Full Report
West Coast in the house, well actually more like an African visiting Seattle for Blackhat’s West Coast Trainings. We’ve had a great year delivering the latest course in our amazing Hacking by Numbers training series: Mobile. What’s cool about this course is that, like the others, we teach a hacking methodology rather than punting a tool or a magic do-it-all solution. Mobile was created to match the continuous growth in mobile phone usage, with a specific focus on showing you how you would go about testing the mobile platforms and installed applications to ensure they have been developed in a secure manner. HBN Mobile provides a complete and practical window into the methods used when attacking mobile platforms and presents you with a methodology that can be applied across platforms. This course is structured to cater to penetration testers who are new to the mobile area and who need to understand how to analyze and audit applications on various mobile platforms using a variety of tools.
Analysis Summary
This article describes a specialized training course ("Hacking by Numbers: Mobile") focused on teaching a **methodology for testing and auditing mobile applications and platforms** across various operating systems (Android, iOS, RIM, Windows 8).
Since the article is an advertisement/description of a training course rather than a direct publication of vulnerability findings or prescriptive security standards, the recommendations below are inferred from the *topics* and *areas of focus* covered by a comprehensive mobile security audit methodology.
# Best Practices: Mobile Application and Platform Security Auditing
## Overview
These practices focus on establishing a security methodology for testing mobile platforms and analyzing installed applications to ensure secure development and deployment across diverse mobile operating systems (e.g., Android, iOS, legacy platforms). The goal is to adopt a repeatable process for identifying common security flaws.
## Key Recommendations
### Immediate Actions
1. **Establish a Dedicated Mobile Security Scope:** Prioritize the definition of necessary testing coverage for mobile applications, documenting which platforms (Android/iOS/etc.) are in scope for initial security reviews.
2. **Acquire Physical Testing Devices:** Immediately procure and configure physical mobile devices (not solely relying on emulators) to ensure testing accurately reflects real-world execution environments.
3. **Review In-Scope Application Source Code:** For critical applications, begin a preliminary review of the code related to authentication, session management, and data validation components as a baseline for static analysis.
### Short-term Improvements (1-3 months)
1. **Implement Structured Static Analysis:** Integrate static analysis tools into the development pipeline to proactively scan source code for common injection flaws, improper cryptographic usage, and insecure data storage before compilation.
2. **Audit Communication Protocols:** Verify that all data transmitted between the mobile application and backend services strictly enforces **Transport Layer Security (TLS)**, ensuring proper certificate validation (no hardcoded trust anchors or insecure skipping of validation).
3. **Validate Authentication and Authorization Flows:** Perform penetration tests specifically targeting mismatches between client-side and server-side enforcement of access controls, ensuring users cannot bypass logic checks to access unauthorized features or data.
### Long-term Strategy (3+ months)
1. **Develop Cross-Platform Penetration Testing Methodology:** Standardize the documented methodology derived from threat modeling and testing activities, ensuring it can be applied consistently across all mobile platforms (Android, iOS, etc.) utilized by the organization.
2. **Integrate Security Training for Developers:** Mandate foundational security training for development teams covering secure coding practices relevant to mobile platforms, focusing specifically on secure data validation and session management patterns.
3. **Establish Comprehensive Mobile Penetration Testing Lab:** Formally document and maintain a secure, isolated "penetration testing lab" environment, complete with necessary runtime analysis tools and target application builds, available for recurring security audits.
## Implementation Guidance
### For Small Organizations
- **Focus on the Basics:** Prioritize configuration checks for the two most commonly used platforms (likely Android and iOS).
- **Tool Proficiency:** Focus efforts on deeply understanding the output of a few versatile analysis tools rather than acquiring a large suite of niche tooling.
- **External Augmentation:** If internal expertise is limited, budget for a single, focused external security audit covering authentication and data storage vulnerabilities.
### For Medium Organizations
- **Formalize Methodology:** Document the testing steps performed (based on the platform-agnostic methodology) and build internal templates for reporting findings from static and dynamic analysis.
- **Implement Device Control:** Begin inventorying physical devices used for development and testing to ensure they are patched and configured securely (e.g., rooted/jailbroken devices used for testing must be strictly segregated).
- **Address Transport Security:** Conduct a broad review across the application portfolio to identify and remediate any instances of insecure communication protocols or outdated TLS versions.
### For Large Enterprises
- **Platform Deep Dive:** Develop specialized testing modules for each distinct mobile OS utilized internally (Android, iOS, etc.), acknowledging platform-specific security features and weaknesses.
- **Automated Integration:** Integrate static analysis (SAST) tools directly into the CI/CD pipeline, automatically failing builds that introduce critical vulnerabilities related to data handling or communication.
- **Ongoing Re-Testing:** Schedule routine, platform-specific penetration tests (at least annually) that test both the application logic and the underlying platform security configurations to ensure regression has not occurred.
## Configuration Examples
*(The source material describes security domains but does not provide specific configuration commands or code snippets. Therefore, this section is derived from the domains mentioned as required areas of investigation.)*
**Example Configuration Focus Area: Transport Layer Security Implementation**
1. **Configuration Check:** Ensure the mobile application enforces Certificate Pinning or strict hostname verification against only the known, trusted back-end server certificate(s).
2. **Verification Action:** Attempt to intercept traffic using a proxy tool with an untrusted or self-signed certificate; the application must fail to connect.
**Example Configuration Focus Area: Secure Data Storage**
1. **Configuration Check:** Verify that sensitive data (tokens, credentials, Personally Identifiable Information) is stored exclusively using platform-provided secure storage mechanisms (e.g., Android Keystore, iOS Keychain) and is never written to plain text files or shared preferences without proper encryption.
2. **Verification Action:** After installation, examine accessible directories on a compromised (rooted/jailbroken) device to confirm sensitive data cannot be trivially read.
## Compliance Alignment
The practices outlined align with foundational security principles necessary for compliance with standards covering software assurance and vulnerability management:
- **NIST SP 800-53 / NIST CSF:** Aligns with System and Information Integrity (SI) and Personnel Security (PS) objectives, particularly around security configuration and secure coding.
- **ISO/IEC 27001/27002:** Relates strongly to A.14 (System Acquisition, Development, and Maintenance) concerning secure development practices and application testing.
- **OWASP Mobile Application Security Verification Standard (MASVS):** The focus on authentication, session management, data validation, and transport security directly maps to core MASVS requirements.
## Common Pitfalls to Avoid
- **Over-reliance on Emulators:** Treating emulator results as definitive proof of security; real-world device-specific behaviors (e.g., memory handling, environmental checks) must be tested on physical hardware.
- **Focusing Only on OWASP Top 10 (Web):** Failing to address mobile-specific vulnerabilities related to platform integration, insecure inter-process communication (IPC), and platform-level authorization controls.
- **Neglecting Backend Validation:** Assuming client-side security alone is sufficient; all critical security controls (authentication, authorization, data validation) must have corresponding, robust server-side enforcement.
- **Ignoring Non-Standard Platforms:** Assuming security testing methodology is identical for all OSes; ignoring proprietary platform security features (e.g., specific sandbox environments) can lead to overlooked weaknesses.
## Resources
- **Methodology Framework:** A structured, platform-agnostic hacking methodology (as taught in HBN Mobile).
- **Targeted Testing Areas:** Focus areas include **Static Analysis**, **Authentication and Authorization**, **Data Validation**, **Session Management**, and **Transport Layer Security**.
- **Tooling Requirement:** Utilize a variety of tools for analysis, emphasizing the need for dynamic testing on physical devices.