This week I talk to Jahmel (Jay) Harris. Jahmel is a penetration tester and security consultant at Digital Interruption. He also runs Manchester Grey Hats.
- Things to consider before starting security testing
  - App permissions?
  - Information users need to give the app
  - Push notifications?
    - Fine usually, but be aware if anything sensitive is sent: shoulder surfing
- Wearables
  - New ways of interacting with devices
  - They are becoming more secure, but there were issues at the start
  - With Android we found lots of ways to recover the data
  - Bluetooth LE and other radio protocols can be insecure
- Testing considerations: iOS vs Android
  - Root vs non-root
  - Jailbroken vs non-jailbroken
- Common vulnerabilities
  - WebViews
    - Sensitive data over HTTP
    - JavaScript vulnerabilities: it used to be possible to get a full shell in an app via an advert loaded in a WebView, e.g. on coffee shop or hotel Wi-Fi
    - How secure are WebView frameworks such as Cordova?
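The "shell via advert" class of bug above came from `addJavascriptInterface`: in apps targeting API levels below 17, page JavaScript could reach any public method of the bridge object by reflection, and an advert fetched over plain HTTP is trivially replaced by whoever controls the Wi-Fi. The following is an added example, not code from the podcast or from Digital Interruption: the weak WebView configuration next to a hardened one. The hostnames `app.example.com` and `ads.example.net`, the `Bridge` class and the `WebViewHardening` class name are made up for the example, and `minSdkVersion 24` is assumed for the `shouldOverrideUrlLoading(WebView, WebResourceRequest)` override it uses.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example: not code from the podcast or from Digital Interruption.
// Hostnames app.example.com / ads.example.net are made up; minSdkVersion 24
// is assumed for the shouldOverrideUrlLoading(WebView, WebResourceRequest) override.
public final class WebViewHardening {

    // Hypothetical Java<->JS bridge. With targetSdkVersion >= 17 only
    // @JavascriptInterface methods are callable from page script. Below 17 every
    // public method of the object was reachable by reflection
    // (getClass().forName("java.lang.Runtime") ... exec()), which is how a
    // swapped advert became a shell inside the app.
    public static final class Bridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0";
        }
    }

    // WEAK: the configuration behind the "shell via advert" bug.
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void weak(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);                   // page may load file:// URLs
        s.setAllowUniversalAccessFromFileURLs(true);  // file:// pages may read any origin
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
        wv.addJavascriptInterface(new Bridge(), "android");
        // Cleartext: anyone on the coffee-shop Wi-Fi can rewrite the ad response,
        // and its script then runs with the bridge in reach.
        wv.loadUrl("http://ads.example.net/banner.html");
    }

    // HARDENED: one HTTPS origin, no file/content access, no mixed content,
    // and a bridge only if the page really needs one.
    @SuppressLint("SetJavaScriptEnabled")
    public static void hardened(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);                 // drop this too if the page is static
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        // Bridges that some Android 4.x WebViews inject on their own.
        wv.removeJavascriptInterface("searchBoxJavaBridge_");
        wv.removeJavascriptInterface("accessibility");
        wv.removeJavascriptInterface("accessibilityTraversal");
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowedOrigin(request.getUrl());  // true = cancel the navigation
            }
        });
        wv.loadUrl("https://app.example.com/");
    }

    // Allow-list: https and an exact host match. A pure function so it can be unit-tested.
    static boolean isAllowedOrigin(Uri url) {
        return "https".equals(url.getScheme()) && "app.example.com".equals(url.getHost());
    }
}
```

Two caveats a tester will check for: `shouldOverrideUrlLoading` only sees top-level navigations, so an ad `<iframe>` or `<script>` is not stopped by it; what blocks the cleartext advert is `MIXED_CONTENT_NEVER_ALLOW` together with `cleartextTrafficPermitted="false"` in the app's network security config (or `android:usesCleartextTraffic="false"`). And the `@JavascriptInterface` annotation does nothing unless `targetSdkVersion` is 17 or higher. A Cordova app is the same WebView with Cordova's own bridge on top, so the same settings apply to it.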
  - Vulnerable IPC (inter-process communication)
    - Things like SQL injection or file traversal
    - Lack of protection/permissions
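An added example (not code from the podcast or from Digital Interruption) of the three IPC problems just listed in one place: an exported content provider with no permission, an injectable `query()` and a path-traversable `openFile()`, followed by the hardened version. The authority `com.example.notes.provider`, the `notes` and `tokens` tables, the attachments directory and both class names are made up for the example.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

// Added example: not code from the podcast or from Digital Interruption.
// Hypothetical provider: authority com.example.notes.provider, a "notes" table
// callers are meant to see, a "tokens" table they are not, attachments under
// <filesDir>/attachments.
//
// Manifest as pen-tested (the "lack of protection" case):
//   <provider android:name=".NotesProvider"
//             android:authorities="com.example.notes.provider" android:exported="true" />
// Fix: android:exported="false", or if another app must use it, guard it with
// android:permission="com.example.notes.READ" declared at protectionLevel="signature".
public class NotesProvider extends ContentProvider {
    protected SQLiteDatabase db;
    protected File attachmentsDir;

    @Override public boolean onCreate() {
        db = getContext().openOrCreateDatabase("notes.db", 0, null);
        db.execSQL("CREATE TABLE IF NOT EXISTS notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)");
        db.execSQL("CREATE TABLE IF NOT EXISTS tokens (_id INTEGER PRIMARY KEY, value TEXT)");
        attachmentsDir = new File(getContext().getFilesDir(), "attachments");
        attachmentsDir.mkdirs();
        return true;
    }

    // WEAK (SQL injection): the caller's projection and selection are pasted into the SQL.
    // projection = ["* FROM tokens --"] yields  SELECT * FROM tokens -- FROM notes
    // and dumps the tokens table through a provider that only "exposes" notes.
    @Override public Cursor query(Uri uri, String[] projection, String selection,
                                  String[] selectionArgs, String sortOrder) {
        return db.query("notes", projection, selection, selectionArgs, null, null, sortOrder);
    }

    // WEAK (file traversal): getLastPathSegment() is URL-decoded, so
    //   content://com.example.notes.provider/attachments/..%2F..%2Fshared_prefs%2Fsession.xml
    // becomes <filesDir>/attachments/../../shared_prefs/session.xml.
    @Override public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        File f = new File(attachmentsDir, uri.getLastPathSegment());
        return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // Read-only provider: writes are refused rather than left unimplemented.
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.note"; }
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException("read-only"); }
    @Override public int delete(Uri uri, String s, String[] a) { throw new UnsupportedOperationException("read-only"); }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { throw new UnsupportedOperationException("read-only"); }
}

// HARDENED: the same provider with both IPC entry points fixed.
class HardenedNotesProvider extends NotesProvider {
    private static final Map<String, String> NOTE_COLUMNS = new HashMap<>();
    static {  // allow-list of columns a caller may name
        NOTE_COLUMNS.put("_id", "_id");
        NOTE_COLUMNS.put("title", "title");
        NOTE_COLUMNS.put("body", "body");
    }

    @Override public Cursor query(Uri uri, String[] projection, String selection,
                                  String[] selectionArgs, String sortOrder) {
        if (sortOrder != null && !NOTE_COLUMNS.containsKey(sortOrder)) {
            throw new IllegalArgumentException("unknown sort column");
        }
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("notes");
        qb.setProjectionMap(NOTE_COLUMNS);  // projection entries outside the map are rejected
        qb.setStrict(true);                 // selection is parsed and checked against the map
        // Caller-supplied values still belong in selectionArgs ('?'), never in the selection string.
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    @Override public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        String name = uri.getLastPathSegment();
        if (name == null || !"r".equals(mode)) throw new FileNotFoundException("bad request");
        try {
            // Canonicalise first (collapses ".." and symlinks), then check containment; the
            // trailing separator stops "attachments_old" passing as a child of "attachments".
            File root = attachmentsDir.getCanonicalFile();
            File f = new File(root, name).getCanonicalFile();
            if (!f.getPath().startsWith(root.getPath() + File.separator)) {
                throw new FileNotFoundException("outside attachments");
            }
            return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);
        } catch (IOException e) {
            throw new FileNotFoundException(e.getMessage());
        }
    }
}
```

Against the weak version, the two bugs are reachable from Drozer (named in the tooling list below) with `run app.provider.query content://com.example.notes.provider/notes --projection "* FROM tokens --"` and `run app.provider.read content://com.example.notes.provider/attachments/..%2F..%2Fshared_prefs%2Fsession.xml`, using the made-up authority above. Fixing the manifest alone is not enough: a provider that is exported on purpose, or reachable through `grantUriPermissions`, still needs the strict query builder and the canonical-path check.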
  - Logging
  - Auth
    - FinTech (financial tech) app: could steal all the money. They didn't think about the auth on the web services
- Binary checks
  - Is it worth checking for root, doing SSL pinning, etc.? It took someone over a year to bypass these controls on one of our clients' apps. Then they need to look for vulns.
  - Obfuscation? Worthwhile? When I did the research into Android Wear, it took me weeks just to RE.
  - They stack. Easy to bypass one, but hard to bypass all. Think about the risk of the app. Does it need that protection?
- Tooling
  - Drozer
  - Needle
  - Frida
  - Decompilers
- Automation
  - Tooling isn't quite there. There needs to be a big push by both devs and infosec. InfoSec can't write good code, but devs aren't always aware of the latest threats.
  - Security shouldn't be dev -> pen test. Security needs to be considered at every stage, in requirements gathering etc.
https://www.digitalinterruption.com/secure-mobile-development (short link: https://goo.gl/P1WYcV): reduce the cost of pen testing