CEHv8 Module 16 - Hacking Mobile Platform

H a c k in g M o b ile
P la tfo r m s
M o d u le 1 6
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Hacking Mobile Platforms
H acking M obile Platform s

M o d u le 16
Engineered by Hackers. Presented by Professionals.
CEH Q
E th ic a l H a c k in g a n d C o u n te rm e a s u re s v8
M o d u le 16: H a ck in g M o b ile P la tfo rm s
E xam 3 1 2 -5 0
Module 16 Page 2393 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

All Rights Reserved. Reproduction is Strictly Prohibited.
S ecurity New s CEH

Mobile Malware Cases Nearly Triple
in First Half of 2012, Says NetQin
July 3 1 ,2 0 1 2 0 9 :4 0 A M ET
In J u n e , 3 .7 m i l l i o n p h o n e s w o r l d w i d e b e c a m e i n f e c t e d w i t h
m a lw a r e , B e ijin g re s e a rc h e r f in d s .
M o b i l e m a lw a r e is r i s in g f a s t , in f e c t in g n e a r ly 1 3 m i llio n p h o n e s in t h e
w o r l d d u r i n g t h e y e a r f i r s t h a lf o f 2 0 1 2 , u p 1 7 7 % f r o m t h e s a m e
p e r io d a y e a r a g o , a c c o r d in g t o B e ijin g - b a s e d s e c u r it y v e n d o r N e t Q in .
I n a r e p o r t d e t a ilin g t h e w o r l d 's m o b ile s e c u r it y , t h e c o m p a n y

d e t e c t e d a m a j o r s p ik e in m a lw a r e c a s e s in J u n e , w i t h a b o u t 3 .7
m i l l i o n p h o n e s b e c o m in g i n f e c t e d , a h i s t o r i c h ig h . T h is c a m e a s t h e
s e c u r it y v e n d o r f o u n d 5 ,5 8 2 m a lw a r e p r o g r a m s d e s ig n e d f o r A n d r o id
d u r i n g t h e m o n t h , a n o t h e r u n p r e c e d e n t e d n u m b e r f o r t h e p e r io d .
D u r in g t h i s y e a r 's f i r s t h a lf , N e t Q in f o u n d t h a t m o s t o f t h e d e t e c t e d
m a lw a r e , a t 7 8 % , t a r g e t e d s m a r tp h o n e s r u n n in g A n d r o id , w it h m u c h
o f t h e r e m a in d e r d e s ig n e d f o r h a n d s e t s r u n n in g N o k ia 's S y m b ia n O S .
T h is is a r e v e r s a l f r o m t h e s a m e p e r io d a y e a r a g o , w h e n 6 0 % o f t h e
d e t e c t e d m o b ile m a lw a r e w a s d e s ig n e d f o r S y m b ia n p h o n e s .
h ttp ://w w w .c o m p u te rw o rld .c o m
Copyright © by E&Cauaci. All Rights Reserved. Reproduction is Strictly Prohibited.
S e c u rity N e w s
■at m m M o b ile M a lw a re C a s e s N e a rly T rip le in F irs t H a lf o f

2012, S ay s N e tQ in
S o urce : h t t p : / / w w w . c o r n p u t e r w o r l d . c o m
In J u n e , 3 . 7 m i l l i o n p h o n e s w o r l d w i d e b e c a m e i n f e c t e d w i t h m a l w a r e , B e i j i n g r e s e a r c h e r f i n d s .
M o b i l e m a l w a r e is r i s i n g f a s t , i n f e c t i n g n e a r l y 1 3 m i l l i o n p h o n e s in t h e w o r l d d u r i n g t h e y e a r
fir s t h a lf o f 2 0 1 2 , u p 1 7 7 % f r o m th e s a m e p e rio d a y e a r ago, a c c o rd in g t o B e ijin g - b a s e d s e c u rity
v e n d o r N e tQ in .
In a r e p o r t d e t a i l i n g t h e w o rld 's m o b ile s e c u rity , th e c o m p a n y d e te c te d a m a jo r s p ik e in

m a l w a r e c a s e s in J u n e , w i t h a b o u t 3 .7 m i l l i o n p h o n e s b e c o m i n g i n f e c t e d , a h i s t o r i c h ig h . T h is
c a m e as t h e s e c u r i t y v e n d o r f o u n d 5 , 5 8 2 m a l w a r e p r o g r a m s d e s i g n e d f o r A n d r o i d d u r i n g t h e
m o n th , a n o th e r u n p r e c e d e n te d n u m b e r fo r t h e p e rio d .
D u rin g th is y e a r's f i r s t h a lf, N e tQ in f o u n d t h a t m o s t o f t h e d e t e c t e d m a lw a r e , a t 7 8 % , ta r g e t e d

s m a rtp h o n e s ru n n in g A n d ro id , w ith m u ch o f th e r e m a in d e r d e s ig n e d f o r h a n d s e ts ru n n in g
N o k ia ' s S y m b i a n OS. T h is is a r e v e r s a l f r o m t h e s a m e p e r i o d a y e a r a g o , w h e n 60% o f th e
d e te c te d m o b ile m a lw a r e w a s d e s ig n e d fo r S y m b ia n p h o n e s .

In total, NetQin detected 17,676 mobile malware programs during 2012's first half, up 42%
from the previous six months in 2011.
About a quarter of the detected malware came from China, which led among the world's
countries, while 17% came from Russia, and 16.5% from the U.S.
In China, malware is mainly spread through forums, ROM updates, and third-party app stores,
according to NetQin. So-called "remote control" Trojan malware that sends spam ads infected
almost 4.7 million phones in China.
NetQin also detected almost 3.9 million phones in China being infected with money-stealing
malware that sends out text messages to trigger fee-based mobile services. The high number of
infections would likely translate into the malware's creators netting $616,533 each day.
The surge in mobile malware has occurred at the same time that China has become the world's
largest smartphone market by shipments. Android smartphone sales lead with a 68% market
share, according to research firm Canalys.
The country's Guangdong and Jiangsu provinces, along with Beijing, were ranked as the three
highest areas in China for mobile malware.
Co pyrig ht © 1994 - 2012 C o m p u te rw o rld Inc
By Michael Kan
h ttp ://w w w .c 0 m p u te rw 0 rld .c 0 m /s/a rtic le /9 2 2 9 8 Q 2 /M 0 b ile m alw a re cases n early trip le in first
h a lf of 2012 says N etQ in

Ethical Hacking a n d C o u n te rm e a s u re s Exam 3 1 2 -5 0 C ertified Ethical H acker
M o d u le O b je c tiv e s CEH
r----- —
j M o b i l e A t t a c k V e c to r s J G u id e lin e s f o r S e c u r in g W i n d o w s OS
D e v ic e s
j M o b i l e P la t f o r m V u ln e r a b i l it ie s a n d
R isks J B la c k b e r r y A t t a c k V e c to r s
j A n d r o i d OS A r c h it e c t u r e J G u id e lin e s f o r S e c u r in g B la c k B e r r y
j A n d r o i d V u ln e r a b ilit ie s D e v ic e s
j A n d r o i d T r o ja n s J M o b i l e D e v ic e M a n a g e m e n t ( M D M )
j S e c u rin g A n d r o i d D e v ic e s J G e n e r a l G u id e lin e s f o r M o b i l e P la t f o r m
j J a ilb r e a k in g iO S S e c u r ity
j G u id e lin e s f o r S e c u r in g iO S D e v ic e s J M o b i l e P r o t e c t io n T o o ls
j W i n d o w s P h o n e 8 A r c h it e c t u r e J M o b i l e P e n T e s tin g
U
Copyright © by E&Caincl. All Rights Reserved. Reproduction is Strictly Prohibited.
M o d u le O b je c tiv e s
T h e m a i n o b j e c t i v e o f t h i s m o d u l e is t o e d u c a t e y o u a b o u t t h e p o t e n t i a l t h r e a t s o f
m o b ile p la tfo rm s and how to use th e m o b ile d e v ic e s s e c u re ly . T h is m o d u le m akes you
fa m ilia riz e w ith :
9 M o b ile A tta c k V e c to rs 9 W in d o w s P hone 8 A rc h ite c tu re
9 M o b ile P la tfo rm V u ln e ra b ilitie s 9 G u id e lin e s fo r S e c u rin g W in d o w s OS

a n d Risks D e v ic e s
9 A n d r o i d OS A r c h i t e c t u r e 9 B la c k b e rry A tt a c k V e c to rs
9 A n d ro id V u ln e ra b ilitie s 9 G u i d e l i n e s f o r S e c u r i n g B l a c k B e r r y D e v ic e s
9 A n d ro id T ro ja n s 9 M o b i l e D e v ic e M a n a g e m e n t ( M D M )
9 S e c u r i n g A n d r o i d D e v ic e s 9 G eneral G u id e lin e s fo r M o b ile P la tfo rm

S e c u rity
9 J a i l b r e a k i n g iOS
9 M o b i l e P r o t e c t i o n T o o ls
9 G u id e lin e s fo r S e c u rin g iOS
D e v ic e s 9 M o b ile Pen T e s tin g
Module 16 Page 2 3 9 6 Ethical Hacking and Countermeasures C opyright © by EC-C0UnCil

All Rights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Copyright © by EC-Couid. All Rights Reserved Reproduction is Strictly Prohibited.
M o d u le F lo w
M l
F o r b e t t e r u n d e r s t a n d i n g , t h i s m o d u l e is d i v i d e d i n t o v a r i o u s s e c t i o n s a n d e a c h s e c t i o n
d e a ls w i t h a d i f f e r e n t t o p i c t h a t is r e l a t e d t o h a c k i n g m o b i l e p l a t f o r m s . T h e f i r s t s e c t i o n d e a ls
w it h m o b ile p la tfo r m a tta c k v e c to rs .
M o b ile P la tfo rm A tta c k V e c to rs ^ ' 1‫׳‬ Hacking BlackBerry
|| Hacking Android iOS M obile Device M anagem ent
Hacking iOS Mobile Security Guidelines and Tools
Hacking W indows Phone OS ^ M obile Pen Testing
T h is s e c tio n in tro d u c e s you to th e v a rio u s m o b ile a tta c k v e c to rs and th e a ss o c ia te d

v u l n e r a b i l i t i e s a n d risk s. T h is s e c t i o n a l s o h i g h l i g h t s t h e s e c u r i t y is s u e s a r i s i n g f r o m a p p s t o r e s .

Mobile Threat Report Q2 2012 CEH
• A n d ro id M o b ile T h re at
M o b ile T h re at • S y m b ia n b y T y p e Q2 2012
R e p o r t Q2 2012 • P o c k e t PC
( 5 ) J2M E
Tro jan M onitoring R iskw a re A p p lic a tio n A dw are

2011 2011 2011 2011 2012 2012 Tool
h t t p : / / ww w.f-secure.com h ttp ://w w w .h o tfo rs e c u rity .c o m
M o b ile T h re a t R e p o rt Q 2 2012
Source: http://www.f-secure.com
In the report, malware attacks on Android phones continue to dominate the other mobile
platforms. The most attacks were found in the third quarter of 2011. And in 2012, Q2 came in
at 40%.

Ethical Hacking a n d C o u n te rm e a s u re s Exam 3 1 2-50 C ertified Ethical H acker
2011 2011 2011 2011 2012 2012
FIG U R E 1 6 .1 : M o b ile T h r e a t R e p o r t Q 2 2 0 1 2
Note: T h e t h r e a t s t a t i s t i c s u s e d in t h e m o b i l e t h r e a t r e p o r t Q 2 2 0 1 2 a r e m a d e u p o f f a m i l i e s
a n d v a r ia n ts in s te a d o f u n iq u e file s .
M o b ile T h re a t b y T y p e Q 2 2012
S o urce : h t t p : / / w w w . h o t f o r s e c u r it v . c o m
A tta c k s o n m o b ile p h o n e s w e r e m o s tly d u e t o th e T ro ja n s , w h ic h a c c o rd in g t o t h e M o b ile

T h r e a t b y T y p e Q 2 2 0 1 2 . is a b o u t 8 0 % . F r o m t h e g r a p h o r r e p o r t i t is c l e a r t h e m a j o r t h r e a t
a s s o c i a t e d w i t h m o b i l e p l a t f o r m s is T r o j a n w h e n c o m p a r e d t o o t h e r t h r e a t s s u c h as m o n i t o r i n g
to o ls , ris k w a re , a p p lic a tio n v u ln e ra b ilitie s , a n d a d w a re .
M o b ile T h re a t
b y T y p e Q 2 2012
T r o ja n M o n it o r in g R is k w a r e A p p li c a t i o n A d w a re
Tool
FIGURE 1 6 .2 : M o b ile T h r e a t b y T y p e Q 2 2 0 1 2
Module 16 P ag e 2399 Ethical Hacking and Countermeasures C opyright © by EC-C0UnCil

Term inology CEH

Stock ROM
I t is t h e d e f a u l t R O M ( o p e r a t i n g s y s t e m ) o f a n A n d r o i d d e v ic e
s u p p lie d b y t h e m a n u f a c tu r e r
CyanogenMod
I t is a m o d i f i e d d e v i c e R O M w i t h o u t t h e r e s t r i c t i o n s i m p o s e d b y
d e v ic e ’s o r ig in a l R O M
Bricking the Mobile Device
A l t e r i n g t h e d e v i c e O S u s i n g r o o t i n g o r j a i l b r e a k i n g in a w a y t h a t
c a u s e s t h e m o b ile d e v ic e t o b e c o m e u n u s a b le o r in o p e r a b le
Bring Your Own Device (BYOD)

B r i n g y o u r o w n d e v i c e (B Y O D ) is a b u s i n e s s p o l i c y t h a t a l l o w s
e m p l o y e e s t o b r i n g t h e i r p e r s o n a l m o b i l e d e v ic e s t o t h e i r w o r k
p la c e
T e rm in o lo g y
T h e f o l l o w i n g is t h e b a s ic t e r m i n o l o g y a s s o c i a t e d w i t h m o b i l e p l a t f o r m h a c k i n g :
© Stock ROM: It is t h e d e f a u l t R O M ( o p e r a t i n g s y s t e m ) o f a n a n d r o i d d e v i c e s u p p l i e d b y
th e m a n u fa c tu re r
© CyanogenMod: It is a m o d i f i e d d e v i c e R O M w i t h o u t t h e r e s t r i c t i o n s i m p o s e d b y d e v i c e 's
o rig in a l R O M
© Bricking the M obile Device: A l t e r i n g t h e d e v i c e O S e s u s in g r o o t i n g o r j a i l b r e a k i n g in a

w a y t h a t causes th e m o b ile d e v ic e t o b e c o m e u n u s a b le o r in o p e r a b le
© Bring Your Own Device (BYOD): B r i n g y o u r o w n d e v i c e (B Y O D ) is a b u s i n e s s p o l i c y t h a t

a l l o w s e m p l o y e e s t o b r i n g t h e i r p e r s o n a l m o b i l e d e v i c e s t o t h e i r w o r k p la c e

M obile Attack Vectors

,data streak a n d e m a tt
Extracted s c r a p ’*‫® ״‬
a n d s c re e n
tand rootkit P r in t s c re e n
0f backup
APPlication U S B ^ e V a n d ' ° ss
m°drficati0n o copvto
\
0s‫׳‬n° dificatic
o $ r/1
Wp«cati0nv-
U n a p P r0 '
° o
Copyright © by E&Ctliacfl. All Rights Reserved. Reproduction is Strictly Prohibited.
M o b ile A tta c k V e c to rs
S im ila r t o t r a d it io n a l c o m p u t e r s y s te m s , m o s t m o d e r n m o b ile d e v ic e s a re a lso p r o n e

t o a tta c k s . M o b ile d e v ic e s h a v e m a n y p o te n t ia l a tta c k v e c to r s u s in g w h ic h th e a tt a c k e r tr ie s t o
g a i n u n a u t h o r i z e d a c c e s s t o t h e m o b i l e d e v i c e s a n d t h e d a t a s t o r e d in o r t r a n s f e r r e d b y t h e
d e v i c e . T h e s e m o b i l e a t t a c k v e c t o r s a l l o w a t t a c k e r s t o e x p l o i t t h e v u l n e r a b i l i t i e s p r e s e n t in
o p e r a t in g s y s te m s o r a p p lic a t io n s use d by t h e m o b ile d e v ic e . T h e a t t a c k e r can a lso e x p lo it th e
h u m a n f a c t o r . T h e v a rio u s m o b ile a t t a c k v e c to r s in c lu d e :
M a lw a re :
9 V ir u s a n d r o o t k i t
9 A p p lic a tio n m o d ific a tio n
6 OS m o d i f i c a t i o n
D a ta E x filt r a tio n :
9 D a ta l e a v e s o r g a n i z a t i o n a n d e m a i l
9 P rin t scre e n a n d s c re e n sc ra p in g
9 C o p y t o USB k e y a n d lo ss o f b a c k u p

D a ta T a m p e r in g :
© M o d ific a tio n by a n o th e r a p p lic a tio n
© U n d e te c te d ta m p e r a tte m p ts
© J a il-b ro k e n d e v ic e
D a t a Loss:
© A p p lic a tio n v u ln e ra b ilitie s
© U n a p p r o v e d p h y s i c a l a c ce s s
© Loss o f d e v i c e

M o b ile P la t f o r m V u ln e r a b ilit ie s
a n d R is k s
M o b ile A p p lic a tio n

A p p S to re s
V u ln e r a b ilitie s 7
1
M o b ile M a lw a r e P riv a c y Issues (G e o lo c a tio n )

2
8
A p p S a n d b o x in g D ata S e c u rity
' 9
3
D e v ic e a n d A p p E n c ry p tio n E xce ssive P e rm is s io n s

1 0
4
O S a n d A p p U p d a te s C o m m u n ic a tio n S e c u rity
5 ] 1 1
V 1 ‫׳' —דז‬
c ‫ר‬
J a ilb r e a k in g a n d R o o tin g P h y s ic a l A tta ck s
6 ] 1 2
------------------------ - ■
.. ...:----------- J
M o b ile P la tfo rm V u ln e ra b ilitie s a n d R is k s
M o b i l e p l a t f o r m v u l n e r a b i l i t i e s a n d ris k s a r e t h e c h a l l e n g e s f a c e d b y m o b i l e u s e r s d u e
t o t h e f u n c t i o n a l i t y a n d i n c r e a s i n g u s e o f m o b i l e d e v i c e s a t w o r k a n d in o t h e r d a i l y a c t i v i t i e s .
T h e n e w f u n c t i o n a l i t i e s a m p l i f y t h e a t t r a c t i o n o f t h e p l a t f o r m s u s e d in m o b i l e d e v i c e s , w h i c h
p ro v id e an easy p a th f o r a tta c k e rs t o la u n c h a tta c k s a n d e x p lo ita tio n . A tta c k e rs use d iffe r e n t
t e c h n o l o g i e s s u c h as A n d r o i d s a n d o t h e r m u l t i p l e i n s t a n c e s t o i n s e r t m a l i c i o u s a p p l i c a t i o n s
w i t h h id d e n f u n c t io n a l it y t h a t s te a lth ily g a th e r a u s e r's s e n s itiv e i n f o r m a t io n . T h e c o m p a n ie s
th a t a re in to d e v e lo p in g m o b ile a p p lic a tio n s a re m ore c o n ce rn e d a b o u t s e c u rity because
v u l n e r a b le a p p lic a t io n s can c a u se d a m a g e t o b o th p a rtie s . T h u s , l e v e ls o f s e c u r i t y a n d d a t a
p r o t e c t i o n g u a r a n t e e s a re m a n d a t o r y . B u t t h e a ssis ta n c e s a n d s e rvice s p r o v id e d by m o b ile
d e v ic e s f o r s e c u re usage a re s o m e tim e s n e u tr a liz e d by fr a u d a n d s e c u rity th r e a ts .
T h e f o l l o w i n g a r e s o m e o f t h e ris k s a n d v u l n e r a b i l i t i e s a s s o c i a t e d w i t h m o b i l e p l a t f o r m s :
0 A p p S to re s
© M o b ile M a lw a re
Q A p p S a n d b o x in g
© D e v ic e a n d A p p E n c r y p t i o n
© OS a n d A p p U p d a t e s

e J a ilb re a k in g a n d R o o tin g
e M o b ile A p p lic a tio n V u ln e r a b ilitie s
e P r i v a c y Is su e s ( G e o l o c a t i o n )
Q D a ta S e c u r i t y
e E x c e s s iv e P e r m i s s i o n s
e C o m m u n ic a tio n S e c u rity
e P h y s ic a l A t t a c k s

S e c u r it y I s s u e s A r is in g fr o m
A p p S to re s
CEH
A tta c k e r s c a n a ls o s o c ia l e n g in e e r u s e rs
J In s u ffic ie n t o r n o v e t t in g o f a p p s le a d s t o
t o d o w n lo a d a n d ru n a p p s o u t s id e th e
m a lic io u s a n d fa k e a p p s e n t e r in g a p p
o ffic ia l a p p s to re s
m a r k e tp la c e
M a lic io u s a p p s c a n d a m a g e o t h e r a p p lic a t io n
J A p p s to re s a re c o m m o n ta r g e t f o r a tta c k e r s
a n d d a ta , a n d s e n d y o u r s e n s itiv e d a ta t o
t o d is t r ib u t e m a lw a r e a n d m a lic io u s a p p s
a tta c k e r s
A p p S to re ■ 11 n 11
:......>d
•...... < f ‫ יי‬i m
JLp
A•
h i ®»*>’ :
\ T h ir d P a r ty
■A p p S t o r e
M o b ile A p p N o V e ttin g
......>
.......
M a lic io u s app sends s e n s itiv e data t o a tta c k e r
Call lo g s /p h o to /v id e o s /s e n s itiv e docs
S e c u rity Is s u e s A ris in g fro m A p p S to re s
------- An a u th e n tic a te d d e v e lo p e r o f a c o m p a n y cre a te s m o b ile a p p lic a tio n s fo r m o b ile

u s e rs . In o r d e r t o a l l o w t h e m o b i l e u s e r s t o c o n v e n i e n t l y b r o w s e a n d i n s t a l l t h e s e m o b i l e a p p s ,
p la tfo r m v e n d o rs have c re a te d c e n tra liz e d m a rk e tp la c e s , b u t s e c u rity c o n c e rn s h a ve re s u lte d .
U s u a lly m o b ile a p p lic a tio n s th a t a re d e v e lo p e d by d e v e lo p e rs a re s u b m itte d to th e s e
m a rk e tp la c e s (o ffic ia l a p p s to re s and th ird -p a rty app s to re s ) w i t h o u t s c re e n in g o r v e ttin g ,
m a k i n g t h e m a v a i l a b l e t o t h o u s a n d s o f m o b i l e u s e rs . If y o u a r e d o w n l o a d i n g t h e a p p l i c a t i o n
f r o m a n o f f i c i a l a p p s t o r e , t h e n y o u c a n t r u s t t h e a p p l i c a t i o n as t h e h o s t i n g s t o r e h a s v e t t e d i t.
H o w e v e r , i f y o u a r e d o w n l o a d i n g t h e a p p l i c a t i o n f r o m a t h i r d - p a r t y a p p s t o r e , t h e n t h e r e is a
p o s s ib ility o f d o w n lo a d in g m a lw a r e a lo n g w it h th e a p p lic a tio n b e c a u s e t h i r d - p a r t y a p p s to re s
d o n o t v e t th e apps. T h e a tt a c k e r d o w n lo a d s a le g it im a t e g a m e a n d re p a c k a g e s it w it h m a lw a r e
a n d u p lo a d s th e m o b ile ap p s to a th ir d - p a r t y a p p lic a tio n s to re fr o m w h e re th e end u s e rs
d o w n l o a d t h i s m a l i c i o u s g a m i n g a p p l i c a t i o n , b e l i e v i n g i t t o b e g e n u i n e . As a r e s u l t , t h e m a l w a r e
g a th e rs and sends user c re d e n tia ls such as c a ll lo g s /p h o to /v id e o s /s e n s itiv e docs to th e
a tta c k e r w it h o u t th e u s e r 's k n o w le d g e . U s in g t h e in fo rm a tio n g a th e re d , th e a tta c k e r can
e x p lo it t h e d e v ic e a n d la u n c h m a n y o t h e r a tta c k s . A tt a c k e r s can a lso s o c ia lly e n g in e e r u se rs t o
d o w n lo a d and ru n apps o u ts id e th e o ffic ia l a p p s to re s . M a lic io u s ap p s can d a m a g e o th e r
a p p lic a tio n s a n d d a ta , a n d se n d y o u r s e n s itiv e d a ta t o a tta c k e rs .

C a ll lo g s / p h o t o / v id e o s / s e n s it iv e d o c s
FIG U R E 1 6 .3 : S e c u r ity Is s u e s A r is in g f r o m A p p S to re s
Module 16 P ag e 2 4 0 6 Ethical Hacking and Countermeasures C opyright © by EC-C0UnCil

Threats of M obile M alw are CEH
T h re a ts o f M o b ile M a lw a re
In r e c e n t y e a r s , m a n y s y s t e m u s e r s a r e m o v i n g a w a y f r o m u s in g p e r s o n n e l c o m p u t e r s
to w a rd s m a rtp h o n e s and t a b l e t s . T h is in c re a s e d a d o p tio n o f m o b ile d e v ic e s by u sers fo r
b u s in e s s a n d p e rs o n a l p u rp o s e s a n d c o m p a r a t iv e ly le sse r s e c u r ity c o n tr o ls has s h ifte d th e
fo c u s o f a tta c k e r s a n d m a lw a r e w r it e r s f o r la u n c h in g a tta c k s o n m o b ile d e v ic e s . A t t a c k e r s a re
a t t a c k i n g m o b i l e d e v i c e s b e c a u s e m o r e s e n s i t i v e i n f o r m a t i o n is s t o r e d o n t h e m . S M S s p o o f i n g ,
to ll fr a u d s , e tc . a re a tta c k s p e r f o r m e d b y a tta c k e r s o n m o b ile d e vice s. M o b i le m a lw a r e in c lu d e
v iru s e s , S M S -s e n d in g m a lw a r e , m o b ile b o tn e t s , s p y w a r e , d e s tr u c tiv e T ro ja n s , e tc . T h e m a lw a r e
is e i t h e r a p p l i c a t i o n o r fu n c tio n a lity h id d e n w ith in o th e r a p p lic a tio n . For in fe c tin g m o b ile
d e v ic e s , th e m a lw a r e w r i t e r o r a tt a c k e r d e v e lo p s a m a lic io u s a p p lic a tio n a n d p u b lis h e s th is
a p p lic a tio n t o a m a jo r a p p lic a tio n s to r e a n d w a it s u n til users in s ta ll th e s e m a lic io u s m o b ile
a p p lic a tio n s o n t h e ir m o b ile d e v ic e s . O n c e t h e u s e r in s ta lls th e a p p lic a tio n h o s te d by th e
a t t a c k e r , as a r e s u l t , t h e a t t a c k e r t a k e s c o n t r o l o v e r t h e u s e r ' s m o b i l e d e v i c e . D u e t o m o b i l e
m a l w a r e t h r e a t s , t h e r e m a y b e lo ss a n d t h e f t , d a t a c o m m u n i c a t i o n i n t e r r u p t i o n , e x p l o i t a t i o n
a n d m is c o n d u c t, a n d d ire c t a tta c k s .
A c c o r d in g t o th e t h r e a t s r e p o r t , t h e s e c u r ity th r e a ts t o m o b ile d e v ic e s a re in c re a s in g d a y by
d a y . In 2 0 0 4 , m a l w a r e t h r e a t s a g a i n s t m o b i l e d e v i c e s w e r e f e w e r w h e n c o m p a r e d t o r e c e n t
ye ars. T h e f r e q u e n c y of m a lw a re th re a ts to m o b ile d e v ic e s in th e year 2012 d ra s tic a lly
in c re a s e d .

