the necessary functional testing approaches/components).

> pentests for applications developed by third-party vendors for my
> clients.  I generally follow this approach:
>
> 1. Get a copy of the app (usually I get it through the developer; if
> it's live, you could download it) and reverse engineer it.  During this
> stage I check for:

It is much more efficient to get a copy of the build environment or
steps necessary (with source code and commercial third-party
components included) to re-create a successful build. This is true
even with regards to Android.

The arguments are clearly stated here --
-- "With source code for the client-side app, a security tester can
execute and debug the app within an IDE. The application still runs
on an actual device or emulator/simulator, but the application's flow
of execution can be tightly controlled through the IDE. Methodically
debugging in Eclipse or Xcode is much more efficient than other
methods of testing. Having the luxury to set breakpoints at key areas
within the application can give a skilled tester the ability to do
magical things".

> a. Storing sensitive data (like login credentials) without adequate
> protection - like encryption
> b. Hardcoded encryption keys
> c. Algorithms that encode data (e.g. base64) rather than encrypt data

Temporary storage in memory or swap is also problematic, not only for
the process of the app, but also other processes (especially logging).

> For the iPhone, I have my own jailbroken device that I can ssh to.
> Once there, I can use the standard tools like gdb to debug and otool
> to disassemble.

You should do a write-up on the procedures you take to do this. I
would be very interested, and know many others that are interested as
well. In the meantime, check out --

> For the BlackBerry, I've written my own decompiler so that I can
> decompile .cod files.  I just use that to read off the standard Java

Can you please put your code up on GitHub and send us the link? If you
don't want to release at this time, could you at least point people in
the direction of what libraries, system calls, or other software
components you used to build the decompiler? I know that the iSec
Partners "Mobile Application Security" book covers the concepts, but
it's wonderful to contribute to the community, especially early-on ;>

> 2. Often, enterprise apps (like mobile banking, stock trading, etc)
> will always connect to a server.  So I check the communication between
> client and server.  I use the Mallory proxy together with my ubuntu
> box and usb-wifi adapter to 'break' ssl and look at the plain text
> traffic.  Sometimes, from step (1) above, you can also collect clues
> as to how the client app will communicate with the server app.

Often, I find that the server app is merely a Web Service and does not
appreciate normal HTTP/TLS without XML.

> Sadly, there is a shortage of skilled enterprise app developers.  In
> almost all my pentests, the apps have been nothing more than a
> BrowserField (BlackBerry) or UIWebView (iOS) that just displays
> HTML/CSS/JS content on the mobile device.  It is nothing more than a
> web application running on the device.  So in cases like these, I just
> end up focusing a lot on the server and it ends up in a web app
> pentest instead.

It is my guess that iPad apps like will become the standard:
A) Because of the dominance of the iPad and the App Store
B) Because of the licensing restrictions for content, advertising, app
capabilities, App Store app reviews/stipulations, etc imposed by Apple

In other words, apps will not even do much except open a Safari
instance to a series of HTML5 web applications that are riddled with

OWASP iGoat and OWASP GoatDroid will be good starting points for
anyone interested in this kind of research or work.
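An added example (not code from this thread or from either poster) that turns the step-1 checklist quoted above (a: credentials stored unprotected, b: hardcoded keys, c: base64 used as "encryption") into a small triage script run over a constructed sample of decompiled-style source lines. The API names, sample lines and regexes are illustrative assumptions; the matches are heuristics to prioritise the manual review Sheran describes, not proof of a vulnerability.

```python
import re
from typing import List, Tuple

# Constructed sample of lines as they might appear in decompiled/source of a mobile
# app (Java for Android/BlackBerry, Objective-C for iOS); not taken from any real app.
SAMPLE_SOURCE = """\
SharedPreferences.Editor e = prefs.edit();
e.putString("password", pwd);
static final String KEY = "0123456789abcdef0123456789abcdef";
String enc = Base64.encodeToString(pwd.getBytes(), Base64.DEFAULT);
[defaults setObject:password forKey:@"password"];
String thumb = Base64.encodeToString(imageBytes, Base64.DEFAULT);
"""

# Words that suggest a line handles a credential or other secret.
CREDENTIAL = re.compile(r"\b(?:password|passwd|pwd|pin|token|secret)\b", re.I)
# Persistence APIs (SharedPreferences, NSUserDefaults, BlackBerry PersistentStore).
STORE_API = re.compile(r"\b(?:putString|setObject|writeUTF|PersistentStore)\b")
# A string literal of 16+ key-looking characters assigned to a key/iv/secret variable.
HARDCODED_KEY = re.compile(r"\b(?:key|iv|secret)\w*\s*=\s*@?\"[A-Za-z0-9+/=]{16,}\"", re.I)
# Base64 encode call (Java Base64.encode*, iOS base64EncodedString*).
BASE64_ENCODE = re.compile(r"base64[\w.]*encod", re.I)


def triage(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, finding, line) for each line matching the checklist."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        is_cred = CREDENTIAL.search(line) is not None
        if is_cred and STORE_API.search(line):
            findings.append((n, "a: credential written to persistent storage", line))
        if HARDCODED_KEY.search(line):
            findings.append((n, "b: hardcoded key material", line))
        if is_cred and BASE64_ENCODE.search(line):
            findings.append((n, "c: base64 encoding used on a credential", line))
    return findings


if __name__ == "__main__":
    for n, what, line in triage(SAMPLE_SOURCE):
        print(f"line {n}: {what}\n    {line.strip()}")
```

The last sample line (base64 of image bytes) is deliberately left unflagged, since base64 is only a finding when it stands in for protecting a secret.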
