3.7 Attacks & exploits: Attacks on Mobile Devices Flashcards

1
Q

Enterprise Mobility Management: what is Enterprise Mobility Management (EMM)?

A

Enables centralized management and control of corporate mobile devices
● Tracking
● Controlling
● Securing

2
Q

Enterprise Mobility Management: what is Mobile Device Management (MDM)? What technical control features does an MDM have?

A

Tool for securing, managing, and monitoring mobile devices within an organization:
- Application control
- Password and Passcode functionality
- MFA requirement
- Token-based access
- Patch management
- Remote wipe

3
Q

Enterprise Mobility Management: what is Remote Wipe?

A

Reverts a device back to its factory default settings and sanitizes the sensitive data from the device’s onboard storage

4
Q

Enterprise Mobility Management: what are Trust Certificates used for on a device? Are they a secure way to certify a device?

A

Globally identifies a trusted device within an organization. A trust certificate can be copied by an attacker

5
Q

Enterprise Mobility Management: what are User-Specific Certificates used for on a device?

A

Assigned to a device to uniquely identify it on the network

6
Q

Enterprise Mobility Management: what is a Firmware Update?

A

Updates the baseband of the radio modem used for cellular, Wi-Fi, Bluetooth, NFC, and GPS connectivity

7
Q

Deployment Options: what are the different deployment options for MDM (5)? Explain each of them

A

o Corporate-Owned, Business Only (COBO): Purchased by the company for use by the employees only for work-related purposes (Most secure, Most restrictive, Most expensive)
o Corporate-Owned, Personally-Enabled (COPE): Provides employees with a company procured device for work-related and/or personal use
o Choose Your Own Device (CYOD): Allows employees to select a device from an approved list of vendors or devices
o Bring Your Own Device (BYOD): Allows employees to bring their own devices into work and connect them to the corporate network. BYOD brings up privacy concerns and is the most difficult to secure
o Virtual Mobile Infrastructure (VMI): Like VDI, but utilizes a virtualized mobile operating system

8
Q

Mobile Reconnaissance Concerns:

A
9
Q

Mobile Device Insecurity: list the potential insecurities related to mobile devices (4)

A

o Jailbreaking
o Rooting
o Sideloading
o Unauthorized app stores

10
Q

Mobile Device Insecurity: what is Jailbreaking?

A

Enables a user to obtain root privileges, sideload apps, change or add carriers, and customize the interface of an iOS device

11
Q

Mobile Device Insecurity: what is Rooting and how can you do it (2)?

A

▪ Custom Firmware/Custom ROM: A new Android OS image that can be applied to a device
▪ Systemless Root: Does not modify system partitions or files and is less likely to be detected than a custom ROM

12
Q

Mobile Device Insecurity: what is Sideloading?

A

Installs an app on a mobile device directly from an installation package instead of an official store

13
Q

Mobile Device Insecurity: what are Unauthorized app stores?

A

Android and iOS devices block the installation of third-party applications by default

14
Q

Mobile Device Insecurity: list the security configurations used to secure a mobile device (7)

A

o Device Configuration Profiles/Protocols
o Full Device Encryption
o VPN
o Location Services
o Geolocation
o Geofencing
o Geotagging

15
Q

Mobile Device Insecurity: explain Device Configuration Profiles/Protocols

A

▪ Implement settings and restrictions for mobile devices from centralized mobile device management systems
▪ Profiles are mainly used for security, but can also provide a vulnerability

16
Q

Mobile Device Insecurity: explain Full Device Encryption and its options on iOS, Android v6/v7/v9 and HSM

A

▪ iOS: 256-bit unique ID
▪ Android v6: 128-bit AES keys
▪ Android v7: File-based encryption
▪ Android v9: Metadata encryption
▪ MicroSD Hardware Security Module (HSM): Stores the different cryptographic keys securely inside the mobile device, like a TPM module in a desktop or laptop

17
Q

Mobile Device Insecurity: explain VPN

A

Some MDM solutions provide a third-party VPN client

18
Q

Mobile Device Insecurity: explain Location Services

A

Refers to how a mobile device is allowed to use cellular data, Wi-Fi, GPS, and Bluetooth to determine its physical location

19
Q

Mobile Device Insecurity: explain Geolocation, Geofencing and Geotagging

A

o Geolocation: Uses a device’s ability to detect its location to determine if access to a particular resource should be granted
o Geofencing: Creates virtual boundaries based on geographical locations and coordinates
o Geotagging: Adds location metadata to files or devices

20
Q

Multifactor Authentication: what is the difference between Identification and Authentication?

A

o Identification: Provides identity
o Authentication: Validates identity

21
Q

Multifactor Authentication: explain MFA and authentication attributes (5)

A

Uses two or more means (or factors) to prove a user’s identity:
● Knowledge (Something you know)
● Ownership (Something you have)
● Characteristic (Something you are)
● Location (Somewhere you are)
● Action (Something you do)

22
Q

Multifactor Authentication: explain FAR, FRR and CER

A

o False Acceptance Rate (FAR): Rate that a system authenticates a user as authorized or valid when they should not have been granted access to the system
o False Rejection Rate (FRR): Rate that a system denies a user as authorized or valid when they should have been granted access to the system
o Crossover Error Rate (CER): An equal error rate (EER) where the false acceptance rate and false rejection rate are equal

23
Q

Multifactor Authentication: explain the OTP algorithms (2)

A

▪ Time-Based One-Time Password (TOTP): Computes password from a shared secret and the current time
▪ HMAC-Based One-Time Password (HOTP): Computes password from a shared secret and is synchronized across the client and the server

24
Q

Multifactor Authentication: explain In-Band Authentication and Out-of-Band Authentication. Which one is the most secure?