FIG U R E 1 6 .4 : T h r e a ts o f M o b ile M a lw a r e

App Sandboxing Issues CEH

S a n d b o x in g h e lp s p r o t e c t s y s te m s a n d u s e rs b y l im it in g t h e re s o u rc e s
t h e a p p c a n access in t h e m o b ile p la t f o r m ; h o w e v e r, m a lic io u s
a p p lic a t io n s m a y e x p lo it v u ln e r a b ilit ie s a n d b y p a s s t h e s a n d b o x
A p p S a n d b o x in g Is s u e s
Sandboxing separates the running program with the help of a security mechanism. It
helps protect systems and users by limiting the resources the app can access in the mobile
platform; however, malicious applications may exploit vulnerabilities and bypass the sandbox.
Sandboxing is clearly explained by comparing a computer and a smartphone. In normal
computers, a program can access any of the system resources such as entire RAM i.e. not
protected, hard drive information, and more can be read easily by anyone, unless and until it is
locked. So if any individual downloads malicious software believing it as genuine, then that
software can read the keystrokes that are typed in your system, scan the entire hard drive for
useful file types, and then send that data back through the network. The same occurs in mobile
devices; if an application is not given a working environment, it accesses all the user data and
all the system resources. If the user downloads a malicious application, then that application
can access all the data and resources and can gain complete control over the user's mobile
device.
S e cu re s a n d b o x e n v ir o n m e n t
In a secure sandbox environment, each individual application is given its own working
environments. As a result, the application is restricted to access the other user data and system
resources. This provides protection to mobile devices against malware threats.

O th e r
U s e r D ata
A
s U se r D ata
‫ו‬
N *•
Unrestricted
No A ccess D
Access
B
App
O
S y stem
rriw iiif S y stem
X
R esources R esources
FIG U R E 1 6 .5 : S e c u re s a n d b o x e n v ir o n m e n t
V u ln e r a b le S a n d b o x E n v ir o n m e n t
In v u l n e r a b l e s a n d b o x e n v i r o n m e n t , t h e m a l i c i o u s a p p l i c a t i o n e x p l o i t s l o o p h o l e s o r w e a k n e s s e s
f o r b y p a s s i n g t h e s a n d b o x . As a r e s u l t , t h e a p p l i c a t i o n c a n a c c e s s o t h e r u s e r d a t a a n d s y s t e m
re so u rce s t h a t a re re s tric te d .
s U se r D ata
U se r D ata
1“ nr A
M
Unrestricted
A ccess
Access
B ypass
the App
S an dbox
S y stem S y stem
R esources R esources
FIG U R E 1 6 .6 : V u ln e r a b le S a n d b o x E n v ir o n m e n t

Modu .le Flow U

c EH
ttiftod IUk
jI lU
chM
• • •
1 1 e H . fl^:‫^־‬ -
M o b ile P latform
Attack Vectors
Copyright © by E&Caind. All Rights Reserved. Reproduction is Strictly Prohibited.
M o d u le F lo w
w So f a r , w e h a v e d i s c u s s e d v a r i o u s p o t e n t i a l a t t a c k v e c t o r s o f m o b i l e p l a t f o r m s . N o w
w e w i l l d is c u s s h a c k i n g t h e A n d r o i d OS.
M obile Platform Attack Vectors * '< Hacking BlackBerry

1 f>
flB S i H a c k i n g A n d r o i d iO S M obile Device M anagem ent

v-------/
Hacking iOS ■ ^‫׳‬ Mobile Security Guidelines and Tools
Hacking W indows Phone OS ‫^־׳‬ M obile Pen Testing

T h is s e c t i o n in tro d u c e s yo u to th e A n d ro id OS a n d i ts a r c h i t e c t u r e , v a r i o u s v u l n e r a b i l i t i e s
a s s o c i a t e d w i t h it, A n d r o i d r o o t i n g a n d A n d r o i d r o o t i n g t o o l s , v a r i o u s A n d r o i d T r o j a n s , A n d r o i d
s e c u rity to o ls , A n d r o id p e n e tr a tio n te s t in g to o ls , a n d A n d ro id d e v ic e tra c k in g to o ls .

Android OS CEH
A n d r o i d is a s o f t w a r e e n v i r o n m e n t d e v e l o p e d b y G o o g l e f o r m o b i l e d e v i c e s
t h a t in clu d es a n o p e ra tin g s y s te m , m id d le w a re , a n d key a p p lic a tio n s
Features
A p p lic a t io n f r a m e w o r k e n a b lin g r e u s e a n d r e p la c e m e n t o f
c o m p o n e n ts
D a lv ik v ir t u a l m a c h in e o p t im iz e d f o r m o b ile d e v ic e s
I n te g r a t e d b r o w s e r b a s e d o n t h e o p e n s o u r c e W e b K it e n g in e
S Q L ite f o r s t r u c t u r e d d a ta s to ra g e
M e d ia s u p p o r t f o r c o m m o n a u d io , v id e o , a n d s t ill im a g e f o r m a t s (M P E G 4 , H .2 6 4 ,
M P 3 , A A C , A M R , JPG, P N G , G IF)
Rich d e v e lo p m e n t e n v ir o n m e n t in c lu d in g a d e v ic e e m u la to r , to o ls f o r d e b u g g in g ,
m e m o ry a n d p e r fo rm a n c e p r o filin g , a n d a p lu g in f o r t h e E clipse IDE
http://developer.android.com
Copyright © by E&Cauac!. All Rights Reserved. Reproduction is Strictly Prohibited.
A n d ro id O S
A n d r o i d is a s o f t w a r e s t a c k d e v e l o p e d b y G o o g l e s p e c i f i c a l l y f o r m o b i l e d e v i c e s s u c h
as s m a r t p h o n e s a n d t a b l e t c o m p u t e r s . It is c o m p r i s e d o f a n o p e r a t i n g s y s t e m , m i d d l e w a r e , a n d
k e y a p p l i c a t i o n s . A n d r o i d ' s m o b i l e o p e r a t i n g s y s t e m is b a s e d o n t h e L i n u x k e r n e l . T h e A n d r o i d
a p p l i c a t i o n r u n s in a s a n d b o x . T h e s a n d b o x s e c u r i t y m e c h a n i s m is e x p l a i n e d o n a p r e v i o u s s l id e .
A n tiv iru s s o ftw a re such as Lookout M o b ile S e c u rity , AVG T e c h n o lo g ie s , and M c A fe e a re
r e l e a s e d b y s e c u r i t y f i r m s f o r A n d r o i d d e v i c e s . H o w e v e r , t h e s a n d b o x is a l s o a p p l i c a b l e t o t h e
a n tiv iru s s o ftw a re . As a re s u lt, t h o u g h th is a n tiv iru s s o ftw a re has t h e a b ility to scan th e
c o m p l e t e s y s t e m , i t is l i m i t e d t o s c a n n i n g u p t o a c e r t a i n e n v i r o n m e n t .
T h e fe a tu re s o f a n d r o id o p e r a tin g s y s te m in c lu d e :
© A p p lic a tio n f r a m e w o r k e n a b lin g re u s e a n d re p la c e m e n t o f c o m p o n e n ts
0 D a lv ik v ir tu a l m a c h in e o p tim iz e d f o r m o b ile d e v ic e s
© In te g ra te d b ro w s e r based on th e o p e n s o u rc e W e b K it e n g in e
0 S Q L ite f o r s t r u c t u r e d d a t a s t o r a g e
0 M e d i a s u p p o r t f o r c o m m o n a u d i o , v i d e o , a n d s ti l l i m a g e f o r m a t s ( M P E G 4 , H . 2 6 4 , M P 3 ,
A A C , A M R , JPG, P N G , GIF)

Q R ich d e v e lo p m e n t e n v iro n m e n t in c lu d in g a d e v ic e e m u la to r, to o ls fo r d e b u g g in g ,
m e m o r y a n d p e r f o r m a n c e p r o f i l i n g , a n d a p l u g i n f o r t h e E c lip s e IDE

Android OS Architecture CEH

(•rtifwd itkitjl
APPLICATION
C o n ta c t s Phone
APPLICATION FRAMEWORK
A c t iv ity M a n a g e r W in d o w M a n a g e r C o n te n t P ro vid e rs
Package M a n a g e r
T e le p h o n y R eso urce N o tific a tio n

L o c a tio n M a n a g e r
M anager M anager M anager
S u rfa c e M a n a g e r M e d ia F r a m e w o r k ANDROID RUNTIME
C o re L ib ra rie s
\
LIBRARIES O p en G L | ES
D a lv ik V ir tu a l M a c h in e
SG I
LINUX KERNEL
D is p la y D riv e r C a m a ra D riv e r Flash M e m o r y D rive r B in d e r (IPC) D riv e r
K e y p a d D riv e r W iF i D riv e r A u d io D riv e r P o w er M anagem ent
A n d ro id O S A rc h ite c tu re
A n d r o i d is a L i n u x - b a s e d o p e r a t i n g s y s t e m e s p e c i a l l y d e s i g n e d f o r p o r t a b l e d e v i c e s
s u c h as s m a r t p h o n e s , t a b l e t s , e t c . T h e p i c t o r i a l r e p r e s e n t a t i o n t h a t f o l l o w s s h o w s t h e d i f f e r e n t
l a y e r s s u c h as a p p l i c a t i o n , a p p l i c a t i o n f r a m e w o r k , l i b r a r i e s , a n d r o i d r u n t i m e , a n d L i n u x k e r n e l ,
w h ic h m a k e u p th e A n d ro id o p e ra tin g s ys te m .

H acking M o b ile P la tfo rm s
Jf\PPLI CATION
Hom e C o n ta c ts Phone B ro w s e r
APPLICATION FRAMEWORK
A c tiv ity M a n a g e r W in d o w M a n a g e r Content Providers V ie w S ystem
Package M a n a g e r
T e le p h o n y Reso urce Notification

Locatio n M a n a g e r
Manager M anager M anager
S urface M a n a g e r M e d ia F ra m e w o rk S Q lite ANDROID RUNTIME
C o re Libraries
LIBRARIES O pen G L | ES Fre eT y p e W e b K it
D a lvik V ir tu a l M a c h in e
SGL SSL libc
LINUX KERNEL
D isplay D riv e r C am ara D riv e r Flash M e m o r y D riv e r B in d e r (IPC) D riv e r
Keypad D riv e r W iF i D riv e r A u d io D riv e r Pow er M an ag em en t
FIGURE 16.7: Android OS Architecture
Applications:
The applications provided by Android include an email client, SMS, calendar, maps, Browser,
contacts, etc. These applications are written using the Java programming language.
Application Framework
Q As Android is an open development platform, developers have full access tothe API
that is used in the core applications
© The View System can be used to develop lists, grids, text boxes,buttons, etc. in the
application
Q The Content Provider permits applications to access data from other applications in
order to share their own data
© The Resource Manager allocates the non-code resources like localized strings, graphics,
etc.
Q The Notification Manager helps applications to show custom messages in the status bar
Q The Activity Manager controls the lifecycle of applications
Libraries
Libraries comprise each and every code that provides the main features of an Android OS. For
example, database support is provided by the SQLite library so that an application can utilize it
for storing data and functionalities for the web browser provided by the Web Kit library. The
M o d u le 16 P ag e 2 4 1 6 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil

Android core library includes Surface Manager, Media Framework, SQLite, OpenGL | ES,
FreeType, WebKit, SGL, SSL, libc, SQLite (database engine), and LibWebCore (web browser
engine).
Android Runtime
Android Runtime includes core libraries and the Dalvik virtual machine. The set of core
libraries allows developers to write the Android applications using the Java programming
language. Dalvik virtual machine is helpful in executing Android applications. Dalvik can run
multiple VMs efficiently.
Linux Kernel
The Android operating system was built based on the Linux kernel. This layer is made up of all
the low-level device drivers such as Display Driver, Camara Driver, Flash Memory Driver, Binder
(IPC) Driver, Keypad Driver, WiFi Driver, Audio Driver, and Power Management for various
hardware components of an Android device.
M o d u le 16 P ag e 2417 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil

Android Device Administration API I CEH

J T h e D e v ic e A d m in is t r a tio n AP I in tr o d u c e d in A n d r o id 2 .2 p r o v id e s d e v ic e a d m in is t r a t io n f e a tu r e s
a t t h e s y s te m le v e l »
J T h e s e A P Is a llo w d e v e lo p e r s t o c r e a te s e c u r it y - a w a r e a p p lic a tio n s t h a t a r e u s e fu l in e n t e r p r is e

s e ttin g s , in w h ic h IT p r o fe s s io n a ls r e q u ir e ric h c o n t r o l o v e r e m p lo y e e d e v ic e s
P o lic ie s s u p p o r t e d b y
t h e D e v ic e A d m in is t r a t io n A P I
I*
Password enabled 6 Minimum uppercase letters
M inim um password length required in password
Alphanumeric password © Password expiration timeout
required © Password history restriction
Complex password required
9 Maximum failed password
M inim um letters required in
attempts
password
a Maximum inactivity time lock
M inim um lowercase letters
required in password 0 Require storage encryption
M inim um non-letter characters o Disable camera
required in password
« Prompt user to set a new
M inim um numerical digits password
required in password
9 Lock device immediately
M inim um symbols required in
password
S Wipe the device's data
h ttp://developer. android, com
Android Device Administration API

",“"■‫'׳‬ Source: http://developer.android.com
The Device Administration API introduced in Android 2.2 provides device administration
features at the system level. These APIs allow developers to create security-aware applications
that are useful in enterprise settings, in which IT professionals require rich control over
employee devices. The device admin applications are written using the Device Administration
API. These device admin applications enforce the desired policies when the user installs these
applications on his or her device. The built-in applications can leverage the new APIs to
improve the exchange support.
Policy Description
Password enabled Requires that devices ask for PIN or passwords.

Minimum password Set the required number of characters for the password. For
length example, you can require PIN or passwords to have at least six
characters.
Alphanumeric password Requires that passwords have a combination of letters and numbers.
required They may include symbolic characters.

Complex password Requires that passwords must contain at least a letter, a numerical
required digit, and a special symbol. Introduced in Android 3.0.
Minimum letters required The minimum number of letters required in the password for all
in password admins or a particular one. Introduced in Android 3.0.
Minimum lowercase The minimum number of lowercase letters required in the password
letters required in for all admins or a particular one. Introduced in Android 3.0.
password
Minimum non-letter The minimum number of non-letter characters required in the
characters required in password for all admins or a particular one. Introduced in Android
password 3.0.
Minimum numerical digits The minimum number of numerical digits required in the password
required in password for all admins or a particular one. Introduced in Android 3.0.
Minimum symbols The minimum number of symbols required in the password for all
required in password admins or a particular one. Introduced in Android 3.0.
Minimum uppercase The minimum number of uppercase letters required in the password
letters required in for all admins or a particular one. Introduced in Android 3.0.
password
Password expiration When the password will expire, expressed as a delta in milliseconds
timeout from when a device admin sets the expiration timeout. Introduced in
Android 3.0.
Password history This policy prevents users from reusing the last ‫ רו‬unique passwords.
restriction This policy is typically used in conjunction with
setPasswordExpirationTimeout(), which forces users to update their
passwords after a specified amount of time has elapsed. Introduced
in Android 3.0.
Maximum failed Specifies how many times a user can enter the wrong password
password attempts before the device wipes its data. The Device Administration API also
allows administrators to remotely reset the device to factory
defaults. This secures data in case the device is lost or stolen.
Maximum inactivity time Sets the length of time since the user last touched the screen or
lock pressed a button before the device locks the screen. When this
happens, users need to enter their PIN or passwords again before
they can use their devices and access data. The value can be
between 1 and 60 minutes.
Require storage Specifies that the storage area should be encrypted, if the device
encryption supports it. Introduced in Android 3.0.
Disable camera Specifies that the camera should be disabled. Note that this doesn't
have to be a permanent disabling. The camera can be
enabled/disabled dynamically based on context, time, and so on.
Introduced in Android 4.0.
T A B L E 1 6 .1: A n d r o id D e v ic e A d m in is tr a tio n API

I S M o 2:0977]
A p p /D e v ic e A d m in
D e m o n s tra tio n o f ‫ ג‬D ev iceA d m in class fo r

a d m in is te rin g th e u s e r 's d ev ice.
FIGURE 16.8: Android Device Administration API

A ndroid Rooting CEH

J R o o tin g a llo w s A n d r o id u s e rs t o a t t a i n p r iv ile g e d c o n t r o l ( k n o w n as " r o o t a c c e s s ") w it h in A n d r o id 's s u b s y s te m
J R o o tin g p ro c e s s in v o lv e s e x p lo itin g s e c u r ity v u ln e r a b ilitie s in t h e d e v ic e f ir m w a r e , a n d c o p y in g t h e s u b in a r y t o a

lo c a tio n in t h e c u r r e n t p ro c e s s 's PATH (e .g . / s y s t e m / x b in / s u ) a n d g r a n t in g it e x e c u ta b le p e r m is s io n s w it h t h e
chm od com m and
R o o tin g e n a b le s a ll t h e u s e r - in s ta lle d R o o tin g a ls o c o m e s w it h m a n y
a p p lic a tio n s t o r u n p r iv ile g e d s e c u r it y a n d o t h e r r is k s t o y o u r
c o m m a n d s s u c h as: d e v ic e in c lu d in g :
M o d ify in g o r d e le tin g s ys te m files , m o d u le , & V o ids y o u r p h o n e 's w a rr a n ty

R O M s (s tock firm w a re ), a nd kernels
» P o o r p e rfo rm a n c e
R e m o vin g c arrie r- o r m a n u fa c tu re r-
in stalle d a p p lic a tio n s (b lo a tw a re ) © M a lw a re in fe c tio n
Low -level access t o th e h a rd w a re t h a t a re

6 B ric k in g th e de v ic e
ty p ic a lly u n a v a ila b le t o th e devices in th e ir
d e fa u lt c o n fig u ra tio n
Im p ro v e d p e rfo rm a n c e
W i-F i a nd B lu e to o th te th e rin g
In stall a p p lic a tio n s on SD card
B e tte r user in te rfa c e a nd k eyboard
Android Rooting
Rooting is the process of removing the limitations and allowing full access. It allows
Android users to attain "super user" privileged control (known as "root access") and permission
within Android's subsystem. After rooting the Android phone, an Android user will have control
over SETTINGS, FEATURES, and PERFORMANCE of his or her phone and can even install
software that is not supported by the device. The root users will have "super -user" privileges
using which they can easily alter or modify the software code on the device. Rooting is basically
hacking Android devices and is equivalent to "jailbreaking" in iPhone. Rooting exploits a
security vulnerability in the device firmware, and copying the su binary to a location in the
current process's PATH (e.g. /system/xbin/su) and granting it executable permissions with the
chmod command.
Rooting enables all the user-installed applications to run privileged commands such as:
9 Modifying or deleting system files, module, ROMs (stock firmware), and kernels
Q Removing carrier- or manufacturer-installed applications (bloatware)
Q Low-level access to the hardware that are typically unavailable to the devices in their
default configuration
© Improved performance

© Wi-Fi and Bluetooth tethering
© Install applications on SD card

© Better user interface and keyboard
Rooting also comes with many security and other risks to your device including:
© Voids your phone's warranty
© Poor performance
© Malware infection
© Bricking the device

Rooting Android Phones using

SuperOneClick CEH
Df-Vf 1‫י‬,‫ זת«ווזז״‬H
J P lu g in a n d c o n n e c t y o u r a n d r o i d d e v ic e t o y o u r USB debugging
c o m p u t e r v i a USB
Debugmode*whenuse«(oamom
PC Mode ©
Stay awa ke
J I n s t a l l d r iv e r f o r t h e d e v ic e i f p r o m p t e d
t
S erf n will n eve* slee p * h ile (t w p n g
Windows Media Sync O
Allow mock locations
A llow n o c k loe& ions
J U n p lu g a n d r e - c o n n e c t , b u t t h i s t i m e s e le c t USB Mass Storage O
" C h a r g e o n l y " t o s u r e t h a t y o u r p h o n e 's S D C a rd

Charge Only Q
is n o t m o u n t e d t o y o u r PC
J G o t o S e tt in g s ‫ >־־‬A p p li c a t i o n s ‫ > ־‬D e v e lo p m e n t

a n d e n a b le U S B D e b u g g in g t o p u t y o u r a n d r o i d
i n t o U S B D e b u g g in g m o d e
J R u n S u p e r O n e C lic k . e x e ( a v a i la b le i n T o o l s D V D )
J C lic k o n t h e " R o o t " b u t t o n

!5]
S u p er u ser R eq u e st
J W a it f o r s o m e t i m e u n t i l y o u s e e a " R u n n in g a
Su t e s t S u c c e s s !" m e s s a g e
A pp: drocap2 (10104)
pAckdga: ca m g u v * n ig . Jtudrcx4()3
R eq u ested U1D: root(O)
J N o w c h e c k o u t t h e i n s t a l le d a p p s in y o u r p h o n e C om nw ltd: /sy s 1« 1n ‫ ׳‬bl1Vsh
Rcmember
J S u p e r u s e r ic o n m e a n s y o u n o w h a v e r o o t a c c e s s
( r e b o o t t h e p h o n e i f y o u d o n o t s e e it )
J
Rooting Android Phones using SuperOneClick

SuperOneClick is a tool designed especially for rooting an Android phone. The step-by-
step procedure for rooting an Android phone with the help of SuperOneClick follows:
9 Plug in and connect your Android device to your computer via a USB.
9 Install the driver for the device if prompted.
9 Unplug and re-connect, but this time select Charge only to ensure that your phone's SD
Card is not mounted to your PC.
9 Go to Settings ‫ >־־‬Applications ‫ >־־‬Development and enable USB Debugging to put your
android into USB Debugging mode.
9 Run SuperOneClick.exe (available in Tools DVD).

9 Click the Root button.
9 Wait for some time until you see a "Running a Su test Success!" message
9 Now check out the installed apps in your phone.
9 Superuser icon means you now have root access (reboot the phone if you don't see it).

Li —
© USB connection USB debugging
1 PC Mode o Debug mod* when USB Is connected
Stay awake mm
1
Windows Media Sync o Saeen will never sleep while charging
Allow mock locations m
USB Mass Storage o Allow mock locations
1 Charge Only o
OK | Cancel
Text M « \ fro m e r M arket VOKfmju
© 1
Superuser Request
The follow ing ap p is requesting superuser

access:
A p p : d rocap2 (10104)
Package: c0m.gmail.nag...atu.df0cap2
Requested UID: root (0)
C o m m a n d : /system/bin/sh
FIGURE 16.9: Rooting Android Phones using SuperOneClick
M o d u le 16 P ag e 2424 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0l1nCil

All R ights R eserved. R ep ro d u ctio n is Strictly P ro h ib ite d .
Rooting Android Phones Using .

Superboot ------
Download and extract the Superboot files
ft P u t y o u r A n d r o id p h o n e in
b o o t lo a d e r m o d e
m D e p e n d in g o n y o u r c o m p u t e r 's
O S , d o o n e o f th e f o llo w in g :
J T u rn o ff th e p h o n e , re m o v e t h e b a tte r y , W i n d o w s : D o u b le click " in s ta ll- s u p e r b o o t -

a n d p l u g i n t h e USB c a b l e w in d o w s .b a t"
J W h e n t h e b a t t e r y ic o n a p p e a r s o n s c r e e n , M a c : O p e n a te r m in a l w in d o w t o t h e d ir e c to r y
p o p t h e b a t t e r y b a c k in c o n ta in in g t h e files, a n d ty p e " c h m o d +x in sta ll-
s u p e r b o o t- m a c .s h " f o llo w e d b y " ./in s ta ll-
al N o w t a p t h e P o w e r b u t t o n w h i l e h o ld i n g
s u p e r b o o t- m a c .s h "
d o w n t h e C a m e r a k ey
L in u x : O p e n a te r m in a l w in d o w to t h e d ir e c to r y
J F o r A n d r o id p h o n e s w i t h a t r a c k b a l L T u r n
c o n ta in in g t h e files, a n d ty p e " c h m o d +x in sta ll-
o ff t h e p h o n e , p r e s s a n d h o ld t h e tr a c k b a ll,
s u p e r b o o t- lin u x .s h " fo llo w e d b y 1'./in s ta ll-
th e n tu rn th e p h o n e b a c k o n
s u p e r b o o t- l in u x .s h "
1 Your device has been rooted

*
r~ 1
j . m
Copyright © by E&Caincl. All Rights Reserved. Reproduction Is Strictly Prohibited.
Rooting Android Phones using Superkoot

Superboot is a boot.img. It is designed specifically to root Android phones. It roots
Android phones when they are booted for the very first time. Any individual can root the
Android phone using superboot by following these steps:
Step 1: Download and extract the Superboot files.

Step 2: Put your Android phone in bootloader mode:
© Turn off the phone, remove the battery, and plug in the USB cable.
© When the battery icon appears onscreen, pop the battery back in.
© Now tap the Power button while holding down the Camera key.
© For Android phones with a trackball: Turn off the phone, press and hold the trackball,
then turn the phone back on.
Step 3: Depending on your computer's OS, do one of the following:
© Windows: Double-click install-superboot-windows.bat.
© Mac: Open a terminal window to the directory containing the files, and type chmod +x
install-superboot-mac.sh" followed by ./install-superboot-mac.sh.

6 Linux: Open a terminal window to the directory containing the files, and type chmod +x
install-superboot-linux.sh" followed by ./install-superboot-linux.sh.
Step 4: Your Android device has been rooted.

