CEHv12-17 - Mobile Platform Hacking

Mobile security basics

Mobile devices have multiple entry points for attackers due to their extensive functionality and connectivity.

Surfaces

1. Operating Systems: vulnerable to outdated patches. Regular updates are essential to address security flaws.
2. Applications: third-party or malicious apps can exploit devices. Even official app stores occasionally host compromised apps.
3. Bluetooth: susceptible to attacks like Bluejacking, Bluesnarfing, Bluebugging, and BlueBorne. Older specifications lack encryption and authentication.
4. Wi-Fi: subject to common wireless threats (e.g., Evil Twin, Honeypot attacks). Devices on public Wi-Fi are particularly vulnerable.
5. Telco (Cellular Networks): outdated protocols like SS7 allow attackers to eavesdrop on calls, intercept messages, and perform billing fraud.
6. Web Browsing: exposed to client-side attacks like Cross-Site Scripting (XSS), drive-by downloads, and clickjacking.

Threats and Vulnerabilities

• Malware:

  • Overview: malware targets all devices, including mobile.
  • Examples: malicious APKs, spyware apps.
  • Prevention: regular updates, antivirus tools, and avoiding third-party app stores.

• SIM hijacking:

  • Mechanism:
    • Attackers hijack SIMs to intercept 2FA messages and calls.
    • Insider threats may involve telecom employees.
  • Impact: Compromises sensitive accounts and communication.

• App Store threats:

  • Official stores: even trusted platforms like Google Play and Apple App Store can host malicious apps.
  • Third-party stores: apps from third-party sources like FDroid require careful vetting.
  • Mitigation: stick to official app stores and minimize app installs.

• Encryption weaknesses:

  • Unencrypted communication: SMS and certain apps lack encryption.
  • Weak Encryption: devices using outdated protocols are vulnerable.
  • Recommendations: use apps with end-to-end encryption like Signal or WhatsApp. Ensure devices utilize strong encryption protocols.

• Theft and physical access:

• Risks: unlocked or poorly secured devices can lead to unauthorized access.

• Mitigation: enable auto-lock features with strong passwords or biometrics. Use remote wipe capabilities.

OWASP Mobile Top 10 Risks:
The OWASP Mobile Top 10 outlines common mobile security risks:

1. Improper Platform Usage: Misuse of OS features.
2. Insecure Data Storage: Storing sensitive data unencrypted.
3. Insecure Communication: Lack of encrypted channels.
4. Insecure Authentication: Weak login mechanisms.
5. Insufficient Cryptography: Poor implementation of encryption.
6. Insecure Authorization: Allowing unauthorized access.
7. Client Code Quality Issues: Vulnerable application code.
8. Code Tampering: Modified or malicious apps.
9. Reverse Engineering: Attackers decompiling apps to exploit vulnerabilities.
10. Extraneous Functionality: Exposing debug or test features in production.

General security guidelines

1. Keep devices updated: install patches and updates promptly.
2. Use antivirus software: detect and mitigate malware.
3. Enable encryption: encrypt device storage and external media.
4. Minimize app installs: only install necessary and verified apps.
5. Disable unused features: turn off Bluetooth, Wi-Fi, and location services when not needed.
6. Secure communication: use apps with end-to-end encryption.
7. Be cautious of public networks: avoid public Wi-Fi or use VPNs for secure connections.
8. Monitor device activity: look for suspicious behavior and unauthorized access.

Additional risks and considerations:

• Sandbox bypass: Mobile devices may be susceptible to sandbox bypass or escape, allowing malicious actors to evade security measures and compromise device integrity.
• Sim hijacking: Attackers can hijack SIM cards to intercept SMS messages, phone calls, and two-factor authentication (2FA) codes, compromising device security.
• Mobile spam and phishing: Mobile users are vulnerable to spam and phishing attacks via SMS (smishing) and voice calls (vishing), which aim to deceive users into disclosing sensitive information.
• NSO group and Pegasus: Organizations like the NSO Group develop sophisticated malware like Pegasus, targeting mobile devices to infiltrate communications and compromise device security.

