Lesson 11 - Targeting Mobile Devices Flashcards
________ is a class of management software designed to apply security policies to mobile devices and apps in the enterprise
Enterprise Mobility Management (EMM)
EMM covers both Mobile Device Management (MDM) and Mobile Application Management (MAM)
What is the "business logic process" and why is it important to mobile devices?
The flow of a request from the moment the user asks for access until the request reaches the resource.
A vulnerability can exist at any step taken to reach the resource, including the ability to modify cookies or tokens, escalate privileges, or circumvent controls
Name the physically based threats that face mobile devices
Deperimeterization - employees take sensitive data outside the corporate perimeter where it is not properly secured - exfiltration
Strained Infrastructure - too many devices can place strain on the network and lead to an unintentional DoS
Forensic Complications - BYOD devices can be difficult to acquire and examine, which can compromise an investigation
Lost or Stolen Devices
What is the threat term when mobile devices are not patched in a timely manner
Patching Fragmentation
Name the types of attacks that can impact a mobile device that has been jailbroken (or rooted)
Execution of activities as root
Over-reach of permissions (apps granted more permissions than their function requires)
What is the network formed by Bluetooth-enabled devices in close proximity called?
Personal Area Network (PAN)
Devices should follow best-practice guidelines, such as leaving Bluetooth in non-discoverable mode when not pairing
What is the method used by an attacker to send unwanted text messages, images, or videos to a mobile phone, tablet, or laptop over a Bluetooth connection?
Bluejacking attack
Typically an annoyance, but can be used as a vector to carry out more insidious attacks
Users tend to trust these messages because they appear to come from a nearby device
What is the more aggressive Bluetooth attack that allows a malicious actor to read information from a victim's Bluetooth device?
Bluesnarfing
Both Bluejacking and Bluesnarfing are generally ineffective against devices set to non-discoverable mode
T or F: Apple iOS devices are less secure than Android?
False
Android is less restrictive by design; a single setting ("Install unknown apps") makes it possible to install apps from third-party sources
What Metasploit Framework tool is used to create a malicious app (APK) for Android devices?
msfvenom (generates an Android payload such as a reverse Meterpreter and packages it as an APK)
Name the common security suites for testing mobile devices
Kali Linux - includes Ettercap, the Android SDK, and Burp Suite
Mobile Security Framework (MobSF) - performs both static and dynamic analysis of mobile apps
Mobile Security Testing Guide (OWASP MSTG) - intuitive assessment process with recommendations and checklists, including specifications for testing resiliency against reverse engineering and tampering
What is the open-source dynamic instrumentation toolkit with custom developer tools that can be used for application pentesting and works with a wide range of operating systems?
Frida
Dump process memory
In-process fuzzing
Bypass anti-jailbreak (or anti-root) detection
Change a program's behavior at runtime by hooking its functions
What is the runtime exploration toolkit that works on iOS (and Android) devices, and what tool does it complement?
Objection
A scriptable runtime toolkit built on Frida; it works with custom Frida scripts and can interact with the filesystem on non-jailbroken iOS devices
Name some common app debuggers and analysis tools for Android devices
Drozer - open-source software for testing Android apps for vulnerabilities (exported components, content providers, etc.)
APK file - the package format for an app designed for Android
APKX - an APK decompiler that lets you pull and analyze the Java source code to see what is going on inside
APK Studio - an integrated development environment (IDE) designed so you can decompile and/or edit an APK file
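The "over-reach of permissions" threat and the APK decompilation cards above both come down to reading the app's AndroidManifest.xml once a tool such as APKX or APK Studio has unpacked it. The following is an added example (not part of the original flashcards or of any of the tools named) that performs that review automatically: it parses a decompiled manifest, lists the requested permissions that Android classifies as dangerous, and flags debuggable builds, backup-enabled apps, and exported components that any other app on the device can call. The manifest text, the package name and the dangerous-permission subset are constructed for the demo; the "implicitly exported if it has an intent-filter" rule is assumed to apply only to apps targeting an API level below 31, as newer targets must declare `android:exported` explicitly.

```python
"""Static review of a decompiled AndroidManifest.xml for permission over-reach and
exposed components. Added example with a constructed sample manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android's "dangerous" (runtime-granted) permissions used for illustration;
# a real review would load the full list for the target API level.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Constructed manifest for a hypothetical "notepad" app (no real package is referenced).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notepad">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Notepad" android:debuggable="true" android:allowBackup="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SyncReceiver" android:exported="true"/>
        <service android:name=".UploadService" android:exported="true"
                 android:permission="com.example.notepad.UPLOAD"/>
        <provider android:name=".NotesProvider" android:authorities="com.example.notepad.notes"
                  android:exported="true"/>
    </application>
</manifest>
"""


def attr(element, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def is_launcher(component):
    """The main launcher activity is expected to be exported; do not report it."""
    for intent_filter in component.findall("intent-filter"):
        for category in intent_filter.findall("category"):
            if attr(category, "name") == "android.intent.category.LAUNCHER":
                return True
    return False


def is_exported(component):
    """Explicit android:exported wins; otherwise (pre-API 31 assumption) a component
    with an intent-filter is implicitly exported."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """Return a list of human-readable findings for the given manifest text."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.findall("uses-permission"):
        name = attr(perm, "name")
        if name in DANGEROUS_PERMISSIONS:
            findings.append(f"dangerous permission requested: {name}")
    app = root.find("application")
    if app is not None:
        if attr(app, "debuggable") == "true":
            findings.append("application is debuggable (debugger or Frida can attach without root)")
        if attr(app, "allowBackup") == "true":
            findings.append("allowBackup=true (app data extractable with adb backup)")
        for tag in ("activity", "service", "receiver", "provider"):
            for comp in app.findall(tag):
                if is_exported(comp) and attr(comp, "permission") is None and not is_launcher(comp):
                    findings.append(f"exported {tag} without a permission guard: {attr(comp, 'name')}")
    return findings


if __name__ == "__main__":
    for finding in analyze_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run it against the manifest that apktool or APKX writes out for a real target; the exported receiver and provider it reports are exactly the components Drozer would then enumerate and invoke from an attacker-controlled app.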
What is an API, and what is a good tool for testing its level of security?
A set of commands used to send and receive data between systems; mobile apps typically talk to their back end through HTTP APIs.
Postman - an interactive and automated environment for interacting with and testing HTTP APIs.
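Postman collections are handy for this, but the checks themselves are simple enough to script. The block below is an added example (it is not from the original flashcards and is not Postman's own code) that stands up a constructed, deliberately flawed mock API on loopback and then probes it the way a tester would probe a mobile app's back end: an admin endpoint that answers without any token, an endpoint that does enforce authentication, and an insecure direct object reference (IDOR) where one user's bearer token retrieves another user's record. The tokens, users and notes are made up for the demo; only the Python standard library is used, so it runs offline.

```python
"""Probe an HTTP API for missing authentication and broken object-level authorization.
Added example: the VulnerableAPI class is a constructed mock with known defects."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials and data: each bearer token maps to one user id.
TOKENS = {"tok-alice": 1, "tok-bob": 2}
NOTES = {1: {"owner": 1, "text": "alice's note"}, 2: {"owner": 2, "text": "bob's note"}}


class VulnerableAPI(BaseHTTPRequestHandler):
    """Mock back end with two defects: /admin/users requires no token at all, and
    /notes/<id> checks that a token is valid but never checks note ownership."""

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if self.path == "/admin/users":
            return self._send(200, {"users": sorted(TOKENS.values())})
        if self.path.startswith("/notes/"):
            if token not in TOKENS:
                return self._send(401, {"error": "unauthenticated"})
            note_id = self.path.rsplit("/", 1)[1]
            note = NOTES.get(int(note_id)) if note_id.isdigit() else None
            if note is None:
                return self._send(404, {"error": "not found"})
            return self._send(200, note)  # defect: owner is never compared to the caller
        self._send(404, {"error": "not found"})

    def log_message(self, *args):
        pass  # keep the demo output to the findings only


def start_server():
    """Bind the mock API to a free loopback port and serve it in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), VulnerableAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def get(base, path, token=None):
    """Issue a GET and return (status, parsed JSON body) even for error responses."""
    request = urllib.request.Request(base + path)
    if token:
        request.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(request, timeout=5) as response:
            return response.status, json.loads(response.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def probe_api(base):
    """Run the three checks a tester would script against the API and return findings."""
    findings = []
    status, _ = get(base, "/admin/users")
    if status == 200:
        findings.append("missing authentication: /admin/users served without a token")
    status, _ = get(base, "/notes/1")
    if status != 401:
        findings.append("missing authentication: /notes/1 served without a token")
    # Horizontal privilege escalation: alice's token asking for bob's note (id 2).
    status, body = get(base, "/notes/2", token="tok-alice")
    if status == 200 and body.get("owner") != TOKENS["tok-alice"]:
        findings.append("IDOR: /notes/2 readable with another user's token")
    return findings


def run_demo():
    """Start the mock API, probe it, shut it down, and return the findings."""
    server = start_server()
    try:
        return probe_api(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Against a real target you would point `probe_api` at the back-end base URL captured from the app's traffic (Burp Suite, as listed in the Kali card, is the usual way to find it) and use two accounts you control so that the ownership comparison is meaningful.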