A ndroid Rooting Tools CEH

i ( ] □ ! B B D f f l 12:56.
un re v o k e d
(DB a ‫׳‬a m a 9:15am
?!
y r Universal Androot
tho tutron to root your phono Wo don't antiripa!!
Do you want to install this

application? UnlockRoot.com
a t
Allow this application to:
A Storage
in i
modify/delete SD card contents
A Phone calls
read phone state and identity
A System tools
ctange W i-Fi state, prevent phone from
sleeping
O S h o w a ll
R e c o v e r y F la s h e r
‫ר‬
U n iv e r s a l A n d r o o t
U n lo c k R o o t
C O J
Android Rooting Tools
In addition to SuperOneClick and Superboot, there are many other tools that can be
used for rooting Android phones:
© Unrevoked available at http://unrevoked.com
© Recovery Flasher available at https://sites.google.com/site/adlxmod
© Universal Androot available at http://forum.xda-developers.com
© Unlock Root available at www.unlockroot.com

AH□ ‫ י‬S gfflj® 12:56*
i & B D 0 9:15 AM
un re v o k e d
, \u Universal Androot
P r e s s t h e b u tt o n t o r o o t y o u r p h o n e . W e d o n 't a n tic ip a te
o r e a ld n g y o u r p r io n * , b u t w e 'r e n o i lia b le if It (t o o t O n Ev
UntocfcRoot v2 0
y o u ’l h a r e t o d o th i5 e a c h tim e y o u r e b o o t . H a v e fu n !
Do you w a nt to install this
application?
UnlockRoot.com
Donate | Follow us on Twitter. A llo w th is app lic a tio n to :
A S torage
m odify/delete 50 can) contents
A
Phone c a lls
S ystem to o ls
i n
change W i-Ft state, prevent phone from
sleeping
O Show a ll 1 _ . I
Install || Cancel
Root
Contort devic• wtfh U S 8 coblo and
FIGURE 16.10: Android Rooting Tools

Session Hijacking Using

DroidSheep
J D r o i d S h e e p is a s i m p l e A n d r o i d t o o l f o r w e b s e s s i o n h i j a c k i n g •. © * v ? i n ■ s 2:02 pm
(s id e ja c k in g ) C o n n e c t e d t o -*••‫י י» י‬ ‫«■״‬
Sp o o f i n g I P: 19 2.168.0.1
J It l i s t e n s f o r H T T P p a c k e t s s e n t v ia a w i r e l e s s ( 8 0 2 . 1 1 ) n e t w o r k ». . ^ [http7/www.facebook...
m IP=192.168 0.100 Anil Sardiwal [http7Mw..
c o n n e c t i o n a n d e x t r a c t s t h e s e s s i o n ID s f r o m t h e s e p a c k e t s in o r d e r http://www.google.co.in
to re u s e th e m ‫צ‬ IP=192.168.0.100 ID: 1239002684
http://xsltcache.alexa.com
IP=192.168.0.100 ID: 1120334729
J D r o i d S h e e p c a n c a p t u r e s e s s i o n s u s i n g t h e l i b p c a p li b r a r y a n d http://api.mywot.com
s u p p o rts : O PEN N e tw o r k s , W E P e n c ry p te d n e tw o rk s , W PA a n d IP-192.168.0.100 ID: 166224861
http://apis.google.com
W P A 2 (P S K o n l y ) e n c r y p t e d n e t w o r k s IP=192.168 0.100 ID: -561222905
http://www.blogger.com
IP=192.168.0.100 ID: •70447663
http://platform.linkedin.com
in IP“ 192.168.0.100 ID: •2082712684
o n ■
http://platform .twitter.com
IP-192.168.0.100 ID: 1933430236
http://s7.addthis.com
A A
U ser
w IP-192.168 0.100 ID: 1667993814
In te rn e t
ARP http://www.stumbleupon.com
Spoofing Attacker modifies the W IP-192.168.0.100 ID: •1486882064
Attacker intercepts session IDs and relay them
client's request for a *«. m to web server ✓ c
web page
A tta c k e r
o RUNNING AND
SPOOFING
Copyright © by EfrCaincl. All Rights Reserved. Reproduction is Strictly Prohibited.
Session Hijacking Using DroidSheep

Most web applications use a session ID to verify the user's identity with the
application. This session ID is transmitted in subsequent requests within HTTP packets in order
to maintain the session with the user. The attacker uses the DroidSheep tool to read the all the
packets sent via a wireless network and captures the session ID. Once the attacker captures the
victim's legitimate session ID, he or she may use this stolen session ID to access the target web
application on behalf of the victim.
DriopSheep listens and captures HTTP packets sent via a wireless (802.11) network and then
analyzes the captured packets to extract and reuse the session IDs. DriopSheep accomplishes
this using the libcap library. It supports OPEN Networks, WEP encrypted networks, WPA, and
WPA2 (PSK only) encrypted networks.

A A
User Internet
ARP
S p o o f in g A t t a c k e r m o d if ie s t h e
A t t a c k e r i n te r c e p t s s e s s io n ID s a n d r e la y t h e m
c lie n t 's r e q u e s t f o r a *»« to W e b s e rv e r
webpage
Attacker
FIGURE 16.11: Session Hijacking Using DroidSheep

^ rid I © 2:0 2 PM
C o n nected to -•••■‫• י״ י י י י‬
Spoofing IP: 192.168.0.1
[http://www.facebook....
IP=192.168.0.100 Anil Sardiwal [http://ww...
http://www.google.co.in
IP=192.168.0.100 ID: 1239002684
http://xsltcache.alexa.com
IP=192.168.0.100 ID: 1120334729
http://api.mywot.com
IP=192.168.0.100 ID: 166224861
http://apis.google.com
IP=192.168.0.100 ID: -561222905
http://www.blogger.com
IP=192.168.0.100 ID: -70447663
http://platform.linkedin.com
IP=192.168.0.100 ID: -2082712684
http://platform.twitter.com
IP=192.168.0.100 ID: -1933430236
http://s7.addthis.com
IP=192.168.0.100 ID: -1667993814
http://www.stumbleupon.com
IP=192.168.0.100 ID: -1486882064
M aiARP-Spoofing Generic mode
RUNNING AND
o SPOOFING
FIGURE 16.12: DroidSheep Screenshot

Android-based Sniffer: FaceNiff I CEH

F a c e N iff is an A n d r o id a p p t h a t a llo w s y o u t o s n i f f I t is p o s s ib le t o h ija c k s e s s io n s o n ly w h e n W iF i is
a n d in t e r c e p t w e b s e s s io n p r o f ile s o v e r t h e W iF i n o t u s in g EAP, b u t it s h o u ld w o r k o v e r a n y p r iv a t e
t h a t y o u r m o b ile is c o n n e c te d t o n e t w o r k s (O p e n /W E P /W P A -P S K /W P A 2 -P S K )
|‫ז‬
Vibration
V ib rate w h e n n ew praM e is fo u td
MAC TO Vendor resolving

Try ftrxfcng out th e d e v ic e rt*Sot
Filter services
S e le c l w tn ch t w v ic t t y o u w an t to b e sh o w n
h ttp ://fa c e n iff.p o n u ry . net
H
Android-based Sniffer: FaceNiff
Source: http://faceniff.ponury.net
FaceNiff is an Android app that allows you to sniff and intercept web session profiles over the
Wi-Fi that your mobile is connected to. It is possible to hijack sessions only when Wi-Fi is not
using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK).
Note: If webuser uses SSL this application won't work.

m u
L _ J STOP
Fitter services
V ibration
am azon.com
Vibrate w t * n new proMe it found
f71f| bponury
pubel MAC TO V e ndor reso lv in g
am azon.co uk
Try fry in g out (he device vendor
bponury Filter serv ic es

am azon.de
Setecl which services you want to be •hew n
Intel Corporate (30.88.b4:

tuenti.com
BartoszTestowy
nk.pl
10 0 ‫ ו‬00 ‫ ו‬6(
tw itte r.c o m
tu m b lr.c o m
m einvz.net
%
& •
Unlock ap p Request n ew key Go to w ebsite
studivz.net
r t ©
Export sessions Im p o rt sessions Settings b lo n o e r c o m
FIGURE 16.13: FaceNiff Screenshot

Android Trojan: ZitMo (ZeuS-in- r cu

the-Mobile) !z —?
Z itm o is th e n o to r io u s m o b ile
c o m p o n e n t o f th e Zeu s b a n k in g
T ro ja n t h a t c irc u m v e n ts t w o - Ml » » ‫יי‬ » »
f a c to r a u th e n tic a tio n by Car Home Contacts Car Home onucn c‫״ ״ * ״‬
Custom Dev Tool!
in te rc e p tin g SMS c o n fir m a tio n local* lAraU
c o d e s t o access b a n k a c c o u n ts
^ 5 Zertifikat
T he n e w v e rs io n s f o r A n d ro id H m Q
a n d B la c k B e rry have n o w add e d Email Galery Mnugng Music
b o tn e t-lik e fe a tu re s , such as I n s ta l la t io n erfolgreich
e n a b lin g c y b e r c r im in a ls t o
r m * 4 I h r A k tiv ie ru n g sk o d e lau tet
c o n tr o l th e T ro ja n via SMS
com m ands
7725486193
Android Trojan: ZitMo (ZeuS‫־‬in‫־‬the‫־‬Mobile)

Zitmo refers to a version of the Zeus malware that specifically targets mobile devices.
It is a malware Trojan horse designed mainly to steal online banking details from users. It
circumvents mobile banking app security by simply forwarding the infected mobile's SMS
messages to a command and control mobile owned by cybercriminals. The new versions of
Android and BlackBerry have now added botnet-like features, such as enabling cybercriminals
to control the Trojan via SMS commands.

SBD® 1 0 :5 3 am I
Car H om e Contacts Custom DevTools

Locale
Email Gallery Messaging M usk
Phone Settings Spare Parts Speech

Recorder
FIGURE 16.14: ZitMo (ZeuS-in-the-Mobile) Screenshot

Android Trojan: GingerBreak CEH
AndroidOS/GingerBreak is a
trojan that affects mobile devices
GingerBreak v l.l running the Android operating p GingerBreak
system
Options It drops and executes another Do you w a n t to in s ta ll t h is
trojan detected as Exploit: application?
Q ) GingerBreak
Android0s/CVE-2011-1823,
Please m ake sure o f the which, if run successfully, gains
Allow th is a p p lic a tio n t o :
fo llo w in g before rooting: administrator privileges on the
- You have an SD card inserted device A S y stem to o ls
a n d m o unted ‫׳‬e»d system log riles
- USB debugging is enabled
Copyright © by E frC aincl. All Rights Reserved. Reproduction is Strictly Prohibited.
Android Trojan: GingerBreak

AndroidOS/GingerBreak is a Trojan that affects mobile devices running the Android
operating system. It drops and executes another Trojan detected as Exploit: AndroidOS/CVE-
2011-1823, which, if run successfully, gains administrator privileges on the device.

G in g e rB re a k
GingerBreak v1.1 |PS GingerBreak

APK: C hainfire
Exploit: The Android Exploid Crei
O p tio n s________________ Do you want to install this

application?
A System to ols
r e a d s y ste m log files
FIGURE 16.15: GingerBreak Screenshot
M o d u le 16 P ag e 2 4 3 7 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnGil

Android Trojan: AcnetSteal and

Cawitt CEH
A cn etS teal C aw itt
J A c n e tS te a l is a p r o g r a m t h a t h a r v e s t s d a t a a n d J C aw itt.A o p e r a t e s s ile n tly in t h e b a c k g r o u n d ,
in f o r m a ti o n f r o m t h e d e v ic e g a t h e r i n g d e v i c e in f o r m a ti o n w h ic h it la te r
f o r w a r d s to a r e m o t e s e r v e r
J T ro ja n s e n d s t h e c o n t a c t i n f o r m a ti o n t o a
r e m o te lo c a tio n u s in g T riple DES E n c ry p tio n J C o llected in f o r m a tio n in c lu d e s d e v i c e ID,
(D E S ede) I n te r n a tio n a l M o b ile E q u ip m e n t Id e n tity (IM EI)

n u m b e r , p h o n e n u m b e r , B o t ID, a n d m o d u le s
8:06 AM a n a 8:06 AM
Quote!!! Slim
Be social! plugin
32.C0KB
A Your messages
v R ), E xam ple w a llp a p e rs rcterve SMS
ookb
A Network communication
(til Inifinrt K e n t
Sam ple Soft Keyboard
• 1600KR A Storage
A
r r o a ify /a eltteS O ca rd co m c o r
Services that cost you
money
se n d SM S r n e s u g e s
A Phone calls
read p h o n e t u t e ar>d identity
Android Trojan: AcnetSteal and Cawitt

AcnetSteal
AcnetSteal is a program that harvests data and information from the device. The Trojan
sends the contact information to a remote location using Triple DES Encryption (DESede).
FIGURE 16.16: AcnetSteal Screenshot

Cawitt
Cawitt operates silently in the background, gathering device information which it later
forwards to a remote server. Collected information includes device ID, International Mobile
Equipment Identity (IMEI) number, phone number, Bot ID, and modules. This Trojan doesn't
place any launcher icon in the application menu in order to avoid being detected by the device
user.
tr iR & G 8:06 A M
Manage applications Application Info
com .and ro id .gestu re.b u ilder

32.00K B
Permissions
H Be s o c ia l! plugin This a p p lic a tio n c a n a c c e s s th e fo llow ing o n y o u r

32.00KB phone:
A Your m essages
w T) Exam ple W allp ap ers re c e iv e SMS
20.00K B
A N e tw o rk co m m u n ica tio n
full In te r n e t a c c e s s
Sam ple Soft Keyboard
A Storage
3600K B
m o d ify /d e le te SO c a rd c o n te n ts
A Services th a t cost you

m o n ey
s e n d SMS m e s s a g e s
A Phone calls
r e a d p h o n e s ta te a n d id en tity
FIGURE 16.17: Cawitt Screenshot

Android Trojan: Frogonal and

Gamex c EH
toftNM ItkM
Jl IlM
hM
Frogonal
J F r o g o n a l.A is a r e p a c k a g e d v e r s i o n o f a n o r i g i n a l a p p l i c a t i o n
w h e r e e x tr a f u n c tio n a litie s u s e d f o r m a lic io u s i n t e n t h a v e
b e e n a d d e d in to th e n e w p a c k a g e
J It h a r v e s t s t h e f o l l o w i n g i n f o r m a t i o n f r o m t h e c o m p r o m i s e d
d e v ic e s u c h a s id e n tif ic a tio n o f t h e T ro ja n e d a p p lic a tio n ,
p h o n e n u m b e r , IM EI n u m b e r , IM S I n u m b e r , S IM s e r ia l
n u m b e r, d e v ic e m o d e l, o p e r a tin g s y s te m v e rs io n , r o o t
a v a ila b ility
Gamex
-I G a m e x .A h i d e s its m a l i c i o u s c o m p o n e n t s i n s i d e t h e p a c k a g e
f ile
_J O n c e it is g r a n t e d a r o o t a c c e s s b y t h e u s e r , it c o n n e c t s t o a
c o m m a n d a n d c o n t r o l (C & C ) s e r v e r t o d o w n l o a d m o r e
a p p l i c a t i o n s a n d t o f o r w a r d t h e d e v i c e IM EI a n d IMSI n u m b e r s
J It a l s o e s t a b l i s h e s a c o n n e c t i o n t o a n e x t e r n a l lin k w h ic h
c o n t a i n s a r e p a c k a g e d A PK f ile , a n d p r o c e e d s t o d o w n l o a d i n g
a n d i n s t a l l i n g t h e file
Copyright © by E&Caincl. All Rights Reserved. Reproduction is Strictly Prohibited
Android Trojan: Frogonal and Gamex

F ro g o n a l
Frogonal is a repackaged version of an original application where extra functionalities

used for malicious intent have been added into the new package. It harvests the following
information from the compromised mobile devices:
9 Identification of the Trojanized application:
• Package name
• Version code
9 Phone number
9 IMEI number
9 IMSI number
9 SIM serial number
9 Device model
9 Operating system version
9 Root availability

m @My G am es
Do you want to install this

application?
✓ Your messages
receive SMS
ft m
✓ N etw ork comm unication
Jull Internet access
✓ Storage
modify/delete SO card contents
✓ Hardware controls
take pictures and videos
✓ Phone calls
read ohone state and identity
*s ‫מ«י»א‬
FIGURE 16.18: Frogonal and Gamex Frogonal Screenshot
Gamex
Gamex is an Android Trojan that downloads and installs the files on a compromised
mobile device. It hides the malicious content inside the file that is to be installed; once it is
granted a root access by the device owner, it connects to a command and control (C&C) server
to download more applications and to forward the device's IMEI and IMSI numbers. It also
establishes a connection to an external link that contains a repackaged APK file, and proceeds
to download and install the file.
* m e 12:21 PM Q 8 B i< 3 12:22 PM

Manage applications Application info
com.android.gesture. builder
32.00KB
Example Wallpapers
20.00KB
Sample Soft Keyboard

* 7 36.00KB
This application can access the following on your
phone:
A S torage
m odify/delete SD card contents
A N e tw o rk c o m m u n ic a tio n
fu l Internet access
A Phone calls
FIGURE 16.19: Gamex Screenshot

Android Trojan: KabStamper and

Mania CEH
KabStamper Mania
J K a b S ta m p e r.A is a m a lw a r e d is tr i b u te d via T ro ja n e d J M a n ia .A is a n S M S - s e n d in g m a lw a r e t h a t s e n d s
a p p lic a tio n s t h a t d e liv e r n e w s a n d v id e o s o n t h e o u t m e s s a g e s w ith t h e c o n t e n t " te l" o r " q u iz " to
A K B 48 g r o u p th e n u m b e r 8 4 2 4 2
J M a lic io u s c o d e in t h e m a lw a r e is h ig h ly d e s tr u c tiv e ; J A n y re p ly f r o m th is n u m b e r is r e d i r e c t e d t o
it d e s t r o y s im a g e s f o u n d i n t h e s d c a r d / D C I M a n o t h e r d e v ic e to p r e v e n t u s e r fr o m b e c o m in g
/ c a m e r a f o l d e r t h a t s t o r e s im a g e s t a k e n w ith t h e s u s p ic io u s
d e v ic e 's c a m e r a
J M an ia .A is k n o w n f o r u s in g t h e tr o ja n iz a tio n
J E v e ry fiv e m i n u t e s , t h e m a lw a r e c h e c k s th is f o ld e r
te c h n iq u e , w h e r e it is r e p a c k a g e d w ith a n o t h e r
a n d m o d ifie s a fo u n d im a g e b y o v e r w r itin g it w ith a
o rig in a l a p p lic a tio n in o r d e r to d u p e v ic tim s
p r e d e f i n e d im a g e
U f f i ]<Li 6:M AM I rtflDa*26AM y ! S B 6:2* AM
£| ce« h
^ t1M*ewwa
a u11p
p jp
jp e
cn
n H c o m . a n d r o l d . g e s t u r e .b u l l d e r
W m 3*.00KB
m t*n
Android Trojan: KabStamper and Mania

K a b S ta m p e r
KabStamper is an Android Trojan that modifies images found in the target mobile
device by overwriting them with a predefined image. It is distributed via Trojanized
applications that deliver news and videos about the AKB48 group. It is very destructive and
destroys images found in the sdcard/DCIM/camera folder that stores images taken with the
device's camera.

6 S4 AM 6 :5 4 AM
r r- ‫־‬
704 1 *‫ י‬2 ‫ז‬KB
com.android.gesture.builder
• 32.00KB
■ RV E x a m p le W a llp a p e r s
S t/ 20.00KB
S a m p le S o ft K e y b o a r d
• 36.00KB
FIGURE 16.20: KabStamper and Mania Kabstamper Screenshot
M a n ia
Mania is an Android Trojan that pretends to perform license checking to cover up its
SMS-sending activities in the background. It is SMS-sending malware that sends out messages
with the content "tel" or "quiz" to the number 84242. Any reply from this number is redirected
to another device to prevent the device owner from becoming suspicious. While running,
Mania appears to be performing license checking, but this process always fails and never seems
to be completed. The license checking is a coverup for the SMS sending activities that are taking
place in the background.
a n e 6 :2 6 A M y b S G 6 :2 8 AM
FIGURE 16.21: Mania Screenshot

Android Trojan: PremiumSMS and

SmsSpy CEH
PremiumSMS SmsSpy
PremiumSMS.A is a Trojan that reaps profit from J SmsSpy.F poses as an Android Security Suite
its SMS sending activities application that records received SMS messages
into a secsuite.db
It has a configuration file that contains data on
the content of the SMS messages and the J Thismalwaretargetsbankingconsumers in Spain
recipient numbers where it is spammed via a message indicatingthat
an extra Security Protection program that
Example of the sent messages:
protects the device is availablefor download
1. N u m b e r: 1151
ft8 1 ® 7:14AM
C o n te n t: 6 9 2 0 4 6 169 BG Q C b 5 T 3 w
2. N u m b e r: 1161
s. * 7
C o n te n t: 6 9 2 0 4 6 169 BG Q C b 5 T 3 w 1 •
3. N u m b e r: 3381
ft * < 1 *
C o n te n t: 6 9 2 0 4 6 169 BG Q C b 5 T 3 w
q ‫§ז‬/ ft m
(«•< &*r.y Snlun
f e &
W.K Phone Setting* Spoic hits
Android Trojan: PremiumSMSand SmsSpy

P re m iu m S M S
PremiumSMS is an Android Trojan that reaps profit from its SMS-sending activities. It
has a configuration file that contains data on the content of the SMS messages and the
recipient numbers.
Example of send messages:
1. Number: 1151
Content: 692046 169 BG QCb5T3w

2. Number: 1161

3. Number: 3381
4. Number: 1005
Content: kutkut clsamg 6758150
5. Number: 5373

6. Number: 7250
S m sS py
SmsSpy is an Android Trojan that poses as an Android Security Suite application that
actually does nothing in ensuring the device's security. However, it records received SMS
messages into secsuite.db instead. It targets banking consumers in Spain, posing as an Android
Security Suite application.
FIGURE 16.22: SmsSpy Screenshot

Android Trojan: DroidLive SMS

and UpdtKiller CEH
DroidLive SMS UpdtKiller
D r o id L iv e m a s q u e ra d e s as a G o o g le L ib ra ry , J U p d tK ille r.A c o n n e c ts t o a c o m m a n d a n d
a t te m p t s t o u tiliz e D e v ic e A d m i n is t r a t i o n A P I c o n t r o l (C & C ) s e r v e r , w h e r e it f o r w a r d s u s e r s '
d a ta t o a n d re c e iv e s f u r t h e r c o m m a n d s f r o m
I t a t te m p t s t o in s ta ll it s e lf as a d e v ic e
a d m in is t r a t io n a p p , a n d is c a p a b le o f t a p p in g J T h is m a lw a r e is a ls o c a p a b le o f k illin g
in to p e r s o n a l d a ta a n d p e r f o r m in g a m ix t u r e o f a n t iv ir u s p r o c e s s e s in o r d e r t o a v o id b e in g
n e f a r io u s a c t iv it ie s o n a n d r o id m o b ile d e v ic e s d e te c te d
Text Messages
A i •
U ‫׳‬n(»M1 llrowv*
4P
OMOiMtOr
S
Cillfnnni
; D roidLive M a in
Add » »‫י ־‬
Contact* D«v loolt
a
I m*l
ShutdownReceiver Device
A C o n tro lle r Admin
‫י‬ ‫ &ז‬8 fe
SmsMessageReceiver
Call Phone
WakeLockReceiver Numbers D e v ic e A d m in
(Pfll W
Copyright © by EfrCoincl. All Rights Reserved. Reproduction is Strictly Prohibited.
Android Trojan: DroidLive SMSand UpdtKiller

I | D ro id L iv e S M S
DroidLive SMS is an Android Trojan masquerading as a Google Library; it attempts to

utilize a device administration API. It attempts to install itself as a device administration app,
and is capable of tapping into personal data and performing a mixture of nefarious activities on
Android mobile devices. It attempts to disguise itself as a Google library, and receives
commands from a Command and Control (C&C) server, allowing it to perform functions
including sending text messages to premium numbers, initiating phone calls, and collecting
personal data.

