Mobile Platforms: Module 16 (CEH)
Ethical Hacking and Countermeasures Copyright by EC-C0UnCil All Rights Reserved. Reproduction is Strictly Prohibited.
Security News
Mobile Malware Cases Nearly Triple in First Half of 2012, Says NetQin
July 31, 2012 09:40 AM ET
In total, NetQin detected 17,676 mobile malware programs during 2012's first half, up 42% from the previous six months in 2011. About a quarter of the detected malware came from China, which led among the world's countries, while 17% came from Russia, and 16.5% from the U.S. In China, malware is mainly spread through forums, ROM updates, and third-party app stores, according to NetQin. So-called "remote control" Trojan malware that sends spam ads infected almost 4.7 million phones in China. NetQin also detected almost 3.9 million phones in China being infected with money-stealing malware that sends out text messages to trigger fee-based mobile services. The high number of infections would likely translate into the malware's creators netting $616,533 each day. The surge in mobile malware has occurred at the same time that China has become the world's largest smartphone market by shipments. Android smartphone sales lead with a 68% market share, according to research firm Canalys. The country's Guangdong and Jiangsu provinces, along with Beijing, were ranked as the three highest areas in China for mobile malware.
By Michael Kan
http://www.computerworld.com/s/article/9229802/Mobile_malware_cases_nearly_triple_in_first_half_of_2012_says_NetQin
Module Objectives

- Mobile Attack Vectors
- Mobile Platform Vulnerabilities and Risks
- Android OS Architecture
- Android Vulnerabilities
- Android Trojans
- Securing Android Devices
- Jailbreaking iOS
- Guidelines for Securing iOS Devices
- Windows Phone 8 Architecture
- Guidelines for Securing Windows OS Devices
- BlackBerry Attack Vectors
- Guidelines for Securing BlackBerry Devices
- Mobile Device Management (MDM)
- General Guidelines for Mobile Platform Security
- Mobile Protection Tools
- Mobile Pen Testing

The main objective of this module is to educate you about the potential threats to mobile platforms and how to use mobile devices securely. This module makes you
Module Flow

For better understanding, this module is divided into various sections and each section

Flow diagram: Hacking BlackBerry; Hacking iOS

This section introduces you to the various mobile attack vectors and the associated vulnerabilities and risks. This section also highlights the security issues arising from app stores.
Mobile Threat Report Q2 2012

Source: http://www.f-secure.com

In the report, malware attacks on Android phones continue to dominate the other mobile platforms. The most attacks were found in the third quarter of 2011, and in 2012, Q2 came in at 40%.

Figure 16.1: Mobile Threat Report Q2 2012 (threats per quarter, 2011-2012; platform categories include J2ME; types include Trojan and Adware)

Note: The threat statistics used in the Mobile Threat Report Q2 2012 are made up of families and variants instead of unique files.

Mobile Threat by Type Q2 2012

Source: http://www.hotforsecurity.com

Attacks on mobile phones were mostly due to Trojans, which according to the Mobile

Figure 16.2: Mobile Threat by Type Q2 2012 (Trojan, Monitoring Tool, Riskware, Application, Adware)
Terminology

The following is the basic terminology associated with mobile platform hacking:

Stock ROM: The default ROM (operating system) of an Android device, as supplied by the manufacturer.

CyanogenMod: A modified device ROM without the restrictions imposed by the device's original ROM.
Mobile Attack Vectors

Similar to traditional computer systems, most modern mobile devices are also prone to attacks. Mobile devices have many potential attack vectors through which an attacker tries to gain unauthorized access to the device and to the data stored on it or transferred by it. These attack vectors allow attackers to exploit vulnerabilities in the operating system or in the applications used by the mobile device; the attacker can also exploit the human factor. The various mobile attack vectors include:

- Malware: virus and rootkit
- Application modification
- OS modification
Mobile Platform Vulnerabilities and Risks

Mobile platform vulnerabilities and risks are the challenges faced by mobile users due to the functionality and increasing use of mobile devices at work and in other daily activities. The new functionality amplifies the attraction of the platforms used in mobile devices, which provides an easy path for attackers to launch attacks and exploits. Attackers target platforms such as Android, among others, to insert malicious applications with hidden functionality that stealthily gathers a user's sensitive information. The companies that develop mobile applications are more concerned about security because

Thus, levels of security and data by mobile

The following are some of the risks and vulnerabilities associated with mobile platforms:

- App Stores
- Mobile Malware
- App Sandboxing
- Device and App Encryption
- OS and App Updates
- Jailbreaking and Rooting
- Mobile Application Vulnerabilities
- Data Security
- Excessive Permissions
Security Issues Arising from App Stores

- Insufficient or no vetting of apps leads to malicious and fake apps entering the app marketplace.
- App stores are a common target for attackers to distribute malware and malicious apps.
- and data, and send your sensitive data to attackers.

An authenticated developer of a company creates mobile applications for mobile users. In order to allow mobile users to conveniently browse and install these apps, platform vendors have created centralized marketplaces, but security concerns have resulted. Usually mobile applications developed by developers are submitted to these marketplaces (official app stores) without screening or vetting,
attacker without the user's knowledge.
Using the
attacker can

Figure 16.3: Security Issues Arising from App Stores (App Store, Mobile App, No Vetting; call logs / photos / videos / sensitive docs)
Threats of Mobile Malware

In recent years, many users have been moving away from personal computers toward smartphones and tablets. This increased adoption of mobile devices for business and personal purposes, combined with comparatively weaker security controls, has shifted the focus of attackers and malware writers toward launching attacks on mobile devices. Attackers target mobile devices because more sensitive information is stored on them. SMS spoofing and toll fraud are examples of attacks performed against mobile devices. Mobile malware includes viruses, SMS-sending malware, mobile botnets, spyware, destructive Trojans, etc. The malware is either a standalone application or functionality hidden within another application. To infect mobile devices, the malware writer or attacker develops a malicious application, publishes it to a major application store, and waits until users install it on their mobile devices. Once the user installs the application hosted by the attacker, the attacker takes control of the user's mobile device. Mobile malware threats can result in loss and theft, interruption of data communication, exploitation and misconduct, and direct attacks. According to the threat reports, the security threats to mobile devices are increasing day by day. In 2004, malware threats against mobile devices were few compared with recent years; the frequency of malware threats to mobile devices increased drastically in 2012.

Figure 16.4: Threats of Mobile Malware
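Both the app-store section above (apps accepted "without screening or vetting") and the malware section (an attacker publishes a modified app and waits for installs) come down to one question a store or a reviewer can actually test: was the package changed after it was signed? The following Python is an added example, not material from the module, that re-checks the JAR-style (APK v1) signature manifest inside an APK. The sample APK, its file contents and its manifest are constructed in memory for the example; a real store check would additionally pin the signer certificate, which this code deliberately does not verify and says so in its docstring.

```python
"""Verify an APK's JAR-style (v1) signature manifest against its contents.

Added example, not part of the original module. An APK is a zip archive whose
META-INF/MANIFEST.MF records a digest of every file in it; the signer's
CERT.SF and CERT.RSA then cover that manifest. The check below re-hashes each
entry and compares it with the manifest, which catches a package that was
modified or had files added after it was signed. It deliberately does NOT
verify CERT.RSA (that needs a PKCS#7 parser): a repackager can regenerate
MANIFEST.MF and re-sign with their own key, so a store or reviewer must also
pin the expected signer certificate. The sample APK is constructed in memory.
"""
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def _digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def parse_manifest(text):
    """Return {entry_name: base64 SHA-256} from MANIFEST.MF text.

    JAR manifests wrap lines longer than 72 bytes; a leading space marks a
    continuation line, so those are unfolded first.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    digests, name = {}, None
    for line in lines:
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
        elif not line.strip():
            name = None  # a blank line ends an entry section
    return digests


def verify_apk_manifest(apk_bytes):
    """Return a list of findings; an empty list means every entry matched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        if MANIFEST not in names:
            return ["no META-INF/MANIFEST.MF: archive is unsigned"]
        digests = parse_manifest(zf.read(MANIFEST).decode("utf-8"))
        for entry in names:
            if entry.startswith("META-INF/") or entry.endswith("/"):
                continue  # signature files and directories are not digested
            expected = digests.get(entry)
            if expected is None:
                findings.append(f"{entry}: not covered by manifest (added after signing)")
            elif expected != _digest(zf.read(entry)):
                findings.append(f"{entry}: digest mismatch (modified after signing)")
    return findings


def build_apk(entries, sign=True):
    """Construct a minimal APK in memory (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        if sign:  # only the manifest half of a v1 signature; see docstring
            lines = ["Manifest-Version: 1.0", ""]
            for name, data in entries.items():
                lines += [f"Name: {name}", f"SHA-256-Digest: {_digest(data)}", ""]
            zf.writestr(MANIFEST, "\r\n".join(lines))
    return buf.getvalue()


def repackage(apk_bytes, name, new_data):
    """Replace or add one entry without touching META-INF, as a repackager might."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        for entry in src.namelist():
            dst.writestr(entry, new_data if entry == name else src.read(entry))
        if name not in src.namelist():
            dst.writestr(name, new_data)
    return buf.getvalue()


# Constructed sample "app": two payload files plus the generated manifest.
SAMPLE_APK = build_apk({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"})

if __name__ == "__main__":
    tampered = repackage(SAMPLE_APK, "classes.dex", b"dex\n035\x00evil")
    for finding in verify_apk_manifest(tampered):
        print(finding)
```

Two kinds of findings matter for vetting: a digest mismatch means an existing file was altered after signing, and an entry missing from the manifest means a file was slipped into the archive (a native library or a second dex file, say) that the signer never covered. Neither check replaces certificate pinning, because an attacker who re-signs with their own key produces a perfectly consistent manifest.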
App Sandboxing Issues

Sandboxing isolates each running program by means of a security mechanism that limits the resources the app can access on the mobile platform. This helps protect the system and the user; however, a malicious application may exploit vulnerabilities and bypass the sandbox. Sandboxing is easiest to explain by comparing a conventional computer with a smartphone. On a conventional computer, a program runs with the privileges of the user who started it: it can read whatever files that user can read on the hard drive and use whatever resources that user is allowed, unless they are explicitly locked down. So if an individual downloads malicious software believing it to be genuine, that software can read the keystrokes typed on the system, scan the entire hard drive for useful file types, and send that data back over the network. The same holds for mobile devices: if an application is not confined to its own working environment, it can access all the user data and all the system resources, and a malicious application can take complete control of the user's mobile device.

Secure sandbox environment

In a secure sandbox environment, each individual application is given its own working environment. As a result, the application is restricted from accessing other applications' user data and system resources. This protects mobile devices against malware threats.
Figure 16.5: Secure sandbox environment (the app has unrestricted access to its own user data and sandboxed system resources, and no access to other user data or system resources)

Vulnerable Sandbox Environment

In a vulnerable sandbox environment, the malicious application exploits loopholes or weaknesses to bypass the sandbox. As a result, the application can access other user data and system resources that are meant to be restricted.

Figure 16.6: Vulnerable Sandbox Environment (the app bypasses the sandbox and accesses other user data and system resources)
Module Flow

So far, we have discussed various potential attack vectors of mobile platforms. Now we will discuss hacking the Android OS.

Flow diagram: Hacking Android OS; Hacking iOS

This section introduces you to the Android OS and its architecture, various vulnerabilities
Android OS

Source: http://developer.android.com

Android is a software stack developed by Google specifically for mobile devices such as smartphones and tablet computers. It comprises an operating system, middleware, and key applications. Android's operating system is based on the Linux kernel. Each Android application runs in a sandbox; the sandbox security mechanism is explained on a previous slide. Security firms have released antivirus software for Android devices, such as Lookout Mobile Security, AVG Technologies, and McAfee. However, the sandbox also applies to the antivirus software: although such software has the ability to scan, it is limited to scanning within its own sandboxed environment.

Features of the Android operating system include:

- Application framework enabling reuse and replacement of components
- Dalvik virtual machine optimized for mobile devices
- Integrated browser based on the open source WebKit engine
- SQLite for structured data storage
- Media support for common audio, video, and still image formats (MPEG4, H.264, MP3, AAC, AMR, JPG, PNG, GIF)
- Rich development environment including a device emulator, tools for debugging, memory and performance profiling, and a plugin for the Eclipse IDE
Android OS Architecture

Android is a Linux-based operating system especially designed for portable devices such as smartphones and tablets. The layered representation that follows shows the different layers which make up the Android operating system: applications, application framework, libraries, Android runtime, and the Linux kernel.

Applications: Home, Contacts, Phone, Browser, ...
Application Framework: Activity Manager, Package Manager, Telephony Manager, Resource Manager, Location Manager, Notification Manager, Window Manager, Content Providers, View System
Libraries: Surface Manager, Media Framework, SQLite, OpenGL | ES, FreeType, WebKit, SGL, SSL, libc
Android Runtime: Core Libraries, Dalvik Virtual Machine
Linux Kernel: Display Driver, Camera Driver, Flash Memory Driver, Binder (IPC) Driver, Keypad Driver, WiFi Driver, Audio Driver, Power Management

Applications: The applications provided by Android include an email client, SMS, calendar, maps, browser, contacts, etc. These applications are written in the Java programming language.

Application Framework: As Android is an open development platform, developers have full access to the same framework APIs that are used by the core applications.

- The View System can be used to build an application's user interface elements such as lists, grids, text boxes, and buttons.
- Content Providers permit applications to access data from other applications, or to share their own data.
- The Resource Manager provides access to non-code resources such as localized strings and graphics.
- The Notification Manager lets applications display custom alerts in the status bar.
- The Activity Manager manages the lifecycle of applications.

Libraries: The libraries layer contains the native code that provides the main features of the Android OS. For example, database support is provided by the SQLite library, so that an application can use it for storing data, and web browser functionality is provided by the WebKit library. Android's native libraries include Surface Manager, Media Framework, SQLite (database engine), OpenGL | ES, FreeType, WebKit / LibWebCore (web browser engine), SGL, SSL, and libc.

Android Runtime: The Android runtime includes the core libraries and the Dalvik virtual machine. The core libraries provide most of the functionality of the Java language so that developers can write Android applications in Java. Every Android application runs in its own process with its own instance of the Dalvik virtual machine, and Dalvik is written so that a device can run multiple VMs efficiently.

Linux Kernel: The Android operating system is built on the Linux kernel. This layer is made up of the low-level device drivers for the hardware components of an Android device, such as the Display Driver, Camera Driver, Flash Memory Driver, Binder (IPC) Driver, Keypad Driver, WiFi Driver, Audio Driver, and Power Management.
Policies supported by the Device Administration API

Policy: Description

- Password enabled: Requires that devices ask for a PIN or password.
- Minimum password length: Sets the required number of characters for the password. For example, you can require PINs or passwords to have at least six characters.
- Alphanumeric password required: Requires that passwords have a combination of letters and numbers. They may include symbolic characters.
- Complex password required: Requires that passwords contain at least a letter, a numerical digit, and a special symbol. Introduced in Android 3.0.
- Minimum letters required in password: The minimum number of letters required in the password for all admins or a particular one. Introduced in Android 3.0.
- Minimum lowercase letters required in password: The minimum number of lowercase letters required in the password for all admins or a particular one. Introduced in Android 3.0.
- Minimum non-letter characters required in password: The minimum number of non-letter characters required in the password for all admins or a particular one. Introduced in Android 3.0.
- Minimum numerical digits required in password: The minimum number of numerical digits required in the password for all admins or a particular one. Introduced in Android 3.0.
- Minimum symbols required in password: The minimum number of symbols required in the password for all admins or a particular one. Introduced in Android 3.0.
- Minimum uppercase letters required in password: The minimum number of uppercase letters required in the password for all admins or a particular one. Introduced in Android 3.0.
- Password expiration timeout: When the password will expire, expressed as a delta in milliseconds from when a device admin sets the expiration timeout. Introduced in Android 3.0.
- Password history restriction: Prevents users from reusing the last n unique passwords. This policy is typically used in conjunction with setPasswordExpirationTimeout(), which forces users to update their passwords after a specified amount of time has elapsed. Introduced in Android 3.0.
- Maximum failed password attempts: Specifies how many times a user can enter the wrong password before the device wipes its data. The Device Administration API also allows administrators to remotely reset the device to factory defaults, which secures data in case the device is lost or stolen.
- Maximum inactivity time lock: Sets the length of time since the user last touched the screen or pressed a button before the device locks the screen. When this happens, users need to enter their PIN or password again before they can use the device and access data. The value can be between 1 and 60 minutes.
- Require storage encryption: Specifies that the storage area should be encrypted, if the device supports it. Introduced in Android 3.0.
- Disable camera: Specifies that the camera should be disabled. This does not have to be permanent; the camera can be enabled or disabled dynamically based on context, time, and so on. Introduced in Android 4.0.

Table 16.1: Android Device Administration API
Android Rooting

Rooting is the process of removing the limitations imposed on an Android device and allowing full access. It allows Android users to attain "superuser" privileged control (known as "root access") within Android's subsystem. After rooting an Android phone, the user has control over the settings, features, and performance of the phone and can even install software that is not supported by the device. Root users have superuser privileges with which they can easily alter or modify the software on the device. Rooting is essentially hacking one's own Android device and is the equivalent of "jailbreaking" an iPhone.

The rooting process involves exploiting a security vulnerability in the device firmware, copying the su binary to a location in the current process's PATH (e.g. /system/xbin/su), and granting it executable permissions with the chmod command.

Rooting enables user-installed applications to run privileged commands, which allows:

- Modifying or deleting system files, modules, ROMs (stock firmware), and kernels
- Removing carrier- or manufacturer-installed applications (bloatware)
- Low-level access to hardware that is typically unavailable to devices in their default configuration
- Improved performance
- Wi-Fi and Bluetooth tethering
- Installing applications on the SD card
- A better user interface and keyboard

Rooting also comes with security and other risks to your device, including:

- Voiding your phone's warranty
- Poor performance
- Malware infection
- Bricking the device
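The rooting process just described leaves two artifacts that a defender (an MDM agent, a banking app, a pen tester's triage script) can look for: an executable su binary in a directory on the PATH, and the Superuser app that mediates requests for UID 0. The following Python is an added example, not part of the module, that implements that check. It takes the PATH entries, the installed-package list and a filesystem root as parameters so that it can run here against a constructed fake device tree; the superuser-manager package names are assumed for the example, and the fake su file is a placeholder, not a real binary.

```python
"""Detect the artifacts rooting leaves behind: an executable su binary on the
PATH and a superuser-manager app.

Added example, not part of the original module. The rooting process above
copies su into a directory on the PATH (e.g. /system/xbin/su), marks it
executable with chmod, and relies on a Superuser app that mediates requests
for UID 0. A root check looks for exactly those artifacts. PATH entries and
the installed-package list are passed in as parameters, and the filesystem is
rooted at `fs_root`, so the check can be exercised here against a constructed
tree; on a device you would feed it the real PATH and `pm list packages`.
"""
import os
import shutil
import stat
import tempfile

# Directories where rooting tools commonly drop su (the location from the
# procedure above plus other well-known ones).
SU_DIRS = ["/system/xbin", "/system/bin", "/sbin", "/system/sd/xbin", "/vendor/bin"]

# Package names of common superuser managers (assumed for this example).
SU_MANAGER_PACKAGES = {
    "com.noshufou.android.su",
    "eu.chainfire.supersu",
    "com.koushikdutta.superuser",
}

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def find_su_binaries(search_dirs, fs_root="/"):
    """Return (device_path, is_executable) for each su found in search_dirs."""
    found = []
    for d in search_dirs:
        host_path = os.path.join(fs_root, d.lstrip("/"), "su")
        try:
            mode = os.stat(host_path).st_mode
        except OSError:
            continue  # no such file (or no such directory) on this device
        found.append((d.rstrip("/") + "/su", bool(mode & EXEC_BITS)))
    return found


def root_check(path_dirs, installed_packages, fs_root="/"):
    """Return (rooted, executable_su_paths, manager_packages).

    The device counts as rooted if an *executable* su is reachable (a
    non-executable leftover is not decisive) or a superuser manager is installed.
    """
    search = list(dict.fromkeys(list(path_dirs) + SU_DIRS))  # dedupe, keep order
    su_paths = [p for p, executable in find_su_binaries(search, fs_root) if executable]
    managers = sorted(SU_MANAGER_PACKAGES & set(installed_packages))
    return bool(su_paths or managers), su_paths, managers


def build_sample_fs(rooted):
    """Construct a fake device filesystem (sample data, not a real image)."""
    root = tempfile.mkdtemp(prefix="fakefs-")
    for d in ("system/bin", "system/xbin"):
        os.makedirs(os.path.join(root, d))
    if rooted:
        su = os.path.join(root, "system/xbin/su")
        with open(su, "wb") as f:
            f.write(b"\x7fELF")  # placeholder standing in for the real su binary
        os.chmod(su, 0o755)     # the chmod step from the rooting procedure
    return root


def check_sample(rooted):
    """Build a fake device, run the check, clean up, and return the result."""
    root = build_sample_fs(rooted)
    pkgs = ["com.android.chrome", "com.android.settings"]
    if rooted:
        pkgs.append("com.noshufou.android.su")  # the Superuser app
    try:
        return root_check(["/system/bin", "/system/xbin"], pkgs, fs_root=root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rooted in (False, True):
        print(check_sample(rooted))
```

Treat a positive result as a signal rather than proof: rooting tools that hide su or rename the manager package defeat this kind of check, which is why it is usually combined with other indicators such as test-keys builds or writable system partitions. Conversely, the check fails safe on an unrooted device, because a stock image has neither an executable su on the PATH nor a superuser manager installed.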
CEH
t
P lu g in a n d c o n n e c t y o u r a n d r o i d d e v ic e t o y o u r c o m p u t e r v i a USB
PC Mode Windows Media Sync USB Mass Storage Charge Only O O Q
D e b u g m o d e* w h e n u s e(o a m o m
Stay awa ke S erf n will n eve* slee p * h ile (t w p n g
USB debugging
J J
G o t o S e tt in g s >A p p li c a t i o n s > D e v e lo p m e n t a n d e n a b le U S B D e b u g g in g t o p u t y o u r a n d r o i d i n t o U S B D e b u g g in g m o d e
J J J
S u p er u ser R eq u e st A pp: drocap2 (10104) pAckdga: ca m g u v * n ig . Jtudrcx4()3 R eq u ested U1D: root(O) C om nw ltd: /sy s 1 1n bl1Vsh
!5 ]
J J
N o w c h e c k o u t t h e i n s t a l le d a p p s in y o u r p h o n e S u p e r u s e r ic o n m e a n s y o u n o w h a v e r o o t a c c e s s ( r e b o o t t h e p h o n e i f y o u d o n o t s e e it )
R cm em ber
J
Copyright by E&Cauaci. All Rights Reserved. Reproduction is Strictly Prohibited.
M o d u le 16 P ag e 2423
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0UnCil All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Li
USB connection
USB debugging
o o o o
VOKfmju
Stay awake
Saeen will never sleep while charging
m m
m
Cancel
M arket
Superuser Request
The follow ing ap p is requesting superuser access: A p p : d rocap2 (10104)
M o d u le 16 P ag e 2424
Ethical H acking a n d C o u n te rm e a s u re s C opyright by EC-C0l1nCil All R ights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Put your Android phone in bootloader mode:
- Turn off the phone, remove the battery, and plug in the USB cable. When the battery icon appears on screen, pop the battery back in. Now tap the Power button while holding down the Camera key.
- For Android phones with a trackball: turn off the phone, press and hold the trackball, then turn the phone back on.

Step 3: Depending on your computer's OS, do one of the following:
- Windows: Double-click install-superboot-windows.bat.
- Mac: Open a terminal window to the directory containing the files, and type chmod +x install-superboot-mac.sh followed by ./install-superboot-mac.sh.
- Linux: Open a terminal window to the directory containing the files, and type chmod +x install-superboot-linux.sh followed by ./install-superboot-linux.sh.
In addition to SuperOneClick and Superboot, there are many other tools that can be used for rooting Android phones:
- Unrevoked
- Universal Androot
- UnlockRoot (UnlockRoot.com)
- Recovery Flasher

[Screenshots: the Unrevoked, Universal Androot and UnlockRoot apps, including the install-time prompt of one of the rooting apps requesting Storage: modify/delete SD card contents; Phone calls: read phone state and identity; System tools: change Wi-Fi state, prevent phone from sleeping]
[Screenshot: DroidSheep in ARP-spoofing mode (Spoofing IP: 192.168.0.1), listing intercepted web sessions by site, client IP and session ID]

User -> Attacker (ARP spoofing) -> Internet: the attacker intercepts the client's request for a web page, modifies the session IDs, and relays them to the web server.

FIGURE 16.11: Session Hijacking Using DroidSheep
[Screenshot: FaceNiff settings: Vibration (vibrate when a new profile is found) and Filter services (select which services you want to be shown)]

FaceNiff is an Android app that allows you to sniff and intercept web session profiles over the Wi-Fi that your mobile is connected to. It is possible to hijack sessions only when the Wi-Fi is not using EAP, but it should work over any private network (Open/WEP/WPA-PSK/WPA2-PSK). Note: if the web user uses SSL, this application won't work.
[Screenshots: FaceNiff main screen (STOP button, captured profiles; menu: Unlock app, Request new key, Go to website, Settings) and its Filter services list, which includes amazon.com, amazon.co.uk, amazon.de, tuenti.com, nk.pl, twitter.com, tumblr.com, meinvz.net, studivz.net and blogger.com]
[Screenshots: Android application drawer (Car Home, Contacts, Custom Locale, Dev Tools, Gallery, Messaging, Music, Phone, Settings, Spare Parts, Speech Recorder); one of them also lists a "Zertifikat" entry]
[Screenshots: GingerBreak v1.1 (APK: Chainfire; Exploit: The Android Exploid Crew) install prompt, requesting the System tools permission "read system log files". Before rooting, the app asks you to make sure that you have an SD card inserted and mounted and that USB debugging is enabled]
Cawitt

- Cawitt.A operates silently in the background, gathering device information which it later forwards to a remote server
- Collected information includes device ID, International Mobile Equipment Identity (IMEI) number, phone number, Bot ID, and modules

[Screenshots: Cawitt installed as the "Be social! plugin" (32.00KB) with no launcher icon; its Application info lists the permissions Your messages: receive SMS; Network communication: full Internet access; Storage: modify/delete SD card contents; Phone calls: read phone state and identity; send SMS messages]

Cawitt operates silently in the background, gathering device information which it later forwards to a remote server. Collected information includes device ID, International Mobile Equipment Identity (IMEI) number, phone number, Bot ID, and modules. This Trojan doesn't place any launcher icon in the application menu in order to avoid being detected by the device user.
Gamex

- Gamex.A hides its malicious components inside the package file
- Once it is granted root access by the user, it connects to a command and control (C&C) server to download more applications and to forward the device IMEI and IMSI numbers
- It also establishes a connection to an external link which contains a repackaged APK file, and proceeds to download and install the file

Frogonal is a repackaged version of an original application where extra functionalities used for malicious intent have been added into the new package. It harvests the following information from the compromised mobile devices:
- Identification of the Trojanized application:
  - Package name
  - Version code
- Phone number
- IMEI number
- IMSI number
- SIM serial number
- Device model
- Operating system version
- Root availability
[Screenshots: an app named "My Games" requesting Your messages: receive SMS; Storage: modify/delete SD card contents; Hardware controls: take pictures and videos; Phone calls: read phone state and identity; and Application info for com.android.gesture.builder (32.00KB) and Example Wallpapers (20.00KB) showing Network communication: full Internet access and Phone calls: read phone state and identity]

Gamex

Gamex is an Android Trojan that downloads and installs files on a compromised mobile device. It hides the malicious content inside the file that is to be installed; once it is granted root access by the device owner, it connects to a command and control (C&C) server to download more applications and to forward the device's IMEI and IMSI numbers. It also establishes a connection to an external link that contains a repackaged APK file, and proceeds to download and install the file.
Mania

- Mania.A is an SMS-sending malware that sends out messages with the content "tel" or "quiz" to the number 84242
- Any reply from this number is redirected to another device to prevent the user from becoming suspicious
- Mania.A is known for using the trojanization technique, where it is repackaged with another original application in order to dupe victims

[Screenshots: Manage applications list including com.android.gesture.builder (32.00KB)]

KabStamper is an Android Trojan that modifies images found in the target mobile device by overwriting them with a predefined image. It is distributed via Trojanized applications that deliver news and videos about the AKB48 group. It is very destructive and destroys images found in the sdcard/DCIM/camera folder that stores images taken with the device's camera.
[Screenshots: Manage applications list including com.android.gesture.builder (32.00KB), Example Wallpapers (20.00KB) and Sample Soft Keyboard (36.00KB)]

Mania

Mania is an Android Trojan that pretends to perform license checking to cover up its SMS-sending activities in the background. It is SMS-sending malware that sends out messages with the content "tel" or "quiz" to the number 84242. Any reply from this number is redirected to another device to prevent the device owner from becoming suspicious. While running, Mania appears to be performing license checking, but this process always fails and never seems to be completed. The license checking is a cover-up for the SMS-sending activities that are taking place in the background.
SmsSpy

- SmsSpy.F poses as an Android Security Suite application that records received SMS messages into a secsuite.db
- This malware targets banking consumers in Spain, where it is spammed via a message indicating that an extra Security Protection program that protects the device is available for download

[Screenshots: PremiumSMS configuration entries such as Number: 3381, Content: 692046 169 BG QCb5T3w]

PremiumSMS is an Android Trojan that reaps profit from its SMS-sending activities. It has a configuration file that contains data on the content of the SMS messages and the recipient numbers. Example of sent messages:
1. Number: 1151, Content: 692046 169 BG QCb5T3w
2. Number: 1161, Content: 692046 169 BG QCb5T3w
3. Number: 3381, Content: 692046 169 BG QCb5T3w
4. Number: 1005, Content: kutkut clsamg 6758150
5. Number: 5373, Content: kutkut clsamg 6758150
6. Number: 7250, Content: kutkut clsamg 6758150

SmsSpy

SmsSpy is an Android Trojan that poses as an Android Security Suite application but does nothing to ensure the device's security. Instead, it records received SMS messages into secsuite.db. It targets banking consumers in Spain.
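To show how the SMS-sending behaviour described for Mania and PremiumSMS above would surface in a device's outgoing message records, here is an added example (not code from the CEH material or from either Trojan) that flags outgoing SMS to short codes and identical bodies fanned out to several short codes; the log format, timestamps and long-number entries are constructed for this example.

```python
"""Flag outgoing SMS traffic resembling the premium-rate activity of
Mania and PremiumSMS.

Added example; not code from the CEH material or from either Trojan.
The log format (one record per line: timestamp, direction, number, body)
is constructed for this example and is not a real Android log format.
"""
from collections import defaultdict
import re

# Constructed sample log. Short codes and bodies are the ones quoted in the
# text above for PremiumSMS (1151, 1161, 3381, 1005, 5373, 7250) and Mania
# (84242 with "tel"/"quiz"); the two long-number entries are benign filler.
SAMPLE_LOG = """\
2012-07-30T08:01:12 OUT 1151 692046 169 BG QCb5T3w
2012-07-30T08:01:13 OUT 1161 692046 169 BG QCb5T3w
2012-07-30T08:01:14 OUT 3381 692046 169 BG QCb5T3w
2012-07-30T08:01:15 OUT 1005 kutkut clsamg 6758150
2012-07-30T08:01:16 OUT 5373 kutkut clsamg 6758150
2012-07-30T08:01:17 OUT 7250 kutkut clsamg 6758150
2012-07-30T08:05:00 OUT +14155550123 running late, see you at 9
2012-07-30T08:06:40 OUT 84242 tel
2012-07-30T08:06:41 OUT 84242 quiz
2012-07-30T08:07:02 IN 84242 Your subscription is active
2012-07-30T09:00:00 OUT +14155550199 ok
"""

LINE_RE = re.compile(r"^(\S+)\s+(IN|OUT)\s+(\+?\d+)\s+(.*)$")


def parse_log(text):
    """Yield (timestamp, direction, number, body) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def is_short_code(number):
    """Service/premium short codes: 3 to 6 digits with no country prefix."""
    return number.isdigit() and 3 <= len(number) <= 6


def find_premium_sms_activity(log_text, min_fanout=2):
    """Return two kinds of findings:
    - 'short_code_out': every outgoing message to a short code, in log order
    - 'fanout': bodies sent verbatim to at least min_fanout distinct short
      codes, the signature of a configuration-driven sender like PremiumSMS
    """
    short_code_out = []
    by_body = defaultdict(set)
    for ts, direction, number, body in parse_log(log_text):
        if direction == "OUT" and is_short_code(number):
            short_code_out.append((ts, number, body))
            by_body[body].add(number)
    fanout = {body: sorted(nums) for body, nums in by_body.items()
              if len(nums) >= min_fanout}
    return {"short_code_out": short_code_out, "fanout": fanout}


if __name__ == "__main__":
    result = find_premium_sms_activity(SAMPLE_LOG)
    for ts, number, body in result["short_code_out"]:
        print(f"{ts} outgoing SMS to short code {number}: {body!r}")
    for body, nums in result["fanout"].items():
        print(f"same body {body!r} sent to {len(nums)} short codes: {', '.join(nums)}")
```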
UpdtKiller

- UpdtKiller.A connects to a command and control (C&C) server, to which it forwards users' data and from which it receives further commands
- This malware is also capable of killing antivirus processes in order to avoid being detected

DroidLive SMS is an Android Trojan that disguises itself as a Google library and attempts to use the device administration API, installing itself as a device administration app. It is capable of tapping into personal data and performing a mixture of nefarious activities on Android mobile devices. It receives commands from a Command and Control (C&C) server, allowing it to perform functions including sending text messages to premium numbers, initiating phone calls, and collecting personal data.
[Figure: Trojan component diagram showing BootReceiver, LiveReceiver, ShutdownReceiver, SmsMessageReceiver, WakeLockReceiver and DeviceAdmin components, with the actions Send Text Messages, Add Device Admin and Call Phone Numbers]

Android Trojan: UpdtKiller

UpdtKiller is an Android Trojan that terminates processes belonging to antivirus products in order to avoid detection. It connects to a command and control (C&C) server, to which it forwards harvested user data and from which it receives further commands.
Android Trojan: FakeToken

FakeToken steals both banking authentication factors (Internet password and mTAN) directly from the mobile device.

Distribution Techniques:
- Through phishing emails pretending to be sent by the targeted bank
- Injecting web pages from infected computers, simulating a fake security app that presumably avoids the interception of SMS messages by generating a unique digital certificate based on the phone number of the device
- Injecting a phishing web page that redirects users to a website pretending to be a security vendor that offers the "eBanking SMS Guard" as protection against "SMS message interception and mobile Phone SIM card cloning"

[Screenshots: permissions requested by the original and the new version of FakeToken: Your messages: receive SMS; Network communication: full Internet access; Your personal information: read contact data; Storage: modify/delete SD card contents; Phone calls: read phone state and identity; Services that cost you money: send SMS messages]
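The install-time permission lists in the screenshots above are the first thing a defender can check. As an added example, not from the CEH material or from any app shown, the following maps those prompt labels to Android permission names and flags the combinations the Trojans in this section depend on; the sample apps and the rule set are constructed for this example from the screenshots.

```python
"""Triage install-time permission sets against the Trojan behaviours above.

Added example; not code from the CEH material or from any of the apps shown.
The label-to-permission mapping uses AOSP permission names; the rules and
sample apps are constructed for this example from the screenshots.
"""

# Install-prompt label (as shown in the screenshots) -> AOSP permission name.
LABEL_TO_PERMISSION = {
    "receive SMS": "android.permission.RECEIVE_SMS",
    "send SMS messages": "android.permission.SEND_SMS",
    "full Internet access": "android.permission.INTERNET",
    "read phone state and identity": "android.permission.READ_PHONE_STATE",
    "read contact data": "android.permission.READ_CONTACTS",
    "modify/delete SD card contents": "android.permission.WRITE_EXTERNAL_STORAGE",
    "take pictures and videos": "android.permission.CAMERA",
}

# (rule name, permissions that must all be present, behaviour they enable).
RULES = [
    ("sms-interception", {"RECEIVE_SMS", "INTERNET"},
     "incoming SMS such as bank mTANs can be read and forwarded (SmsSpy, FakeToken)"),
    ("premium-sms-sender", {"SEND_SMS"},
     "messages can be sent to premium short codes (Mania, PremiumSMS, FakeToken, DroidLive)"),
    ("device-fingerprint-exfil", {"READ_PHONE_STATE", "INTERNET"},
     "IMEI/IMSI and phone number can be harvested and sent to a C&C server (Cawitt, Gamex, Frogonal)"),
    ("contact-harvest", {"READ_CONTACTS", "INTERNET"},
     "contact data can be read and uploaded"),
]


def labels_to_permissions(labels):
    """Translate prompt labels to short permission names (e.g. RECEIVE_SMS).

    Unknown labels are kept verbatim so they still appear in the result
    instead of being silently dropped.
    """
    perms = set()
    for label in labels:
        full = LABEL_TO_PERMISSION.get(label, label)
        perms.add(full.rsplit(".", 1)[-1])
    return perms


def triage(labels):
    """Return the names of every rule whose permission set is fully requested."""
    perms = labels_to_permissions(labels)
    return [name for name, needed, _ in RULES if needed <= perms]


def triage_all(apps):
    """Map each app name to its list of matched rule names."""
    return {app: triage(labels) for app, labels in apps.items()}


# Constructed samples following the permission lists in the screenshots.
SAMPLE_APPS = {
    "Be social! plugin (Cawitt)": [
        "receive SMS", "full Internet access", "modify/delete SD card contents",
        "read phone state and identity", "send SMS messages"],
    "FakeToken (new version)": [
        "receive SMS", "full Internet access", "read contact data",
        "modify/delete SD card contents", "read phone state and identity",
        "send SMS messages"],
    "Example Wallpapers": ["full Internet access", "modify/delete SD card contents"],
}

if __name__ == "__main__":
    explanations = {name: why for name, _, why in RULES}
    for app, hits in triage_all(SAMPLE_APPS).items():
        print(f"{app}: {'no findings' if not hits else ''}")
        for name in hits:
            print(f"  [{name}] {explanations[name]}")
```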
Google Apps Device Policy

The Google Apps Device Policy app allows a Google Apps domain admin to set security policies for your Android device. It is a device administration app for Google Apps for Business, Education, and Government accounts that makes your Android device more secure for enterprise use.

This app allows IT administrators to enforce security policies and remotely wipe your device. Additionally, it allows you to ring, lock, or locate your Android devices through the My Devices page: https://www.google.com/apps/mydevices
[Screenshots: Google Apps Device Policy app. "Device administered under <domain>: domain administrators can set policies and remotely wipe the device"; sync status "Successfully synced with server"; "Account registered"; the device details visible to domain administrators (Model, Device ID, Phone Number, OS: Android 4.0.4, Build Number, Kernel version, Baseband version, Last Sync, MAC Address); "Locate your device at google.com/apps/mydevices"; Unregister button]
If users have Google Sync installed on a supported mobile device, or an Android device with the Google Apps Device Policy app, they can use the Google Apps control panel to remotely wipe the device.

To remote wipe a lost or stolen device:
1. Sign in to your Google Apps control panel.
2. Click Settings > Mobile.
3. In the Devices tab, hover your cursor over the user whose device you want to wipe.
4. Click Remote Wipe in the box that appears.
5. A second box appears asking you to confirm that you want to remotely wipe the device. If you are sure you want to wipe the device, click Wipe Device.
[Screenshot: Google Apps control panel, Mobile settings > Devices tab, listing each device's owner, Type (Google Sync or Android), Hardware (e.g. iPhone 3G, iPhone 4, iPad 2), OS (e.g. iOS 4.3, Android 2.3.5), Last Sync date and Status (Approved or Blocked); the on-mouseover hovercard offers Block, Remote Wipe and View Details]
[Screenshot: ARP-spoofing detection app (Status: Running) raising the alert "SOMEONE SEEMS TO BE HIJACKING USING ARP SPOOFING ON THIS NETWORK!", with the options Disable WiFi on alert, Notify in system, and Save and hide]
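The alert in the screenshot above is what a monitor raises when the MAC address answering for an IP (usually the gateway) changes, which is the ARP-spoofing step DroidSheep and FaceNiff rely on. As an added example, not code from any app on this page, here is a minimal monitor run over a constructed ARP reply trace; the trusted-MAC pin is this example's own addition.

```python
"""Detect the gateway ARP spoofing that DroidSheep and FaceNiff rely on.

Added example; not code from the CEH material or from any app shown on this
page. It replays a constructed trace of ARP replies, as a monitor on the
victim's Wi-Fi would observe them, and alerts when the MAC claimed for an IP
changes, when a pinned (trusted) mapping is contradicted, or when one MAC
starts claiming several IPs.
"""
from collections import defaultdict

# Constructed ARP reply trace: (seq, sender_ip, sender_mac). The MACs are
# locally administered placeholder values, not real devices.
SAMPLE_ARP_REPLIES = [
    (1, "192.168.0.1", "02:00:00:00:00:01"),    # genuine gateway
    (2, "192.168.0.100", "02:00:00:00:00:64"),  # the phone being monitored
    (3, "192.168.0.1", "02:00:00:00:00:01"),
    (4, "192.168.0.1", "02:00:00:00:00:99"),    # a third MAC now answers for the gateway
    (5, "192.168.0.100", "02:00:00:00:00:99"),  # and for the phone: both sides are redirected
    (6, "192.168.0.1", "02:00:00:00:00:99"),    # steady state, no new alert without a pin
]


class ArpMonitor:
    """Maintain an IP->MAC table from observed replies and raise alerts on conflicts.

    trusted: optional {ip: mac} pins (for instance the gateway's known MAC,
    which the guard apps let you save). A reply contradicting a pin is always
    an alert, and the pinned entry is never overwritten.
    """

    def __init__(self, trusted=None):
        self.trusted = dict(trusted or {})
        self.ip_to_mac = dict(self.trusted)
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.trusted.items():
            self.mac_to_ips[mac].add(ip)
        self.alerts = []

    def observe(self, seq, ip, mac):
        """Process one ARP reply and return the alerts it produced (possibly none)."""
        new = []
        if ip in self.trusted:
            if self.trusted[ip] != mac:
                new.append(("trusted-violation", seq, ip, self.trusted[ip], mac))
        else:
            known = self.ip_to_mac.get(ip)
            if known is not None and known != mac:
                new.append(("mac-change", seq, ip, known, mac))
            self.ip_to_mac[ip] = mac
        # One MAC answering for several IPs is the man-in-the-middle position itself.
        if ip not in self.mac_to_ips[mac]:
            self.mac_to_ips[mac].add(ip)
            if len(self.mac_to_ips[mac]) > 1:
                new.append(("multi-ip", seq, mac, tuple(sorted(self.mac_to_ips[mac]))))
        self.alerts.extend(new)
        return new


def analyse(replies, trusted=None):
    """Run the monitor over a whole trace and return all alerts in order."""
    mon = ArpMonitor(trusted)
    for seq, ip, mac in replies:
        mon.observe(seq, ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_ARP_REPLIES):
        print(alert)
```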
X-Ray

- It presents you with a list of vulnerabilities that it is able to identify and allows you to check for the presence of each vulnerability on your device
- X-Ray is automatically updated with the ability to scan for new vulnerabilities as they are discovered and disclosed

[Screenshot: X-Ray scan results listing vulnerabilities by name, such as Wunderbar and Gingerbreak]

Anti

- On each run, Anti will map your network, scan for active devices and vulnerabilities, and display the information accordingly: a green LED signals an active device, a yellow LED signals available ports, and a red LED signals a vulnerability found
- Each device will have an icon representing the type of the device
- When finished scanning, Anti will produce an automatic report specifying which vulnerabilities you have or bad practices used, and how to fix each one of them
[Screenshot: Anti scan of a local network (Local Targets), listing discovered hosts by IP address with their status LEDs]
- Find My Phone: http://findmyphone.mangobird.com
- Prey Anti-Theft: http://preyproject.com
- Android Anti-Theft Security: http://www.snuko.com
- Where's My Droid: http://wheresmydroid.com
- iHound: https://www.ihoundsoftware.com
- Total Equipment Protection App: https://protection.sprint.com
- AndroidLost.com: http://www.androidlost.com

Find My Phone

Source: http://findmyphone.mangobird.com

Find My Phone is an Android phone app that helps you find your lost, stolen, or misplaced phone. When you lose your phone, just send it a text message (SMS) and the phone will reply with its current location. You can also make your phone ring loudly if you lose it somewhere close, like inside your home.
Prey Anti-Theft

Source: http://preyproject.com

Prey lets you keep track of your laptop, phone, or tablet if it is stolen or missing. It supports geolocation. It's lightweight, open source software that gives you full and remote control, 24/7.
Android Anti-Theft Security

Source: http://www.snuko.com

Snuko is anti-theft software that runs on multiple platforms, protecting thousands of PCs, mobile phones, laptops, etc. It offers a complete online back-up solution: as part of the anti-theft package, Snuko subscribers' files can be stored safely and securely in the cloud. Its Mobile Dashboard generates tracking information and provides security for your data. If the mobile device is lost, the device is locked to prevent any unauthorized access. If the device's SIM card is replaced without your knowledge, the new SIM card number, phone number, and the IMEI/IMSI numbers will be recorded. The phone cannot be used until the correct PIN code is entered.
[Screenshot: Android Anti-Theft (Snuko) app showing device location]

Where's My Droid

Source: http://wheresmydroid.com

Where's My Droid is an Android device tracking tool that allows you to track your phone from anywhere, either with a text-messaged attention word or with an online Commander. The app can also get the GPS coordinates with a link to Google Maps; if you're not near enough to your phone to hear the ringer, it can turn the ringer volume up and make your phone ring. One of the features is Activity Log, which enables you to see what the app does, when it does it, and who is using it.
iHound

Source: https://www.ihoundsoftware.com

iHound is an Android device tracking tool that allows you to track your mobile using the GPS and the WiFi, 3G, or Edge signals built into your device to determine its location. Using its tracking website, you can track the location of your device, remotely lock your phone, and remotely erase important personal information such as SMS messages, contacts, phone call logs, photos, videos, and/or SD storage data. You can also set Geofencing location alerts through its mobile website, optimized for iPhone, iPod Touch, and Android phones. You can track multiple devices on multiple platforms and set up Geofences.
GadgetTrak Mobile Security

Source: http://www.gadgettrak.com

GadgetTrak Mobile Security helps you to reduce the risk of mobile device loss or theft. It allows you to track the device's location, back up its data, and even wipe the data on the device remotely. With the combination of GPS, Wi-Fi positioning, and cell tower triangulation, you can easily track the location of your device. If your device is lost or stolen, you can remotely enable a piercing alarm, even if it's in silent mode. Once tracking is activated, the software settings cannot be modified unless tracking is deactivated.

[Screenshot: GadgetTrak options "I want to be able to wipe my pictures" and "Backup my pictures from this device"]

FIGURE 16.36: GadgetTrak Mobile Security
T o ta l E q u ip m e n t P r o te c tio n A p p
-----
Source: https://protection.sprint.com
Total Equipment Protection App is an Android device tracking tool that allows you to find, repair, and replace your phone, whether it is dead or lost. It also comes with online features that protect your existing handset. When you lose the phone, you can map the exact location with directions on how to get there. It sounds the alarm when the phone is misplaced by its alarm even when it is on silent mode. You can choose to remotely lock a misplaced phone or erase your contacts and you can even synchronize and restore the lost phone after its recovery or can get a new phone.
AndroidLost.com
Source: http://www.androidlost.com
AndroidLost.com is an online service that allows you to find your lost phone. The AndroidLost app does not need to be installed in advance: you can push it to the phone from Google Market after the phone is lost, and initiate its connection to Google's servers by sending an SMS with the message "Androidlost register" to the phone, after which you can locate and track it. Sound alerts can be enabled from your PC even when the phone is in silent mode. You can control more than one phone from your account.
Module Flow
iOS is a mobile operating system developed by Apple. Apple does not license iOS for installation on non-Apple hardware. The increasing use of Apple devices for many purposes has attracted the attention of attackers, who concentrate on hacking iOS in order to gain root-level access to Apple devices.
This section introduces you to the Apple iOS and focuses on hacking iOS. This section describes iOS attack vectors such as jailbreaking and types of jailbreaking, and also covers the guidelines to be followed in order to secure iOS devices.
Security News

Researchers Hack iPhone Running Latest Apple iOS, Steal Data (24-Sep-2012)
Source: http://www.computerworld.in

White-hat hackers broke into the developer version of iOS 6, meaning Apple's new iPhone 5 could be vulnerable. Researchers have broken into an iPhone 4S running the latest version of Apple iOS, making it possible to exploit the same vulnerability in the iPhone 5. The white-hat hackers Joost Pol and Daan Keuper showed how they were able to steal contacts, browsing history, photos and videos to win $30,000 in the mobile Pwn2Own contest Wednesday at EUSecWest in Amsterdam, IT World reports. Because the hacked iPhone was running a developer version of iOS 6, it's likely the same vulnerability could be used to break into an iPhone 5 or the latest iPad and iPod Touch devices. The WebKit browser exploit took only a few weeks to make, the researchers told IT World. Using the malicious code in a website would enable a cybercriminal to bypass the security mechanisms in Safari to gain access to the phone's data.
WebKit is a layout engine used by browsers to render Web pages. The open source technology is used in the Safari Web browser in iOS and in Google's Chrome, which recently became the default browser for Android. The Dutch researchers are not the first to penetrate the iPhone's defenses through WebKit, said Chenxi Wang, an analyst for Forrester Research. Hackers typically target WebKit because Apple does not use a number of standard security practices in using the engine. Apple has not said why, but it could be related to phone performance and battery life. In addition, Apple doesn't vet code executed on the browser, like it does apps before allowing them to be offered to iPhone users. "This opens doors to remote exploitation," Wang said. "But to [Apple's] credit, we haven't seen a lot of that going on, which is actually quite impressive." Wang does not believe the risk of the latest vulnerability is very high. That's because a cybercriminal would have to find a way to get iPhone users to a compromised site. A hacker could inject malicious code into a popular Web site, but this would also be difficult. "It's certainly possible and certainly is a threat, but I don't see it becoming a massively popular way of attacking iPhone users," he said. The Dutch researchers held back some of the details of their work, in order to prevent giving cybercriminals a hacking roadmap to the iPhone. "Apple will have to come up with an update and then people need to upgrade as fast as possible," Pol told IT World. Speed in plugging the hole is key to reducing risk, said Peter Bybee, president and chief executive of cloud security provider Security On-Demand. "Whether you're likely to be attacked depends on how long the gap will be between when Apple fixes the problem and attackers repeat the researcher's success," Bybee said. "Just because the exploit is shared only with the vendor doesn't mean that it won't get out into the open market. There was enough detail in how they found the exploit and used it that it could be replicated by an experienced malware creator." Other participants in the hacker contest demonstrated breaking into the Samsung Galaxy S3 via its near field communication (NFC) technology. The researchers from security company MWR Labs were able to beam an exploit from one Galaxy S3 to another. Once the malicious app is installed in the receiving phone, a hacker would have full access to the phone's data, Tyrone Erasmus, a security researcher at MWR, told IT World. The app runs in the background, making it invisible to the phone's user. The exploit targets a vulnerability in the document viewer application that comes as a default app in the Galaxy S2, S3 and some HTC phones. The flaw enables a hacker to steal text messages, emails, contact information and other data. The researchers said the vulnerability, which also exists in the Galaxy S2, could be exploited by malware sent via email, the MWR team said. The researchers also won $30,000 for the hack.

Zero Day Initiative by Hewlett-Packard's DVLabs organized the competition. DVLabs will send details of the hacks to Apple and Samsung, respectively.

http://www.computerworld.in/news/researchers-hack-iphone-running-latest-apple-ios-stealdata-29822012
Apple iOS

- iOS is Apple's mobile operating system, which supports Apple devices such as iPhone, iPod touch, iPad, and Apple TV
- The user interface is based on the concept of direct manipulation, using multi-touch gestures

(Slide diagram: the iOS layer stack, of which the Core Services and Core OS layers are labeled)
iOS is Apple's mobile operating system, originally created for the iPhone. It also runs other Apple devices such as the iPod Touch, iPad, and Apple TV. iOS is derived from Mac OS X. The user interface is based on the concept of direct manipulation, using multi-touch gestures. It offers many options and features that make daily tasks easier, and it can be updated on your iPhone, iPad, or iPod Touch over Wi-Fi and other wireless networks.
FIGURE 16.39: Apple iOS Screenshot
Jailbreaking iOS

- Jailbreaking is defined as the process of installing a modified set of kernel patches that allows users to run third-party applications not signed by the OS vendor
- Jailbreaking provides root access to the operating system and permits downloading of third-party applications, themes, and extensions on iOS devices
- Jailbreaking removes sandbox restrictions, which enables malicious apps to access restricted mobile resources and information
- Jailbreaking, like rooting, also comes with many security and other risks to your device, including:
  - Voids your phone's warranty
  - Malware infection
  - Poor performance
  - Bricking the device
Jailbreaking iOS

Jailbreaking is a method of taking control of the iOS operating system used on Apple devices. It frees the device from its dependence on Apple-approved applications and lets the user run third-party apps that are not available in the official App Store. It is accomplished by installing a modified set of kernel patches that allow you to run third-party applications not signed by the OS vendor, and is used to add functionality to standard Apple devices. It also provides root access to the operating system and permits downloading of third-party applications, themes, extensions, and so on. This removes the sandbox restrictions, which enables malicious apps to access restricted mobile resources and information. Jailbreaking, like rooting, also comes with many security and other risks to your device, including:

- Voids your phone's warranty
- Malware infection
- Poor performance
- Bricking the device
Types of Jailbreaking

- Userland Exploit: A userland jailbreak allows user-level access but does not allow iBoot-level access
- Bootrom Exploit: A bootrom jailbreak allows user-level access and iBoot-level access
Types of Jailbreaking
When the device boots, it loads Apple's own signed iOS; to run apps from third parties, the device must be broken out of that signed chain and have its kernel patched. Jailbreak exploits are classified into three types by how deep into the boot chain they reach:

Userland Exploit: A userland jailbreak allows user-level access but does not allow iBoot-level access. It abuses a flaw in a system application to gain control of that application and, from there, of the filesystem; it cannot reach the low-level boot code, so it only touches non-vital application code. It does not need to be tethered, since it does not rely on recovery-mode loops. Because it lives entirely in software, Apple can patch it with a firmware update. These exploits are user friendly and platform independent.

iBoot Exploit: An iBoot jailbreak allows filesystem and iBoot-level access. It uses a hole in iBoot to bypass the code-signing checks, after which the user can load custom firmware and download the applications they want, and possibly jailbreak further. It is mostly used to defeat low-level iOS controls, and can be semi-tethered if the device has a new bootrom.

Bootrom Exploit: A bootrom jailbreak breaks all the low-level authentication, providing filesystem, iBoot, and NOR access (custom boot logos). It relies on a hole in the bootrom to discard the signature checks. Because the bootrom is read-only hardware, Apple cannot patch it on existing devices; only a new hardware revision closes it.
Jailbreaking Techniques

- Tethered Jailbreaking: With a tethered jailbreak, if the device starts back up on its own, it will no longer have a patched kernel, and it may get stuck in a partially started state
- Untethered Jailbreaking: An untethered jailbreak has the property that if the user turns the device off and back on, the device will start up completely, and the kernel will be patched without the help of a computer; in other words, it will be jailbroken after each reboot
There are two jailbreaking techniques:

Untethered Jailbreaking

An untethered jailbreak survives a reboot: the device boots completely, with a patched kernel, without being connected to a computer. If the battery dies, the device boots as usual once it is charged and remains jailbroken. Some untethered jailbreak solutions are greenpois0n, PwnageTool, limera1n, and sn0wbreeze.

Tethered Jailbreaking

With a tethered jailbreak, if the device starts back up on its own, it will no longer have a patched kernel, and it may get stuck in a partially started state; in order for it to start completely and with a patched kernel, it essentially must be "re-jailbroken" with a computer (using the "boot tethered" feature of a jailbreaking tool) each time it is turned on.
Cydia

- Cydia is a software application for iOS that enables a user to find and install software packages (including apps, interface customizations, and system extensions) on a jailbroken iPhone, iPod Touch, or iPad
- It is a graphical front end to the Advanced Packaging Tool (APT) and the dpkg package management system, which means that the packages available in Cydia are provided by a decentralized system of repositories (also called sources) that list these packages

(Screenshot: the Cydia home screen, listing Extensions, Themes, and Upgrading and Jailbreaking Help sections)
Jailbreaking Tools: RedSn0w and Absinthe

- RedSn0w allows you to jailbreak your iPhone, iPod Touch, and iPad running a variety of firmware versions (iPhone Dev-Team, http://blog.iphone-dev.org)
- Absinthe is a jailbreak solution for your iPhone, iPod, iPad, and Apple TV brought to you by the Chronic-Dev Team (http://greenpois0n.com)

FIGURE 16.41: RedSn0w Screenshot
Absinthe

Source: http://greenpois0n.com

Absinthe is a jailbreak solution for your Apple iOS mobile devices, including the iPhone, iPad, iPod Touch, and Apple TV, brought to you by the Chronic-Dev Team; their aim is to develop untethered jailbreak toolkits.

(Screenshot: Chronic-Dev Absinthe version 2.0, the iOS 5.1.1 untethered jailbreak)
Tethered Jailbreaking of iOS Using RedSn0w

As mentioned previously, RedSn0w can be used for both tethered and untethered jailbreaking. Let's discuss the steps involved in tethered jailbreaking of iOS 6 using RedSn0w:

Step 1: Download RedSn0w and open it (also available in the CEH Tools DVD).

Step 2: Place your iOS device into DFU mode by holding Home and Power for 10 seconds, then releasing Power while still holding Home for an additional 10 seconds.

Step 3: Click Jailbreak.

Step 4: Select Install Cydia under the "Please select your options" prompt and click Next.

Step 5: Wait for approximately 5 minutes until the jailbreaking process is complete and you are redirected to the Home screen.

Step 6: Put your device back into DFU mode.

Step 7: Go back to the main screen and select Extras > Just boot.

Step 8: You will see Cydia on your Home screen once your device boots.
Jailbreaking Tools: Sn0wbreeze

Sn0wbreeze allows iPhone unlockers to update to the latest firmware without updating the baseband in the process. This gives you full control over your jailbreak, allowing you to customize advanced options such as your root partition size. The result is restored to your iPhone or iPod, leaving it jailbroken.
PwnageTool

PwnageTool is a jailbreaking tool that allows you to create a custom IPSW for your firmware, which jailbreaks the device while preserving your baseband, thus allowing future baseband unlocking. Even if your baseband isn't unlockable, you may still want to preserve it in case a baseband unlock is found. This tool is compatible with Mac OS.

(Screenshot: PwnageTool for iPhone 3GS, showing the General, Installers, Unlocks, Custom packages, and Custom boot logo options and the Build IPSW button)
Jailbreaking Tools: LimeRa1n

LimeRa1n is a jailbreaking tool invented by GeoHot (a professional hacker) to pre-empt Chronic Dev's release of a bootrom exploit. The features of this tool enable you to switch between jailbreaking methods on Windows and Mac OS X operating systems.

FIGURE 16.45: LimeRa1n Screenshot
JailbreakMe

Source: http://www.jailbreakme.com

JailbreakMe is a tool that allows you to jailbreak your iPhone, iPod Touch, or iPad through online services: the jailbreak is delivered by visiting the site in the device's browser, so it is itself a remote browser-based exploit. It is used to provide an untethered jailbreak for the iPad 2.

(Screenshot: jailbreakme.com, Cydia by Jay Freeman (saurik), jailbreak by comex)
Jailbreaking Tools: Blackra1n and Spirit

Blackra1n

Source: http://blackra1n.com

Blackra1n is a jailbreaking tool that allows you to jailbreak devices such as an iPhone, iPod, or iPad on all firmwares. It can work on devices without having to make adjustments to the software in advance. It works on both Windows and Mac OS. It is designed by Geohot.

FIGURE 16.47: Blackra1n Screenshot
Spirit

Source: http://spiritjb.com

Spirit is a jailbreaking tool that provides an untethered jailbreak. It can jailbreak the iPad, iPhone, and iPod touch on certain firmware versions. It is not a carrier unlock.

(Screenshot: Spirit jailbreak for iPad, iPhone, and iPod touch, prompting "Please connect device")
Guidelines for Securing iOS Devices

Guidelines for securing iOS determine the course of action that helps in enhancing the security of iOS devices. These guidelines are not mandatory, but they help in protecting iOS devices from attack. The following are a few guidelines for securing iOS:

- Use the passcode lock feature for locking the iPhone
- Disable JavaScript and add-ons from web browsers
- Use iOS devices on a secured and protected Wi-Fi network
- Do not store sensitive data in a client-side database
- Do not access web services on a compromised network
- Do not open links or attachments from unknown sources
- Deploy only trusted third-party applications on iOS devices
- Change the default root password of the iPhone from "alpine" (this applies to jailbroken devices with SSH installed; the "mobile" account shares the same default and should be changed too)
Guidelines for Securing iOS Devices (Contd)

Guidelines that are to be followed by every user in order to secure iOS devices against attacks include:

- Do not jailbreak or root your device if it is used within enterprise environments
- Configure Find My iPhone and utilize it to wipe a lost or stolen device
- Enable jailbreak detection and also protect access to iTunes Apple ID and Google accounts, which are tied to sensitive data
- Disable iCloud services so that sensitive enterprise data is not backed up to the cloud (note that cloud services can back up documents, account information, settings, and messages)
- Along with this, follow the common security guidelines for all mobile devices outlined in the later slides
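As an added example of the jailbreak detection recommended above (this is not code from the courseware or from any vendor's SDK), the following C functions check for filesystem artifacts that jailbreak toolchains leave behind and probe whether the process can write outside its sandbox. The artifact list and the probe path /private/jb_probe.txt are assumptions chosen for illustration, not an authoritative inventory. Compiled into an app, such checks raise the bar but are not a control: on a jailbroken device a tweak can hook stat() and fopen() to hide the artifacts, so treat a positive result as a reason to deny access to sensitive data, and never treat a negative result as proof of a clean device.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Filesystem artifacts left behind by common jailbreak toolchains (Cydia,
 * APT/dpkg, MobileSubstrate, OpenSSH). Assumed list for this example only.
 */
static const char *const JB_ARTIFACTS[] = {
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/usr/sbin/sshd",
    "/etc/apt",
    "/private/var/lib/apt",
    "/bin/bash",
};
#define JB_ARTIFACT_COUNT (sizeof JB_ARTIFACTS / sizeof JB_ARTIFACTS[0])

/* Count how many of the given paths exist. stat() is used rather than
 * access() so that a path that exists but is unreadable still counts. */
size_t jb_count_existing(const char *const *paths, size_t count)
{
    size_t hits = 0;
    struct stat st;
    for (size_t i = 0; i < count; i++) {
        if (stat(paths[i], &st) == 0)
            hits++;
    }
    return hits;
}

/* Try to create a file at `probe`. On a stock device the app sandbox denies
 * writes outside the app container, so a successful write to a path such as
 * /private/jb_probe.txt means the sandbox restrictions have been removed.
 * Returns 1 on success (and removes the probe file again), 0 on failure. */
int jb_can_write_outside_sandbox(const char *probe)
{
    FILE *f = fopen(probe, "w");
    if (f == NULL)
        return 0;
    fputs("probe\n", f);
    fclose(f);
    unlink(probe);
    return 1;
}

/* Combined verdict: any artifact present, or a write outside the sandbox. */
int jb_detected(const char *const *paths, size_t count, const char *probe)
{
    if (jb_count_existing(paths, count) > 0)
        return 1;
    return jb_can_write_outside_sandbox(probe);
}

int main(void)
{
    /* On a desktop Linux host several of these paths exist, so the verdict
     * is only meaningful when the check runs on the device itself. */
    int jb = jb_detected(JB_ARTIFACTS, JB_ARTIFACT_COUNT, "/private/jb_probe.txt");
    printf("jailbreak indicators: %s\n", jb ? "present" : "none");
    return jb ? 1 : 0;
}
```

In a real app the verdict would gate access to credentials and enterprise data rather than merely printing; an MDM policy can additionally refuse enrollment of a device that reports as jailbroken.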
iOS Device Tracking Tools

The tools covered here are Find My iPhone, iHound, GadgetTrak iOS Security, and iLocalis.

Find My iPhone

Source: https://itunes.apple.com

Find My iPhone is an iOS device tracking tool that allows you to track a lost or misplaced iPhone, iPad, iPod touch, or Mac. It lets you use another iOS device to find it and protect your data. To use it, install the app on another iOS device, open it, and sign in with your Apple ID. It helps you locate your missing device on a map, play a sound, and even display a message, remotely.
iHound

Source: https://www.ihoundsoftware.com

iHound is an iOS device tracking tool that lets you track your device simply by turning iHound on, minimizing it, and letting it run. You can even remove it from the fast app switching bar; it can still locate your phone anytime, anywhere.
GadgetTrak iOS Security

Source: http://www.gadgettrak.com

GadgetTrak iOS Security is an iOS device tracking tool that allows you to recover your iPhone, iPad, or iPod touch by tracking the device using GPS, Wi-Fi positioning, and cell tower triangulation to pinpoint its location. Using the built-in cameras, you can collect crucial evidence to help catch the thief. When tracking occurs, you receive an email with detailed information about the device's current location. Once tracking is activated, the software settings cannot be modified until tracking is deactivated. Tracking data is transmitted from your device over an SSL connection. Only you can access your location reports and camera; all images, network information, and location data are sent directly to you from your device.

(Screenshot: GadgetTrak iOS Security)
iLocalis

Source: http://ilocalis.com

The iLocalis iOS device tracking tool allows you to control your iPhone from a computer connected to the Internet. If your iPhone has been stolen, you can find it with the track feature, or even make a remote call or send an SMS to see the new number if the SIM has been changed. Its features include location tracking and sharing your location with others, remote iPhone control, and SMS commands with backup and remote wipe of data. It also has an alert zone, push support, and remote audio recording with iPhone lock. Note that it is distributed as a Cydia package, as the package page in the screenshot shows, so it requires a jailbroken device, which conflicts with the guideline above against jailbreaking devices used in an enterprise.
FIGURE 16.52: iLocalis Screenshot
Module Flow

So far, we have discussed how to hack iOS. Now we will discuss hacking the Windows Phone OS. Similar to Apple's iOS, Windows Phone OS is another operating system intended for mobile devices.
This section introduces you to Windows Phone 8 and its architecture and secure bo ot process.
i n
( r t r f w di t f c K 4 lN M h M
Trusted shared Windows core and improved support for removable storage Core components from Windows 8, including kernel, file system, drivers, network stack, security components, media and graphics support Internet Explorer 10, Nokia map technology and background multitasking Supports Near field communication (NFC), including payment and content sharing with Windows Phone 8 and Windows 8 machines
Features improved app sandboxing and VoIP and video chat integration for any VoIP or video chat app
United Extensible Firmware Interface (UEFI) secure boot protocol and Firmware over the air for Windows Phone updates
Supports native code (C and C++), simplified porting from platforms such as Android, Symbian, and iOS
Native 128-bit Bitlocker encryption and remote device management of Windows Phone
Carrier control and branding of "wallet" element is possible via SIM or phone hardware
C o p y r ig h t b y
E&Caincl. A l l
R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
Windows Phone 8

Windows Phone 8 is the second generation operating system developed by Microsoft for Windows Phone. A few important points about Windows Phone 8 are as follows:

- It allows devices with larger screens and multi-core processors up to 64 cores.
- Trusted shared Windows core and improved support for removable storage.
- Core components from Windows 8, including kernel, file system, drivers, network stack, security components, media and graphics support.
- Internet Explorer 10, Nokia map technology, and background multitasking.
- Supports Near Field Communication (NFC), including payment and content sharing with Windows Phone 8 and Windows 8 machines.
- Supports native code (C and C++), simplified porting from platforms such as Android, Symbian, and iOS.
- Carrier control and branding of the "wallet" element is possible via SIM or phone hardware.
- Native 128-bit BitLocker encryption and remote device management of Windows Phone.
- Unified Extensible Firmware Interface (UEFI) secure boot protocol and Firmware over the air for Windows Phone updates.
- Features improved app sandboxing and VoIP and video chat integration for any VoIP or video chat app.
FIGURE 16.53: Windows Phone 8 Architecture (Windows Phone vs. Windows 8 native API differences: CoreApplication (WinRT), DirectX 11.1, XAudio2 (COM), Connection Manager (WinRT), Sensors (WinRT), Location (WinRT), Bluetooth (WinRT), Proximity (WinRT), Camera (WinRT), Contacts (WinRT); base layer: CRT (C/C++), Threading (WinRT), MoCOM (WinRT), Base Types/Windows.Foundation (WinRT))
Secure Boot Process

Source: http://www.uefi.org

The goal of the SafeBoot feature of Windows Phone 8 is a boot process that launches the OS safely and guarantees that only trusted components get loaded. Each device gets a distinct key embedded into a chip, along with common keys from Microsoft and the OEM, and the fuse is then soldered on the chip. When you first switch on the power, the firmware starts a Unified Extensible Firmware Interface (UEFI) environment that validates the hash of these keys against the signatures on the initial boot loaders to confirm the operating environment. In this stage the signatures on the Windows Phone boot manager are checked so that only genuine and trusted components are permitted to start. Microsoft requires that its own binaries as well as the OEM binaries carry a digital signature signed by Microsoft, which shields the applications and the boot system from malware. No one can access all the keys required to start the system, so it is not possible to build custom ROMs, because their signatures would differ from the original signatures.
Microsoft has also reduced the OS footprint. All applications are expected to run in the same sandbox as third-party marketplace apps, which also covers OEM driver customizations. If an attacker manages to compromise an application with malware, the malware can only access the content inside that sandbox, which prevents it from gaining access to the lower system levels of the device.
Figure: Windows Phone 8 boot flow: Power On, OS Boot, Update Boot to OS Boot, Flashing Mode
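The chain of trust described above (a key fingerprint anchored in hardware, every boot stage signed, and any image altered after signing refused) can be modelled in a few lines. The following is an added example, not Microsoft's, the UEFI Forum's or EC-Council's code. It assumes a fuse that stores only the SHA-256 fingerprint of the root public key, boot images that carry the public key, payload and signature, and a toy RSA key built from two small Mersenne primes so that the block runs with the Python standard library alone; real devices use much larger keys and a proper signature padding scheme.

```python
"""Simplified model of a hardware-anchored secure boot chain (added example,
not Microsoft's, the UEFI Forum's or EC-Council's code).

Assumptions, all constructed for illustration: the device "fuse" holds only
the SHA-256 fingerprint of the root public key; each boot image carries the
root public key, its payload, and an RSA signature over the payload hash.
The RSA modulus uses two small Mersenne primes so the block needs no
third-party library; real keys are 2048 bits or longer and use RSASSA-PSS.
"""
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Toy RSA parameters: 2**61-1 and 2**31-1 are both prime (Mersenne primes).
_P, _Q = (1 << 61) - 1, (1 << 31) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python >= 3.8)


def _digest_int(data: bytes) -> int:
    # Truncated SHA-256 (80 bits) so the value stays below the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:10], "big")


def sign(payload: bytes, d: int = _D) -> int:
    """Signing step performed at build time by the key holder."""
    return pow(_digest_int(payload), d, _N)


def verify(payload: bytes, signature: int, pubkey: tuple[int, int]) -> bool:
    n, e = pubkey
    return pow(signature, e, n) == _digest_int(payload) % n


@dataclass(frozen=True)
class BootStage:
    name: str
    pubkey: tuple[int, int]   # (n, e) embedded in the image
    payload: bytes
    signature: int


def key_fingerprint(pubkey: tuple[int, int]) -> bytes:
    """What the fuse stores: a hash of the key, not the key itself."""
    n, e = pubkey
    return hashlib.sha256(n.to_bytes(16, "big") + e.to_bytes(4, "big")).digest()


def verify_chain(fused_key_hash: bytes, stages: list[BootStage]) -> list[str]:
    """Return the names of the stages that verified and were allowed to run.

    Stops at the first stage whose embedded key is not the fused root key or
    whose signature does not verify, mirroring how UEFI secure boot refuses
    to hand off to an untrusted loader.
    """
    booted = []
    for stage in stages:
        if key_fingerprint(stage.pubkey) != fused_key_hash:
            break   # key substituted: not the OEM/Microsoft root key
        if not verify(stage.payload, stage.signature, stage.pubkey):
            break   # payload modified after signing
        booted.append(stage.name)
    return booted


ROOT_PUBKEY = (_N, _E)
FUSED_HASH = key_fingerprint(ROOT_PUBKEY)   # burned into the chip at manufacture


def build_genuine_chain() -> list[BootStage]:
    chain = []
    for name in ("UEFI boot manager", "Windows Phone OS loader", "kernel"):
        payload = f"{name} image bytes".encode()   # constructed stand-in for firmware
        chain.append(BootStage(name, ROOT_PUBKEY, payload, sign(payload)))
    return chain


def build_tampered_chain() -> list[BootStage]:
    """A loader patched after signing (a custom ROM): its signature no longer matches."""
    chain = build_genuine_chain()
    loader = chain[1]
    chain[1] = BootStage(loader.name, loader.pubkey,
                         loader.payload + b" +custom-rom", loader.signature)
    return chain


def build_resigned_chain() -> list[BootStage]:
    """An image carrying a key that is not the fused root key is rejected before
    its signature is even examined."""
    chain = build_genuine_chain()
    rogue_key = (_N, 3)   # constructed: any key other than the fused root key
    first = chain[0]
    chain[0] = BootStage(first.name, rogue_key, first.payload, first.signature)
    return chain


if __name__ == "__main__":
    print("genuine :", verify_chain(FUSED_HASH, build_genuine_chain()))
    print("tampered:", verify_chain(FUSED_HASH, build_tampered_chain()))
    print("resigned:", verify_chain(FUSED_HASH, build_resigned_chain()))
```

The genuine chain boots all three stages, the patched loader halts the chain after the boot manager, and the re-keyed image halts it immediately: this is the property the text attributes to SafeBoot, that an image must both be signed and be signed with a key the hardware already trusts.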
be changed that are not mandatory but enhance security if applied. The following are a few guidelines that help in securing Windows Phone devices:

- Download apps only from trusted sources like Zune Marketplace
- Keep your phone updated with WP8 security updates
- Make sure to clear all your browsing history from Internet Explorer
- Use Zune desktop software to back up your device data
- Avoid accessing password-protected websites on your Windows Phone while you are on unsecured Wi-Fi networks
- Set up a password for the WP8 lock screen
- Protect your WP8 SIM (Subscriber Identity Module) with a PIN (personal identification number)
Module Flow

BlackBerry is a brand of wireless handheld devices and services developed by Research In Motion (RIM). Attackers are also concentrating on BlackBerry devices.

Module flow diagram: Hacking Android OS, Hacking iOS, Hacking Windows Phone OS, Hacking BlackBerry, Mobile Device Management, Mobile Security Guidelines and Tools, Mobile Pen Testing
This section introduces you to t h e BlackBerry operating system, BlackBerry enterprise solution architecture, and attack vectors. It also covers guidelines for securing BlackBerry devices.
BlackBerry Operating System

BlackBerry OS is a proprietary mobile operating system developed by Research In Motion (RIM) for its BlackBerry line of smartphones and handheld devices. It includes a Java-based third-party application framework that implements J2ME Mobile Information Device Profile v2 (MIDP2) and Connected Limited Device Configuration (CLDC), as well as a number of RIM-specific APIs. Some of the features of BlackBerry include:

- Native support for corporate email
- BlackBerry Enterprise Server
- BlackBerry Messenger
- BlackBerry Internet Service
- BlackBerry email client
BlackBerry Enterprise Solution Architecture

BlackBerry Enterprise Solution allows mobile users to wirelessly access their organization's email and other business-critical applications safely and securely. The BlackBerry Enterprise Solution Architecture is comprised of six vital elements: BlackBerry Enterprise Server, BlackBerry Mobile Data System, BlackBerry Smartphones, Devices with BlackBerry Connect software, BlackBerry Alliance Program, and BlackBerry Solution Services. The enterprise server, together with enterprise messaging and collaboration systems, provides email access to mobile users, enterprise instant messaging, and personal information management tools. Poorly configured firewalls increase the risk of attacks. The web, database, and application servers contain vulnerabilities; if the attacker detects those vulnerabilities, then he or she can easily carry out an attack and take control over the entire server.
Figure: BlackBerry Enterprise Solution architecture (BlackBerry Smartphones, Wireless Networks, Instant Messaging Servers, BlackBerry Solution Services, BlackBerry Alliance Program)
BlackBerry Attack Vectors

BlackBerry is prone to many attacks since there are many new tools and methods available for finding potential vulnerabilities present on BlackBerry devices. Attack vectors such as luring users into downloading malicious software onto their mobiles and finding website vulnerabilities using tools are a few of the techniques used by an attacker for carrying out attacks on BlackBerry devices. Apart from these techniques there are many more attack vectors that allow attackers to launch attacks on BlackBerrys, including:

- Malicious Code Signing
- Memory and Processes Manipulations
- Email Exploits
- TCP/IP Connections Vulnerabilities
- BlackBerry Malware
- JAD File Exploits
- Short Message Service (SMS) Exploits
- PIM Data Attacks
- Telephony Attacks
Malicious Code Signing

BlackBerry applications must be signed by RIM to get full access to the operating system APIs. If a required signature is missing or the application is altered after signing, the JVM will either refuse or restrict the API access to the application or will fail at run-time with an error message. Attackers can obtain code-signing keys anonymously using prepaid credit cards and false details, sign a malicious application, and publish it on the BlackBerry App World. Attackers can also compromise a developer's system to steal code-signing keys and the passwords to decrypt the encrypted keys. A pictorial representation of malicious code signing follows:
Figure: malicious code signing flow: the attacker obtains code-signing keys anonymously using prepaid credit cards and false details, creates a malicious app, signs it through the code signing service, and publishes it on BlackBerry App World; the user downloads the malicious app, which then sends all incoming messages and sensitive data to the attacker.
JAD File Exploits and Memory/Processes Manipulations

JAD File Exploits

JAD (Java Application Descriptor) files include the attributes of a Java application, such as the app description, vendor details, and size, and provide the URL where the application can be downloaded. They are used as a standard way to provide Over The Air (OTA) installation of Java applications on J2ME mobile devices. Attackers can use specially crafted .jad files with spoofed information to trick users into installing malicious apps.

Memory/Processes Manipulations

Attackers can create malicious applications by creating an infinite loop, with a break condition in the middle that will always be false, to bypass compiler verification. It will cause a denial-of-service (DoS) attack when the malicious application is run, rendering the device unresponsive.
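A descriptor is only trustworthy if its metadata agrees with where the binary really comes from, so the defensive counterpart of the JAD trick above is a checker that parses the .jad and flags the inconsistencies a spoofed file relies on. The following is an added example, not RIM's or EC-Council's code. It uses the standard MIDP attribute names plus the RIM-COD-URL and RIM-COD-Size attributes BlackBerry descriptors carry; the host the descriptor was served from, the observed binary sizes, and both sample descriptors are constructed inputs.

```python
"""Consistency checker for J2ME Java Application Descriptor (.jad) files
(added example, not RIM's or EC-Council's code).

Flags what a spoofed descriptor depends on: a trusted-looking vendor or app
name whose binary is actually fetched from somewhere else, duplicated
attribute lines that hide a second value, plaintext download URLs, and
declared sizes that do not match the binary.  Sample descriptors, the
serving host and the observed sizes are constructed for illustration.
"""
from __future__ import annotations
from urllib.parse import urlparse

REQUIRED = ("MIDlet-Name", "MIDlet-Version", "MIDlet-Vendor",
            "MIDlet-Jar-URL", "MIDlet-Jar-Size",
            "MicroEdition-Profile", "MicroEdition-Configuration")
# URL attribute -> matching size attribute (MIDP standard and BlackBerry .cod)
BINARY_SIZE_KEYS = {"MIDlet-Jar-URL": "MIDlet-Jar-Size",
                    "RIM-COD-URL": "RIM-COD-Size"}


def parse_jad(text: str) -> tuple[dict[str, str], list[str]]:
    """Parse 'Key: Value' lines.  A duplicated key is reported because the
    installer keeps the last value while a casual reader sees the first."""
    attrs: dict[str, str] = {}
    findings: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            findings.append(f"line {lineno}: malformed attribute line")
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key in attrs:
            findings.append(f"duplicate attribute {key!r} (earlier value overridden)")
        attrs[key] = value
    return attrs, findings


def check_jad(text: str, served_from: str,
              actual_sizes: dict[str, int] | None = None) -> list[str]:
    """Return findings for one descriptor; an empty list means it is consistent.

    served_from:  host the .jad itself was downloaded from (assumed known).
    actual_sizes: optional {url: bytes} sizes observed when fetching binaries.
    """
    attrs, findings = parse_jad(text)
    for key in REQUIRED:
        if key not in attrs:
            findings.append(f"missing required attribute {key}")
    for url_key, size_key in BINARY_SIZE_KEYS.items():
        url = attrs.get(url_key)
        if url is None:
            continue
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            findings.append(f"{url_key}: unexpected scheme {parsed.scheme!r}")
        elif parsed.scheme == "http":
            findings.append(f"{url_key}: binary fetched over plaintext HTTP")
        if parsed.hostname and parsed.hostname.lower() != served_from.lower():
            findings.append(f"{url_key}: binary host {parsed.hostname} differs "
                            f"from descriptor host {served_from}")
        declared = attrs.get(size_key)
        if declared is not None and not declared.isdigit():
            findings.append(f"{size_key}: non-numeric size {declared!r}")
        elif (declared is not None and actual_sizes and url in actual_sizes
              and int(declared) != actual_sizes[url]):
            findings.append(f"{size_key}: declared {declared} bytes, "
                            f"observed {actual_sizes[url]}")
    return findings


# Constructed descriptor served from apps.example.com: consistent.
GENUINE_JAD = """\
MIDlet-Name: ExpenseTracker
MIDlet-Version: 1.2.0
MIDlet-Vendor: Example Corp
MIDlet-Jar-URL: https://apps.example.com/ExpenseTracker.jar
MIDlet-Jar-Size: 48212
MicroEdition-Profile: MIDP-2.0
MicroEdition-Configuration: CLDC-1.1
"""

# Constructed spoof: same vendor and app name, but a second Jar-URL line sends
# the installer to another host over HTTP for a binary of a different size.
SPOOFED_JAD = """\
MIDlet-Name: ExpenseTracker
MIDlet-Version: 1.2.0
MIDlet-Vendor: Example Corp
MIDlet-Jar-URL: https://apps.example.com/ExpenseTracker.jar
MIDlet-Jar-URL: http://198.51.100.23/et.jar
MIDlet-Jar-Size: 48212
MicroEdition-Profile: MIDP-2.0
MicroEdition-Configuration: CLDC-1.1
"""

if __name__ == "__main__":
    print("genuine:", check_jad(GENUINE_JAD, "apps.example.com"))
    for finding in check_jad(SPOOFED_JAD, "apps.example.com",
                             {"http://198.51.100.23/et.jar": 61000}):
        print("spoofed:", finding)
```

The genuine descriptor produces no findings; the spoofed one is flagged four times (duplicate URL attribute, plaintext download, binary host mismatch, size mismatch), which is the kind of check an enterprise OTA gateway can run before a descriptor ever reaches a handset.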
Short Message Service (SMS) Exploits

Premium Rate Scam

Regular PC users are more likely to be targeted by premium rate "dialers," applications that connect a user's modem to a premium rate telephone number, which results in larger service provider bills than expected. The same mechanism applies to BlackBerry, using premium rate SMS messages rather than a modem. The working of the application is illustrated in the figure that follows:
Figure: premium rate scam flow: the user downloads and runs the malicious app; if the app is not signed, the device asks "Allow N/W Connection?" and the user agrees; the app sends premium rate messages to the premium rate service in the background, and the user receives a huge bill from the service provider.
SMS Interception

Sending and receiving of messages can be done easily by the unsigned application. The messages from a compromised BlackBerry can be sent and received by third parties easily using a malicious application. The malicious application works as shown here:
Figure: SMS interception flow: the user downloads and runs the malicious app (a game); if the app is not signed, the device asks "Allow N/W Connection?" and the user agrees; the user quits the game, but the app runs silently in the background, sends a notification SMS to the attacker, and forwards all incoming messages.
SMS Backdoor

SMS is basically used as a command and control channel by the signed malicious application for a backdoor. This malicious application has the ability to send and receive messages, steal or alter confidential or personal data, and open TCP/IP connections. The incoming SMS messages are monitored thoroughly for keywords or for important phone numbers. These messages are interpreted as the attacker's commands for carrying out certain malicious activities.
Figure: SMS backdoor flow: the user downloads and runs the malicious app; the attacker opens TCP/IP connections, and the app sends all incoming messages and sensitive data to the attacker.
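Both the premium rate scam and the interception/backdoor behaviour described above leave a recognisable trace in the device's message history: bursts of outgoing messages to a short code from an app that is not the messaging client, and outgoing messages that repeat the body of a just-received message to a number other than its sender. The following is an added example, not EC-Council's or RIM's code, that runs those two detections over a constructed event log; the column layout (time, direction, peer number, app, body) is an assumption about what an MDM agent or carrier gateway could export.

```python
"""Detection logic for the premium-rate and SMS-forwarding abuse patterns
described above (added example, not EC-Council's or RIM's code).

The event log is constructed.  Its layout (timestamp, direction, peer number
or short code, app that handled the message, body) is an assumption about
what an MDM agent or carrier gateway could export.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SMS_LOG = """\
2012-07-31T09:40:02 in  +15551230001 Messages Lunch at 12?
2012-07-31T09:40:05 out +15551230001 Messages Sure, see you there
2012-07-31T09:40:06 out +447700900111 CoolGame Lunch at 12?
2012-07-31T09:41:10 in  +15551230002 Messages OTP 482913 for your bank login
2012-07-31T09:41:11 out +447700900111 CoolGame OTP 482913 for your bank login
2012-07-31T09:45:00 out 82222 CoolGame PLAY
2012-07-31T09:45:01 out 82222 CoolGame PLAY
2012-07-31T09:45:02 out 82222 CoolGame PLAY
2012-07-31T10:02:13 out 82222 CoolGame PLAY
2012-07-31T10:30:00 out 40404 Messages hello from my phone
"""


@dataclass(frozen=True)
class SmsEvent:
    ts: datetime
    direction: str   # "in" or "out"
    peer: str        # remote number or short code
    app: str         # app that sent or received the message
    body: str


def parse_log(text: str) -> list[SmsEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, peer, app, body = line.split(maxsplit=4)
        events.append(SmsEvent(datetime.fromisoformat(ts), direction, peer, app, body))
    return events


def find_forwarding(events: list[SmsEvent],
                    window: timedelta = timedelta(seconds=60)) -> dict[tuple[str, str], int]:
    """Count outgoing messages whose body repeats a recent incoming message and
    whose destination is not that message's sender: the interception and
    backdoor behaviour that relays what the user receives to a third party."""
    counts: dict[tuple[str, str], int] = defaultdict(int)
    recent_in: list[SmsEvent] = []
    for ev in events:
        if ev.direction == "in":
            recent_in.append(ev)
            continue
        for inc in recent_in:
            if ev.ts - inc.ts <= window and ev.body == inc.body and ev.peer != inc.peer:
                counts[(ev.app, ev.peer)] += 1
    return dict(counts)


def find_premium_bursts(events: list[SmsEvent], threshold: int = 3,
                        window: timedelta = timedelta(minutes=10)) -> dict[tuple[str, str], int]:
    """Flag (app, short code) pairs that send at least `threshold` messages
    inside `window`.  Short codes (up to 6 digits) are where premium-rate
    services live; a burst from a non-messaging app is the scam pattern."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ev in events:
        if ev.direction == "out" and ev.peer.isdigit() and len(ev.peer) <= 6:
            by_pair[(ev.app, ev.peer)].append(ev.ts)
    flagged = {}
    for pair, times in by_pair.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                flagged[pair] = len(times)   # total messages to that short code
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SMS_LOG)
    print("forwarding:", find_forwarding(evs))
    print("premium   :", find_premium_bursts(evs))
```

On the constructed log the game app is the only offender on both counts: it relays two incoming messages (one of them a one-time password) to a foreign number within seconds of their arrival, and it fires three messages at a short code inside two seconds. The single message the messaging client sends to a short code is not flagged, which keeps legitimate short-code use out of the alert.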
Email Exploits

On BlackBerry mobiles, all email is sent, received, and read through the net.rim.blackberry.api.mail package, and this package can be used only by signed applications. The BlackBerry attachment service supports only files with extensions such as .doc, .pdf, .txt, .wpd, .xls, and .ppt, but any kind of file can be sent via email. An attachment with file type .cod is not supported by BlackBerry.
Figure: email exploit flow: the attacker sends an email to a BlackBerry user (the figure's sample message: From: mary@company.com, To: "Bob Brickhaus" <bb@company.com>, Subject: Cool game, "Hey, check out this cool new game!") prompting them to download and install the .cod file; the .cod file installs itself as a start-up process with no icon, enumerates the user's contact list, and forwards the email to everyone on the list.
PIM Data Attacks

Personal Information Management (PIM) data in the PIM database of a BlackBerry device includes address books, calendars, tasks, and memo pad information. Attackers can create malicious signed applications that read all the PIM data and send it to an attacker using different transport mechanisms. The malicious applications can also delete or modify the PIM data.

TCP/IP Connections Vulnerabilities

If the device firewall is off, signed apps can open TCP connections without the user being prompted. Malicious apps installed on the device can create a reverse connection with the attacker, enabling him or her to use the infected device as a TCP proxy and gain access to the organization's internal resources. Attackers can also exploit the reverse TCP connection for backdoors and perform various malicious information gathering attacks.
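A device used as a TCP proxy for a reverse connection shows a distinctive shape in flow records: one long-lived session to an outside host kept open while the handset, which normally talks to a mail server and little else, fans out to many internal addresses. The following is an added example, not EC-Council's or RIM's code, that looks for that shape; the flow records are constructed, and their layout (device, destination IP, destination port, session duration in seconds) is an assumption about what a BES log, an MDM agent or a VPN concentrator could provide.

```python
"""Flow-log check for the reverse TCP proxy pattern described above (added
example, not EC-Council's or RIM's code).

Flow records are constructed.  The layout (device, destination IP,
destination port, session duration in seconds) is an assumption about what
a BES log, an MDM agent or a VPN concentrator could export.
"""
from __future__ import annotations
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]

# Constructed flows: dev-A keeps one long outbound session to an external
# host while reaching several internal hosts; dev-B is ordinary mail traffic.
FLOW_LOG = """\
dev-A 203.0.113.9 443 1800
dev-A 10.1.2.3 445 5
dev-A 10.1.2.4 445 4
dev-A 10.1.5.10 80 3
dev-A 10.1.5.11 22 7
dev-B 198.51.100.7 443 30
dev-B 10.1.2.3 443 12
"""


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def find_proxy_suspects(flow_text: str, min_duration: int = 600,
                        min_internal_hosts: int = 3) -> dict[str, dict]:
    """Return devices that hold a long-lived external session while touching
    an unusual number of distinct internal hosts: the device is probably
    relaying traffic for the remote end of that session."""
    external_sessions: dict[str, list[tuple[str, int]]] = defaultdict(list)
    internal_hosts: dict[str, set[str]] = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        device, dst_ip, _dst_port, duration = line.split()
        if is_internal(dst_ip):
            internal_hosts[device].add(dst_ip)
        elif int(duration) >= min_duration:
            external_sessions[device].append((dst_ip, int(duration)))
    suspects = {}
    for device, sessions in external_sessions.items():
        targets = internal_hosts.get(device, set())
        if len(targets) >= min_internal_hosts:
            peer, secs = max(sessions, key=lambda s: s[1])
            suspects[device] = {"external_peer": peer,
                                "session_seconds": secs,
                                "internal_hosts": len(targets)}
    return suspects


if __name__ == "__main__":
    for device, info in find_proxy_suspects(FLOW_LOG).items():
        print(device, info)
```

Only dev-A is reported: its 30-minute session to 203.0.113.9 coincides with connections to four internal hosts on SMB, HTTP and SSH ports. The thresholds are deliberately parameters, since a fleet's normal internal fan-out (mail, MDM, intranet) has to be measured before they are set; the device-side mitigation the text names, keeping the device firewall on so unsigned apps cannot open TCP connections silently, removes the pattern at its source.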
BlackBerry Spyware: FinSpy Mobile

Figure: FinSpy Mobile installation prompt as shown on the device (Name: rlc_channel_mode_updater, Version: 4.1, Vendor: TellCOM Systems LTD, Size: 139.0KB, Description: Common Communication Update DSCH/USCH V32, "Set application permissions", Download | Cancel)

FinSpy Mobile provides the remote user with:

- Recording of common communications such as voice calls, SMS/MMS, and emails
- Live surveillance through silent calls
- File download (contacts, calendar, pictures, files)
- Country tracing of target (GPS and cell ID)
- Full recording of all BlackBerry Messenger communications
- Covert communications with headquarters
Guidelines for Securing BlackBerry Devices

Every user must follow guidelines to protect their BlackBerry devices against various attacks:

- Use the content protection feature for protecting data on the BlackBerry Enterprise Network
- Use password encryption for protecting files on BlackBerry devices
- Use BlackBerry Protect or other security apps for securing confidential data
- Enable SD-card/media card encryption for protecting data
- Enterprises should follow a security policy for managing BlackBerry devices
- Maintain a monitoring mechanism for network infrastructure on the BlackBerry Enterprise Network
- Disable unnecessary applications from the BlackBerry Enterprise Network
- Provide training on security awareness and attacks on handheld devices on the BlackBerry Enterprise Network
Module Flow

So far, we have discussed various mobile platform attack vectors, and how to hack Android OS, iOS, Windows Phone OS, and BlackBerry. Now, we will discuss Mobile Device Management (MDM), software that secures, monitors, manages, and supports mobile devices.

Module flow diagram: Hacking Android OS, Hacking iOS, Hacking Windows Phone OS, Hacking BlackBerry, Mobile Device Management, Mobile Security Guidelines and Tools, Mobile Pen Testing
This section introduces you to MDM and its logical architecture. It also covers various MDM solutions.
Mobile Device Management (MDM)

Mobile Device Management software is a vital component that monitors, safeguards, manages, and supports different types of mobile devices and tablets, including iPhone, iPad, Android, and BlackBerry, along with the applications that run on them. It monitors all mobile devices with different operating systems such as Android, Windows, and Symbian. Mobile Device Management (MDM) provides platforms for over-the-air or wired distribution of applications, data, and configuration settings for all types of mobile devices, including mobile phones, smartphones, tablet computers, etc. With the help of MDM, enterprise-wide policies can be implemented easily to reduce support costs, time, business discontinuity, and security threats. It helps system administrators deploy and manage software applications across all enterprise mobile devices in order to secure, monitor, manage, and support those devices. All the company-owned, consumer-owned, and employee-owned (BYOD) devices across the enterprise can be easily managed with its help. MDM can reduce support costs and minimize business threats by safeguarding and controlling all the data and configuration settings of all the mobile devices in the network.

Figure: MDM managing Windows, SmartPhone, Symbian OS, and Tablet PC devices
FIGURE 16.61: Mobile Device Management (MDM) (components shown: File System, MDM Server)
MDM Logical Architecture

Figure: MDM logical architecture (External Participants: Partners, External Data Providers; Internal Participants; SOA layer: Message Mediation, Routing Transport, Publish Subscribe, Synchronous/Asynchronous, Quality of Service, Service Integration; Central Management Services; Analytics Services; Master Data Management Services; Information Integration Services; Enterprise Metadata Management Services; Initial and Incremental Loads (batch extract, transform, load))
MDM Solution: MaaS360 Mobile Device Management (MDM)

Source: http://www.maas360.com

The MaaS360 Mobile Device Management (MDM) solution is a software technology that allows you to monitor and govern mobile devices arriving in the organization, whether they are provided by the company or are part of a Bring Your Own Device (BYOD) program. It allows organizations to implement the MDM lifecycle for devices such as smartphones and tablets, including iPhones, iPads, Androids, Windows Phones, BlackBerrys, and Kindle Fires. Using its integrated cloud platform, MaaS360 streamlines MDM with improved visibility and control that spans mobile devices, applications, and documents.
FIGURE 16.63: MaaS360 Mobile Device Management (MDM)
MDM Solutions

In addition to MaaS360 Mobile Device Management (MDM), software technologies that offer integrated management of all the mobile devices in an organization for MDM include:

- Citrix XenMobile MDM available at http://www.zenprise.com
- Absolute Manage MDM available at http://www.absolute.com
- SAP Afaria available at http://www.sybase.com
- Device Management Centre available at http://www.sicap.com
- AirWatch available at http://www.air-watch.com
- Good Mobile Manager available at http://www1.good.com
- MobileIron available at http://www.mobileiron.com
- Rule Mobility available at http://www.tangoe.com
- TARMAC available at http://www.tarmac-mdm.com
- MediaContact available at http://www.device-management-software.com
Module Flow

So far, we have discussed various topics such as mobile platform attack vectors, hacking methods for Android OS, iOS, Windows Phone OS, and BlackBerry, and how to manage mobile devices. All these topics discussed so far help in testing mobile devices. Now, we will discuss mobile security guidelines and tools that help in securing mobile devices.

Module flow diagram: Hacking Android OS, Hacking iOS, Hacking Windows Phone OS, Hacking BlackBerry, Mobile Device Management, Mobile Security Guidelines and Tools, Mobile Pen Testing
S ecu rity
Q Do not load to o many applications and avoid au to - u p l o ad of photos to social networks Perform a security as se s s m e nt of t h e application arc hitecture Q Maintain c onfiguration control and m a n a g e m e n t Q Install applications from tr u s te d application stores 0 Do not add location-based fe a t u re s such as Google Maps unless t h e r e is a c o m p o n e n t th at su pports th e application
Q Ensure t h a t your Bluetooth is off" by default; turn it on wh e n ever it is necessary Q Do not share information within GPS-enabled a p p s unless necessary Never connect tw o s e p ar a te networks such as Wi-Fi an d Bluetooth simultaneously
EC-C0U nCil
General Guidelines for Mobile Platform Security (Contd)

The following guidelines will help you to secure your mobile device from many types of attack:

1. Use a passcode for mobile device security: Configure a strong passcode with the maximum possible length to gain access to your mobile devices. Set an idle timeout to automatically lock the phone when not in use. Enable the lockout/wipe feature after a certain number of failed attempts.
2. Update the OS and apps regularly.
3. Enable remote management: In an enterprise environment, use Mobile Device Management (MDM) software to secure, monitor, manage, and support mobile devices deployed across the organization.
4. Do not allow rooting or jailbreaking: Ensure your MDM solution prevents or detects rooting/jailbreaking, and include this clause in your mobile security policy.
5. Use remote wipe services such as Remote Wipe (Android) and Find My iPhone or FindMyPhone (Apple iOS) to locate your device should it be lost or stolen.
6. If supported, configure your mobile device to encrypt its storage with hardware encryption.
General Guidelines for Mobile Platform Security (Contd)

- Use a secure, over-the-air backup-and-restore tool that performs periodic background synchronization
- Filter email-forwarding barriers: Filter emails by configuring server-side settings of the corporate email system, and use commercial data loss prevention filters
- Harden browser permission rules according to the company's security policies to avoid attacks
- Design and implement mobile device policies: Set a policy that defines the accepted usage, levels of support, and type of information access on different devices
General Guidelines for Mobile Platform Security (Contd)

- Set Require Passcode to Immediately
- Thwart passcode guessing: set Erase Data to ON
- Enable Auto-Lock and set it to one minute
- Encrypt the device and backups
- Control the location of backups
- Configure wireless to Ask to Join Networks
- Software maintenance
- Data stays in the data center
- App/device control
- No USB key capability
- Encrypted backups
- Email not cached locally
- Application/data sandboxing
General Guidelines for Mobile Platform Security (Contd)

- Disable the collection of Diagnostics and Usage Data under Settings/General/About
- Apply software updates when new releases are available
- Logging and limited data on the device
- Device encryption and application patching
- Managed operating environment
- Managed application environment
- Press the power button to lock the device whenever it is not in use
- Verify the location of printers before printing sensitive documents
- Utilize a passcode lock to protect access to the mobile device; consider an eight-character, non-simple passcode
- Report a lost or stolen device to IT so they can disable certificates and other access methods associated with the device
General Guidelines for Mobile Platform Security (Contd)

- Consider the privacy implications before enabling location-based services, and limit usage to trusted applications
- Keep sensitive data off of shared mobile devices. If enterprise information is locally stored on a device, it is recommended that this device not be openly shared
- Ask your IT department how to use Citrix technologies to keep data in the datacenter and keep personal devices personal
- If you must have sensitive data on a mobile device, use follow-me data and ShareFile as an enterprise-managed solution
- (Android) Back up to a Google Account so that sensitive enterprise data is not backed up to the cloud
- Configure location services to disable location tracking for applications that you do not want to know your location
- Configure notifications to disable the ability to view notifications while the device is locked for applications that could display sensitive data
- Configure AutoFill (Auto-fill Names and Passwords) for browsers to reduce password loss via shoulder-surfing and surveillance (if desired and allowed by enterprise policy)
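The passcode, auto-lock, erase-data, encryption, backup, wireless, diagnostics, update, rooting/jailbreak and lock-screen-notification guidelines above can be checked mechanically. The following Python script is an added example, not code from the EC-Council module: it audits a device profile against those guidelines, assuming a flat-dict profile format (think of an MDM inventory export) rather than any vendor's schema, with both sample profiles constructed.

```python
"""Audit a device profile against the guidelines above: passcode (required
immediately, eight characters, non-simple), auto-lock, erase after failed
attempts, storage and backup encryption, Ask to Join Networks, diagnostics
collection, pending updates, rooting/jailbreaking, and lock-screen
notifications. Added example, not code from the EC-Council module; the
flat-dict profile format is an assumption (think of an MDM inventory
export), not any vendor's schema, and both sample profiles are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    setting: str      # profile key that failed (or was missing)
    observed: object  # value found in the profile, None if absent
    expected: str     # what the guideline asks for


# From the guidelines: "eight character non-simple passcode", "set Auto-Lock
# to one minute". The wipe threshold is assumed: the text only says "a
# certain number of attempts".
MIN_PASSCODE_LENGTH = 8
MAX_AUTO_LOCK_SECONDS = 60
MAX_FAILED_ATTEMPTS = 10  # assumed policy value


def audit_device(profile: dict) -> list:
    """Return one Finding per violated guideline ([] if compliant). A missing
    setting counts as a finding: never assume an unreported control is on."""
    findings = []

    def expect(setting, ok, expected):
        value = profile.get(setting)
        if value is None or not ok(value):
            findings.append(Finding(setting, value, expected))

    # Use a passcode: required, demanded immediately, long and non-simple.
    expect("passcode_required", lambda v: v is True, "passcode required")
    expect("require_passcode_delay_sec", lambda v: v == 0, "require passcode immediately")
    expect("passcode_min_length", lambda v: v >= MIN_PASSCODE_LENGTH,
           f"minimum passcode length {MIN_PASSCODE_LENGTH}")
    expect("simple_passcode_allowed", lambda v: v is False, "non-simple passcode only")
    # Idle timeout: lock within one minute of inactivity.
    expect("auto_lock_sec", lambda v: 0 < v <= MAX_AUTO_LOCK_SECONDS,
           f"auto-lock within {MAX_AUTO_LOCK_SECONDS} seconds")
    # Thwart passcode guessing: Erase Data ON after a bounded number of attempts.
    expect("erase_after_failed_attempts", lambda v: v is True, "Erase Data set to ON")
    expect("max_failed_attempts", lambda v: 0 < v <= MAX_FAILED_ATTEMPTS,
           f"wipe after at most {MAX_FAILED_ATTEMPTS} failed attempts")
    # Encrypt the device and its backups.
    expect("storage_encrypted", lambda v: v is True, "hardware storage encryption on")
    expect("backups_encrypted", lambda v: v is True, "encrypted backups")
    # Wireless: prompt before joining networks; privacy: no diagnostics upload.
    expect("wifi_ask_to_join", lambda v: v is True, "Ask to Join Networks enabled")
    expect("diagnostics_collection", lambda v: v is False, "diagnostics collection off")
    # Keep the OS patched, keep the device unmodified, keep the lock screen quiet.
    expect("pending_os_updates", lambda v: v == 0, "apply available software updates")
    expect("rooted_or_jailbroken", lambda v: v is False, "device not rooted/jailbroken")
    expect("sensitive_notifications_on_lock_screen", lambda v: v is False,
           "hide sensitive notifications while locked")
    return findings


# Constructed sample profiles.
HARDENED_PROFILE = {
    "passcode_required": True, "require_passcode_delay_sec": 0,
    "passcode_min_length": 8, "simple_passcode_allowed": False,
    "auto_lock_sec": 60, "erase_after_failed_attempts": True,
    "max_failed_attempts": 10, "storage_encrypted": True,
    "backups_encrypted": True, "wifi_ask_to_join": True,
    "diagnostics_collection": False, "pending_os_updates": 0,
    "rooted_or_jailbroken": False, "sensitive_notifications_on_lock_screen": False,
}
WEAK_PROFILE = {
    "passcode_required": True, "require_passcode_delay_sec": 300,
    "passcode_min_length": 4, "simple_passcode_allowed": True,
    "auto_lock_sec": 600, "erase_after_failed_attempts": False,
    # max_failed_attempts deliberately missing: reported as a finding
    "storage_encrypted": True, "backups_encrypted": False,
    "wifi_ask_to_join": False, "diagnostics_collection": True,
    "pending_os_updates": 2, "rooted_or_jailbroken": True,
    "sensitive_notifications_on_lock_screen": True,
}

if __name__ == "__main__":
    for f in audit_device(WEAK_PROFILE):
        print(f"{f.setting}: observed {f.observed!r}, expected {f.expected}")
```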
Mobile Device Security Guidelines for Administrator

The administrator should follow the guidelines listed here to implement mobile device security:

1. Publish an enterprise policy that specifies the acceptable usage of consumer-grade devices and bring-your-own devices in the enterprise
2. Publish an enterprise policy for cloud
3. Enable security measures such as antivirus to protect the data in the datacenter
4. Implement a policy that specifies what levels of application and data access are allowable on consumer-grade devices, and which are prohibited
5. Specify a session timeout through Access Gateway
6. Specify whether the domain password can be cached on the device, or whether users must enter it every time they request access
7. Determine the allowed Access Gateway authentication methods from the following: No authentication; Domain only
Mobile Protection Tool: BullGuard Mobile Security

Source: http://www.bullguard.com

BullGuard Mobile Security delivers complete mobile phone antivirus against all mobile phone viruses. It tracks a stolen or lost mobile via the built-in GPS and locks it or wipes the data off it, to make sure no one can access your personal information, passwords, and financial data.

BullGuard Mobile Security screenshot (panels: Antivirus, Basic Backup, Parental Control, Antitheft, Application and SD card scan)
Mobile Protection Tool: Lookout

Source: https://www.lookout.com

Lookout protects your phone from mobile threats. It helps you to avoid risky behavior such as connecting to an unsecured Wi-Fi network, downloading a malicious app, or clicking on a fraudulent link, in order to prevent identity theft, financial fraud, and the loss of your most personal data.

- Backup: Provides safe, secure, and seamless backup of your mobile data, automatically over the air
- Missing Device: Helps you find your phone if it's lost or stolen
- Management: Allows you to remotely manage your phone through the dashboard

FIGURE 16.65: Lookout Screenshot
Mobile Protection Tool: WISeID

Source: http://www.wiseid.mobi

WISeID provides secure and easy-to-use encrypted storage for personal data, personally identifiable information (PII), PINs, credit and loyalty cards, notes, and other information. WISeID allows you to store your websites, user names, and passwords and quickly log on to your favorite websites through your mobile device.

FIGURE 16.66: WISeID Screenshot
Mobile Protection Tools

In addition to BullGuard Mobile Security, Lookout, and WISeID, a number of other tools are available for mobile protection:

- McAfee Mobile Security, available at https://www.mcafeemobilesecurity.com
- AVG AntiVirus Pro for Android, available at http://www.avg.com
- avast! Mobile Security, available at http://www.avast.com
- Norton Mobile Security, available at http://us.norton.com
- ESET Mobile Security, available at http://www.eset.com
- Kaspersky Mobile Security, available at http://www.kaspersky.com
- F-Secure Mobile Security, available at http://www.f-secure.com
- Trend Micro Mobile Security, available at http://www.trendmicro.com
- Webroot SecureAnywhere Mobile, available at http://www.webroot.com
- NetQin Mobile Security, available at http://www.netqin.com
Module Flow

With the increasing use of smartphones for business and online transactions, attackers are concentrating on launching various kinds of attacks for financial gain. Therefore, as a smart mobile phone user, you should check your mobile security against possible attacks. You can test the security with the help of mobile pen testing.

Module flow diagram: Mobile Platform Attack Vectors, Hacking Android OS, Hacking iOS, Hacking Windows Phone OS, Hacking BlackBerry, Mobile Device Management, Mobile Security Guidelines and Tools, Mobile Pen Testing
Android Phone Pen Testing

1. Root an Android phone
2. Perform DoS and DDoS attacks
3. Check for vulnerabilities in the Android browser: Check whether a cross-application-scripting error is present in the Android browser, which allows hackers to easily hack the Android device and try to break down the web browser's sandbox using infected JavaScript code
4. Check whether the email password is stored as plaintext in the SQLite database, and also check whether Skype on Android uses an unencrypted SQLite database to store contacts, profile information, and instant message logs
5. Check for vulnerabilities in Intents: Try to use intents (steal, modify, or replace) to hack the phone and obtain the user's private information, and use the ComDroid tool to detect an application's communication vulnerabilities
6. Detect capability leaks in Android devices: Use the Woodpecker tool to detect capability leaks in Android devices
iPhone Pen Testing

1. Jailbreak the iPhone using tools such as RedSn0w, Absinthe, Sn0wbreeze, PwnageTool, etc.
2. Unlock the iPhone using tools such as iPhoneSimFree and anySIM
3. Hold the power button of an iOS device till the power-off message appears. Close the smart cover till the screen shuts, and open the smart cover after a few seconds. Press the cancel button to bypass the passcode security
4. Hack the iPhone using Metasploit: Use the Metasploit tool to exploit the vulnerabilities in the iPhone. Try to send non-malicious code as a payload to the device to gain access to the device
5. Check for access point: Check for an access point with the same name and encryption type
6. Check iOS device data transmission on Wi-Fi networks: Perform a man-in-the-middle/SSL stripping attack by intercepting wireless parameters of the iOS device on a Wi-Fi network. Send malicious packets on the Wi-Fi network using the Cain & Abel tool
7. Check whether malformed data can be sent to the device: Use social engineering techniques such as sending emails or SMS to trick the user into opening links that contain malicious web pages
Windows Phone Pen Testing

1. Try to turn off the phone by sending an SMS: Send an SMS to the phone which turns off the mobile and reboots it again
2. Try to jailbreak the Windows phone: Use the WindowBreak program to jailbreak/unlock the Windows phone
3. Check for on-device encryption: Check whether the data on the phone can be accessed without a password or PIN
4. Check for vulnerabilities in Windows Phone Internet Explorer
BlackBerry Pen Testing

1. Perform blackjacking on BlackBerry: Use the BBProxy tool to hijack a BlackBerry connection
2. Check for flaws in the application code signing process
3. Perform an email exploit: Send mails or messages to trick a user into downloading a malicious .cod application file on the BlackBerry device
4. Perform a DoS attack: Try sending malformed Server Routing Protocol (SRP) packets from the BlackBerry network to the router to cause a DoS attack
5. Check for vulnerabilities in the BlackBerry Browser: Send maliciously crafted web links and trick users into opening links containing malicious web pages on the BlackBerry device
6. Search for password-protected files: Use tools such as Elcomsoft Phone Password Breaker, which can recover password-protected files and backups from BlackBerry devices
Module Summary

- The focus of attackers and malware writers has shifted to mobile devices due to the increased adoption of mobile devices for business and personal purposes and comparatively weaker security controls.
- Sandboxing helps protect systems and users by limiting the resources the app can access in the mobile platform.
- Android is a software stack developed by Google for mobile devices that includes an operating system, middleware, and key applications.
- Rooting allows Android users to attain privileged control (known as "root access") within Android's subsystem.
- Jailbreaking provides root access to the operating system and permits the download of third-party applications, themes, and extensions on iOS devices.
- An attacker can obtain code-signing keys anonymously using prepaid credit cards and false details, sign a malicious application, and publish it on the BlackBerry App World.
- Mobile Device Management (MDM) provides a platform for over-the-air or wired distribution of applications, data, and configuration settings for all types of mobile devices, including mobile phones, smartphones, tablet computers, and so on.