Ep 88: There’s a hack for that

This week I talk to Jahmel (Jay) Harris. Jahmel is a Penetration tester/Security consultant at Digital Interruption. He also runs Manchester Grey Hats.

Things to consider before starting security testing
- App permissions?
  - Information users need to give the app
  - Push notifications?
    - Fine usually, but be aware if anything sensitive if sent – shoulder surfing

Wearables
- New ways of interacting with devices
- They are becoming more secure but issues at the start
- With Android we found lots of ways to recover the data
- Bluetooth LE and other radio protocols can be insecure.
Testing considerations iOS vs Android
- Root vs non root
- Jail break vs non jailbreak

Common vulnerabilities
- WebViews
- Sensitive data over HTTP
- Javascript vulnerabilities – used to be able to get full shell in an app via advert in webview. Coffee shop or hotel wifi
- How secure are these webview frameworks such as cordova
Vulnerable IPC (Inter-process communication)
- Things like SQL injection or file traversal
- Lack of protection/permissions
Logging
Auth
- Fin tech (financial tech) app – could steal all money. They didn’t think about the auth on web services
Binary Checks
- Is it worth checking for root detection/doing ssl pinning etc? It took someone over a year to bypass these controls on one of our client’s app. Then they need to look for vulns.
- Obfuscation? Worthwhile? When I did the research into Android Wear, it took me weeks just to RE.
They stack. Easy to bypass one but hard to bypass all. Think about the risk of the app. Does it need that protection?

Automation
- Tooling isn’t quite there. There needs to be a big push by both devs and infosec. InfoSec can’t write good code but devs aren’t always aware of the latest threats.
- Security shouldn’t be dev->pen test. Security needs to be considered at every stage. In requirements gathering etc
  https://www.digitalinterruption.com/secure-mobile-development (https://goo.gl/P1WYcV)- reduce the cost of pen testing