Send
B o o tR eceiver
T e x t M essages
A
LiveR eceiver
Add
DroidLive Main D evice
S h u td o w n R e ceive r
Controller A d m in
SmsMessageReceiver
V
Call Phone
W a ke L o c kR e ce iv er N um bers DeviceAdmin
FIGURE 16.23: DroidLive SMS and UpdtKiller DroidLive SMS
A n d ro id T ro ja n : U p d tK ille r
UpdtKiller is an Android Trojan that terminates processes belonging to antivirus products in

order to avoid detection. It connects to a command and control (C&C) server, where it forwards
harvested user data to and receives further command from.
7:51 AM
•• • 1$ 2
Alarm Clock Browser Calculator C alendar
C am era Contacts D ev Tools Email
$!7 5 P &
G allery Gestures Messaging Music
Builder
B
Phone Settings
#‫ ־‬E
Sparc Parts
FIGURE 16.24: UpdtKiller Screenshot

A n d r o id T r o ja n : F a k e T o k e n C E H
C«rt1fW4 ttfciul ■Uckw
F a k e T o k e n s t e a ls b o t h b a n k i n g a u t h e n t i c a t i o n f a c t o r s ( I n t e r n e t
p a s s w o r d a n d m T A N ) d i r e c t l y f r o m t h e m o b i l e d e v ic e
Permissions Permissions
This application can access the following on This application can access the following on
D is t r ib u t io n T e c h n iq u e s your phone: your phone:
• Through phishing emails pretending to be ✓ Y our m essag es ✓ Y our m e ssa g e s

sent by the targeted bank receive SMS receive SMS
• Injecting web pages from infected ✓ N e tw o r k c o m m u n i c a t i o n ✓ N e tw o r k c o m m u n i c a t i o n

computers, simulating a fake security app full Internet access full Internet access
that presumably avoids the interception
‫✓י‬ Y o u r p e rs o n a l in fo rm a tio n ✓ S to r a g e
of SMS messages by generating a unique read contact data modify/delete SD card contents
digital certificate based on the phone
number of the device ■S S to r a g e ✓ P h o n e c a lls
modify/delete SD card contents read phone state and Identity
• Injecting a phishing web page that
redirects users to a website pretending to ✓ P h o n e c a lls ✓ S e r v ic e s t h a t c o s t y o u
be a security vendor that offers the read phone state and Identity m oney
"eBanking SMS Guard" as protection send SMS messages
✓ S e r v ic e s t h a t c o s t y o u
against "SMS message interception and
m oney
mobile Phone SIM card cloning" A NEW VERSION
send SMS messages
Copyright © by E&Caincfl. All Rights Reserved. Reproduction is Strictly Prohibited.
^ Android Trojan: FakeToken

FakeToken steals both authentication factors (Internet password and mTAN) directly
from the mobile device.
Distribution Techniques:
© Through phishing emails pretending to be sent by the targeted bank
© Injecting web pages from infected computers, simulating a fake security app that
presumably avoids the interception of SMS messages by generating a unique digital
certificate based on the phone number of the device
© Injecting a phishing web page that redirects users to a website pretending to be a
security vendor that offers the "eBanking SMS Guard" as protection against "SMS
message interception and mobile Phone SIM card cloning"

Permissions Permissions
This application can access the following on This application can access the following on
your phone: your phone:
✓ Your messages V Your messages

receive SMS receive SMS
✓ Network communication ✓ Network communication

full Internet access full Internet access
✓ Your personal information ✓ Storage

read contact data modify/delete SD card contents
✓ Storage ✓ Phone calls

modify/delete SD card contents read phone state and Identity
✓ Phone calls ✓ Services that cost you

read phone state and Identity money
send SMS messages
✓ Services that cost you
money
NEW VERSION
send SMS messages
FIGURE 16.25: FakeToken Screenshot

■ 1
Copyright © by EC-Coind. All Rights Reserved Reproduction is Strictly Prohibited.
|J Securing Android Devices

----- Security of Android devices is a major concern as most people at present using these
devices as substitutes for computers. Similar to a traditional computer, security is mandatory
for Android devices to avoid being infected by a malicious application or data loss. The
following are a few key points that help you in securing your Android device:
© Enable screen locks for your Android phone for it to be more secure
© Never root your Android device
© Download apps only from official Android market
© Keep your device updated with Google Android antivirus software
© Do not directly download Android package files (APK)
© Keep updated with the operating system as and when updates arrive
© Use free protectors Android apps such as Android Protector. Where you can assign
passwords to text messages, mail accounts, etc.
© Customize your locked home screen with the user's information

G o o g le A p p s D e v ic e P o lic y C E H
Google Apps Device Policy app allows Google J This app allows IT administratorto enforce
Apps domain admin to set security policies for security policies and remotely wipe your
your Android device device
It is a device administration app for Google J Additionally, this app allows you to ring, lock,
Apps for Business, Education, and Government or locate your Android devices through the
accountsthat makes your Android device more My Devices page:
secure for enterprise use h t t p s : //w w w . g o o g le . c o m /a p p s /m y d e v ic e s
Dc sic p .ir tn n is W fd u r d « g o o g le
O o r u ir o d r u m stfjto f s ca n **I
p o 1c * « nrxl rtirn lr iy w ip • lb*
q o o q e cc n V a p ta /m ir cfcv c es
cl 1c changrpauvora
irk tinMMMCn*««t no! b• gfit• ■ than /
J r r e g isttf th is a cco u n t 80 I ‫ גו‬no A c c o u rt r« j 1ster<d

O f 0# f m an ao efl b y you r dom ain
x in n ii t n i t w i
h ttp s ://p lo y .g o o g le .c o m
Google Apps Device Policy

Source: https://play.google.com
The Google Apps Device Policy app allows a Google Apps domain admin to set security policies
for your Android device. It is a device administration app for Google Apps for Business,
Education, and Government accounts that makes your Android device more secure for
enterprise use. This app allows an IT administrator to enforce security policies and remotely
wipe your device. Additionally, this app allows you to ring, lock, or locate your Android devices
through the My Devices page: https://www.google.com/apps/mydevices■

Device administered under rpogle Some device details arp shared with ✓ Successfully synced with Domain administrators can v
I com domain administrators server retails about your device
Dama r administrators can set

Click 10 view •h a ted <t*wic♦ M a ilt IVvict• Model ft alary Ncnic
Successfully synced with
policies and remotely wipe the HsidworcID
device. Dcvicc password must contort
numbers.
server
0«vtce ID '4*684
Phont Numb?'
1 Successfully synced with
9 ocate your device at m & J l m x i .

google com/apps/mydevices
google.com/apps/mydevices
C lick 10 cl<d n;c p assw ord
Device password must have at least 8 ✓

server.
Successfully synced with

Ocvicc OS;
Bu»ld Numbe!
T Mobk
Android 4.0.4
IMM/bH
characters
Successfully synced with server at
Succe! server.
O‫ו‬2:‫ו‬2.
Kernel version 3 08-fll»4feC9
Click 10 ch a n g e p assw ord
Basftv.no Version IS?SOXXI A?
Successfully synced with Iasi Sync: 2012rtWQ316:IS
Lock timeout must not be greaier than ✓ server.
kUCAdd’ess a: S»7cJ«J4rtft
15 minutes.
Unregister this account so it is no Click to change timeout Account registered.
lenger managed by your domain
administrators. Domain administrators w il be able to
remotely wipe the riei/ic#*
Jmegistei
FIGURE 16.26: Google Apps Device Policy

‫נ‬
RemoteWipe Service: RemoteWipe CEH (•rtifw d itk itjl
J If users have Google Sync installed on a supported mobile device or an Android device
with the Google Apps Device Policy app, they can use the Google Apps control panel
to remotely wipe the device
Mobile settings
T o r e m o t e w ip e
O n S te m s A ctM ton
a lo s t o r s to le n d e v ic e :
S ign in t o y o u r G o o g le A p p s c o n t r o l
p a n e l.
C lic k S e ttin g s ‫ >־־‬M o b ile .
In t h e D e v ic e s t a b , h o v e r y o u r c u r s o r
o v e r t h e u s e r w h o s e d e v ic e y o u w a n t t o
w ip e .
C lic k R e m o te W ip e in t h e b o x t h a t
a p p e a rs .
A s e c o n d b o x a p p e a rs a s k in g y o u t o
c o n f ir m t h a t y o u w a n t t o r e m o te ly w ip e
t h e d e v ic e . I f y o u a r e s u r e y o u r w a n t t o
w ip e t h e d e v ic e , c lic k W ip e D e v ic e .
h ttp ://s u p p o rt.g o o g le .c o m
RemoteWipe Service: Remote Wipe

' Source: http://support.google.com
Remote Wipe Service is a feature service that allows you to reset or erase the information in
the lost or stolen device. To use this service the device should install Google Sync or Device
Policy. This can also delete all the information in the device such as mail, calendar, and
contacts, etc. and cannot delete data stored on the device's SD card. When this service
completes its task, it prompts the user with a message as acknowledgement to the delete
function.
To remote wipe a lost or stolen device:

1. Sign in to your Google Apps control panel.
2. Click Settings ‫ >־‬Mobile.
3. On the Devices tab, hover your cursor over the user whose device you want to wipe.
4. Click Remote Wipe in the box that appears.
5. A second box appears asking you to confirm that you want to remotely wipe the device.
If you are sure you want to wipe the device, click Wipe Device.

M o b ile s e tt in g s
P>B»««|na» Acevrtgn d«. c«

Search A! vxr.r, B 'o c k R e m o tt E*pcrtAI ‫׳‬
‫[ ם‬Device ID OS Type Last Sync. Status

‫—דמזזיזי‬ ‫סד־‬5‫־‬5‫־‬ ‫— חזזדר‬ ‫זר־‬a m *r
‫ר‬
□ Mt f .XUPm )utreiirtmftnn^aaliMcotn
□ AppLJSSMQ EmrroZun? •<nm4&jru^*ll0Ktr*lc0«n ■Phone 3G» iOS 5 Google Syne Approved
□ Acot..0K33NR Bustos Dormxa txniaufcanocq-aacatiMcom ■Phone 3G» OS 4 0 Coogle Sync 11/4/11 Approved
,Prone 4 iOSS Google Sync 11/4/11 Approved

On mouseover hovercards
*aaosltalcom Google Sync 11/4/11 Approved
7 Phone 7
‫ם‬ 6‫׳פפ‬-.‫«טטוג‬ kLWSSi \ avetrom ia M lia tc o n iPhone 3G ■OS 4 2 Google Sync 11/2/11 Aporoved
□ 36cS 878ac0 Snaro? M lff|1 r1 \| mwoCTHrancto ‫ י‬a*oatr»Uoro News S Android 2 3 6 Android 10F2*11 Aporoved
□ A00LB9KA4I La m n e M0H! Nexus S IS Google Sync 10/26/11 Aperovod
N*mo Suw*iM1r«l1 IS Google Sync 10/28/11 Approved
‫ם‬ Ab07..‫׳‬BWMP H«Ti_Bacf»l1« 3 a C 1» l l l i w i M l* 1■ ■ a ■ M 1
‫ם‬ AdpI 2TTA4T Doctor Brode 00V<« ID 38c60Sd IS Google Sync 10/20/11 Approved
■ M ID 86743096674 309
H a rd w a re
‫ם‬ ABfiLDUMT Hi ifaart OuMn IS Google Sync 10/20/11 Approved
F T»t Sync 4/1(111 926 PM
□ Am U EX M I l- . k lr o k . r o d i Last Sync 1 (y2 * 1 1 208 PM IS Google Sync 10/20/11 Approved
c And JCSA4T JucquKRetm i [ Block Remote Woe View Details ‫ ר‬IS Google Sync 10/15/11 Approved
‫ם‬ Afifif.PniMS Vic l a ! t o ] 1 A. IS Google Sync 10/18/11 Approved
‫ם‬ Acd EYD3NS Tom Castro tome att1 0 **acatr *teem ■Phone 3Gs ■OS 4 3 Google Sync 10/14/11 Approved
‫ם‬ AP0L.50XA4T Gervaslo Montonwro am nlom on •4K«t1Mcom iPhone 4 iOS 4.3 Google Sync 10/13/11 Approved
C 3cSO Ie7a0§ Erik Lontito( etklomot >a«astfatcom Oqtad MT Andro!d235 Android 1013/11 ‫׳‬ ‫ן‬
‫ם‬ Ado WQ8A4T 1
B<wtr /Vllofbo beatimasfbo - altos trat com ■Phone 4 !os 4 ‫נ‬ Google Sync 10/8/11 Biocaod
□ 3336 &04a6d Ptofro Monaid ptMiememrdialostialcoai Ixjiad UT Android 2 3 5 Android 1<y7/11 Approved
A0PLZPDFHW Silas Haslam stoslmlamaaaostiatcom iPad 2 ■OS4 3 Google Sync 10/6/11
FIGURE 16.27: Remote Wipe Service

Android Security Tool:

DroidSheep Guard CEH
D ro id S h e e p G u a rd m o n i to r s
y o u r p h o n e s A R P -T ab le a n d
. ^ 1* ®‫״ *יי י‬27.12.2011
‫ ג י‬20•:)« 51<
p o p - u p a l e r t s in c a s e it
d e t e c ts s u s p ic io u s e n tr ie s in m -
t h e p h o n e s A R P-T able ‫וז מ ח ה‬
It c a n im m e d ia te ly d is a b l e
W iFi c o n n e c tio n to p r o te c t
C h e c k s p er Minute: 60
y o u r a c c o u n ts
V ' Autoslart/ slop depending WiFi
D ro id S h e e p G u a rd w o r k s S O M E O N E SEEM S TO BE HIJACKING USING
ARP S P O O FIN G ON THIS NETWORK'
w ith all A R P -B a se d a t ta c k s ,
V / Disable WiFi on alert
like D ro id S h e e p a n d F ace n iff Open DroidSheep Guard
y / Notify in system
mnrfe (MIGHT cause false alerts)

. / ruutious mode 1‫ ״‬lun
WiFi was ne!»o‫*׳‬
Hijack•' You d , , M , MAC
h ttp ://d r ° idsheeP''
Android Security Tool: DroidSheep Guard

Source: http://droidsheep.de
DroidSheep Guard monitors your phone's ARP-Table and it warns you by pop-up alerts in case
it detects malicious entries. It can instantly disable a Wi-Fi connection to protect your accounts.
This can guard against all ARP-based attacks, such as DroidSheep and Faceniff, man-in-middle
attacks, handmade attacks, etc. You can use Facebook, eBay, Twitter, and Linkedln accounts on
public Wi-Fis securely.

*SS T <3 20:00

Status: R unning
< last check 27 12 2011 20:00 51>
111mil
4K
^^^TL
‫־‬r r -
Checks per Minute: 60
V ' ' A utostart/ stop d epending W iFi

S O M E O N E S E E M S T O B E H IJ A C K IN G U S IN G
A R P S P O O F IN G O N T H IS N E T W O R K !
\ / D isable W iF i on alert
\ f Notify in system
V / Cautious m ode (M IG H T c a u se false alerts)
Start Stop Sa/eand

protection protection hide
nIP
*1190216176.#211S171M
8MACQ?sot3a>ao-ao
ACt04t7lto(Mt1
FIGURE 16.28: DroidSheep Guard Screenshot

Android Vulnerability
Scanner: X-Ray CEH
X-Ray scans your Android device to determine ^ r
I whether there are vulnerabilities that remain | _ ♦1 ‫י‬
unpatched by yourcarrier X I ‫׳ ״‬ ‫• < »׳‬
Wunderbar
It presents you with a list of vulnerabilities Mcmpodroid

A
1 You! (kWtell rUnnMlr 1C jO
that it is able to identify and allows you to
check for the presence of each vulnerability ASHMEM
on your device Uilfr.*,‫ ! ״‬Jjl, ?.'.>1. :02
ZcrgRuch
U1l«.KWrl Jjl, 71^ JtW
Gingerbr^nk V‫׳‬
t Ml rrvVy/M JmV WH
Zim peilkh
X-Ray is automatically updated with the V‫׳‬
♦‫כד־‬ O ‫י ם‬
ability to scan for new vulnerabilitiesas
they are discovered and disclosed © L ____________________
h ttp ://w w w .x ra y .io
Android Vulnerability Scanner: X-Ray

Source: http://www.xray.io
X-Ray scans your Android device to determine if there are vulnerabilities that remain
unpatched by your carrier. It presents you with a list of vulnerabilities that it is able to identify
and allows you to check for the occurrence of vulnerabilities on your device. This is
automatically updated with the ability to scan for new vulnerabilities as they are discovered
and disclosed. X-Ray has detailed information about a class of vulnerabilities known as
"privilege escalation" vulnerabilities. Such vulnerabilities can be exploited by a malicious
application to gain root privileges on a device and perform actions that would normally be
restricted by the Android operating system.
FIGURE 16.29: X-Ray Screenshot

Android Penetration TestingTool:

Android Network Toolkit - Anti CEH
On each run, Anti will map your network, scan for active devices
and vulnerabilities, and will display the information accordingly:
A ‫« ״‬i Green led signals an Active device, Yellowled signals
Available ports, and Red led signals Vulnerabilityfound
J Each device will have an icon representing

the type of the device
J When finished scanning, Anti will produce
an automatic report specifying which
vulnerabilities you have or bad practices
used, and howto fixeach one of them
h ttp ://w w w .z a n tia p p .c o m
Android Penetration Testing Tool: Android Network

Toolkit ‫־‬Anti
Source: http://www.zantiapp.com
Android Network Toolkit ‫ ־‬Anti is an Android penetration testing tool. It is a network scanner
that allows you to scan for active devices and vulnerabilities and shows the evidence
accordingly: Green signals an "Active device," yellow signals "available ports," and red signals
"Vulnerability found.. Each device has an icon representing the type of device. When finished
scanning, it produces an automatic report specifying which vulnerabilities you have or bad
practices are used, and how to fix each one of them.

‫ יי‬t 9 t * ▼4 ■ »« « | f M v 1 4 • IN
X Local Target!
IDHQ.3
•
•
ft■
1 ;
1000JV24 10001
•
Scar
w ; ip •
•
•
CennMi 02
100 100.0J
‫ ׳‬W • MM
• 1HWlHW
■ • iMMUMMl• •
•
\ «R«I
m
100.0s
■
‫׳‬ 19
006
•
I 10
MJ.TM Altxk
m
^
! mW •
••
V 1!‫«׳‬ A 0
FIGURE 16.30: Android Network Toolkit ‫ ־‬Anti

Android Device Tracking Tools CEH

(•rtifwd ilk. (41 •UthM
to!■4D 711w
Security Settings
p r e y
Find M y Phone Prey A n ti-T h e ft A n d ro id A n ti T h e ft S e cu rity W heres M y D roid

http://findmyphone. mangobird. com http://preyproject. com http://w w w .5nuko.com http://where5mydroid. com
Total Equipment
Pr te c tio n
app
□ Btctup my ptauw fromQniMvKi
o
iH ound G adgetTrak M o b ile S e cu rity Total E q u ip m e n t P ro te c tio n A pp A n d ro id L o s t.c o m
https://ww w . ihoundsoftware. com http://w w w . gadgettrak. com https://protection. sprint, com http ://www. android lost, com
Android Device Tracking Tools

Android device tracking tools help you to track and find the locations of an Android
device in case it is lost, stolen, or misplaced cases. A few Android device tracking tools are
listed as follows:
F in d M y P h o n e
Source: http://findmyphone.mangobird.com
Find My Phone is an Android phone app that helps you find your lost, stolen, or misplaced
phone. When you lose your phone, just send it a text msg (SMS) and the phone will reply with
its current location. You can also make your phone ring loudly if you lose it somewhere close,
like inside your home.

FIGURE 16.31: Find My Phone Screenshot
P r e y A n ti-T h e ft
Source: http://preyproject.com
Prey lets you keep track of your laptop, phone, or tablet if it is stolen or missing. It supports
geolocation. It's lightweight, open source software that gives you full and remote control, 24/7.
FIGURE 16.32: Prey Anti-Theft Screenshot
A n d ro id A n ti-T h e ft S e c u r ity
— Source: http://www.snuko.com
The Android anti-theft security tool Snuko is anti-theft software that allows you to use it on
multiple platforms protecting thousands of PCs, mobile phones, laptops, etc. It offers a
complete online back-up solution; as part of the anti-theft package Snuko subscribers' files can
be stored safely and securely in the cloud. This can generate important tracking information
and security for your data by using its Mobile Dashboard. If the mobile device is lost, then the
device is locked to prevent any unauthorized access. If the device's SIM card is replaced without

your knowledge, the new SIM card number, phone number, and the IMEI/IMSI numbers will be
recorded. The phone cannot be used until the correct PIN code is entered.
1•
• 0■ a o n
M . b|fSf»*r>
ANDROID ANTI-THEFT
O tv K • lo c a tio n
y .
m • -_ ‫• ־‬
I
'*
y V
* #
‫־‬-* •
A c c u • c y to iM h n € 0 r « c « « n o f
t o c j d o n C k t 1 r u f » « o r r M r w T V t n \j p ,
FIGURE 16.33: Android Anti-Theft Security Screenshot
W h e re s M y D ro id
Source: http://wheresmydroid.com
Where's My Droid is an Android device tracking tool that allows you to track your phone from
anywhere, either with a text messaged attention word or with an online Commander. The app
can also get the GPS coordinates with a link to Google Maps; if you're not near enough to your
phone to hear the ringer, it can turn the ringer volume up and make your phone ring. One of
the features is Activity Log, which enables you to see what the app does, when it does it, and
who is using it.
%•!■>)<™‫י‬-•
FIGURE 16.34: Wheres My Droid Screenshot
iH o u n d
-------- Source: https://www.ihoundsoftware.com

iHound is an Android device tracking tool that allows you to track your mobile using its GPS and
WiFi, 3G, or Edge signals built into your devices to determine its location. Using its tracking
website, you can track the location of your device, remotely lock your phone, and remotely
erase important personal information such as: SMS messages, contacts, phone call logs, photos,
videos, and/or SD storage data. You can also set Geofencing location alerts by its intuitive
mobile website optimized for iPhone, iPod Touch, and Android phones. You can track multiple
devices on multiple platforms and set up Geofences.
FIGURE 16.35: iHound Screenshot
G a d g e tT r a k M o b ile S e c u rity
Source: http://www.gadgettrak.com
GadgetTrak Mobile Security tool helps you to moderate the risk of mobile device loss or theft.
It allows you to track its location, back up data, and even wipes the data in the device remotely.
With the combination of GPS, Wi-Fi positioning, and cell tower triangulation, you can easily
track the location of your device. If your device is lost or stolen, you can remotely enable a
piercing alarm, even if it's in silent mode. Once tracking is activated, the software settings
cannot be modified unless deactivated.
' B f f f l U l 2 2 4 PM
II w a n e t o b e a b e t o w ip e m y p ic t u r e s
if (his Susan s N e xjs One gets stolen
I Backup n y pictures frorr th s device
FIGURE 1 6 .3 6 : G a d g e tT r a k M o b ile S e c u r ity

T o ta l E q u ip m e n t P r o te c tio n A p p
-----‫—־‬ Source: https://protection.sprint.com

Total Equipment Protection App is an Android device tracking tool that allows you to find,
repair, and replace your phone, whether it is dead or lost. It also comes with online features
that protect your existing handset. When you lose the phone, you can map the exact location
with directions on how to get there. It sounds the alarm when the phone is misplaced by its
alarm even when it is on silent mode. You can choose to remotely lock a misplaced phone or
erase your contacts and you can even synchronize and restore the lost phone after its recovery
or can get a new phone.
Total E q u ip m e n t
P r te c tio n
app
a su n o n
FIGURE 16.37: Total Equipment Protection App Screenshot
A n d r o id L o s t.c o m
‫—י‬ Source: http://www.androidlost.com

AndroidLost.com is an online service that allows you to find your lost phone. You don't need to
install the AndroidLost on the phone but you can push the AndroidLost app to your phone from
Google Market and initiate the connection to Google servers by sending an SMS with the
message "Androidlost register" to your phone when its lost to find its location and tracking.
Sound alerts can be enabled even when the phone is in silent mode from your PC. You can
control more than one phone from your account.

4 9 ’!‫ ^ * י ן‬/ ■ ( : u i n
www.Androidlost.com
IM k U
Dm s •n •pp (M l M you rwnott coMrol yaw
Jfton* from *form 4nar04O(»t.(0m UtcfUl m c««
fOu pul your im M c on ite it and lew n «
u»n«w«Mr•. of In cm• ■ (•o *cm
8 »0
iooa ntwt • your prion* • «ir*Mfy r#f » f m
fo o t* vo trw‫־‬y can vmd to you Non
0
I |v> to wwrw mdroOott com 411*0 ‫ יו‬to
wnottcantroi your phone.
I■01
FIGURE 16.38: AndroidLost.com Screenshot

M odu.le Flow c EH
Uttiftod IU kjI lUchM
ft ft ft
r ls M . r ‫׳‬
Mobile Platform
Attack Vectors
Hacking
BlackBerry
Copyright © by E&Caind. All Rights Reserved. Reproduction is Strictly Prohibited.
Module Flow
iOS is a mobile operating system developed by Apple. Apple does not license iOS for
installation on non-Apple hardware. The increasing use of Apple devices for many purposes has
grabbed the attention of attackers. Attackers are concentrating on hacking iOS so that they can
gain access to Apple devices at the root level.
(^ 6 ) Mobile Platform Attack Vectors Hacking BlackBerry

1
Hacking Android iOS Mobile Device Management
Hacking iOS Mobile Security Guidelines and Tools
Hacking Windows Phone OS ‫^י׳‬ Mobile Pen Testing

This section introduces you to the Apple iOS and focuses on hacking iOS. This section describes
iOS attack vectors such as jailbreaking and types of jailbreaking, and also covers the guidelines
to be followed in order to secure iOS devices.

Security News CEH

■
H om e A b o u t Us P ortfolio | T ec h N e w s | S e r v ic e
24-Sep-2012
Researchers Hack iPhone Running Latest
^ Apple iOS, Steal Data
A h W h it e - h a t h a c k e rs b r o k e in to t h e d e v e lo p e r v e r s io n o f iOS 6, m e a n in g A p p le 's ^
n e w iP h o n e 5 c o u ld b e v u ln e r a b le . P™ / ,
..... R esearchers h a v e b ro k e n in to a n iP h o n e 4S ru n n in g th e la te s t v e rs io n o f A p p le
‫מ‬ I iOS, m a k in g it p o s s ib le t o e x p lo it th e sa m e v u ln e ra b ility in th e iP h o n e 5.
:"2 1 The w h ite -h a t hacke rs J o o s t Pol a n d D a an K e uper s h o w e d h o w th e y w e re a b le t o

s te a l c o n ta c ts , b ro w s in g h is to ry , p h o to s a n d v id e o s t o w in $ 3 0 ,0 0 0 in th e m o b ile
P w n 2 0 w n c o n te s t W e d n e s d a y a t E U SecW est in A m s te rd a m , IT W o rld re p o rts .
Beca use th e h acke d iP hone w a s ru n n in g a d e v e lo p e r v e rs io n o f iOS 6, it's lik e ly

th e s a m e v u ln e r a b ility c o u ld be us e d t o b re a k in to a n iP h o n e 5 o r t h e la te s t iP ad
J® a n d iP o d T o u c h d e v ic e s .
U sing th e m a lic io u s c o d e in a w e b s ite w o u ld e n a b le a c y b e rc rim in a l t o bypass th e

s e c u rity m e c h a n is m s in S a fa ri t o g a in access t o th e p h o n e 's d a ta .
h ttp ://w w w .c o m p u te rw o rld .in
Security News
R e s e a r c h e r s H a c k iP h o n e R u n n in g L a t e s t A p p le iO S ,
S te a l D a ta
Source: http://www.computerworld.in
White-hat hackers broke into the developer version of iOS 6, meaning Apple's new iPhone 5
could be vulnerable.
Researchers have broken into an iPhone 4S running the latest version of Apple iOS, making it
possible to exploit the same vulnerability in the iPhone 5.
The white-hat hackers Joost Pol and Daan Keuper showed how they were able to steal contacts,
browsing history, photos and videos to win $30,000 in the mobile Pwn20wn contest
Wednesday at EUSecWest in Amsterdam, IT World reports.
Because the hacked iPhone was running a developer version of iOS 6, it's likely the same
vulnerability could be used to break into an iPhone 5 or the latest iPad and iPod Touch devices.
The WebKit browser exploit took only a few weeks to make, the researchers told IT World.
Using the malicious code in a website would enable a cybercriminal to bypass the security
mechanisms in Safari to gain access to the phone's data.

WebKit is a layout engine used by browsers to render Web pages. The open source technology
is used in the Safari Web browser in iOS and in Google's Chrome, which recently became the
default browser for Android.
The Dutch researchers are not the first penetrate the iPhone's defenses through WebKit, said
Chenxi Wang, an analyst for Forrester Research. Hackers typically target WebKit because Apple
does not use a number of standard security practices in using the engine.
Apple has not said why, but it could be related to phone performance and battery life. In
addition, Apple doesn't vet code executed on the browser, like it does apps before allowing
them to be offered to iPhone users.
"This opens doors to remote exploitation," Wang said. "But to [Apple's] credit, we haven't seen
a lot of that going on, which is actually quite impressive."
Wang does not believe the risk of the latest vulnerability is very high. That's because a
cybercriminal would have to find a way to get iPhone users to a compromised site. A hacker
could inject malicious code into a popular Web site, but this would also be difficult.
"It's certainly possible and certainly is a threat, but I don't see it becoming a massively popular
way of attacking iPhone users," he said.
The Dutch researchers held back some of the details of their work, in order to prevent giving
cybercriminals a hacking roadmap to the iPhone.
"Apple will have to come up with an update and then people need to upgrade as fast as
possible," Pol told IT World.
Speed in plugging the hole is key to reducing risk, said Peter Bybee, president and chief
executive of cloud security provider Security On-Demand.
"Whether you're likely to be attacked depends on how long the gap will be between when
Apple fixes the problem and attackers repeat the researcher's success," Bybee said. "Just
because the exploit is shared only with the vendor doesn't mean that it won't get out into the
open market. There was enough detail in how they found the exploit and used it that it could
be replicated by an experienced malware creator."
Other participants in the hacker contest demonstrated breaking into the Samsung Galaxy S3 via
its near field communication (NFC) technology. The researchers from security company MWR
Labs were able to beam an exploit from one Galaxy S3 to another.
Once the malicious app is installed in the receiving phone, a hacker would have full access to
the phone's data, Tyrone Erasmus, a security researcher at MWR told IT World. The app runs in
the background, making it invisible to the phone's user.
The exploit targets vulnerability in the document viewer application that comes as a default app
in the Galaxy S2, S3 and some HTC phones. The flaw enables a hacker to steal text messages,
emails, contact information and other data.
The researchers said the vulnerability, which also exists in the Galaxy S2, could be exploited by
malware sent via email, the MWR team said. The researchers also won $30,000 for the hack.