Android security

Android basic features:

• Popularity:
  • Android powers approximately three out of four mobile devices worldwide.
  • Dominates the smartphone and tablet markets due to its open-source nature and affordability.
• Development:
  • Created by Google and based on Linux.
  • Open-source and customizable, allowing manufacturers to adapt the OS for various devices.
• Device administration:
  • Android supports app development via tools like Android Studio.
  • Deprecation of some administrative policies; developers should keep up-to-date with Android API changes.

Rooting

• Definition:
  • Rooting grants administrative (root) access, bypassing built-in security restrictions.
  • Similar to jailbreaking on iOS, but specific to Android.
• Benefits:
  • Bypass restrictions: Install apps from external sources and enable tethering.
  • Remove bloatware: Delete pre-installed apps that consume resources.
  • Customization: Modify the OS and install custom ROMs.
• Risks:
  • Security vulnerabilities: Increased risk of malware through third-party apps.
  • Warranty void: Rooting typically voids the manufacturer’s warranty.
  • Bricking: Improper rooting can render the device inoperable.

Rooting tools

• Popular tools:
  • Kingo root
  • King root
  • Towel root
  • One-click root: known for its ease of use.
• Requirements: enable USB Debugging Mode on the device, and follow tutorials specific to the device model.

Hacking Tools

• Drozer: vulnerability scanner.
• zanti-zscan: mobile penetration testing toolkit by Zimperium.
• Kali NetHunter: a mobile penetration testing platform that doesn’t require rooting.
• DroidSheep: intercept unprotected web sessions (requires rooting).
• C-Sploit: a Metasploit-like tool for Android.
• ADB (Android Debug Bridge): enables shell access for debugging and app management.

Security measures

1. Avoid rooting: retain built-in security protections.
2. Use strong screen locks: secure devices with PINs, passwords, or biometrics.
3. Install apps from trusted sources: only download from Google Play to avoid malicious APKs.
4. Install antivirus and anti-malware: e.g. AVG, Avast, Norton, Bitdefender.
5. Keep the OS updated: regular updates fix vulnerabilities and improve security.
6. Avoid public WiFi: use VPNs for secure connections when necessary.
7. Enable location services: helps track and recover lost devices.
8. Beware of smishing: treat suspicious text messages with caution and avoid clicking unknown links.
9. Disable unused features: turn off WiFi, Bluetooth, and location services when not in use.

iOS security

Developed by Apple, iOS powers iPhones and iPad. It was released in 2007, initiating the smartphone revolution. Renowned for its smooth performance, advanced hardware, and secure ecosystem. Among it’s security features are:

• Secure boot: ensures only authorized boot processes occur.
• Biometric authentication: Face ID, Touch ID.
• Passcodes: adds another layer of security.
• Code signing: requires apps to pass stringent Apple code reviews.
• Sandboxing: isolates apps to prevent unauthorized access to system resources.

Jailbreaking

• Definition: bypassing iOS restrictions to gain root-level access and remove sandboxing. It is similar to rooting on Android devices.

• Advantages:

  • Install third-party or unsigned apps.
  • Full customization of the device.

• Disadvantages:

  • Increased risk of malware and malicious apps.
  • Voids warranty and may brick the device.
  • Compromises built-in security measures.

• Types:

  1. Tethered: requires the device to be connected to a computer to boot in a jailbroken state.
  2. Semi-Tethered: boots normally but requires a computer to reapply the jailbreak for functionality.
  3. Untethered: device remains jailbroken even after reboots.
  4. Semi-Untethered: similar to semi-tethered but allows patching directly from the device without a computer.

• Tools:

  • Hexxa/Hexxa Plus: Popular jailbreaking tools.
  • Numerous tutorials and tools are available online for jailbreaking.

iOS-Specific Security Threats

1. Trust jacking:
   • Exploits the “Trust This Device” feature during iTunes sync over WiFi.
   • Allows attackers remote access to sensitive data.
2. iOS malware:
   • Includes threats like Pegasus and spyware tools.
   • Targets high-profile users and exploits zero-day vulnerabilities.
3. Hacking Tools:
   • Apps like Network Analyzer Pro can gather network information.
   • Tools like Elcomsoft Phone Breaker can access encrypted backups and iCloud data.

