12 Februar 2021
According to the “Digital 2020” study by Hootsuite and We Are Social, globally, “mobile devices account for more than half of the time spent online this year”. There are 2.4% more smartphone users on the planet this year than in 2019: that’s 124 million more people… and just as many mobiles to secure.
While they contain a large amount of sensitive data, smartphones are more exposed to cyber risks than computers. Most of the time, operating systems are not updated by users.
It is also important to know that there is a latency time between Android updates and those proposed by manufacturers and operators, who must adapt them to their model. This can sometimes take between two and three months. Thus, a phone will always be less up-to-date than a PC. Moreover, after three or four years of use, some patches are simply no longer supported by the devices, which remain until a new smartphone is purchased, devoid of the latest security features.
It’s a fact: users tend to secure their mobile much less than their PC. PINs and passwords are still relatively simple, and password templates are still too easy to enter. Also, users tend to install applications without really being vigilant and accept too many authorizations.
Aware of this problem, manufacturers are trying to compensate by increasing the security of the smartphones they sell. Today’s phone models are very well secured and therefore difficult to break into. The users are the main challenge.
Typically, companies ask us to test the applications they develop and the phones in their mobile fleet.
A pentest on a mobile app looks very much like a very heavy client: there is a local part (file stock, logs, installed binary*, execution, memory usage…) and a web part. For the web part, we use classical tools such as proxies or network traffic analyzers, reverse engineering used for the local part to disassemble and understand the binary of the application.
For the specific iOS or Android part, there are tools dedicated to mobile penetration tests, including software for dynamic patching. These are “on the fly” modifications of an app’s behavior: we target the local part and modify it while running. This allows us to bypass the security set up by the developer.
When we audit a smartphone, we need to find the PIN or push the user to install a malicious app to get remote access. Sometimes we use social engineering techniques, but only if it is adapted to the client’s needs and if he has previously agreed to use such methods.
The most important thing for a pentester – and therefore, a cybercriminal – is to retrieve the phone’s password. Without this first step, it is tough to access the data on a smartphone. Once we have entered the phone, we can, for example, log in to email, retrieve emails, where there is a considerable amount of important information.
In general, whether we are auditing a cell phone or an application, we start with a minimum of information. We need to know the specifics of each version. For example, between iOS 12 and iOS 13, there are significant differences.
To train for pentest on mobile, it is advisable to have a basic understanding of application security and to have a good knowledge of the Android and iOS security models, first in theory and then quickly move on to the practical application. To do this, there are some very well done test applications made: once installed, the goal is to attack them successfully.
As the versions evolve very quickly, the Internet remains a gold mine for self-training or updating.
Too many users are unaware of the attacks they may be subjected to on their cell phone or the security techniques to protect themselves against them. Here are a few tips:
*binary: file is written in “machine language”. This is what the operating system reads and executes. Since it is not humanly readable (symbols and special characters), the reverse engineering process allows to bring it back to a tangible format (such as source code, for example) to analyze and understand it.