Zero Data Initiative by Hewlett-Packard's DVLabs organized the competition. DVLabs will send
details of the hacks to Apple and Samsung, respectively.
Copyright © 2005 - 2009 IDGMedia Private Ltd. All rights reserved.
By Antone Gonsalves
http://www.computerworld.in/news/researchers-hack-iphone-running-latest-apple-ios-steal-
data-29822012

Apple iOS CEH

J
J iOS is A p p l e 's m o b i l e o p e r a t i n g system, !‫יי‬ J The user interface is based on the

which supports Apple devices such as concept of d i r e c t m a n i p u l a t i o n , using
iPhone, iPod touch, iPad, and Apple TV m u l t i - t o u c h gestures
Core Services
Core OS
Apple iOS
m iOS is the Apple mobile's operating system established for its iPhones. It maintains and
sustains other Apple devices such as iPod Touch, iPad, and Apple TV. Using the Mac OS X, the
iOS operating system is fabricated. The user interface is based on the concept of direct
manipulation, using multi-touch gestures. This has many other options and features using
which daily work becomes easy and this can be updated on your iPhone, iPad, or iPod Touch
using Wi-Fi and other wireless networks.
FIGURE 1 6 .3 9 : A p p le lo s S c r e e n s h o t
M o d u le 16 P ag e 2471 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UI1Cil

Jailbreaking iOS CEH

(•rtifw d ith iu l •UtkM
J Jailbreaking is defined as the process of installing a modified set of kernel patches

that allows users to run third-party applications not signed by the OSvendor
J Jailbreaking provides root access to the operating system and permits
downloading of third-party applications, themes, extensions on an iOSdevices
J Jailbreaking removes sandbox restrictions, which enables malicious apps to access
restricted mobile resources and information
J a ilb r e a k in g , lik e r o o t in g , a ls o c o m e s w it h m a n y s e c u r i t y
a n d o t h e r r i s k s t o y o u r d e v i c e in c l u d in g ?
V o id s y o u r p h o n e 's
M a lw a r e in fe c tio n
w a rra n ty
P o o r p e r fo r m a n c e B ric k in g t h e d e v ic e
Jailbreaking iOS
Jailbreaking is a method of getting control of the iOS operating system that is used on
Apple devices. It relaxes the device from the barriers of dependencies on exclusive Apple
source applications and allows the user to use third-party apps unavailable at the official app
store. It is accomplished by installing a modified set of kernel patches that allow you to run
third-party applications not signed by the OS vendor. It is used to add more functionality to
standard Apple gadgets. It can also provide root access to the operating system and permits
download of third-party applications, themes, extensions, etc. This removes sandbox
restrictions, which enables malicious apps to access restricted mobile resources and
information.
Jailbreaking, like rooting, also comes along with many security and other risks to your device
including:
© Voids your phone's warranty

© Poor performance
Q Bricking the device
© Malware infection

Types o f Jailbreaking CEH

U serland Exploit
J A userland jailbreak allows user-level access but

does not allow iboot-level access
r ,---------------------------------------------------------------------------------------------------------
^ ^ iB o o t E x p lo it
w i
f c j
, J An iboot jailbreak allows user-level access and iboot- I m
r —1\
level access
)
L, — Bootrom Exploit
* ‫ד‬ ^ J A bootrom jailbreak allows user-level access and

UJ
iboot-level access
v J
Types of Jailbreaking
When the device starts booting, it loads Apple's own iOS at start, but to get more apps
from third parties, the device must then be broken and have the kernel patched each time it is
turned on. There are three types of jailbreaking methods used:
Userland Exploit: A userland jailbreak allows user-level access but doesn't allow iboot-level
access. This type of exploit cannot be tethered as it cannot have recovery mode loops. These
can be patched by Apple. The userland exploits use a loophole in the system application to gain
control of that application. This exploit can only give control to the filesystem. This type of
exploit can access non-vital code in the application and is user friendly and platform
independent.
iBoot Exploits: An iBoot jailbreak allows file system and iboot level access. This type of exploit
can be semi-tethered ifthe device has a new bootrom. This is mostly used to reduce low-level
iOS controls. This exploit method takes the help of the hole in iBoot to delink the code signing
appliance and then the customer can download required applications. Using this method users
configure the mobile to accept custom firmware and probably jailbreak more.
Bootrom Exploits: A bootrom jailbreak can break all the low-level authentications such as
providing filesystem, iBoot, and NOR access (custom boot logos). This process finds a hole in
the application to discard the signature checks. It can't be corrected by Apple. A bootrom
jailbreak allows user-level access and iBoot-level access. These cannot be patched by Apple.

Jailbreaking Techniques CEH

UrtNM
A ■ I ^ ^ h e l d Jailbreaking^
W i th a t e t h e r e d j a i l b r e a k , if t h e
d e v i c e s t a r t s b a c k u p o n it s o w n ,
i t w ill n o l o n g e r h a v e a p a t c h e d
k e r n e l , a n d it m a y g e t s t u c k in a
Untethered Jailbreaking p a r t i a l l y s t a r t e d s t a t e ; in o r d e r
f o r it t o s t a r t c o m p l e t e l y a n d
A n u n te th e r e d ja ilb r e a k h a s th e w i t h a p a t c h e d k e r n e l , it
p r o p e r t y t h a t if t h e u s e r t u r n s t h e e s s e n tia lly m u s t b e "re-
d e v ic e o ff a n d b a c k o n , t h e d e v ic e ja ilb r o k e n " w ith a c o m p u te r
w ill s t a r t u p c o m p l e t e l y , a n d t h e ( u s in g t h e " b o o t t e t h e r e d "
k e r n e l w ill b e p a t c h e d w i t h o u t t h e f e a tu r e o f a ja ilb r e a k in g to o l)
h e l p o f a c o m p u t e r - in o t h e r e a c h t i m e i t is t u r n e d o n
w o r d s , it w ill b e j a i l b r o k e n a f t e r
ea ch re b o o t
Copyright © by E&Ctincfl. All Rights Reserved. Reproduction is Strictly Prohibited.
Jailbreaking Techniques
There are two jailbreaking techniques:
Untethered Jailbreaking
Untethered jailbreak is a method of rebooting the mobile device without connecting
it to the system every time you boot. If the battery of the device is spoiled, after changing it
boots as usual. Some jailbreak solutions are greenpoisOn, PwnageTool, limeraln, and
snOwbreeze.
Tethered Jailbreaking
With a tethered jailbreak, if the device starts back up on its own, it will no longer have
a patched kernel, and it may get stuck in a partially started state; in order for it to start
completely and with a patched kernel, it essentially must be "re-jailbroken" with a computer
(using the "boot tethered" feature of a jailbreaking tool) each time it is turned on.

Platform for Jailbroken

A p p r E 11
Devices: Cydia lE ?
Cydia is a software application for iOS that Welcome 10 Cydia"*
enables a user to find and install software y by Jay Frooman (saurik)

Extensions Ute'ul on iPad
packages (including apps, interface

o C ydU > □ saurik
^ *ctivatof cuMonae actors >
Featured Them
customizations, and system extensions) on a " J FullForea H M W 1M K M 1 >
IncarcarApp ‫* •יי״י‬on«ua« >

jailbroken iPhone, iPod Touch, or iPad
(jgj ►rtallJC Zyi^SZLZ'‫'־‬ NOLOCKSCTWT ««** >
EH SBSertnas ffoiMfcwi wttnga >

^ Cydia Storr Products
" J Spit Mol oo‫״ ׳••׳‬uJ « kh»‫> ״•׳‬
X U aiig• AceourV
Prodjcl* DasiQnet) tor IPad
UpQ-adlnqard jailbreaMnq Help
J It is a graphical front end to Advanced Mar• P vb ig• iour(•■
ntaplayOtit rt*rw •craan IdTV >
Packaging Tool (APT) and the dpkg package mrrnnc30

^ ruli6<r*en m p w tW r >
H in t• troaaatraod'ylocal‫> יייי‬
management system, which means that the Ute' OUKMS rZ.' Mutk Cofitroli Pro •■. , ‫•־‬ >
packages available in Cydia are provided by a F ieq uan tly A »k*d O u eslton a MyWI OnOemana --1 w »‫> ) ״׳‬
decentralized system of repositories (also Copying FMo« l»*nm novk-o
t s HhotoAtjum*. !wag* • M n >
called sources) that list these packages O p n I M Aoom • Mm> To Q PrcTcba paimcraYouTub• >
Hoa Hat■word How-To ^ Paim •Pm) , ho ‫> •כיי‬
Oovdopar* Onty B Sw‫״‬lySMJ <Mm«MV>u> M >
h ttp ://c y d ia .s a u rik .c o m
Copyright © by E&Cauici. All Rights Reserved. Reproduction is Strictly Prohibited.
App Platform for Jailbroken Devices: Cydia

Source: http://cydia.saurik.com
Cydia is a software application specifically designed for iOS enabled services for devices to
jailbreak that facilitates a user to install software on iPhone, iPod Touch, iPad, etc. It has many
different applications, extensions, themes, features, and customizations. It is a graphical front
end to Advanced Packaging Tool (APT) and the dpkg package management system, which
means that the packages available in Cydia are provided by a decentralized system of
repositories (also called sources) that list these packages.

H D D
«‫־‬a
FIGURE 16.40: Cydia Screenshot

Jailbreaking Tools: RedsnOw

and Absinthe
RedsnOw A bsinthe
J RedSnOwallows you to jailbreak your iPhone, J Ajailbreak solution for your iPhone, iPod,
iPod Touch, and iPad running a variety of iPad, and AppleTV brought to you by Chronic
firmware versions Dev Team
........ redsnOw 0.9.12bl C h ro n ic -D e v A b s in th e - V e rs io n 2 .0
Welcome to Absinthe 105 5.1.1 untethered jailbreak1

Welcome! This Is the latest version of redsnOw.
Copyright 2007-2012 IPhone Dev-Team. All rights reserved. Not Please make a backup of your device before using this tool. We donf expect
for commercial use. any ssues. but we aren't responsible if anything happens.
httD://bloa.lDhone-dev.ora iPnone 4s with 10S 5.1.1 (9B206) detected. Click the button to begin.
Jailbreak Jailbreak and install Cydia.

Jailbreak
Extras Everything else. Chronic-Dev Absinthe© 2011-2012 Chronic-Dev Team

S.1.x exploits by @pod2g. ®planetbeing, and @p1mskeks
5.0.x exploits by: @pod2g, @planetbeing, @saurik, @pimskeks,
Connected: IPhone 4S (5.1.1) @p0s1xnmja, @MusdeNerd, and @xvolks.
Artwork by @iOPK. GUI by Hangne Samara &@)pimskeks.
i Next > ) | Cancel Support us (PayPal) http://greenpo1s0n.com/
h ttp ://b lo g .ip h o n e -d e v .o rg h ttp ://g re e n p o i5 0 n .c o m
Jailbreaking Tools: RedsnOwandAbsinthe

RedsnOw
w Source: http://blog.iphone-dev.org
RedSnOw allows you to jailbreak your iPhone, iPod Touch, and iPad running a variety of
firmware versions. This is developed by the iPhone Dev Team. It supports Windows and Mac OS
X operating systems to jailbreak iOS devices, both tethered and untethered.
o r> o redsnOw 0.9.12bl
Welcome' This is the latest version of redsnOw.

Copyright 2007-2012 iPhone Dev-Team All rights reserved. Not
for commercial use.
Into:/ / btoa. inhone-dev.ora
Jailbreak Jailbreak and install Cydia
Extras Everything else.
Connected iPhone 45(5.1.1)
; Next > ! ( Cancel
FIGURE 1 6 .4 1 : R e d s n O w S c r e e n s h o t

A b sin th e
S o u rce: h ttp ://g re e n p o is O n .c o m
A b s in th e is a j a i l b r e a k s o lu tio n fo r y o u r A p p le m o b ile d e v ic e s , in c lu d in g th e iP h o n e , iP a d , iP o d
Touch, and A p p le T V b ro u g h t to you by C h ro n ic D ev T eam ; th e ir a im is to d e v e lo p iO S
u n te th e r e d ja ilb r e a k to o lk its .
ft O r Chronic-DevAbsinthe - Version 2.0

WelcometoAbsinthe !OSS.1.1untetheredjailbreak1
Please make a backupof your device before usingtins tool. Wedon't expect
anyIssues, but we aren't responsible ifanythinghappens.
iPhone4Swith!OSS.1.1(9B206) detected. Clickthe buttontobegin.
jailbreak
ChronK-DevAbsintheC2011-2012 Chronic-OevTeam.
5.1.xexploits by 0 pod2g. planet being, and $pimskeks
S.O.xexploits by ppod2g. ftplanetbeing. (tiaunk. pptmskeks.
ppOsixninja. $Musc1eNerd. and pxvolks.
Artwork by01OPK. CUl byMan*neSamaraA$p1mskeks.
Support us (PayPal) http //greenpouOn.com/
FIGURE 16.42: A b sin th e Screenshot

T e t h e r e d J a i l b r e a k i n g o f i O S 6 .
E H
U s i n g R e d S n O w
S te p 1: D o w n lo a d RedSnOw and o p e n i t (a lso a v a ila b le in CEH Tools DVD)
S te p 2: Place y o u r iOS d e v ic e in t o DFU m o de b y h o ld in g H om e and P o w e r fo r 10 seconds,

a nd re le a s in g P o w e r w h ile s till h o ld in g H om e fo r an a d d itio n a l 10 seconds
S te p 3: C lick Ja ilb re a k
S te p 4 : S e le ct In s ta ll Cydia fo r "P le a se s e le c t y o u r o p tio n s " p ro m p t and c lic k N e x t
S te p 5: W a it fo r a p p ro x im a te ly 5 m in u te s u n t il th e ja ilb re a k in g p roce ss is c o m p le te and y o u are

re d ire c te d to th e H om e scre en
S te p 6: P u t y o u r d e v ic e back in to DFU m o d e
S te p 7: Go back t o th e m a in page o f RedSnOw, and s e le c t E xtras Just b o o t
S te p 8: You w ill see Cydia on y o u r H om e s c re e n o nce y o u r d e v ic e b o o ts back up
C o p y r ig h t © b y E&Coihg I . A l l R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d
fs f\ T e th e r e d J a ilb r e a k in g o f iO S 6 U sin g R edS nO w
As m e n tio n e d p re v io u s ly , R edsnO w can be used fo r b o th te th e re d and u n te th e re d
ja ilb re a k in g . L e t's d is c u s s th e process or s te p s in v o lv e d in te th e re d ja ilb re a k in g o f iO S 6 u s in g
RedSnOw:
S te p 1: D o w n lo a d RedSnOw and open it ( a ls o a v a i l a b l e in C E H T o o ls D V D ) .
S t e p 2 : P la c e y o u r iO S d e v ic e in to DFU m o d e b y h o ld in g H o m e and P o w e r fo r 1 0 seco n d s, a n d
re le a s in g P o w e r w h i l e s till h o l d i n g H o m e fo r a n a d d itio n a l 1 0 s e c o n d s .
S t e p 3 : C lic k J a ilb r e a k .
S te p 4 : S e le c t In s ta ll C y d ia u n d er th e P le a s e s e le c t y o u r o p tio n s p r o m p t a n d c lic k N e x t .
S te p 5: W a it fo r a p p ro x im a te ly 5 m in u te s u n til t h e ja il b r e a k in g p r o c e s s is c o m p l e t e a n d y o u are
re d ire c te d to th e H o m e screen.
S te p 6: P u t y o u r d e v ic e b a c k in to DFU m o d e.
S te p 7: G o back to th e m a in page o f RedSnOw , and s e le c t E x tra s ‫>־‬ Just b o o t.
S te p 8: Y ou w ill s e e C y d ia on your H o m e s c re e n o n c e y o u r d e v ic e b o o ts back up.

J a i l b r e a k i n g T o o l s : S n O w b r e e z e _ _ ‫״‬
a n d P w n a g e T o o l .--------------------
C o p y r ig h t © b y EfrCoincl. A l l R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
J a ilb r e a k in g T o o ls: S n O w b re e z e a n d P w n a g e T o o l
S n O w b reeze
S n O w B reeze is a j a i l b r e a k i n g to o l fo r W in d o w s OS to c re a te a c u s to m P re -J a ilb ro k e n
iO S firm w a re file th a t m ust be re s to re d to your iP h o n e , iP o d Touch, or iP a d fo r it t o b eco m e
ja ilb ro k e n . It a l l o w s iP h o n e u n lo c k e rs to u p d a te to th e la te s t f ir m w a r e w ith o u t u p d a tin g th e ir
baseband in th e process. T h is g iv e s you fu ll c o n tro l over your ja ilb re a k , a llo w in g you to
c u s to m iz e a d v a n c e d o p tio n s su ch as y o u r r o o t p a rtitio n s iz e .

- t f c j f ■Phono 3 G S
Select any of the following options, then d ic k the arrow to continue
MB \
Q G « n s ra l U n lo c k s
In s ta lle r s ‫ ׳‬U C ustom p o o k n fl■ *
^ C u s to m b o o t k tg o r V f B u i l d I P g Y O •
FIGURE 16.43: SnOw breeze Screenshot
P w n a g e T o o l
1------------ - P w nage is a ja ilb re a k in g to o l th a t a llo w s you to u n lo c k and c re a te a c u s to m IP S W ,
th u s a llo w in g you to u p d a te yo u r firm w a re w h ile s till p re s e rv in g th e baseband fo r u n lo c k in g .
Even if y o u r baseband is n 't u n lo c k a b le , you m ay w a n t to p reserve your baseband in case a
fu tu re u n l o c k is f o u n d . T h i s t o o l is c o m p a t i b l e w i t h M ac OS.
FIGURE 16.44: Pw nageTool Screenshot

J a i l b r e a k i n g T o o l s : L i m e R a l n
C E H
a n d J a i l b r e a k m e
Ja ilb re a k m e
JailbreakMe
JaibreakMe is the easiest way 10 free your device Experience iOS as it could be,
fully customizable themeable. and with every tweak you coukJ possibly imagine
Safe and completely reversible (jus* restore in iTunes) jaibreaking gives you
control over the device you own ‫ זז‬only lakes a minute or two and as always., it's L im e R a ln
completely free.
Please make an !Tunes backup & I
M o re Inform atio n
C y d ia
Jay Freeman (saurik)
Jailbreak by comex.
T e ll * F rien d
This jaibreak was brought to you I

Preeman (saunk), MuscleNerd ai
Donate'?
A
Bmeraln. 6 months In (he making
IPhone 30S. IPod Touch 30. IPad. IPhone 4. iPod Touch 40
C o m e b a c k o n y o u r iP h o n e , iP a d , o r iP o d 4J}-4.1 and beyond■*‫■♦־*־‬
t o u c h to u e e J a ilb r e a k M e — o r u t e a d iffe re n t limcraln is unputchublc
untcthered thanks to jailbreakme *tar comex
ja ilb r e a k o n y o u r c o m p u te r. rckased today to get chronkdev to do the nght thin(
brought 10 you by R^ohot
Mac and Linux cumin# noun
follow (he inxnicdons in the box. sadly limcraln Isn't oik click
http://www.jailbreakme.com that‫ *׳‬the price of tinpatchahillty
as usual, donuuons appreciated but not required
mil in beta, pardon my ragged cdfeA
AppfcTV L* tcchnfcally *upponcd. bm thcres no apps yci
m
zero pictures of my facc
known hujjs
3GS new bootrom is broken, fix ponding
sonx people need to restart to gel the Cydia icon to show up after nualling
some people still don't have windows
beat iOS versions aren't supported
onr.stall tr. kmeraln app doew t work, you can ju« delete the blackra In .app directory. 1 need rctresuon icson*
http://www.limeraln.com
C o p y r ig h t © b y E&Cauaci. A l l R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
J a ilb r e a k in g T o o ls: L im e R a ln a n d J a ilb r e a k m e
& 1=1
B' Q L im eR aln
S o u rce: h ttp ://w w w .lim e ra ln .c o m
L im e R a ln is a j a i l b r e a k i n g to o l in v e n te d by a G e o H o t (p ro fe s s io n a l h acker) to h a lt C h ro n ic D ev
fro m re le a s in g a b o o tr o m e x p lo it c a lle d S H A tte r. O n e o f th e fe a tu re s o f th is to o l e n a b le s y o u to
s w itc h b e tw e e n ja ilb re a k in g m e th o d s and it s u p p o rts th e W in d o w s and M a c OS X o p e ra tin g
s y s te m s .
FIGURE 1 6 .4 5 : L i m e R a ln S c r e e n s h o t

Jailb reak m e
S o u rce: h ttp ://w w w .ja ilb r e a k m e .c o m
J a ilb re a k M e is a to o l th a t a llo w s you to ja ilb r e a k yo u r iP h o n e , iP o d Touch, or iP a d th ro u g h
o n l i n e s e r v i c e s . I t is u s e d t o p ro v id e a ja ilb r e a k fo r th e iP a d 2 u n t e t h e r e d .
JarfbreaklAe
« n to free you d w c e ExpcnenceiOSasitcoiJdbe

customable and every iwe*k you could possibly ■mepne
Sal• and coir& m * reversO* restore m 1T10WS) grves you

cormct o m V« <Je*ce you own I o r* takes a mrxte or two and as always it s
« bedne betore pitveakmg
C y d ia
Jay Freemen (eeurtk)
Jaibreak by comax
Coma back on your Phone. iPad, or

touch to use J a M b raa kM a-o ru M a d
!atlbraefc on your cowpular
FIGURE 16.46: Ja ilbrea km e Screenshot

J a i l b r e a k i n g T o o l s : B l a c k r a l n
C E H
a n d S p i r i t
S p irit
“The c a lm before the Spirit s to rm .”
Spirit
Jailb rea k
P le a s e c o n n e c t d e v ic e .
S pirit J a ilb re a k
iFad.iFnone.iPod touch
http://spiritjb.com
J a ilb r e a k in g T o o ls: B la c k r a ln a n d S p irit
B la c k ra ln
S o u rc e : h ttp ://b la c k r a ln .c o m
B la c k ra ln is a j a i l b r e a k i n g to o l t h a t a llo w s y o u to ja ilb re a k d e v ic e s such as an iP h o n e , iP o d , or
iP a d on firm w a re s . T h is can w o rk on a ll d e v ic e s w ith o u t h a v in g to m ake a d ju s tm e n ts in
a d v a n c e in t h e s o f t w a r e . It w o r k s o n b o th W in d o w s and M a c O S . I t is d e s i g n e d by G e o h o t.
FIGURE 1 6 .4 7 : B l a c k r a l n S c r e e n s h o t

S pirit
Source: http://spiritjb.com
Spirit is a jailbreaking tool t h a t allows you t o jailbreak devices t h a t are u n t e t h e r e d . It can

jailbreak th e iPad, iPhone, and iPod touch on certain f irm w a re versions. It is not a carrier
unlock.
“The calm before the Spirit storm.‫״‬
‫׳‬,‫ » י‬n
Spirit
P I « M C 0 n n « t 0 * ‫» <ייו‬
Sp i r it j a i l b r c a k
iF a d .iliio n e .iP o d touch
FIGURE 16.48: S pirit Screenshot

Ethical Hacking and Countermeasures Exam 3 12 -5 0 Certified Ethical Hacker
G u i d e l i n e s f o r S e c u r i n g i O S
C E H
D e v i c e s
Use passcode lo ck Use iOS devices o n a Do n o t access w e b D ep lo y o n ly tr u s te d

fe a tu re fo r lockin g se c u re d and p ro te c te d services on a th ir d - p a r ty a p p lic a tio n s
iP hone W i-F i n e tw o rk c o m p ro m is e d n e tw o r k on iOS devices
»I ♦ •I ♦I
•I •I •I •I
1
D isable Ja vascrip t Do n o t s to re se nsitive Do n o t o pe n lin k s o r Change d e fa u lt p a s s w o rd

and a dd -o n s fro m data on c lie n t-s id e a tta c h m e n ts fro m o f iP hone's ro o t
w e b b ro w s e r d a ta b a se u n k n o w n sources p a s s w o rd fr o m a lp in e
C o p y r ig h t © b y EfrCoincl. A l l R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
G u id e lin e s fo r S e c u rin g iO S D e v ic e s
Guidelines for security iOS d e te rm in e t h e co urse of action t h a t helps in enhancing the

security of iOS devices. These guidelines a re not m a n d a t o r y to apply, but help in protecting iOS
devices from being attacked. The following are a few guidelines for security iOS:
© Use passcode lock feat ure for locking iPhone
© Disable JavaScript and ad d-ons from w e b browsers
© Use iOS devices on a secured and p rotected Wi-Fi network
© Do not store sensitive data on a client-side d a ta ba s e
© Do not access w e b services on a c o m p r o m is e d netw ork
© Do not op en links or a t t a c h m e n t s from unknown sources
© Deploy only trust ed third-party applications on iOS devices
© Change default password of iPhone's root password from Alpine

G u i d e l i n e s f o r S e c u r i n g i O S
C E H
D e v i c e s ( c o m ‫׳‬d )
Do not jailbreak or root y o u r device if used w ith in enterprise environm ents
Config
Configure Find M y iPhone and utilize it to w ipe a lost o r stolen device
■
Enable Jailbreak d e te ctio n and also protect access to iTunes A p p le lD and
Google accounts, w hich are tied to sensitive data
D isable iCIoud services so that sensitive enterprise data is not backed up to

the cloud (Note th at cloud services can back up docum ents, account
inform ation, settings, and messages)
Along w ith th is fo llo w th e com m on security g u id e lin es fo r all the m obile

devices outlined in the later slides
C o p y r ig h t © b y E&CtlMGfl. A l l R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
G u i d e l i n e s f o r S e c u r i n g i O S D e v i c e s ( C o n t ’d )
Guidelines t h a t are to be followed by every user in or der to secure iOS devices against
attacks include:
© Do not jailbreak or root your device if used within e nt e r pr is e e n v ir o n m e n t s
Q Configure Find My iPhone and utilize it to wipe a lost or stolen device
Q Enable Jailbreak detection and also protect access to iTunes ApplelD and Google
accounts, which are tied to sensitive d a ta
Q Disable iCIoud services so th a t sensitive enterprise data is not backed up to th e cloud

(note th at cloud services can back up doc uments, account information, settings and
messages)
Q Along with this follow th e c o m m o n security guidelines for all th e mobile devices
outlined in t h e later slides

i O S D e v i c e T r a c k i n g T o o l s C E H
11:02 AM K>0N i
iLocalh
© 1.1-6
■Qj Change Package Settings >
Author
Package Details
[‫ם‬ ID com iiocaiis frontend
Section Utiites
Contact poetcjpiy
■‫ ■י‬.
Find M y iP ho n e iH o u n d G a d g etT ra k iOS S e c u rity iLocalis

https://itunes.apple.com https://www.ihoundsoftware.com http://www.gadgettrak.com http://ilocolis.com
a*
M i;
C o p y r ig h t © b y E C C a i n d . A l l R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
iO S D e v ic e T r a c k in g T o o ls
F in d M y iP h o n e
Source: https ://itun es.a pp le.co m
Find My iPhone iOS Device Tracking Tool allows you t o track a lost or misplaced mobile, iPhone,
iPad, iPod touch, or Mac. This allows you to use a n o th e r iOS device t o find it and p r o te c t your
data. To use this, you need to install t h e app on a n o th e r iOS device, ope n it, and sign in with
your Apple ID. It helps you locate your missing device on a map, play a sound, and even display
a message, remotely.