Security Measures for iOS Devices

1. Avoid jailbreaking: retain built-in security protections.
2. Enable screen locks: use Face ID, Touch ID, or strong PINs.
3. Install trusted apps: avoid sideloading apps or downloading from unverified sources.
4. Regular updates: apply patches and updates as soon as they are available.
5. Use VPNs: encrypt data during network transmission.
6. Disable unused features: turn off WiFi, Bluetooth, and location services when not in use.
7. Enable “Find my iPhone”: track your device if lost or stolen.
8. Use a password manager: avoid weak or reused passwords.
9. Install mobile security suites: e.g. Trend Micro, Norton, or Bitdefender.
10. Avoid public WiFi: minimize exposure to untrusted networks.

iOS Hacking Tools

• Network Analyzer Pro: for information gathering.
• Trustjacking: exploiting the trusted device feature to access the device remotely (juicejacking is done via compromised cable on port).
• Malware Examples: Pegasus, developed by the NSO Group, used for espionage.

Mobile device management

Mobile Device Management (MDM)

• Definition: software solution allowing administrators to manage and secure mobile devices across various operating systems (e.g., Android, iOS, Windows, Chrome OS).
• Capabilities:
  • Authentication enforcement: require passcodes or biometric authentication.
  • Remote actions: lock or wipe lost/stolen devices.
  • Root/Jailbreak detection: flag compromised devices for security.
  • Policy enforcement: apply security rules (e.g., app restrictions, password policies).
  • Inventory tracking: monitor devices as part of organizational assets.
  • Real-Time monitoring: generate alerts for compliance and security issues.
• Examples of MDM Solutions:
  • ManageEngine Mobile Device Manager Plus: supports cloud or on-premises deployment which manages devices running Android, iOS, macOS, Windows, and Chrome OS.
  • IBM Maas360 with Watson: cloud-based mobility management solution, which integrates with AI-driven insights for enhanced device security.

Bring Your Own Device (BYOD)

• Definition: employees use personal devices for work-related tasks.
• Benefits:
  • Increased productivity: employees can work on familiar devices.
  • Flexibility: access business resources anytime, anywhere.
  • Cost savings: reduces organizational expenditure on devices.
  • Employee satisfaction: allows use of preferred devices.
• Risks:
  • Diverse cevices: increased attack surface for IT and security teams.
  • Data co-mingling: personal and business data coexist, complicating security.
  • Unsecured networks: users may connect to insecure Wi-Fi.
  • Device disposal: improper disposal could expose sensitive data.
  • Lost/Stolen devices: high potential for data breaches.
  • Policy circumvention: users may bypass corporate restrictions (e.g., use cellular networks to access restricted sites).

BYOD Policies

1. Secure environment: require secure passwords and full-disk encryption. Implement device health checks before granting access.
2. Standardized technology: approve a list of supported hardware, software, and apps.
3. Policy documentation: publish and disseminate clear guidelines on acceptable use.
4. Local storage and removable media control: define what data can be stored locally or on external drives.
5. Network Access Control (NAC): use NAC to assess and allow device connections based on compliance.
6. Web and messaging security: enforce secure communication and browsing practices.
7. Data Loss Prevention (DLP): apply measures to prevent unauthorized data sharing or exfiltration.

General Security Guidelines for Mobile Devices

1. Use antivirus and anti-spyware: e.g. Norton, Bitdefender, or Trend Micro.
2. Restrict app installs: avoid unnecessary or suspicious apps.
3. No sideloading, jailbreaking, or rooting: prevent actions that compromise built-in security.
4. Remote wipe capabilities: ensure sensitive data can be securely deleted from lost devices.
5. Enable disk encryption: protect data in case of device theft.
6. Apply regular updates and patches: keep the OS and apps current to mitigate vulnerabilities.
7. Secure network connections: avoid public Wi-Fi or use VPNs for encrypted access.
8. Educate users: train employees on secure usage and recognizing phishing (e.g., smishing).