A

▪ In-Band Authentication: Relies on an identity signal from the same system requesting the user authentication
▪ Out-of-Band Authentication: Uses a separate communication channel to send the OTP or PIN
o Implement 2FA or MFA that relies on an out-of-band authentication system for high-security networks

25
Q

Mobile Device Attacks: which OS is the most secure and why?

A

o iOS is considered a “walled garden” as it is more restrictive
o Android was developed to be an open operating system

26
Q

Mobile Device Attacks: explain the Overreach of Permissions type of mobile attack

A

▪ Occurs when third-party apps request more permissions than they actually need
▪ Overreach of permissions can be used by penetration testers to their advantage

27
Q

Mobile Device Attacks: what Social Engineering attacks are mobile devices exposed to?

A

Social Engineering
▪ Vishing
▪ Smishing
▪ Spamming

28
Q

Mobile Device Attacks: what Bluetooth attacks are mobile devices exposed to? Explain them (2)

A

▪ Bluejacking: Sending unsolicited messages to a Bluetooth device. Sending information
▪ Bluesnarfing: Making unauthorized access to a device via Bluetooth connection. Taking information

29
Q

Malware Analysis: explain Sandboxing. What does it do?

A

A computing environment that is isolated from a host system to guarantee that the environment runs in a controlled and secure fashion.
● Determine if the file is malicious
● Effects of the file on a system
● Dependencies with files and hosts

30
Q

Malware Analysis: what features can you find in a sandboxing tool (8)?

A

● Monitor system changes
● Execute known malware
● Identify process changes
● Monitor network activity
● Monitor system calls
● Create snapshots
● Record file creation/deletion
● Dump virtual machine’s memory

31
Q

Malware Analysis: what is Reverse Engineering and how can it be used in malware analysis?

A

▪ The process of analyzing the structure of hardware or software to reveal more about how it functions
▪ Malware reverse engineers can determine who wrote the code by learning their patterns
▪ Malware writers often obfuscate the code before it is assembled or compiled to prevent analysis

32
Q

Malware Analysis: how do reverse engineers attempt to identify malware? What strings should you look for (3)?

A

By finding strings to use as a signature for rule-based detection. Strings to look for:
● Any sequence of encoded characters that appears within the executable file
● If the malware contains a string with a function called InternetOpenUrl, and another string that is a URL, it probably attempts to download something from that web address
● The Strings tool will dump all strings with over three characters in ASCII or Unicode encoding

33
Q

Malware Analysis: what is a Disassembler?

A

A computer program that translates machine language into assembly language

34
Q

Malware Analysis: what is Machine Code?

A

The binary code executed by the processor, typically represented as 2 hex digits for each byte

35
Q

Malware Analysis: what is Assembly Code?

A

The native process or instruction set used to implement a program

36
Q

Malware Analysis: what is a Decompiler?

A

Software that translates a binary or low-level machine language code into higher level code

37
Q

Malware Analysis: what is High-Level Code?

A

Real or pseudocode in human readable form that makes it easier to identify functions, variables, and programming logic used in the code

38
Q

Malware Analysis: what is a Program Packer?

A

▪ A method of compression in which an executable is mostly compressed and the part that isn’t compressed contains the code to decompress the executable
▪ A packed program is a type of self-extracting archive
▪ A packed program does not necessarily mean it is malicious, as much proprietary software also uses packing to deter theft and piracy
▪ Packed malware can mask string literals and effectively modify its signatures to avoid triggering signature-based scanners

39
Q

Mobile Device Tools: what is Drozer?

A

A complete security audit and attack framework that provides the tools to use and share public exploits for the Android OS

40
Q

Mobile Device Tools: what is Android APK Decompiler (APKX)?

A

A tool that can extract an APK file, an Android binary, or application back to its Java source code

41
Q

Mobile Device Tools: what is APK Studio?

A

A cross-platform Integrated Development Environment (IDE) used for writing the source code to make applications for the Android operating system

42
Q

Mobile Device Tools: what is Android SDK (APK SDK)?

A

A large set of tools, libraries, documentation, code samples, processes, and guides created specifically for the Android OS

43
Q

Mobile Device Tools: what is Frida?

A

▪ An open-source tool that provides custom developer tools for penetration testers when conducting application pentesting on mobile apps
▪ Frida supports both iOS and Android applications, as well as Windows, macOS, and Linux

44
Q

Mobile Device Tools: what is Objection?

A

A runtime mobile exploration toolkit that is built to help assess the security posture of mobile applications, without requiring the device to be jailbroken

45
Q

Mobile Device Tools: what is Needle?

A

▪ An open-source, modular framework used to streamline the security assessment process on iOS applications
▪ Frida is a better choice for iOS exploitation as Needle has already been decommissioned

46
Q

Mobile Device Tools: what is Ettercap?

A

A comprehensive toolkit for conducting on-path attacks

47
Q

Mobile Device Tools: what is Mobile Security Framework (MobSF)?

A

An automated, all-in-one mobile application pentesting, malware analysis, and security assessment framework capable of performing both static and dynamic analysis

48
Q

Mobile Device Tools: what is Burp Suite?

A

▪ Allows for the interception, inspection, and modification of the raw traffic passing through
▪ Burp Suite has a special module designed to test iOS devices

49
Q

Mobile Device Tools: what is Postman?

A

An API platform for building and using APIs that simplifies each step of the API lifecycle and streamlines collaboration