FIGURE 16.49: Find M y iPhone Screenshot
iH o u n d
Source: http s: //w w w .i ho un ds of tw a re .c om
iHound is a iOS device tracking tool th at allows you to track your device by simply turning on
iHound; minimize it and let it run. You can even delete it from t h e fast ap p switching bar. It can
still locate your p h on e anytime, a nywhere.
.‫*״‬942 AM IfS
■*‫׳‬ : scftwa* ^
> WOM I r K l* r
Wn! «*M»j® • ■ w w w iMttm
FIGURE 16.50: Find M y iPhone Screenshot
G a d g e t T r a k iO S S e c u rity
Source: ht tp :// ww w. ga dg ett rak .c om
GadgetTrak iOS Security is an iOS device tracking tool th at allows you to recover your iPhone,
iPad, or iPod touch by using t h e ability to track your device by using GPS, Wi-Fi positioning, and

cell to w e r triangulation to pin poin t location. Using t h e built-in cameras, you can collect crucial
evidence to help catch th e thief. W he n tracking occurs, you'll receive an email with detailed
information a bo ut its current location. Once tracking is activated th e so ftware settings c annot
be modified unless deactivated. Whe n tracking data is being t r a n s m i t t e d from your device, a
secure SSL connection is used. Only you can access your location reports and camer a. All
images, network information, and location data are s e n t directly to you from your device.
G o dgefT rak
» ‫( «•׳‬
(M C M ta u u
Gadget
FIGURE 16.51: G adgetTrak iOS Security S creenshot
iL o calis
Source: http://ilocalis.com
iLocalis iOS device tracking tool allows you to control yo ur iPhone from your c o m p u t e r
co nne cte d to t h e Internet. If your iPhone has be en stolen you can find it with th e track feat ure
or even make a r e m o t e call or SMS to see t h e new nu m b e r if th e SIM has been changed. It has
many feat ure s such as location tracking and sharing location with others, r e m o t e iPhone
control, and SMS c o m m a n d s with backup and r e m o t e wipe of data. It has alert zone, push
support, and r e m o t e audio recording with iPhone lock.
C hange Package S e ttin g s >
-j A u th o r .... >
Package D etails
□ ID com. io calis frontend
S ection Utilities
C o nta ct p o e tic jo lly
$ S po n sor ModMvl.com > 1
V ‫( ־‬f)
C
y
ii
U
© m
M
a
ne
ge
ex
t—
r
ch
FIGURE 1 6 .5 2 : iL o ca lis S c r e e n s h o t

M o d u . l e F l o w C E H
(•rMwd tu«4i lUchM
• • •
1 1 eH .
•
i ^ :‫־‬
4^ ‫־‬
^
^
M o b ile P la tfo rm
A tta c k V e c to rs
C o p y r ig h t © b y E ( M i« I I iG i. A l l R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
M o d u le F lo w
So far, we have discussed how to hack iOS. Now we will discuss hacking th e Windows
Phone OS. Similar to Apple's iOS, Windows Phone OS is a n o th e r operating system in tended for
mobile devices.
M o b ile P la tfo rm A tta c k V e c to rs ^ ' Y H a c k in g B la c k B e rry

‫ן ן‬J l
H a c k in g A n d r o i d iO S M o b ile D e v ic e M a n a g e m e n t
*
IL Jl
H a c k in g iO S M o b i l e S e c u r ity G u id e lin e s a n d T o o ls
9
^5 H a c k in g W in d o w s P h o n e OS ^ M o b ile P e n T e s tin g
This section introduces you to Windows Phone 8 and its architecture and secure bo ot process.

W i n d o w s P h o n e 8 C E H
(
•r
tr
f
w di
t
fcK
4lN
Mh
M
Trusted shared Windows core

and improved support for
removable storage
Core components from Windows 8,
including kernel, file system, drivers,
3 network stack, security components,
It allows devices w ith larger media and graphics support
screens and m ulti-core
processors up to 64 Internet Explorer 10, Nokia map
technology and background
multitasking
Supports Near field communication

Features improved app sandboxing (NFC), including payment and
and VoIP and video chat integration content sharing with Windows
for any VoIP or video chat app Phone 8 and Windows 8 machines
United Extensible Firmware Interface Supports native code (C and C++),

(UEFI) secure boot protocol and Firmware simplified porting from platforms such
over the air for Windows Phone updates as Android, Symbian, and iOS
Native 128-bit Bitlocker encryption and remote device Carrier control and branding of "wallet" element is
management of Windows Phone possible via SIM or phone hardware
C o p y r ig h t © b y E&Caincl. A l l R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
W in d o w s P h o n e 8
Windows Phone 8 is th e second ge ne ration operating system developed by Microsoft

for Windows Phone. A few i m p o r t a n t points a bo ut Windows Phone 8 are as follows:
© It allows devices with larger screens and multi-core processors up to 64 cores.
© Trusted s hared Windows core and im pr ove d s upp ort for r em ovable storage.
© Core co m p o n e n t s from Windows 8, including kernel, file system, drivers, network stack,
security c o m po ne nt s , media and graphics s uppo rt.
© Internet Explorer 10, Nokia map technology, and background multitasking.
© Supports Near field co m m u n ic a t io n (NFC), including p a y m e n t and co n te n t sharing with

Windows Phone 8 and Windows 8 machines.
© Supports native code (C and C++), simplified porting from platforms such as Android,
Symbian, and iOS.
© Carrier control and branding of "wallet" e le m en t is possible via SIM or p ho ne hardware.
© Native 128-bit Bitlocker encryption and r e m o t e device m a n a g e m e n t of Windows Phone.
© United Extensible Firmware Interface (UEFI) secu re b o o t protocol and Firmware over
th e air for Windows Phone updates.

6 Features improved ap p sandboxing and VoIP and video chat integration for any VoIP or
video chat app.

W i n d o w s P h o n e 8 A r c h i t e c t u r e C E H
W in d o w s P h o n e - W in d o w s 8 N a tiv e API D if f e r e n c e s
neous
( W in R T )
CoreApplication (WinRT)
DirectX Networ- D*taS*vcr/ Storage

M edia
XAudio2 king Connection Sensors (WinRT Location Bluetooth Proximity Camera Contacts
1 1 .1 Engine Manager
(COM) (WinRT (WinRT) and (WinRT) (WinRT) (WinRT) (WinRT) (WinRT)
(COM) (COM) (WinRT)
and COM) Win32)
Base
H
CR T(C /C + + ), T h r e a d i n g ( W in R T ) , M o C O M ( W in R T ) , B a s e T y p e s / W i n d o w s . F o u n d a t io n ( W in R T )
W in d o w s P h o n e 8 A rc h ite c tu re
FIGURE 1 6 .5 3 : W in d o w s P h o n e 8 A r c h ite c tu r e

S e c u re B oot P ro c e s s
Source: http://www.uefi.org
The goal of th e SafeBoot feat ure of W in do w s P h o n e 8 is to design a SafeBoot process to

achieve safe launching of th e OS t o g u a r a n t e e only t rus ted c o m p o n e n t s get loaded. The
background of t h e information system incorporated here is each device gets a distinct key
e m b e d d e d into a chip, along with c o m m o n keys from Microsoft and th e OEM and t h e n t h e fuse
is soldered on th e chip.
W hen you first switch on th e pow er th e firmware starts a Unified Extensible Firmware
Interface (UEFI) background t h a t validates t h e hash of t h e s e keys c o m p a r e d to th e signatures
on th e initial boot loaders to confirm t h e operating environment. In this stage t h e signatures
are co mp ar ed on th e Windows Phone b o o t m a n a g e r t o permit t h e genuine and trust ed
applications to start.
Microsoft nee ds their own binaries along with OEM binaries and they should also have a digital
signature signed by Microsoft, which is used to shield th e application and th e boot system from
malware. No one can access all th e keys t h a t are required to start th e system run, and it is not
possible t o build convenient ROMs and t h e signa tures as th ey may differ from th e original
signatures.

Microsoft has reduced th e OS footprints. All th e applications should be run on t h e sa me

sandbox as third-party marketplace apps, which in turn extend t h e customization of OEM
drivers. If any attacker tries t o mitigate th e application with malware it can only access th e
c on te nt inside t h a t sandbox, preventing malware from gaining access to th e lower system level
of t h e device.
P o w e r On
W in d o w s
Phone 8
F irm w a re W in d o w s OS B o o t
O E M UEFI
Boot Phone Boot
A p p lic a t io n s
L o a d e rs M anager
W in d o w s
Phone 8
S y s te m -o n -c h ip U p d a te
(SoC) v e n d o rs B o o t to OS B o o t
Secure F la s h in g
UEFI M ode
TechEd
FIGURE 16.54: Secure B oot Process

be ch anged th at are not man da to ry but e n h a n ce security if applied. The following are
a few guidelines th at help in securing Windows OS devices:
© Download apps only from tr u s t e d sources like Zune Marketplace
© Keep your p ho ne u p da te d with WP8 security updates
© Make sure t o clear all your browsing history from Internet Explorer
© Use Zune desktop software t o backup your device data
© Try to avoid accessing password pro tec ted websites in your windows phone while you
are in unsecured Wi-Fi networks
© Setup passwords for WP8 lock screen
© Protect your WP8 SIM (Subscriber Identity Module) with a PIN (personal identification
number)

M o d u l e F l o w C E H
Itfc'ul IU<h«
C o p y r ig h t © b y EtCouncfl. A l l R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
M o d u le F lo w
BlackBerry is a brand of wireless handheld devices and service developed by R es e a rc h
In Motion (RIM). Attackers are also concentrating on BlackBerry devices.
(w ^ / M o b ile P la tfo rm A tta c k V e c to rs ^ ' Y H a c k in g B la c k B e rry
H a c k in g A n d r o i d iO S M o b ile D e v ic e M a n a g e m e n t
»
I -------
H a c k in g W in d o w s P h o n e O S M o b ile P e n T e s tin g
This section introduces you to t h e BlackBerry operating system, BlackBerry enterprise solution
architecture, and attack vectors. It also covers guidelines for securing BlackBerry devices.

B l a c k B e r r y O p e r a t i n g S y s t e m E H
(
ct
t
c
i
fwdI
tkK
JlI
l
M k
M
B la c k B e rry OS is a p r o p r ie ta r y m o b ile o p e r a tin g s y s te m d e v e lo p e d

B la c k B e r r y
b y R ese a rch In M o tio n (R IM ) f o r its B la c k B e rry lin e o f s m a r tp h o n e s
OS
a n d h a n d h e ld d e v ic e s
I t includes a Java-based th ir d - p a r ty a p p lic a tio n fra m e w o rk th a t

Ja v a B ased im p le m e n ts J2M E M o b ile In fo rm a tio n D evice P ro file v2 (M ID P 2 )a n d
A p p lic a t io n . C onnected Lim ited Device C o n fig u ra tio n (CLDC), as w e ll as a n u m b e r
o f R IM sp ecific APIs
B lackB erry F ea tu res
N a t iv e s u p p o r t B la c k B e r ry B la c k B e r r y B la c k B e r r y B la c k B e r r y
f o r c o r p o r a te E n te r p ris e M essenger In te rn e t e m a il c lie n t
e m a il S e rv e r S e rv ic e
a:
-
B la c k B e rry O p e ra tin g S y ste m
BlackBerry OS is a proprietary mobile operating system developed by Research In

Motion (RIM) for its BlackBerry line of sm a r tp h o n e s and handheld devices. It includes a Java-
based third-party application fra m ew or k th at imp lements J2ME Mobile Information Device
Profile v2 (MIDP2) and Connec ted Limited Device Configuration (CLDC), as well as a number of
RIM specific APIs.
Some of t h e fea tures of BlackBerry include:
© Native su p p o rt for co rp or a te email
© BlackBerry Enterprise Server
© BlackBerry Messenger
9 BlackBerry Internet Service
© BlackBerry email client

B l a c k B e r r y E n t e r p r i s e S o l u t i o n
A r c h i t e c t u r e
B la c k B e rry E n te rp ris e S o lu tio n A rc h ite c tu re
Blackberry Enterprise Solution allows mobile users to wirelessly access their

organization emails and ot he r business-critical applications safely and securely. BlackBerry
Enterprise Solution Architecture is comprised of six vital elements. They are BlackBerry®
Enterprise Server, BlackBerry® Mobile Data System, BlackBerry Smartphones, Devices with
BlackBerry® Connect™ software, BlackBerry® Alliance Program, and BlackBerry Solution
Services.
The enterprise server, to g e t h e r with e nt e rp ris e messaging and collaboration systems, provides
email access t o mobile users, enterprise instant messaging, and personal information
m a n a g e m e n t tools. Poorly c onfigured firewalls increase t h e risk of attacks. The Web, Database,
and Application Server contain vulnerabilities. Ift he attacker detec ts t h o s e vulnerabilities, t h e n
he or she can easily carry out an a ttack and t ake control over th e entire server.

BlackBerry Mobile Data System BlackBerry

Smartphones
Web, Database and

Application Servers
Wireless
BlackBerry
Networks
Instant Messaging Servers Enabled Devices
BlackBerry Solution Services BlackBerry Alliance Program
FIGURE 16.55: B lackB e rry Enterprise Solution A rc h ite ctu re

B l a c k b e r r y A t t a c k V e c t o r s C E H
©
I
M e m o ry and T C P /IP
P ro c e s s e s I E m a il C o n n e c tio n s y B la c k b e r r y
V u ln e r a b ilit ie s M a lw a r e s
M a n ip u la tio n s I E x p lo its
r \ r \ r \ r \ r \
JA D F ile 1 S h o rt M e s s a g e | P IM D a ta T e le p h o n y
E x p lo its S e rv ic e (S M S ) 1 A tta c k s A tta c k s
E x p lo its
m if
B la c k B e rry A tta c k V ecto rs

BlackBerry is prone to many attacks since t h e r e are many ne w tools and m et ho ds
available for finding potential vulnerabilities pr esent on BlackBerry devices. Attack vectors such
as luring and attracting users to download malicious s o ft w a r e on their mobiles, finding website
vulnerabilities using tools, etc. are th e few techni qu es used by an att ack er for carrying out
attacks on BlackBerry devices. Apart from t h e s e tech ni que s t h e r e a re many more attack
vectors th at allow attackers to launch attacks on BlackBerrys th at include:
6 Malicious Code Signing
Q Memory and Processes Manipulations
e Email Exploits
e TCP/IP Connections Vulnerabilities
e Blackberry Malwares
© JAD File Exploits
0 Short Message Service (SMS) Exploits
e PIM Data Attacks
Q Telephony Attacks

C E H
J A tta c k e r can o b ta in c o d e -s ig n in g keys

J BlackB erry a pp lica tio n s m u s t be sig n e d by
a n o n y m o u s ly using p rep a id c re d it-c a rd s
R IM to g e t fu ll access to th e o p e ra tin g
and fa ls e deta ils, sign a m alicious
syste m APIs
a p p lic a tio n and pub lish it on th e B la c k B e rry
J I f a re q u ire d s ig n a tu re is m issin g o r th e app w o r ld
a p p lica tio n is a lte re d a fte r sign in g, th e JVM
J A tta c k e rs can also c o m p ro m is e a
w ill e ith e r r e fu s e /r e s tr ic t th e API access to
d e v e lo p e r's s y s te m to steal code signing
th e a p p lic a tio n o r w ill fa il a t ru n -tim e w ith
keys and p a s s w o rd to d e c ry p t th e e n c ry p te d
an e rro r m essage
keys
■v* ■*‫־‬/:
•« l ,‫״‬o
|K gP | P u b lis h o n t h e U s e r d o w n lo a d s
a p p w o r ld m a lic io u s a p p
£
Code Signing Service Malicious App Blackberry App
User
A World
A C re a te
m a lic io u s A p p
©
O b t a in c o d e - s ig n in g k e y s M a l i c i o u s a p p s e n d s a ll i n c o m i n g
a n o n y m o u s ly u s in g p r e p a id m e s s a g e s a n d s e n s it iv e d a t a
c r e d it - c a r d s a n d f a l s e d e t a i l s
Attacker
—
........ 11 M a lic io u s C o d e S ig n in g
BlackBerry applications must be signed by RIM to get full access to th e operating

system APIs. If a required signature is missing or the application is altered after signing, th e JVM
will either refus e/r est ric t t h e API access t o t h e application or will fail at run-time with an error
message. Attackers can obtain code-signing keys a n on ym ou s l y using prepaid credit cards and
false details, sign a malicious application, and publish it on t h e BlackBerry a pp world. Attackers
can also c o m p r o m is e a developer's system to steal code-signing keys and passwords t o decrypt
th e encrypted keys.
A pictorial rep resentation of malicious cod e signing follows:

■ ® r . ^.4..................... > ....................... >

P H g Publish on the User downloads O
app world malicious app
M a lic io u s A p p B la c k b e rry A p p
U ser
A W o rld
Create
malicious App
©
O b ta in code-signing keys M a lic io u s app sends all in c o m in g

a n o n ym o u sly using prep a id messages and s e n sitive data
cre d it-ca rd s and fa lse d e ta ils
A tta c k e r
FIGURE 16.56: M a lic io u s Code Signing Screenshot

J A D F i l e E x p l o i t s a n d M e m o r y /
E H
P r o c e s s e s M a n i p u l a t i o n s (
ccitifw
dIt
kKJ
lNM
k
w
JAD F ile E x p lo its

J .jad (Java A p p lic a tio n D e sc rip to rs ) files in clu d e th e a ttr ib u te s o f a ja v a a p p lic a tio n ,
such as app d e s c rip tio n , v e n d o r deta ils and size, and p ro v id e s th e URL w h e re th e
a p p lica tio n can be d o w n lo a d e d
J I t is used as a sta n d a rd w a y to p ro v id e O v e r The A ir (OTA) in s ta lla tio n o f java

a p p lica tio n s 0 n J 2 M E m o b ile devices
1a
J A tta cke rs can use specially c ra fte d .ja d file w ith s p o o fe d in fo r m a tio n and tr ic k user
to in s ta ll m a lic io u s apps
I II I I I I I I I I I I I I I I I I I
M e m o r y /P r o c e s s e s M a n ip u la tio n s
A ttacke rs can cre ate m alicious a pp lic a tio n s by c re a tin g an in fin ite lo o p , w ith a
b rea k c o n d itio n in th e m id d le th a t w ill a lw a ys be false to bypass c o m p ile r
v e rific a tio n
I t w ill cause a d e n ia l-o f-s e rv ic e (DoS) a tta c k w h e n th e m aliciou s a p p lic a tio n is

ru n re n d e rin g th e device u n re s p o n s iv e
C o p y r ig h t © b y E f r C a i n c l . A l l R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
JA D F ile E x p lo its a n d M e m o r y / P ro c e s s e s M a n ip u la tio n s
JA D F ile E x p lo its
JAD (Java Application Descriptors) files include th e attributes of a Java application,

such as ap p description and vend or details and size, and provides th e URL w h e r e th e
application can be do wnloa ded. It is used as a standar d way to provide Over The Air (OTA)
installation of Java applications on J2ME mobile devices. Attackers can use specially crafted .jad
files with spoofed information and trick users into installing malicious apps.
‫זוז‬ M e m o ry /P ro c e s se s M a n ip u latio n s
Attackers can c rea te malicious applications by creating an infinite loop, with a break
condition in t h e middle t h a t will always be false to bypass compiler verification. It will cause a
denial-of-service (DoS) attack when t h e malicious application is run, rendering th e device
unresponsive.

S h o r t M e s s a g e S e r v i c e ( S M S )
E x p l o i t s
User dow n lo a ds and

runs th e m aliciou s App
A pp sends p re m iu m rate
messages in th e background & If A pp is n o t signed
...................... © • •
■ < © • ..................................
User receives > ‫־‬-.H
J t j|
Service Provider huge bill u
User q u its th e gam e, b u t A pp User d o w n lo a d and run

runs s ile n tly in th e background th e m aliciou s A pp
0 O 0
—— If A pp is n ot signed
..................I * ... ; H i f j i ® ....................... 5

A pp sends a n o tific a tio n SMS .........................................
and forw a rds all incom ing messages User agrees
A tta c k e r User
SM S B a c k d o o r User d o w n lo a d and run

th e m aliciou s A pp
A tta cker opens TCP/IP connections O Allow Network

..... ^ ts n°*s'^nec* > Connection?
‫י * ז‬ Attacker
A pp sends all in com in g messages
and se nsitive data
@ * » < ‫ ׳‬............................................................u
User agrees Yes No
C opyright © by EC-Cauactl. A ll Rights Reserved. Reproduction is S trictly Prohibited.
S hort M e s s a g e S e rv ic e (S M S ) E x p lo its
P re m iu m R ate S c a m
H■
Regular PC users are more likely to be t ar g e te d by premium rate "d ial ers /'
applications th at connect a user's m o d e m to a premium rate t e l e p h o n e number, which results
in more service provider bills than expected. The s a m e mechanism is enforced in BlackBerry but
doe sn 't use prem ium rate SMSes.
The working of th e application is illustrated in t h e figure t h a t follows:

U s e r d o w n lo a d a n d r u n
t h e m a li c io u s A p p
A p p s e n d s p r e m iu m ra te
m e s s a g e s in t h e b a c k g r o u n d o A llo w N /W
- ! » , If A p p is n o t s ig n e d
C onnection?
f e s r .................. © ©
y .......... >A
U s e r r e c e iv e s U s e r ag re e s
P re m iu m Rate S e r v ic e P r o v id e r h u g e b i ll
Service
FIGURE 16.57: Short M essage Service (SMS) Exploits
SM S in tercep tio n
Sending and receiving of m essages can be done easily by the unsigned application. The

messages from a c o m p r o m is e d BlackBerry can be s e n t and received by third parties easily

using a malicious application.
The malicious application works as sh ow n here:

U s e r q u it s t h e g a m e , b u t A p p U s e r d o w n lo a d a n d r u n
r u n s s i l e n t l y in t h e b a c k g r o u n d t h e m a li c io u s A p p
^ ‫״‬ If A p p is n o t s ig n e d A llo w N / W
I ^ .............................................■> C o n n e c tio n ?
.......................................... 0 w -
it B
A p p s e n d s a n o t if ic a t io n S M S 9 E E 1 K .................................. Ifc f
a n d fo r w a r d s a ll in c o m in g m e s s a g e s U s e r a g re e s Yes No
A tta c k e r
FIGURE 16.58: SM S in te rcep tio n
‫נ‬ SM S B ackdoor
SMS is basically used as a c o m m a n d and control channel by t h e signed malicious

application for a backdoor. This malicious application has th e ability t o send and receive
messages, steal or alter confidential or personal data, and ope n TCP/IP connections. The
incoming SMS messages a re mon itore d thoroughly for finding out keywords or for impor tant
ph one numbers. These messa ge are in terpreted by t h e attacker as c o m m a nd s for carrying out
certain malicious activities.
User download and run
the malicious App
e ‫״‬ Attacker opens TCP/IP connections

o If App is not signed A llow N/W
[— 3 ^ • • XJ ■•> Connection?
— *‫־‬ App sends all incoming messages

‫ ׳‬:■' © ' *■S' ‘'■
User agreesyes rj0
©” m
, and sensitive data
Attacker User
FIGURE 16.59: SM S B ackd oor

E m a i l E x p l o i t s
U
r
t
rf
W
cdi
tf
cMj
lNM
h
M
E H
. c o d f i l e in s t a l l s i t s e l f
as a s ta rt-u p p ro c e ss
w i t h n o ic o n
mm 1 1 * *- —‫—־״‬
S en d s an 0
e m a il t o a F r o m : <mary (®company.com>
B la c k B e r r y u s e r T o: "Bob Brickhaus" <bb@company.com>
S u b je c t: Cool Game
Hey, check o u t th is c o d new game! P ro m p ts to

h ttD :/ /w w w . iu e e v b o v .c o m /B a m e .ia d d o w n lo a d a n d K
Attacker in s t a l l t h e .c o d f ile
H o s ts m a lic io u s .c o d a p p lic a t io n f i le
o n a w e b s e rv e r: h ttp : / / w w w .
O
ju g g y b o y .c o m /g a m e .c o d a lo n g w i t h
m a t c h i n g .j a d f i l e :
h t t p : / / w w w . ju g g y b o y .c o m / S
g a m e .ja d
i 0 3 i ! 3 < .c o d f i le e n u m e r a t e s
t h e c o n t a c t li s t , a n d
fo r w a r d s t h e e m a il to
■‫י י‬ e v e r y o n e o n t h e lis t
S 2 l
Web Server Users Contact List
—
C o p y r ig h t © b y E & C a u a c tl. A ll R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
E m a il E x p lo its
In BlackBerry mobile, all th e email is sent, received, and read through th e

net.rim.blackberry.api.mail package and this package can be used only on signed applications.
BlackBerry a t t a c h m e n t service supp ort s only files with extensions such as .doc, .pdf, .txt, .wpd,
.xls, and .ppt, but it can send any kind of file via email. An a t t a c h m e n t with file type .cod is not
s u pp ort ed by BlackBerry.

.c o d f i l e in s t a l ls it s e lf
as a s ta rt-u p p ro c e ss
w i t h n o Ic o n
S e n d s an
e m a il to a From: <maryJDcomoany.com>
B la c k B e r r y u s e r T o :' Bob Brickhaus* <bb wcomoony.com>
& Subject :Cool borne
Hey, check out this cool newgamel P ro m p ts to ,

Imp 7/www iuRRyboy c !^d d o w n lo a d a n d K l
in s t a l l t h e c o d f i le
H o s t s m a li c io u s .c o d a p p l ic a t io n f i le
0
ar*30
o n a W e b s e r v e r : h ttp :/ / w w w .
j u g g y b o y . c o m / g a m e . c o d a lo n g w i t h
m a t c h in g .ja d f ile :
h ttp :/ / w w w . j u g g y b o y . c o m /
g a m e .ja d __________
13 12 .c o d f i l e e n u m e r a t e s
ar* ar*
t h e c o n t a c t lis t , a n d
fo rw a rd s t h e e m a il to
e v e r y o n e o n t h e lis t
Web Server Users Contact List
FIGURE 16.60: Em ail Exploits

P I M D a t a A t t a c k s a n d T C P / I P
C E H
C o n n e c t i o n s V u l n e r a b i l i t i e s
T C P /I P C o n n e c t io n s
P IM D a t a A t t a c k s
V u ln e r a b ilit ie s
J P e rs o n a l I n f o r m a tio n M a n a g e m e n t (P IM ) d a ta in J If th e d e v ic e fir e w a ll is o ff, s ig n e d a p p s c a n o p e n

t h e P IM d a ta b a s e o f a B la c k B e rry d e v ic e in c lu d e s TCP c o n n e c tio n s w it h o u t t h e u s e r b e in g
a d d re s s b o o k s , c a le n d a rs , ta s k s , a n d m e m o p a d s p r o m p te d
in f o r m a t io n
J M a lic io u s a p p s in s ta lle d o n t h e d e v ic e c a n
J A tta c k e rs c a n c r e a te m a lic io u s s ig n e d a p p lic a t io n c r e a te a r e v e r s e c o n n e c tio n w it h t h e a tta c k e r
t h a t re a d a ll t h e P IM d a ta a n d s e n d i t t o a n e n a b lin g h im t o u tiliz e t h e in fe c te d d e v ic e as a
a tta c k e r u s in g d if fe r e n t t r a n s p o r t m e c h a n is m s TCP p r o x y a n d g a in a cce ss t o o r g a n iz a tio n 's
in t e r n a l re s o u rc e s
J T h e m a lic io u s a p p lic a t io n s ca n a ls o d e le t e o r
m o d if y t h e P IM d a ta J A tta c k e r s c a n a ls o e x p lo it t h e re v e rs e TCP
c o n n e c tio n f o r b a c k d o o rs a n d p e r f o r m v a r io u s
m a lic io u s i n f o r m a t io n g a t h e r in g a tta c k s
aH i
M
y 5®‫־‬
C o p y r ig h t © b y E C -C a u a c tl. A ll R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
P IM D a ta A tta c k s a n d T C P /IP C o n n e c tio n s
V u ln e ra b ilitie s
P IM D a ta A tta c k s
Personal Information M a n a g e m e n t (PIM) data in t h e PIM d a ta b a s e of a BlackBerry device

includes address books, calendars, tasks, and m e m o p a d s information. Attackers can create
malicious signed applications th at read all t h e PIM d a ta and send it t o an attacker using th e
different t r a n s p o r t m ech an ism s. The malicious applications can also de lete or modify th e PIM
data.
T C P /IP C o n n e c tio n s V u ln e ra b ilitie s
If th e device firewall is off, signed apps can open TCP c o nn ect ion s w it ho ut t h e user being
pr om pt e d. Malicious a pp s installed on t h e device can create a reverse connection with th e
attacker enabling him or her t o utilize infected device as a TCP proxy and gaining access to
organization's internal resources. Attackers can also exploit th e reverse TCP connection for
backdoors and perform various malicious information gathe ring attacks.

B la c k b e rry S p y w a r e : F in S p y M o b i l e C E H
It p r o v id e s t h e r e m o t e u s e r w i t h :
Name: rlc_channel_mode_updater
V ersion: 4.1
V endor: TellCOM Systems LTD
Size: 139.0KB R ec o rd in g o f c o m m o n c o m m u n ic a tio n s lik e Voice
D e s c rip tio n :
Common Communication Update DSCH/
<N> Calls, S M S /M M S and Em ails
USCH V32
■ Set application permissions.
Download I Cancel <M> t Live S u rv e illa n c e th ro u g h S ile n t Calls
O O - File D o w n lo a d (C o n ta c ts , C alendar, P ic tu re s , Files)
<M> - C o u n try Tracing o f T a rg et (GPS and C ell ID)
Full R e c o rd in g o f a ll B la c k B e rry M e s s e n g e r
O O c o m m u n ic a tio n s
<M> S C o v e rt C o m m u n ic a tio n s w it h H e a d q u a rte rs
C o p y rig h t© b y EC‫־‬C0111cfl. A ll Rights R eserved Reproduction is S trictly Prohibited.
B la c k b e rry S p y w are : F in S p y M o b ile
FinSpy Mobile provides th e r e m o t e user with:
Q Recording of c o m m o n communications such as voice calls, SMS/MMS, and emails
e Live surveillance th rough silent calls
Q File download (contacts, calendar, pictures, files)
Q Country tracing of targ et (GPS and cell ID)
9 Full recording of all BlackBerry M e ss e n g e r c om m un ica tio ns
© Covert communications with he a d q u ar te rs
Module 16 Page 2511 Ethical Hacking and Countermeasures C opyright © by EC-C0UnCil

G u i d e l i n e s f o r S e c u r i n g
C E H
B l a c k B e r r y D e v i c e s
Use c o n te n t p ro te c tio n fe a tu r e fo r p ro te c tin g data on th e BlackB erry

E n te rp rise N e tw o rk
Use p a s s w o rd e n c ry p tio n fo r p ro te c tin g files on B lackB erry devices
Use B la c k B e rry P ro te c t o r o th e r se c u rity apps fo r se curin g c o n fid e n tia l

d ata
Enable S D -c a rd /M e d ia card e n c ry p tio n fo r p ro te c tin g data
E nterprises s h ou ld fo llo w a s e c u rity p o lic y fo r m anaging BlackBerry

devices
M a in ta in a m o n ito r in g m e c h a n is m fo r th e n e tw o rk in fra s tru c tu re on

B lackB erry E n te rp ris e N e tw o rk s
D isable u n n e c e s s a ry a p p lic a tio n s fro m B lackB erry E n te rp ris e N e tw o rk s
P ro vid e tra in in g on s e c u rity a w a re n ess and a tta c k s on h an d h e ld devices

o n B lackB erry E n te rp ris e N e tw o rk s
C o p y r ig h t © b y EC-Cauactl. A ll R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
G u id e lin e s for S e c u rin g B la c k B e rry D e v ic e s
Every user must follow guidelines t o protect their BlackBerry devices against various
attacks:
© Use c on te nt protection feat ure for protecting data on BlackBerry Enterprise Network
Q Use password encryption for protecting files on BlackBerry devices
Q Use BlackBerry Protect or o t h e r security apps for securing confidential d a ta
0 Enable SD-card/media card encryption for protecting data
9 Enterprises should follow a security policy for managing BlackBerry devices
Q Maintain a monitoring mechanism for network infrastructure on BlackBerry Enterprise

Network
© Disable u n n e c es s a ry applications from BlackBerry Enterprise Network
Q Provide training on security a w a r e n e s s and attacks on handheld devices on BlackBerry

Enterprise Network
Module 16 Page 2 5 12 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

i
U i
talI
U<h
•
*
C opyright © by EC-Council. A ll Rights R eserved Reproduction is S trictly Prohibited.
M o d u le F lo w
So far, we have discussed various mobile platform attack vectors, how to hack
Android OS, iOS, Windows Phone OS, and BlackBerry. Now, we will discuss Mobile Device
M a n a g e m e n t (MDM), software th at secures, monitors, manage s, and su pports mobile devices.
M o b ile P la tfo rm A tta c k V e c to rs *■ -W 1 H a c k in g B la c k B e rry

T
H a c k in g A n d r o i d iO S ^ f M o b ile D e v ic e M a n a g e m e n t
H a c k in g iO S M o b ile S e c u rity G u id e lin e s a n d T o o ls
H a c k in g W in d o w s P h o n e OS ^ M o b ile P e n T e s tin g

This section introduces you to MDM and its logical architecture. It also covers various MDM
solutions.

M o b ile D e v ic e M a n a g e m e n t ( M D M ) C E H
M o b ile Device M a n a g e m e n t (M D M ) p ro vid e s

J I t helps syste m a d m in is tra to rs to d e p lo y and
p la tfo rm s fo r o v e r-th e -a ir o r w ire d d is tr ib u tio n o f
m anage s o ftw a re a p p lic a tio n s across all
a p p lic a tio n s , data and c o n fig u ra tio n se ttin g s fo r all
e n te rp ris e m o b ile devices to secure, m o n ito r,
typ e s o f m o b ile devices, in clu d in g m o b ile p hones,
m anage, and s u p p o rts m o b ile devices
s m a rtp h o n e s , ta b le t c o m p u te rs , etc.
J I t can be used to m anage b o th c o m p a n y -o w n e d
M D M helps in im p le m e n tin g e n te rp ris e -w id e p o lic ie s
and e m p lo y e e -o w n e d (BYOD) d e v ic e s across th e
to re du ce s u p p o rt costs, business d is c o n tin u ity , and
e n te rp ris e
s e c u rity risks
Windows
SmartPhone Symbian OS
□ ‫״‬3
Tablet PC
M o b ile D e v ic e M a n a g e m e n t (M D M )
Mobile Device M a n a g e m e n t software is a vital c o m p o n e n t t h a t monitors, safeguards,

manages, and su pports different typ es of mobile devices and tablets including iPhone, iPad,
Android, and BlackBerry, along with th e applications th at run on th em . It mo nitors all mobile
devices with different operating system such as Android, Windows, and Symbian mobile.
Mobile Device M a n a g e m e n t (MDM) provides platforms for over-the-air or wired distribution
of applications, data, and configuration settings for all types of mobile devices along with
mobile pho nes, s m ar tph on es , tablet comp ute rs, etc. With th e help of MDM, enterprise-wire
policies can be im pl em en ted easily to reduce s upp ort costs, time, and business and security
threats. All th e compan y-o wne d, co ns um e r-o w ne d , as well as th e e m p l o y e e - o w n e d ( B Y O D )
devices across th e e n te r p ri s e can be easily mana ge d with th e help of it. The MDM can reduce
support cost and can minimize business t h r e a t s just by sa feguarding and controlling all th e
data and configuration setting of all t h e mobile devices in t h e network.
Module 16 Page 2 5 15 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

File Directories and

System Databases
Administrative MDM
Console Server
Tablet PC iPhone
FIG U R E 1 6 .6 1 : M o b ile D e v ic e M a n a g e m e n t ( M D M )

Message Routing Publish Synchronous/ Quality of Service

M ediation Transport Subscribe Asynchronous Integration
C e n tra l M a s te r D a ta In fo r m a tio n E n te rp ris e

M anagem ent O O M anagem ent In te g ra tio n M e ta d a ta
S e rv ic e s S e rv ic e s S e rv ic e s M anagem ent
A A A
: Initial and Incremental Loads ■(Batch extract, transform , load)
■•■■■■■■■a■■■■..................a■■■■■■■■■■■■■■ ■ ■ ■a■■•■•■■■■■■■■■■■■■■■■■■■■■■.................../
C o p y r ig h t © b y E&Cauactl. A ll R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
M D M L o g ic al A rc h ite c tu re
E x te rn a l In te rn a l
P a it u e is 1
P a r t ic ip a n t s P a r t ic ip a n t s
E x te r n a l D a ta
P r o v id e r s
“ ‘‫ל‬
t t t $ $
M essage R o u t in g P u b li s h S y n c h ro n o u s / Q u a l it y o f S e r v ic e
SOA
M e d ia t io n
J
T ra n s p o rt S u b s c r ib e A sy n c h ro n o u s S e r v ic e I n t e g r a t io n
% t t $ t
C e n tra l M a s te r D a ta I n f o r m a t io n E n t e r p r is e
A n a ly t ic s
M anagem ent M anagem ent I n t e g r a t io n M e ta d a ta
S e r v ic e s < M >
S e r v ic e s S e r v ic e s < w > S e r v ic e s M anagem ent
A•
A
I n itia l a n d I n c r e m e n t a l L o a d s
A
: ( B a t c h e x t r a c t , t r a n s f o r m , lo a c f f
FIGURE 16.62: M D M Logical A rch ite ctu re

M D M S o l u t i o n : M a a S 3 6 0 M o b i l e
C E H
D e v i c e M a n a g e m e n t ( M D M ) (•rtifwd ithiul •UtkM
MaaS360 supports the com plete m o bile device m a n a g e m e n t(M D M ) lifecycle fo r sm artphones and
tab le ts including iPhone, iPad, Android, W indow s Phone, BlackBerry, and Kindle Fire
J As a fu lly in te g ra te d cloud p la tfo rm , MaaS360 sim plifies M D M w ith rapid deploym ent, and
com prehensive visib ility and co n tro l th a t spans across m obile devices, applications, and docum ents
X Cancel Q Save * « Put*6*
U«lli9«p« PiUCotf* Potty
h ttp : //w w w .m a a s 3 6 0 .c o m
S y M D M S o lu tio n : M a a S 3 6 0 M o b ile D e v ic e
M a n a g e m e n t (M D M )
Source: ht tp : // w w w .m aa s 3 6 0 .c o m
MaaS360 Mobile Device M a n a g e m e n t (MDM) solution is a so ftware technology t h a t allows you

to monitor and gov ern mobile devices arriving into th e organization, w h e t h e r th ey are
provided by t h e co mp an y or part of a Bring Your Own Device (BYOD) program. This tec h n i q u e
allows organizations to implement th e MDM lifecycle for devices such as s m a r tp ho ne s and
tablets including iPhones, iPads, Androids, Windows Phones, BlackBerrys, and Kindle Fires.
Using th e integrated cloud platform, t h e MaaS360 str e a m lin e s MDM with imp ro ve d visibility
and control t h a t spans across mobile devices, applications, and doc um en ts .

FIG U R E 1 6 .6 3 : M a a S 3 6 0 M o b ile D e v ic e M a n a g e m e n t ( M D M )

M D M S o l u t i o n s C E H
C itrix X e n M o b ile M D M G o o d M o b ile M a n a g e r

http://www.zenpris e.com http://wwwl.good, com
F ^ l
A b s o lu te M a n a g e M D M M o b ile lr o n
-1 j g
http://www.abs olute.com http://www.mobileiron,com
- ‫•_____ ׳‬
SAP A fa ria Rule M o b ilit y

http://www.sybase.com http://www.tangoe.com
D e vice M a n a g e m e n t C e n tre TARMAC

http://www.sicap.com http://www.tarmac-mdm. com
A irW a tc h M e d ia C o n ta c t
http://www.air-watch,com ko m http://www.device-management-software.com
V __ *
M D M S o lu tio n s
w In addition to MaaS360 Mobile Device M a n a g e m e n t (MDM), software technologies

th at offer integrated mechanisms of all mobile devices in an organization for MDM include:
© Citrix XenMobile MDM available at http://w ww .z en pri se. co m
Q Absolute Manag e MDM available at http :// w w w .a bs ol ut e .c om
Q SAP Afaria available at ht tp :// ww w. sy ba se .c om
0 Device M a n a g e m e n t Centre available at ht tp: //www.sicap.com
Q AirWatch available at http: //www .air-wa tch.c om
Q Good Mobile Manager available at h t t p : / / w w w l . g o o d . c o m
0 Mobilelron available at ht tp: //www .mobileiron.com
© Rule Mobility available at h ttp : // w w w . t a n g o e . c o m
© TARMAC available at ht tp : // w w w .t a r m a c - m d m . c o m
9 MediaContact available at h ttp :// w w w .d e vi c e - m a n a g em e n t- s o ftw a r e .c o m

i
U i
talI
U<h
•
*
C opyright © by EC-G0IIICil. A ll Rights R eserved Reproduction is S trictly Prohibited.
M o d u le F lo w
- So far, we have discussed various topics such as mobile platform attack vectors,
hacking m e t h o d s of Android OS, iOS, Windows Phon e OS, BlackBerry, and how t o m an ag e
mobile devices. All t h e s e topics discussed so far help in testing mobile devices. Now, w e will
discuss mobile security guidelines and tools t h a t help in securing t h e mobile devices.
M o b ile P la tfo rm A tta c k V e c to rs -f H a c k in g B la c k B e rry
% H a c k i n g A n d r o i d iO S M o b ile D e v ic e M a n a g e m e n t
9
v___ 1
H a c k in g iO S M o b ile S e c u r ity G u id e lin e s a n d T o o ls
S '

This section is dedicated to mobile security guidelines

G e n e r a l G u i d e l i n e s f o r M o b i l e
E H
P l a t f o r m S e c u r i t y
Do not add location-based apps such as

Google Maps unless there is GPS radio
that supports the application
Do not load too many
applications and avoid Maintain configuration
auto-upload of photos control and management
Do not share the information
to social networks within GPS-enabled apps
unless those are necessary 4
Never connect tw o
separate networks such
Install applications from as Wi-Fi and Bluetooth
trusted application stores simultaneously
Perform a Security Assessment Ensure that your Bluetooth is

of the Application Architecture " o ff" by default. Turn it on when
ever it is necessary.
^ G e n e ra l G u id e lin e s for M o b ile P la tfo rm S ecu rity
Q Do not load to o many applications and avoid au to - u p l o ad of photos to social networks
© Perform a security as se s s m e nt of t h e application arc hitecture
Q Maintain c onfiguration control and m a n a g e m e n t
Q Install applications from tr u s te d application stores
0 Do not add location-based fe a t u re s such as Google Maps unless t h e r e is a c o m p o n e n t

th at su pports th e application
Q Ensure t h a t your Bluetooth is ‫ ״‬off" by default; turn it on wh e n ever it is necessary
Q Do not share information within GPS-enabled a p p s unless necessary
© Never connect tw o s e p ar a te networks such as Wi-Fi an d Bluetooth simultaneously

C E H
P l a t f o r m S e c u r i t y ( C o n t ’d )
U se Passcode
» Configure a strong passcodc with maximum possible
length to gain access to your mobile devices
‫ט‬ D o n o t a ll o w R o o tin g o r
J a ilb r e a k in g
e Set an idle timeout to automatically lock the phone » EnsureyourMDM solutions prevent or detect
when not in use rooting/jailbreaking
9 Enable lockout/wipe feature after a certain number e Include this clause in your mobile security policy
of attempts
U p d a te O S a n d A p p s
e Use re m o te w ip e services such as Remote
W ipe (Android) and Find M y iPhone o r
FindMyPhone (Apple iOS) to loca te your
» M &
device should it be lost o r stolen
E n a b le R e m o te M a n a g e m e n t
® I f s u p p o rte d , c o n fig u re y o u r m o b ile device
‫ט‬ In an enterprise environment, use Mobile Device
to e n c ry p t its s to ra g e w ith h a rd w a re
Management (MDM) software to secure,
monitor, manage, and support mobile devices e n c ry p tio n
deployed across the organization
G e n e ra l G u id e lin e s for M o b ile P la tfo rm S ec u rity

Y * ( C o n t ’d )
The following guidelines will help you to secure your mobile device from many type of attack:
1. U se a p a s s c o d e fo r m o b ile d e v ic e s e c u rity
© Configure a stron g passc ode with maximum possible length t o gain access to your
mobile devices
© Set an idle ti m eo u t t o automatically lock t h e ph one w h e n not in use
Q Enable lo ck o u t /w ip e fea t u re after a certain n u m b e r of a t t e m p t s
2. U p d a te OS and a p p s re g u la rly
3. E n a b le R e m o te M a n a g e m e n t
Q In an enterprise environment, use Mobile Device M a n a g e m e n t (MDM) software to

secure, monitor, manage, and s up po rt mobile devices deployed across th e
organization
4. D o n o t a llo w ro o tin g o r ja ilb re a k in g
© Ensure your MDM solutions p r e v e n t or d e t e c t rooting/jailbreaking
© Include this clause in your mobile security policy

5. Use r e m o t e wipe services such as Remote Wipe (Android) and Find My iPhone or
FindMyPhone (Apple iOS) to locate your device should it be lost or stolen
6 . If supp orte d, configure your mobile device t o encrypt its storage with ha rdwa re
encryption


( C o n t ’d )
P e rfo rm p e rio d ic b a c k u p a n d s y n c h ro n iz a tio n
© Use a secure, ove r-the-air b a c ku p- a nd -re s to re tool th at performs periodic background

synchronization
F ilte r e m a il- f o r w a r d in g b a rrie rs
© Filter emails by configuring server-side settings of t h e corp o ra te email system
© Use commercial data loss pr ev e n tio n filters
C o n fig u re a p p lic a tio n c e rtific a tio n ru le s
© Allow only signed applications t o install or execute
H ard e n b r o w s e r p e rm is s io n ru le s
© Harden browser permission rules according to company's security policies to avoid

attacks

D e s ig n a n d im p le m e n t m o b ile d e v ic e p o lic ie s
© Set a policy t h a t defines th e accep ted usage, levels of support, type of information
access on different devices

E H
P l a t f o r m S e c u r i t y ( c o n t ’d )
C o p y r ig h t © b y E&Ctincfl. A l l R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
G e n e ra l G u id e lin e s for M o b ile P la tfo rm S ecu rity

( c o n t ’d )
Q Set Require Passcode to Immediately
e Thwart passcode guessing: Set Erase Data to ON
e Enable Auto-Lock and set t o on e minute
e Encrypt th e device and backups
e Control t h e location of backups
e Configure wireless to Ask t o Join Networks
e Software m a i n te n a n c e
e Data stays in th e data cen ter
e App/device control
© No USB key capability
0 Encrypted backups
e Email not cached locally
e Application/data sandboxing

C E H
P l a t f o r m S e c u r i t y ( C o n t ’d )
D isable th e co lle ctio n o f D ia g n o s tic s and

Usage D ata u n d e r S e ttin g s /G e n e ra l/ M anaged a p p lic a tio n e n v iro n m e n t
About
Press th e p o w e r b u tto n to lock th e

device w h e n e v e r it is n o t in use
V e rify th e lo c a tio n o f p r in te r s b e fo re
p rin tin g s e n sitive d o c u m e n ts
U tilize a passcode lo c k to p ro te c t access to

th e m o b ile device - c o n s id e r th e e ig h t
c h a ra c te r n o n -s im p le passcode U U k
R ep o rt a lo s t o r s to le n d e v ic e t o IT so th e y t ^
can disa b le c e rtific a te s and o th e r access I ^‫ ׳‬, I

m e th o d s associated w ith th e device

— 1 ( C o n t ’d )
Q Disable t h e collection of Diagnostics and Usage Data und er Settings/General/About
Q Apply software u p d a t e s w h e n new releases are available
Q Logging and limited data on device
Q Device encryption and application patching
0 Managed operating environment
e Managed application environment
Q Press t h e powe r button to lock t h e device w h e n e v e r it is not in use
Q Verify t h e location of printers before printing sensitive do c u m e n ts
9 Utilize a passcode lock t o protect access to t h e mobile device; consider t h e eight

character non-simple passcode
Q Report a lost or stolen device t o IT so th ey can disable certificates and o t h e r access

m et h o d s associated with t h e device

r
I E H
P l a t f o r m S e c u r i t y ( C o n t ’d ) (
ci
ti
fwd
1 i
tkK
JlN
mI
m
% Keep sensitive data off of shared mobile

Consider the privacy implications before
devices. If enterprise information is locally
enabling location-based services and limit
stored on a device, it is recommended that
usage to trusted applications
this device not be openly shared
Ask your IT department how to use Citrix If you must have sensitive data on a mobile
technologies to keep data in the datacenter device, use follow-me data and ShareFile as
and keep personal devices personal an enterprise-managed solution
(Android) Backup to Google Account so that Configure location services to disable

sensitive enterprise data is not backed up to location tracking for applications that you do
the cloud not want to know your location information
Configure AutoFill - Auto-fill Names and

Configure notifications to disable the ability to
Passwords for browsers to reduce password
view notifications while the device is locked for
loss via shoulder-surfing and surveillance (if
applications that could display sensitive data
desired and allowed by enterprise policy)

( C o n t ’d )
Q Consider th e privacy implications before enabling location-based services and limit

usage t o trust ed applications
Q Ask your IT d e p a r t m e n t how to use Citrix tec hnol ogies to keep data in t h e d a ta c e n te r
and keep personal devices personal
Q (Android) Backup to Google Account so t h a t sensitive enterprise data is not backed up

to t h e cloud
© Configure notifications t o disable th e ability t o view notifications while t h e device is

locked for applications t h a t could display sensitive data
© Keep sensitive d a t a off of sh are d mobile devices. If en terprise information is locally

stored on a device, it is r e c o m m e n d e d t h at this device not be openly shared
Q If you must have sensitive data on a mobile device, use follow-me data and ShareFile as
an e n ter pri se- m ana ge d solution
© Configure location services t o disable location tracking for applications t h a t you do not
wa n t t o know your location information

Q Configure AutoFill; Auto-fill Names and Passwords for browsers to reduce password loss
via shoulder-surfing and surveillance (if desired and allowed by enterprise policy)
Module 16 Page 2 5 3 1 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

M o b i l e D e v i c e S e c u r i t y
C E H
G u i d e l i n e s f o r A d m i n i s t r a t o r
n i m
Publish an enterprise policy that specifies the acceptable usage of consumer grade devices
and bring-your-own devices in the enterprise
II Publish an enterprise policy for cloud
III Enable security measures such as antivirus to protect the data in the datacenter
Implement policy that specifies what levels of application and data access are allowable
on consumer-grade devices, and which are prohibited
G u
Specify a session timeout through Access Gateway
Specify whether the domain password can be cached on the device, or whether users must
enter it every time they request access
V II Determine the allowed Access Gateway authentication methods from the following: M
M o b ile D e v ic e S e c u rity G u id e lin e s for A d m in is tra to r
The administrator should follow th e guidelines listed here to i mp lem en t mobile device
security:
1. Publish an e n te r p ri s e policy t h a t specifies t h e ac ceptable usage of c o n s u m e r grade

devices and bring-your-own devices in t h e enterprise
2. Publish an en terprise policy for cloud
3. Enable security m e a s u r e s such as antivirus to protect th e data in t h e d a ta c e n te r
4. Implement policy t h a t specifies w h a t levels of application and data access a re allowable

on c o n s u m e r -g r a d e devices, and which are prohibited
5. Specify a session t im e o u t thro ug h Access Ga te w a y
6 . Specify w h e t h e r t h e domain password can be cached on th e device, or w h e t h e r users

must e n te r it every time t he y r e q u e s t access
7. Determine th e allowed Access G a t e w a y authentication m et h o d s from th e following:
© No authentication
© Domain only

© RSA SecurlD only
Q Domain + RSA SecurlD
© SMS authentication

M o b i l e P r o t e c t i o n T o o l :
E H
B u l l G u a r d M o b i l e S e c u r i t y
B u llG u a rd M o b ile S e cu rity d e liv e rs c o m p le te m o b ile p h o n e a n tiv iru s 0

a g a in st all m o b ile p h o n e v iru s e s
It tra c k s s to le n o r lo s t m o b ile via th e b u ilt-in GPS, locks it o r w ip e s

th e d ata o ff it, to m ake su re n o -o n e can access y o u r p e rso n a l
in fo rm a tio n , p a ss w o rd s, an d fin a n c ia l data
0
Your dewc* has been remote!?

locked a* a secunty Twatue
a
A Enter >ou BullGuard Mobile
Seomty swore to unloc» your
Artitheft albws users to rerootelr serd
1
ccmmands to devces usnc the Moble
Security ManaQ*r(T an»Qw h i !!guard com)
Antivirus
Last seamed 4 mwmtts ago
j Basic Backup
I Backup dtvc• data • Wip• (!•vie• ■RwTY»t*ly(M•*• *II !1«r•anal 41
, Parental Control
1
©
Hartnui control $ enabled
Antitheft
a 4of Ctantitheft features cncbUd
Detected Hems will be listed here
Application and SD card scan

Scan ha*nr* t»m cafrpl««f4
Full devce scan
h ttp : //w w w .b u llg u a r d .c o m
C o p y r ig h t © b y E tta u ic i. A l l R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
M o b ile P r o te c tio n T o o l: B u llG u a r d M o b ile S e c u rity

&
Source: http://www.bullguard.com
BullGuard Mobile Security delivers c om pl e te mobile ph one antivirus against all mobile phone
viruses. It tracks a stolen or lost mobile via th e built-in GPS, locks it, or wipe t h e data off it, t o
make sure no one can access your personal information, passwords, and financial data.
FIGURE 16.64: B u llG u a rd M o b ile Security Screenshot

M o b i l e P r o t e c t i o n T o o l : L o o k o u t
L o o k o u t p r o t e c ts y o u r p h o n e f r o m
m o b ile t h r e a ts
J Security and Privacy

e Helps avoid risky behavior, like connecting
to an unsecured WiFi network,
downloading a malicious app or clicking
on a fraudulent link in orderto prevent
identity theft, financial fraud, and the loss
of your most personal data
J Backup
e Provides safe, secure and seamless
backup of your mobile data, automatically
over the air
- I Missing Device
» Helps you find your phone if it's lost or
stolen
J Management
6 Allows you to remotely manage your
phone
M o b ile P r o te c tio n T o o l: L o o k o u t
Source: https: //w w w. lo oko ut. co m
Lookout is a mobile protection tool th at allows you t o protect your mobile from mobile t hre ats .
It helps you to avoid risky behavior such as connecting to an unsecu red Wi-Fi network,
d o w nl oa di ng a malicious a pp or clicking on a f ra ud ul en t link in order to prevent identity theft,
financial fraud and th e loss of your most personal da ta. This provides safe, secure, and
seamless backup of your mobile data, automatically over t h e air, and allows you to find your
ph on e if it's lost or stolen. The da shboard allows you t o remotely m an a g e your phone.
FIGURE 1 6 .6 5 : L o o k o u t S c r e e n s h o t

M o b ile P r o te c tio n T o o l: W IS e lD
Source: http://www.wiseid.mobi
WISelD provides secure and easy-to-use e n c ry p t e d sto ra g e for perso na l da ta, personal
identifiable information (Pll), PINs, credit and loyalty cards, notes, an d ot her information.
WISelD allows you t o store your websites, user names, and passwords and quickly log on to
your favorite websites through your mobile device.

.... SFR ‫»־‬ 18:19 *u.SFR ‫־‬5 ‫־‬ 18:13
WISell) Premium no mor• ads! WISeKey Clinton Global Comm itment
S e ttin g s Back N ew Ite m
P re m iu m F e atu re s
‫ך‬
A c c o u n ts >
L a n gu a ge >
r ‫ך‬
D isp la y >
j
In fo rm a tio n >
■ ...... j
• • • • • •
J ? ^ * 3 a m </‫׳‬ tt
ltcm% Secure Msg Setting• Mote Kam i Secure Meg Mo#*•
FIG U R E 1 6 .6 6 : W IS e lD S c r e e n s h o t
Module 16 P ag e 2537 Ethical Hacking and Countermeasures C opyright © by EC-C0l1nCil

M o b i l e P r o t e c t i o n T o o l s CEH
. 5 ? M c A fe e M o b ile S e cu rity ► K a sp e rsk y M o b ile S e cu rity
https://www. mcafeemobiles ecurity.com http://www.kaspersky.com
|J5U AVG A n tiV iru s Pro fo r Android F-Secure M o b ile S e cu rity

http://www.avg.com http://www.f-secure.com
S lip ] T re n d M icro ™ M o b ile

a v a st! M o b ile S e cu rity
http://www.avast.com [■■‫ י‬pq S e cu rity
http://www.trendmicro.com
W e broot Secure A n y w h e re
m ^ N o rto n M o b ile S e cu rity
^ http://us. norton.com
M o b ile
http://www.webroot.com
ESET M o b ile S e cu rity N etQ in M o b ile Security

http://www.eset.com http://www.netqin.com
C o p y r ig h t © b y EfrCaincl. A l l R ig h ts R e s e rv e d . R e p ro d u c tio n is S t r ic t ly P ro h ib ite d .
1 M o b ile P ro te c tio n T o o ls
In addition t o the tools including BullGuard Mobile Security, Lookout and WISelD,
th er e are a nu m b e r of ot her tools available for mobile protection:
© McAfee Mobile Security available at https ://ww w.mc afee mo biles ecu rity.c om
Q AVG AntiVirus Pro for Android available at http: //w ww .a vg .c om
Q avast! Mobile Security available at ht tp: //w w w. av as t.c om
0 Norton Mobile Security available at http :// us .n or to n. c om
9 ESET Mobile Security available at ht tp : // w w w .e s e t. c o m
Q Kaspersky Mobile Security available at ht tp://www.kaspe rskv.com
0 F-Secure Mobile Security available at http: //www .f-sec ure.c om
Q Trend Micro Mobile Security available at ht tp :// w w w .t re nd m ic ro .c om
© W e br oo t Secure Anywhere Mobile available at h t tp : // w w w . w e b r o o t . c o m
9 NetQin Mobile Security available a t h t tp : // w w w .n e ta i n. c o m

I
tf
c'ulI
U<h
«
C opyright © by E C -C o u id . A ll Rights R eserved Reproduction is S trictly Prohibited.
M o d u le F lo w
With t h e increasing use of s m a r tp h o n e s for business and online transactions,

attackers are concentrating on launching various kinds of attacks for financial gain. Therefore,
as a smart mobile p h o ne user, you should check your mobile security against possible attacks.
You can te s t t h e security with t h e help of mobile pen testing.______________________________
M o b ile P la tfo rm A tta c k V e c to rs H a c k in g B la c k B e rry
H a c k i n g A n d r o i d iO S M o b ile D e v ic e M a n a g e m e n t
*
‫יי‬--------- ✓
” . /
This section describes t h e step-by-step process of mobile pen testing.

A n d r o id P h o n e P e n T e s tin g CEH
(•rtifWd IthKJl IU*kM
Try t o R o o t an A n d ro id P h one t o ga in th e a d m in is tra tiv e access t o th e

j R o o t a n A n d ro id P h o n e A n d ro id d e vice s using to o ls such as S u p e rO n e C lic k , S u p e r b o o t, U n iv e rs a l
A n d r o o t, U n re v o k e d , e tc .
START ;--------------------
------------ V—____
P e r f o r m DoS Use t o o l A n D O S id t o p e r fo rm DoS a n d DDoS a tta c k s
a n d D D oS A tta c k s o n A n d ro id p h o n e
e C heck w h e th e r c ro s s -a p p lic a tio n - s c r ip tin g e r ro r is p re s e n t in th e a n d ro id

C h e c k f o r v u ln e r a b il iti e s
b ro w s e r w h ic h a llo w s hackers t o e a s ily h a ck th e A n d ro id d e v ic e a n d t r y to
in A n d r o id b r o w s e r
b re a k d o w n th e w e b b ro w s e r's s a n d b o x using in fe c te d ja v a s c rip t c o d e
O C heck w h e th e r e m a il p a s s w o rd is s to re d as p la in te x t in t h e S Q Lite d a ta b a s e
C heck fo r
and a ls o c h e c k w h e th e r Skype o n A n d ro id uses u n e n c ry p te d SQ Iite d a ta b a s e
v u ln e r a b il iti e s in S Q L ite
t o s to re c o n ta c ts , p r o file in fo r m a tio n and in s ta n t m essage logs
V
Try t o use in te n ts (s te a lin g , m o d ify o r re p la c e ) t o hack th e p h o n e and
C h e c k fo r
o b ta in th e u ser's p riv a c y in fo r m a tio n , and use C o m D ro id to o l t o d e te c t
v u ln e r a b i l i t i e s in I n te n ts
a p p lic a tio n 's c o m m u n ic a tio n v u ln e ra b ilitie s
D e t e c t c a p a b ility
© Use t o o l W o o d p e c k e r t o d e te c t c a p a b ility leaks in A n d ro id devices
le a k s in A n d r o id d e v i c e s
Copyright © by E & C a u a c i. All Rights Reserved. Reproduction is Strictly Prohibited.
Android Phone Pen Testing

w *‫־־‬-‫ י‬The security testing differs based on the mobile operating system or mechanism. Let's
begin with Android phone pen testing. The steps involved in Android phone pen testing are:
Step 1: Root an Android phone
Try to root an Android phone to gain the administrative access to the Android devices using
tools such as SuperOneClick, Superboot, Universal Androot, Unrevoked, etc.
Step 2: Perform DoS and DDoS attacks
Use tool AnDOSid to perform DoS and DDoS attacks on the Android phone.
Step 3: Check for vulnerabilities in the Android browser
Check whether cross-application-scripting error is present in the Android browser, which
allows hackers to easily hack the Android device and try to break down the web browser's
sandbox using infected JavaScript code
Step 4: Check for vulnerabilities in SQLite
Check whether an email password is stored as plaintext in the SQLite database and also check
whether Skype on Android uses an unencrypted SQIite database to store contacts, profile
information, and instant message logs

Step 5: Check for vulnerabilities in Intents
Try to use intents (steal, modify, or replace) to hack the phone and obtain the user's privacy
information and use ComDroid tool to detect application's communication vulnerabilities
Step 6: Detect capability leaks in Android devices
Use tool Woodpecker to detect capability leaks in Android devices.

iP h o n e P e n T e s t i n g CEH
S Try t o Jailbreak th e iP hone using to o ls such as

START
© RedsnOw, A b s in th e , SnOwbreeze, PwnageTool, e tc
s Unlock th e iP hone using to o ls such as

iP honeSim Free and anySIM
S H old th e p o w e r b u tto n o f an iOS o p e ra tin g device

J a ilb re a k th e iP h o n e ;■> C h e c k f o r access p o in t
t ill th e p o w e r o ff m essage appears. Close th e
s m a rt cover till th e screen s huts and opens th e
s m a rt cover a fte r fe w seconds. Press th e cancel
b u tto n t o bypass th e passw ord code sec u rity
S Use th e M e ta s p lo it to o l t o e x p lo it th e
: C h e c k iOS d e v ic e d a ta
v u ln e ra b ilitie s in iP hone. Try t o send n on -m aliciou s
U n lo c k th e iP h o n e tra n s m is s io n o n W i-F i
code as payload to th e device t o gain access to th e
n e tw o rk s
device
s Check fo r an access p o in t w ith th e sam e nam e and

e n c ry p tio n ty p e
C h e c k w h e th e r t h e
Use S m a rtC o v e r - P e rform m a n -in -th e -m id d le /S S L s trip p in g a ttack
m a lfo r m e d d a ta can by in te rc e p tin g w ireless param eters o f iOS device
to bypass passcode
b e s e n t t o t h e d e v ic e on W iFi n e tw o rk . Send m alicious packets on W iFi
n e tw o rk using Cain & A bel to o l
j Use social e n g in e e rin g te c h n iq u e s such as sending

em ails, SMS to tric k th e user t o open links th a t
H a ck iP h o n e co n ta in m alicious w eb pages
u s in g M e ta s p lo it
iPhone Pen Testing

In order to test your iPhone for Potential vulnerabilities, follow the steps here:
Step 1: Jailbreak the iPhone
Try to jailbreak the iPhone using tools such as RedsnOw, Absinthe, SnOwbreeze, PwnageTool,
etc.
Step 2: Unlock the iPhone
Unlock the iPhone using tools such as iPhoneSimFree and anySIM.
Step 3: Use SmartCover to bypass passcode
Hold the power button of an iOS operating device until the power off message appears. Close
the smart cover until the screen shuts and opens the smart cover after few seconds. Press the
cancel button to bypass the password code security.
Step 4: Hack iPhone using Metasploit
Use the Metasploit tool to exploit the vulnerabilities in the iPhone. Try to send non-malicious
code as payload to the device to gain access to the device.

Step 5: Check for Access Point
Check for access point with the same name and encryption type.
Step 6: Check iOS device data transmission on Wi-Fi networks
Perform a man-in-the-middle/SSL stripping attack by intercepting wireless parameters of iOS
device on a Wi-Fi network. Send malicious packets on the Wi-Fi network using the Cain & Abel
tool.
Step 7: Check whether the malformed data can be sent to the device
Use social engineering techniques such as sending emails or SMS to trick the user into opening
links that contain malicious web pages.

“
W in d o w s P h o n e P e n T e s tin g c EH
(citifwd ItkKJl NMkM
START .........
Try t o t u r n o f f t h e S S e n d a n S M S t o t h e p h o n e w h ic h t u r n s o f f t h e
p h o n e b y s e n d in g a n SM S m o b ile a n d r e b o o ts a g a in
Try t o j a i l b r e a k e U s e W in d o w B r e a k p r o g r a m t o ja ilb r e a k /u n lo c k Q
W in d o w s p h o n e W in d o w s p h o n e
C h e c k fo r e C h e c k w h e th e r t h e d a ta o n p h o n e c a n b e a c c e s s e d
o n ‫־‬d e v ic e e n c r y p t io n w i t h o u t p a s s w o r d o r PIN
C h e c k f o r v u ln e r a b il ity 8 C h e c k w h e th e r t h e f la w in CSS f u n c t io n in I n t e r n e t E x p lo re r a llo w s
in W in d o w s p h o n e a tta c k e rs t o g a in f u ll acc e s s o v e r t h e p h o n e t h r o u g h r e m o t e c o d e
I n t e r n e t E x p lo re r e x e c u tio n
Copyright © by E & C a u a c i. All Rights Reserved. Reproduction is Strictly Prohibited
Windows Phone Pen Testing

You can test a Windows phone for security flaws by following the Windows phone
pen testing steps mentioned here:
Step 1: Try to turn off the phone by sending an SMS
Send an SMS to the phone, which turns off the mobile and reboots it again.
Step 2: Try to jailbreak the Windows phone
Use the WindowBreak program to jailbreak/unlock the Windows phone.
Step 3: Check for on-device encryption
Check whether the data on the phone can be accessed without a password or PIN.
Step 4: Check for a vulnerability in Windows Phone Internet Explorer
Check whether the flaw in CSS function in Internet Explorer allows attackers to gain full access
over the phone through remote code execution.

B la c k B e r r y P e n T e s tin g CEH
P e r f o r m b la c k ja c k in g
( 5 ) ••••> © U s e B B P ro x y t o o l t o h ija c k B la c k B e rry c o n n e c tio n
o n B la c k B e rr y
START
C h e c k f o r f la w s in a p p lic a - 6 O b ta in c o d e - s ig n in g k e y s u s in g p r e p a id c r e d it- c a rd s a n d fa ls e d e ta ils ,

t io n c o d e s ig n in g p ro c e s s s ig n a m a lic io u s a p p lic a tio n a n d p u b lis h it o n t h e B la c k b e r r y a p p w o r ld
© S e n d m a ils o r m e s s a g e s t o t r ic k a u s e r t o d o w n lo a d m a lic io u s .c o d
P e r f o r m e m a il e x p l o it
a p p lic a tio n f i l e o n t h e B la c k B e rry d e v ic e
it
« T ry s e n d in g m a lf o r m e d S e rv e r R o u tin g P r o to c o l (SRP) p a c k e ts f r o m
P e r f o r m D O S a t ta c k
B la c k B e rry n e t w o r k t o t h e r o u t e r t o c a u s e DO S a tta c k
~ v ~
C h e c k f o r v u ln e r a b ilit ie s « S e n d m a lic io u s ly c r a f t e d w e b lin k s a n d t r ic k u s e rs t o o p e n lin k s c o n ta in in g

in B la c k B e r r y B r o w s e r m a lic io u s w e b p a g e s o n t h e B la c k B e rry d e v ic e
— 9 —
S e a rc h f o r p a s s w o r d ® U s e t o o ls s u c h as E lc o m s o ft P h o n e P a s s w o rd B r e a k e r t h a t c a n r e c o v e r
p r o t e c t e d f ile s p a s s w o r d p r o te c te d file s , b a c k u p s f r o m B la c k B e rry d e v ic e s
I f 7 BlackBerry Pen Testing

' Follow the BlackBerry pen testing steps mentioned here to test your blackberry device
to determine the potential vulnerabilities and to find the security flaws before an external
attacker finds and exploits them:
Step 1: Perform blackjacking on the BlackBerry
Use BBProxy tool to hijack the BlackBerry connection.
Step 2: Check for flaws in the application code signing process
Obtain code-signing keys using prepaid credit cards and false details, sign a malicious
application, and publish it on the BlackBerry app world.
Step 3: Perform an email exploit

Send an email or message to trick a user to download a malicious .cod application file on the
BlackBerry device.
Step 4: Perform a DoS attack
Try sending malformed Server Routing Protocol (SRP) packets from the BlackBerry network to
the router to cause a DoS attack.

Step 5: Check for vulnerabilities in the BlackBerry Browser

Send maliciously crafted web links and trick users to open links containing malicious web pages
on the BlackBerry device.
Step 6: Search for password protected files

Use tools such as Elcomsoft Phone Password Breaker that can recover password protected files
and backups from BlackBerry devices.

M o d u le S u m m a ry CEH
Urtiftetf ttku jl lUckM
□ F o cu s o f a tta c k e r s a n d m a lw a re w rite rs h a s s h ifte d t o m o b ile d e v ic e s d u e

t o t h e in c r e a s e d a d o p t io n o f m o b ile d e v ic e s fo r b u s in e s s a n d p e r s o n a l p u r p o s e s
a n d c o m p a ra tiv e ly le s s e r s e c u rity c o n tro ls
□ S a n d b o x i n g h e l p s p r o t e c t s y s t e m s a n d u s e r s b y l i m it in g t h e r e s o u r c e s t h e a p p c a n a c c e s s in t h e m o b i l e
p la tfo rm
□ A n d ro id is a s o f tw a r e s ta c k d e v e lo p e d b y G o o g le f o r m o b ile d e v ic e s t h a t in c lu d e s a n o p e r a t in g s y s te m ,
m id d le w a r e , a n d key a p p lic a tio n s
□ R o o t i n g a l l o w s A n d r o i d u s e r s t o a t t a i n p r iv i le g e d c o n t r o l ( k n o w n a s " r o o t a c c e s s " ) w i t h i n A n d r o i d 's

s u b s y s te m
□ J a ilb re a k in g p ro v id e s r o o t a c c e s s t o t h e o p e r a t in g s y s te m a n d p e r m its d o w n lo a d o f th i r d - p a r ty
a p p l i c a t i o n s , t h e m e s , e x t e n s i o n s o n a n iO S d e v i c e s
□ A tta c k e r c a n o b t a i n c o d e - s i g n i n g k e y s a n o n y m o u s l y u s i n g p r e p a i d c r e d i t - c a r d s a n d f a l s e d e t a i l s , s ig n a
m a l i c i o u s a p p l i c a t i o n , a n d p u b l i s h i t o n t h e B la c k b e r r y a p p w o r l d
□ M o b i l e D e v ic e M a n a g e m e n t (M D M ) p r o v i d e s a p l a t f o r m f o r o v e r - t h e - a i r o r w ir e d d i s t r i b u t i o n o f
a p p l i c a t i o n s , d a t a , a n d c o n f i g u r a t i o n s e t t i n g s f o r a ll t y p e s o f m o b i l e d e v i c e s , in c lu d in g
m o b ile p h o n e s , s m a r t p h o n e s , t a b l e t c o m p u te r s , e tc . _____ - I
Module Summary
Q The focus of attackers and malware writers has shifted to mobile devices due
to the increased adoption of mobile devices for business and personal purposes
and comparatively lesser security controls.
Q Sandboxing helps protect systems and users by limiting the resources the app can access
in the mobile platform.
6 Android is a software stack developed by Google for mobile devices that includes an
operating system, middleware, and key applications.
e Rooting allows Android users to attain privileged control (known as "root access") within
Android's subsystem.
9 Jailbreaking provides root access to the operating system and permits download of
third-party applications, themes, and extensions on iOS devices.
Q Attacker can obtain code-signing keys anonymously using prepaid credit-cards and false
details, sign a malicious application and publish it on the BlackBerry app world.
M o d u le 16 Page 2547 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil

6 Mobile Device Management (MDM) provides a platform for over-the-air or wired

distribution of applications, data, and configuration settings for all types of mobile
devices, including mobile phones, smartphones, tablet computers, and so on.


CEHv8 Module 16 - Hacking Mobile Platform

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CEHv8 Module 16 - Hacking Mobile Platform

Uploaded by

Copyright:

Available Formats

H a c k in g M o b ile

H acking M obile Platform s

Engineered by Hackers. Presented by Professionals.

M o d u le 16: H a ck in g M o b ile P la tfo rm s

Module 16 Page 2393 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

S ecurity New s CEH

I n a r e p o r t d e t a ilin g t h e w o r l d 's m o b ile s e c u r it y , t h e c o m p a n y

h ttp ://w w w .c o m p u te rw o rld .c o m

Copyright © by E&Cauaci. All Rights Reserved. Reproduction is Strictly Prohibited.

■at m m M o b ile M a lw a re C a s e s N e a rly T rip le in F irs t H a lf o f

In a r e p o r t d e t a i l i n g t h e w o rld 's m o b ile s e c u rity , th e c o m p a n y d e te c te d a m a jo r s p ik e in

D u rin g th is y e a r's f i r s t h a lf, N e tQ in f o u n d t h a t m o s t o f t h e d e t e c t e d m a lw a r e , a t 7 8 % , ta r g e t e d

Module 16 Page 2394 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

Co pyrig ht © 1994 - 2012 C o m p u te rw o rld Inc

h a lf of 2012 says N etQ in

Module 16 Page 2395 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

Copyright © by E&Caincl. All Rights Reserved. Reproduction is Strictly Prohibited.

9 M o b ile A tta c k V e c to rs 9 W in d o w s P hone 8 A rc h ite c tu re

9 M o b ile P la tfo rm V u ln e ra b ilitie s 9 G u id e lin e s fo r S e c u rin g W in d o w s OS

9 S e c u r i n g A n d r o i d D e v ic e s 9 G eneral G u id e lin e s fo r M o b ile P la tfo rm

Module 16 Page 2 3 9 6 Ethical Hacking and Countermeasures C opyright © by EC-C0UnCil

Copyright © by EC-Couid. All Rights Reserved Reproduction is Strictly Prohibited.

M o b ile P la tfo rm A tta c k V e c to rs ^ ' 1‫׳‬ Hacking BlackBerry

|| Hacking Android iOS M obile Device M anagem ent

Hacking iOS Mobile Security Guidelines and Tools

Hacking W indows Phone OS ^ M obile Pen Testing

T h is s e c tio n in tro d u c e s you to th e v a rio u s m o b ile a tta c k v e c to rs and th e a ss o c ia te d

Module 16 Page 2397 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

Mobile Threat Report Q2 2012 CEH

Tro jan M onitoring R iskw a re A p p lic a tio n A dw are

h t t p : / / ww w.f-secure.com h ttp ://w w w .h o tfo rs e c u rity .c o m

Copyright © by E&Cauaci. All Rights Reserved. Reproduction is Strictly Prohibited.

Module 16 Page 2398 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

2011 2011 2011 2011 2012 2012

A tta c k s o n m o b ile p h o n e s w e r e m o s tly d u e t o th e T ro ja n s , w h ic h a c c o rd in g t o t h e M o b ile

Module 16 P ag e 2399 Ethical Hacking and Countermeasures C opyright © by EC-C0UnCil

Term inology CEH

Bricking the Mobile Device

Bring Your Own Device (BYOD)

Copyright © by E&Caincl. All Rights Reserved. Reproduction is Strictly Prohibited.

© Bricking the M obile Device: A l t e r i n g t h e d e v i c e O S e s u s in g r o o t i n g o r j a i l b r e a k i n g in a

© Bring Your Own Device (BYOD): B r i n g y o u r o w n d e v i c e (B Y O D ) is a b u s i n e s s p o l i c y t h a t

Module 16 Page 2 4 0 0 Ethical Hacking and Countermeasures C opyright © by EC-C0UnCil

M obile Attack Vectors

Copyright © by E&Ctliacfl. All Rights Reserved. Reproduction is Strictly Prohibited.

S im ila r t o t r a d it io n a l c o m p u t e r s y s te m s , m o s t m o d e r n m o b ile d e v ic e s a re a lso p r o n e

9 A p p lic a tio n m o d ific a tio n

Module 16 Page 2401 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

© M o d ific a tio n by a n o th e r a p p lic a tio n

© A p p lic a tio n v u ln e ra b ilitie s

Module 16 Page 2402 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

M o b ile A p p lic a tio n

M o b ile M a lw a r e P riv a c y Issues (G e o lo c a tio n )

D e v ic e a n d A p p E n c ry p tio n E xce ssive P e rm is s io n s

M o b ile P la tfo rm V u ln e ra b ilitie s a n d R is k s

Module 16 Page 2403 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

e M o b ile A p p lic a tio n V u ln e r a b ilitie s

Module 16 Page 2404 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

Call lo g s /p h o to /v id e o s /s e n s itiv e docs

Copyright © by E&Caincl. All Rights Reserved. Reproduction is Strictly Prohibited.

S e c u rity Is s u e s A ris in g fro m A p p S to re s

------- An a u th e n tic a te d d e v e lo p e r o f a c o m p a n y cre a te s m o b ile a p p lic a tio n s fo r m o b ile

Module 16 Page 2405 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCil

Module 16 P ag e 2 4 0 6 Ethical Hacking and Countermeasures C opyright © by EC-C0UnCil