Module Objectives

With the advancement of mobile technology, mobility has become the key parameter for internet usage. People's lifestyle is becoming increasingly reliant on smartphones and tablets. Mobile devices are replacing desktops and laptops, as they enable the users to access email, Internet, GPS navigation, and the storage of critical data such as contact lists, passwords, calendars, and login credentials. In addition, recent developments in mobile commerce have enabled users to perform transactions such as purchasing goods and applications over wireless networks, redeeming coupons and tickets, and banking from their smartphones.

Believing that surfing the internet on mobile devices is safe, many users fail to enable existing security software. However, the popularity of smartphones and their moderately lax security have made them attractive and valuable targets for attackers. This module explains the potential threats to mobile platforms and provides guidelines for using mobile devices securely.

At the end of this module, you will be able to perform the following:

■    Understand mobile platform attack vectors

■    Understand various Android threats and attacks

■    Understand various iOS threats and attacks

■    Use various mobile spyware

■    Describe Mobile Device Management (MDM)

■   Apply various mobile security countermeasures

■    Use various mobile security tools

■    Perform mobile penetration testing

Mobile Platform Attack Vectors

Mobile security is becoming more challenging with the emergence of complex attacks that utilize multiple attack vectors to compromise mobile devices. These security threats exploit critical data, money, and other information from mobile users and sometimes damage the reputation of mobile networks and organizations.

This section discusses vulnerable areas in mobile business environment, OWASP top 10 mobile risks, the anatomy of mobile attacks, mobile attack vectors, associated vulnerabilities and risks, security issues arising from app stores, app sandboxing issues, mobile spam, pairing mobile devices on open Bluetooth, and Wi-Fi connections, and others.


Vulnerable Areas in Mobile Business Environment

Source: https://www-935.ibm.com

At present, smartphones are being widely used for both business and personal purposes. Thus, they are a treasure trove for attackers to steal corporate or personal data. Security threats to mobile devices have increased because of Internet connectivity, use of business and other applications, different methods of communication available, and so on. Apart from the security threats that are specific to mobile devices, mobile devices are also susceptible to many other threats that are applicable to desktop and laptop computers.

Nowadays, smartphones offer broad Internet and network connectivity via varying channels, such as 3G/4G, Bluetooth, Wi-Fi, or a wired computer connection. Security threats may arise at different places along these varying paths while transmitting data.


OWASP Top 10 Mobile Risks

Source: https://www.owasp.org

According to OWASP, the following are the top 10 mobile risks:

■    M1—Improper Platform Usage

This category covers misuse of a platform feature or failure to use platform security controls. It includes Android intents, platform permissions, misuse of Touch ID, the Keychain, or some other security control that is part of the mobile OS. There are several ways that mobile apps can experience this risk.

■    M2—Insecure Data Storage

This new category is a combination of M2 + M4 from Mobile Top Ten 2014. This covers insecure data storage and unintended data leakage.

Insecure data storage vulnerability arises when development teams assume that users and malware will not have access to a mobile device's file system and subsequently to sensitive information in the device's data stores. "Jailbreaking" or rooting a mobile device bypasses encryption protections. OWASP recommends analyzing platforms' data security application programming interfaces (APIs) and calling them appropriately.

Unintended data leakage occurs when a developer unintentionally places sensitive data in a location on the mobile device that is easily accessible by other apps on the device. Unintended data leakage is normally caused by vulnerabilities in the OS, frameworks, compiler environment, new hardware, and so on, without the developer's knowledge. It is a significant threat to OSs, platforms, and frameworks; thus, it is important to understand how they handle features such as URL caching, browser cookie objects, and HTML5 data storage.
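As an added illustration of M2 (this is example code written for this edit, not code from OWASP or from the module), the Android snippet below contrasts a session token written in clear text to external storage with the same token stored through the Jetpack Security library's EncryptedSharedPreferences, whose master key is generated in the Android Keystore. The class name TokenStore, the preferences file name "session_prefs" and the key name "token" are assumptions.

```java
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.security.GeneralSecurityException;

// Added example (not part of the module). TokenStore is a hypothetical helper.
public class TokenStore {

    // INSECURE (M2): the session token is written in clear text to the app's
    // external-storage directory. External storage is shared media: other apps
    // holding the storage permission, a USB host, and anyone on a rooted device
    // can read the file as-is.
    public static void saveTokenInsecure(Context ctx, String token) throws IOException {
        File f = new File(ctx.getExternalFilesDir(null), "session.txt");
        try (FileWriter w = new FileWriter(f)) {
            w.write(token);
        }
    }

    // HARDENED: the token lives in the app's private data directory AND is
    // encrypted with a key that is generated in, and never leaves, the Android
    // Keystore. A rooted device can still copy the file, but obtains only
    // ciphertext; the key material cannot be exported from the Keystore.
    public static void saveTokenEncrypted(Context ctx, String token)
            throws GeneralSecurityException, IOException {
        SharedPreferences prefs = openEncryptedPrefs(ctx);
        prefs.edit().putString("token", token).apply();
    }

    public static String loadTokenEncrypted(Context ctx)
            throws GeneralSecurityException, IOException {
        return openEncryptedPrefs(ctx).getString("token", null);
    }

    private static SharedPreferences openEncryptedPrefs(Context ctx)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        return EncryptedSharedPreferences.create(
                ctx,
                "session_prefs",                      // file name (assumed)
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }
}
```

The hardened version needs the androidx.security:security-crypto dependency. When reviewing an app for M2, the file system locations to check are the ones the insecure method touches: external storage, the app's cache directory, and any SharedPreferences or SQLite file that holds secrets in clear text.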

■    M3—Insecure Communication

This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, and so on. This flaw exposes an individual user's data and can lead to account theft. If the adversary intercepts an admin account, the entire site could be exposed. Poor Secure Sockets Layer (SSL) setup can also facilitate phishing and man-in-the-middle (MITM) attacks.

■    M4—Insecure Authentication

This category captures notions of authenticating the end user or bad session management, such as the following:

o Failing to identify the user when that should be required

o Failure to maintain the user's identity when it is required

o Weaknesses in session management

■    M5—Insufficient Cryptography

The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way. This category is for issues where cryptography was attempted, but it was not done correctly. This vulnerability will result in the unauthorized retrieval of sensitive information from the mobile device. In order to exploit this weakness, an adversary must successfully return encrypted code or sensitive data to its original unencrypted form, exploiting weak encryption algorithms or flaws within the encryption process.

■    M6—Insecure Authorization

This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, and forced browsing). It is distinct from authentication issues (e.g., device enrolment and user identification).

If the app does not authenticate users at all in a situation where it should (e.g., granting anonymous access to some resource or service when authenticated and authorized access is required), then that is an authentication failure not an authorization failure.

■    M7—Client Code Quality

This is the "Security Decisions Via Untrusted Inputs," one of our lesser-used categories. This would be the catch-all for code-level implementation problems in the mobile client, which is distinct from server-side coding mistakes. This would capture things such as buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that is running on the mobile device. Most exploitations that fall into this category result in foreign code execution or denial-of-service (DoS) on remote server endpoints (and not the mobile device itself).


■    M8—Code Tampering

This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification.

Once the application is delivered to the mobile device, the code and data resources are resident there. An attacker can either directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application's data and resources. This can provide the attacker a direct method of subverting the intended use of the software for personal or monetary gain.

■   M9—Reverse Engineering

This category includes analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. Software such as IDA, Hopper, otool, and other binary inspection tools give the attacker insight into the inner workings of the application. This may be used to exploit other nascent vulnerabilities in the application, as well as revealing information about back-end servers, cryptographic constants and ciphers, and intellectual property.

■    M10—Extraneous Functionality

Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid app. Another example includes disabling of two-factor authentication during testing.

Typically, an attacker seeks to understand extraneous functionality within a mobile app in order to discover hidden functionality in the backend systems. The attacker will typically exploit extraneous functionality directly from their own systems without any involvement by the end users.


Anatomy of a Mobile Attack

Source: https://www.nowsecure.com

Because of extensive usage and implementation of bring your own device (BYOD) policies in organizations, mobile devices have become a prime target for attacks. Attackers scan these devices for vulnerabilities. These attacks can involve the device and the network layer, the data center, or a combination of these.

Attackers exploit vulnerabilities associated with the following to launch malicious attacks:

■ The Device

Vulnerabilities in mobile devices pose significant risks to sensitive personal and corporate data. Attackers targeting the device itself can use various entry points.

Following are the device-based attacks:

o Browser-Based Attacks

Following are the browser-based points of attack:

• Phishing: Phishing emails or pop-ups redirect users to fake web pages mimicking trustworthy sites that ask them to submit personal information such as usernames, passwords, credit card details, address, and mobile number. Mobile users are more likely to be victims of phishing sites because of the small size of the devices, which display only short URLs, limited warning messages, scaled-down lock icons, and so on.

• Framing: Framing involves a web page integrated into another web page using the iFrame element of HTML. An attacker exploits the iFrame functionality used in the target website, embeds his/her malicious web page, and uses clickjacking to steal users' sensitive information.

• Clickjacking: Clickjacking, also known as a user interface redress attack, is a malicious technique used to trick web users into clicking something different from what they think they are clicking. Consequently, attackers obtain sensitive information or take control of the device.

• Man-in-the-Mobile: Attacker implants malicious code into the victim's mobile device to bypass password verification systems that send one-time passwords (OTPs) via Short Message Service (SMS) or voice calls. Thereafter, the malware relays the gathered information to the attacker.

• Buffer Overflow: A buffer overflow is an abnormality whereby a program, while writing data to a buffer, overruns the intended limit and overwrites the adjacent memory. This results in erratic program behavior, including memory access errors, incorrect results, and crashes of the mobile device.

• Data Caching: Data caches in mobile devices store information that is often required by mobile devices to interact with web applications, thereby saving scarce resources and resulting in better response time for the client application. Attackers attempt to exploit these data caches to gain sensitive information stored in them.

GSM/3GPP baseband processor, which sends and receives radio signals to cell towers.

• SMiShing: SMS phishing (also known as SMiShing) is a type of phishing fraud in which an attacker utilizes SMS to send text messages to a victim that contain a deceptive link to a malicious website or a telephone number. The attacker tricks the victim into clicking the link or calling the phone number and revealing his or her personal information such as social security numbers (SSNs), credit card numbers, and online banking username and password.

o Application-based Attacks

Following are the application-based points of attack:

• Sensitive Data Storage: Some apps installed and used by mobile users employ weak security in their database architecture, which makes them targets for attackers to hack and steal sensitive user information stored in them.

• No Encryption/Weak Encryption: Apps that transmit data unencrypted or weakly encrypted are susceptible to attacks such as session hijacking.


• Improper SSL Validation: Security loopholes in an application's SSL validation process may allow attackers to circumvent the data security.

• Configuration Manipulation: Apps may use external configuration files and libraries; modifying those entities, or interfering with the app's ability to use them, results in a configuration manipulation attack. This includes gaining unauthorized access to administration interfaces and configuration stores, and retrieval of clear-text configuration data.

• Dynamic Runtime Injection: Attackers manipulate and abuse the runtime of an application to circumvent security locks, logic checks, access privileged parts of an app, and even steal data stored in memory.

• Unintended Permissions: Misconfigured apps can at times open doors to attackers by providing unintended permissions.

• Escalated Privileges: Attackers engage in privilege escalation attacks, which take advantage of design flaws, programming errors, bugs, or configuration oversights to gain access to resources usually protected from an application or user.

Other application-based points of attack include UI overlay/PIN stealing, third-party code, intent hijacking, Zip directory traversal, clipboard data, URL schemes, GPS spoofing, weak/no local authentication, integrity/tampering/repackaging, side channel attacks, unprotected app signing keys, app transport security, XML specialization, and so on.
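"Improper SSL Validation" above and OWASP M3 (Insecure Communication) usually come down to one code pattern: an app that replaces the platform's certificate checks with ones that accept anything. The Android snippet below is an added example, not code from the module or from OWASP; it shows the pattern a reviewer should look for, beside a client that keeps platform validation and adds certificate pinning with OkHttp. The class name TlsClients, the host api.example.com and the pin strings are placeholders.

```java
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

// Added example (not part of the module). Host and pins are placeholders.
public class TlsClients {

    // INSECURE: the anti-pattern behind M3 / "Improper SSL Validation".
    // checkServerTrusted never throws, so every chain is "valid", and the
    // verifier accepts every host name. Anyone on an open Wi-Fi network can
    // present a self-signed certificate and read or modify all traffic.
    // Present here so that code reviewers recognise it; never ship it.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };
    static final HostnameVerifier VERIFY_NOTHING = (String host, SSLSession s) -> true;

    // HARDENED: leave the platform's chain validation and host-name check in
    // place and additionally pin the SPKI hash of the API's leaf or intermediate
    // certificate. A certificate from any other issuer is rejected even when a
    // rogue CA has been installed on the device.
    public static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                // Replace with the real SPKI SHA-256 pin plus a backup pin for rotation.
                .add("api.example.com",
                     "sha256/REPLACE_WITH_REAL_SPKI_PIN=",
                     "sha256/REPLACE_WITH_BACKUP_PIN=")
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }
}
```

Grepping an Android code base for empty checkServerTrusted bodies and HostnameVerifier implementations that return true is a quick first pass for this class of defect. On Android 7.0 and later the same pinning can be declared without code in a Network Security Configuration file, which is the preferable route for new apps.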

o The System

Following are the OS-based points of attack:

• No Passcode/Weak Passcode: Many users choose not to set a passcode, or use a weak PIN, passcode or pattern lock, which an attacker could easily guess or crack to compromise sensitive data stored in the mobile.

mechanisms set by Apple to prevent malicious code from running on the device. It provides root access to the OS and removes sandbox restrictions. Thus, jailbreaking, like rooting, brings many security and other risks to the iOS device, including poor performance, malware infection, and so on.

• Android Rooting: Rooting allows Android users to attain privileged control (known as "root access") within Android's subsystem. Like jailbreaking, rooting can result in the exposure of sensitive data stored in the mobile device.

• OS Data Caching: An OS cache temporarily stores recently used data in memory or on disk. An attacker can dump this memory by rebooting the victim's device into a malicious OS and can extract sensitive data from the dumped memory.


• Passwords and Data Accessible: iOS devices store encrypted passwords and data using cryptographic algorithms that have certain known vulnerabilities. Attackers exploit these vulnerabilities to decrypt the device's keychain, exposing user passwords, encryption keys, and other private data.

• Carrier-loaded Software: Pre-installed software or apps on devices may contain vulnerabilities that an attacker can exploit to perform malicious activities such as delete, modify, or steal data on the device, eavesdrop on calls, and others.

• User-initiated Code: User-initiated code is an activity that tricks the victim into installing malicious applications or clicking links through which an attacker can install malicious code to exploit the user's browser, cookies, and security permissions.

Other OS-based points of attack include no/weak encryption, confused deputy attack, TEE/secure enclave processor, side channel leak, multimedia/file format parsers, kernel driver vulnerabilities, resource DoS, GPS spoofing, device lockout, and so on.

■ The Network

Following are the network-based points of attack:

o Wi-Fi (weak encryption/no encryption): Some applications fail to encrypt, or use weak algorithms to encrypt, data in transmission across a wireless network. An attacker may intercept data by eavesdropping on the wireless connection. Though many applications use SSL/TLS, which offers protection for data in transit, attacks against these algorithms are reputed to expose users' sensitive data.

o Rogue Access Points: Attackers install an illicit wireless access point by physical means, which allows them to access a protected network by hijacking the connections of legitimate network users.

o Packet Sniffing: An attacker uses sniffing tools such as Wireshark and Capsa Network Analyzer to capture and analyze all data packets in network traffic, which generally includes sensitive data such as login credentials sent in clear text.

o Man-in-the-Middle (MITM): Attackers eavesdrop on existing network connections between two systems, intrude into that connection, and thereafter read, modify, or insert fraudulent data into the intercepted communication.

o Session Hijacking: Attackers steal valid session IDs and use them to gain unauthorized access to user and network information.

o DNS Poisoning: Attackers exploit network DNS servers, resulting in the substitution of false IP addresses at the DNS level, thereby directing website users to another website of the attacker's choice.

o SSLStrip: SSLStrip is a type of MITM attack in which attackers exploit vulnerabilities in the SSL/TLS implementation on websites. It relies on the user validating the presence of the HTTPS connection. The attack invisibly downgrades connections to HTTP, without encryption, which is hard for users to detect in mobile browsers.


o Fake SSL Certificates: Fake SSL certificates represent another kind of MITM attack, in which an attacker issues a fake SSL certificate to intercept traffic on a supposedly secure HTTPS connection.

■ The Data Center/CLOUD

The data center has two primary points of entry: a web server and a database.

o Web server-based attacks

Following are the web server-based vulnerabilities and attacks:

• Platform Vulnerabilities: Attackers exploit vulnerabilities in the OS, server software such as IIS, or application modules running on the web server. Sometimes, attackers can expose vulnerabilities associated with protocol or access controls by monitoring communication established between a mobile device and a web server.

• Server Misconfiguration: Misconfigured web servers may allow an attacker to gain unauthorized access to their resources.

• Cross-site Scripting (XSS): XSS attacks exploit vulnerabilities in dynamically generated web pages, which enable malicious attackers to inject client-side script into web pages viewed by other users. It occurs when unvalidated input data is included in dynamic content sent to the user's web browser for rendering. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash for execution on a victim's system by hiding it within legitimate requests.

• Cross-Site Request Forgery (CSRF): CSRF attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send unintended malicious requests. The victim holds an active session with a trusted site and simultaneously visits a malicious site that injects an HTTP request for the trusted site into the victim's session, compromising its integrity.

• Weak Input Validation: Web services excessively trust the input coming from mobile applications, depending on the application to perform input validation. However, attackers can forge their own communication to the web server or circumvent the app's logic checks, allowing them to take advantage of missing validation logic on the server to perform unauthorized actions.

Attackers exploit input validation flaws so that they can perform cross-site scripting, buffer overflow, injection attacks, and so on that lead to data theft and system malfunctioning.

• Brute-Force Attacks: Attackers use a trial-and-error method in an attempt to guess the valid input to a particular field. Applications that allow an unlimited number of input attempts are generally prone to brute-force attacks.

Other web server-based vulnerabilities and attacks include cross origin resource sharing, side channel attack, hypervisor attack, VPN, and so on.


o Database Attacks

Following are the database-based vulnerabilities and attacks:


nonvalidated input vulnerabilities to pass SQL commands through a web application for execution by a backend database. SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database.

• Privilege Escalation: This happens when an attack leverages some exploit to gain high-level access, resulting in the theft of sensitive data stored in the database.

• Data Dumping: An attacker causes the database to dump some or all of its data, thereby uncovering sensitive records.

• OS Command Execution: An attacker injects OS-level commands into a query, causing certain database systems to execute these commands on the server thereby providing an attacker with unrestricted/root-level system access.
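The "Weak Input Validation" point in the web-server list and the SQL injection point in the database list are two views of the same server-side mistake: trusting that the mobile app already validated what it sent. The JDBC snippet below is an added example (not code from the module) showing a lookup that splices user input into SQL beside one that validates on the server and uses a parameterised query. The class AccountLookup, the accounts table and its columns are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

// Added example (not part of the module). Table and column names are assumed.
public class AccountLookup {

    // INSECURE: the endpoint assumes the mobile app validated the username and
    // concatenates it into SQL. The app's checks do not matter here, because an
    // attacker can call this endpoint directly with any value.
    public static ResultSet findInsecure(Connection db, String username) throws SQLException {
        Statement st = db.createStatement();
        return st.executeQuery(
                "SELECT id, email FROM accounts WHERE username = '" + username + "'");
    }

    // HARDENED, step 1: validate on the server with an allow-list, independent
    // of whatever the client claims to have checked.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{3,32}$");

    public static boolean isValidUsername(String s) {
        return s != null && USERNAME.matcher(s).matches();
    }

    // HARDENED, step 2: a parameterised query. The driver sends the value
    // separately from the SQL text, so quotes or keywords inside it are data,
    // never part of the statement. Validation is still kept as defence in depth.
    public static ResultSet findSafe(Connection db, String username) throws SQLException {
        if (!isValidUsername(username)) {
            throw new IllegalArgumentException("username rejected by server-side validation");
        }
        PreparedStatement ps = db.prepareStatement(
                "SELECT id, email FROM accounts WHERE username = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }
}
```

The same principle applies to the "OS Command Execution" item: any value that reaches a shell or a database engine must be validated and passed as a parameter on the server, since the app in the user's hands cannot be trusted to enforce anything.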


How a Hacker Can Profit from Mobile when Successfully Compromised?

Source: https://www.sophos.com, https://securelist.com

Nowadays, pictures, contact lists, banking apps, social media, email accounts, financial information, business information, and so on reside on our smartphone devices. Thus, smartphones are a treasure trove of information for potential exploitation by attackers. Among all smartphones, Android devices are most likely to be hacked, as they occupy most of the mobile market share.

Upon compromising a smartphone, an attacker could spy on the user's mobile activities, misuse the stolen sensitive information, impersonate the user by posting on social media accounts, or enlist the device in a botnet (a network of many hacked smartphones).


Mobile Attack Vectors and Mobile Platform Vulnerabilities

■ Mobile Attack Vectors

The enormous usage of mobile devices has grabbed the attention of attackers. Mobile devices access many of the resources that traditional computers use. Apart from that, mobile devices also have some unique features that add new attack vectors and protocols to the mix. All these mobile attack vectors make mobile phone platforms susceptible to malicious attacks both from the network and upon physical compromise. Given below are some of the attack vectors that allow an attacker to exploit vulnerabilities present in mobile's OS, device firmware, or mobile apps.

■ Mobile Platform Vulnerabilities and Risks

Increased usage of smartphones with ever-evolving technological features has made mobile device security a primary concern for the IT sector. Mobile devices are becoming privileged targets for cyber criminals because of significant improvements in both mobile OSs and hardware. In addition, the enhancements in smartphone features introduce new types of security concerns. As smartphones surpass PCs as the preferred devices for accessing the Internet, managing communications, and so on, attackers are increasingly drawn to researching and implementing attack schemes against mobile platforms to compromise users' security and privacy, or even gain complete control over the victim's devices.

Following are some of the mobile platform vulnerabilities and risks:

o Malicious apps in stores

o Mobile malware

o App sandboxing vulnerabilities

o Mobile application vulnerabilities

o Privacy issues (Geolocation)

o Weak data security

o Weak device and app encryption

o Excessive permissions

o OS and app updates' issues

o Jailbreaking and rooting

o Weak communication security

o Physical attacks


Security Issues Arising from App Stores

Mobile applications are computer programs designed to run on smartphones, tablets, and other devices. These include text messaging, email, video play, music play, voice recording, games, and many others. In general, apps are made available via application distribution platforms, which could be official app stores operated by the owner of the mobile OS, such as Apple's App Store, Google Play app store, and Blackberry App World, or third-party app stores such as Handango, GetJar, and MobiHand.

App stores are a common target for attackers to distribute malware and malicious apps. An attacker may download a legitimate app, repackage it with malware, and upload it to a third-party app store, from which users download it, thinking it to be genuine. Malicious apps installed on user devices can damage other applications or stored data and send sensitive data such as call logs, photos, videos, and sensitive documents to the attacker without the users' knowledge. Attackers may use the information gathered to exploit the devices and launch many more attacks. Attackers can also use social engineering to pressure users into downloading and running apps from outside the official app stores. Insufficient or no vetting of apps usually leads to malicious and fake apps entering the marketplace.


App Sandboxing Issues

Smartphones are increasingly gaining the focus of cyber criminals. Mobile app developers must understand the threat that running a non-sandboxed app poses to the security and privacy of mobile devices, and should therefore develop sandboxed apps.

App sandboxing is a security mechanism that helps protect systems and users by limiting the resources the app can access to those needed for its intended functionality on the mobile platform. Often, sandboxing is useful for executing untested code or untrusted programs from unverified third parties, suppliers, untrusted users, and untrusted websites. This enhances security by isolating an application to prevent intruders, system resources, malware such as Trojans and viruses, and other applications from interacting with the protected app. As sandboxing isolates applications from one another, it protects them from tampering with each other; however, malicious applications may exploit vulnerabilities and bypass the sandbox.

A secure sandbox environment provides an application with limited privileges intended for its functionality to restrict it from accessing other users' data and system resources, whereas a vulnerable sandbox environment allows a malicious application to exploit vulnerabilities in the sandbox and breach its perimeter, resulting in the exploitation of other data and system resources.


Mobile Spam

Nowadays, mobile phones are widely being used for both personal and business purposes. Spam is the generic term for unsolicited messages sent via electronic communication technologies such as SMS, Multimedia Message Service (MMS), Instant Messaging (IM), and email IDs without having requested them.

Mobile phone spam, also known as SMS spam, text spam, or m-spam, is any unsolicited message sent in bulk to known/unknown phone numbers/email IDs that targets a mobile phone.

Following are the typical messages delivered via spam to mobile phones:

■    Spam messages contain advertisements or malicious links that can trick users to reveal confidential information

■   Attractive commercial messages advertising products/services

■    SMS and MMS messages that claim the victim has won a prize and ask him/her to place a call to a provided premium-rate telephone number for further details

■    Malicious links, which may lure users to divulge sensitive personal or corporate data

■    Phishing messages that lure the recipient into revealing personal or financial data such as name, address, date of birth, bank account number, credit card number, and so on, which an attacker can use later to commit identity or financial fraud against the recipient

Due to spam messages, a significant amount of bandwidth is wasted. Consequences of mobile spam include financial loss, malware injection, and corporate data breach incidents.


SMS Phishing Attack (SMiShing) (Targeted Attack Scan)

Text messaging is the most prevalent non-voice communication on a mobile phone. Users around the world send and receive billions of text messages every day. With that volume of traffic comes a corresponding increase in spam and phishing attacks.

SMS phishing (also known as SMiShing) is a type of phishing fraud in which an attacker utilizes SMS systems to send bogus text messages. It is the act of trying to acquire personal and financial information by sending SMS (or IM) messages containing a deceptive link. Often, these bogus text messages contain a deceptive website URL or telephone number to lure victims into revealing their personal or financial information, such as SSNs, credit card numbers, and online banking username and password. In addition, attackers use SMiShing to infect victims' mobile phones and associated networks with malware.

Attackers buy a prepaid SMS card using a fake identity. Then, they send SMS bait to a user. The SMS may seem attractive or scary. For example, it may include a lottery message, gift voucher, online purchase, or notification of account suspension, along with a malicious link or phone number. The user clicks the link, thinking it to be legitimate, and is redirected to the attacker's phishing site, where the user provides the requested information (e.g., name, phone number, date of birth, credit card number or PIN, CVV code, SSN, and email address). The attacker may use the acquired information to perform malicious activities such as identity theft and online purchases, among many others.

Why Is SMS Phishing Effective?

■    Most consumers access the Internet through a mobile device.

■    Easy to set up a mobile phishing campaign.

■    Difficult to detect and stop before they cause harm.

■    Mobile users are not conditioned to receiving spam text messages on their mobile.

■    No mainstream mechanism for weeding out spam SMS.

■    Most mobile anti-virus software does not check SMS messages.

Pairing Mobile Devices on Open Bluetooth and Wi-Fi Connections

Setting a mobile device's Bluetooth connection to "open" or "discovery" mode and turning on automatic Wi-Fi connection, particularly in public places, greatly increases risk. Attackers use this to their advantage to exploit and infect a mobile device with malware such as viruses and Trojans, or to compromise unencrypted data transmitted across untrusted networks. They may lure victims into accepting a Bluetooth connection request from a malicious device, or may perform an MITM attack to intercept and compromise all the data sent to and from the connected devices. Attackers, armed with the information gathered, engage in identity fraud and other malicious activities, thereby putting users at great risk.

Techniques such as "bluesnarfing" and "bluebugging" help an attacker eavesdrop and intercept data transmission between mobile devices paired on open connections (e.g., public Wi-Fi or unencrypted Wi-Fi routers).

■ Bluesnarfing (Stealing Information via Bluetooth)

Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, PDAs, and others. This technique allows an attacker to access the victim's contact list, emails, text messages, photos, videos, business data, and so on stored on the device.

Any device with its Bluetooth connection enabled and set to "discoverable" or "discovery" mode (allowing other Bluetooth devices within range to view the device) may be susceptible to bluesnarfing if the vendor's software contains certain vulnerabilities. Bluesnarfing exploits others' Bluetooth connections without their knowledge.

■ Bluebugging (Taking Over a device via Bluetooth)

Bluebugging involves gaining remote access to a target Bluetooth-enabled device and using its features without the victim's knowledge or consent. Attackers compromise the target device's security to create a backdoor prior to returning control of it to its owner. Bluebugging allows attackers to sniff sensitive corporate or personal data; receive calls and text messages intended for the victim; intercept phone calls and messages; forward calls and messages; connect to the Internet; and perform other malicious activities such as accessing contact lists, photos, and videos.


Hacking Android OS

The number of people using smartphones and tablets is on the rise, as these devices support a wide range of functionalities. Android is the most popular mobile OS because it is a platform open to all applications. Like other OSs, Android has its vulnerabilities, and not all Android users install patches to keep the OS software and apps up to date and secure. This casualness enables attackers to exploit vulnerabilities and launch various types of attacks to steal valuable data stored on the victims' devices.

This section discusses the Android OS, its architecture, and the associated vulnerabilities. It also covers the process of rooting Android phones, rooting tools, and Android Trojans. The section ends with the guidelines for securing Android devices, security controls, and device-tracking tools.


Android OS

Source: https://developer.android.com

Android is a software environment developed by Google for mobile devices that includes an OS, middleware, and key applications. The Android OS relies on the Linux kernel and is an open-source platform.

Features:

■    Provides a variety of prebuilt UI components such as structured layout objects and UI controls that allow one to build the GUI for the app

■    Provides several options to save persistent application data:

o Shared Preferences—Store private primitive data in key-value pairs

o Internal Storage—Private data on the device memory

o External Storage—Public data on the shared external storage

o SQLite Databases—Store structured data in a private database

o Network Connection—Store data on the web with your own network server

■ RenderScript provides a platform-independent computation engine that operates at the native level. One can use it to accelerate apps that require extensive computational horsepower.

■ Provides rich APIs to let the app connect and interact with other devices over Bluetooth, near-field communication (NFC), Wi-Fi P2P, USB, and session initiation protocol (SIP), in addition to standard network connections.


■    Application framework enabling reuse and replacement of components.

■    Android runtime (ART) optimized for mobile devices.

■    Integrated browser based on the open-source Blink and WebKit engine.

■    SQLite for structured data storage.

■    Media support for common audio, video, and still image formats (e.g., MPEG4, H.264, MP3, AAC, AMR, JPG, PNG, and GIF).

■    Rich development environment including a device emulator, tools for debugging, memory and performance profiling, and a plugin for the Eclipse IDE.

Android OS Architecture

Source: https://developer.android.com

Android is a Linux-based OS designed especially for portable devices such as smartphones and tablets. It is a stack of software components categorized into six sections (system applications, Java application framework, Native C/C++ libraries, Android runtime, Hardware Abstraction Layer (HAL), and Linux kernel) and five layers.

■   System Applications

All Android system applications are at the top layer. Any app developed should fit in this layer. Some of the standard applications that come pre-installed with every Android device include dialer, email, calendar, camera, SMS messaging, web browsers, contact managers, and so on. Most Android apps are "written" in Java programming language.

■   Java API Framework

Android platform functions are made available to developers through APIs written in Java programming language. The application framework offers many higher-level services to applications, which developers incorporate in their development.

Following are some of the application framework blocks:

o Content Providers—Manages data sharing between applications.

o View System—For developing lists, grids, text boxes, buttons, and so on.

o Activity Manager—Controls the activity life cycle of applications.

o Location Manager—Manages location, using GPS or cell towers.

o Package Manager—Keeps track of the applications installed on the device.

o Notification Manager—Helps applications display custom messages in a status bar.

o Resource Manager—Manages various types of resources used.

o Telephony Manager—Manages all voice calls.

o Window Manager—Manages application windows.

■    Native C/C++ Libraries

The next layer is the native libraries. Libraries are "written" in C or C++ and are specific to particular hardware. This layer allows the device to control different types of data.

Following are the native libraries:

o WebKit and Blink—web browser engine to display HTML content

o OpenMAX AL—a companion API to OpenSL ES that is used for multimedia (video and audio) rather than audio only

o Libc—Comprises System C libraries

o Media Framework—provides media codecs that allow recording and playback of different media formats

o OpenGL ES—a 3D graphics library

o Surface Manager—meant for display management

o SQLite—a database engine used for data storage purposes

o FreeType—meant for rendering fonts

o SGL—a 2D graphics library

o SSL—meant for Internet security

■   Android Runtime

It includes the core libraries and the ART virtual machine.

o Android Runtime (ART)

For Android versions above 5.0, each app runs in its own process with its own instance of the Android runtime. The Android runtime has features such as ahead-of-time (AOT) compilation, just-in-time (JIT) compilation, and optimized garbage collection (GC).

o Core Libraries

The set of core libraries allows developers to write Android applications using the Java programming language.

■    Hardware Abstraction Layer

The hardware abstraction layer exposes the device's hardware capabilities to the Java API framework sitting at the higher level. It acts as an abstraction layer between the hardware and the software stack. The HAL comprises various modules that are required for the hardware components in the device, such as audio, camera, Bluetooth, sensors, and so on.

■    Linux Kernel

The Android OS relies on the Linux kernel. This layer comprises low-level device drivers such as the audio driver, binder (IPC) driver, display driver, keypad driver, Bluetooth driver, camera driver, shared memory driver, USB driver, Wi-Fi driver, Flash memory driver, and power management for its various hardware components. Functions of this layer include memory management, power management, security management, and networking.

Android Device Administration API 

The Device Administration API introduced in Android 2.2 provides device administration features at the system level. These APIs allow developers to create security-aware applications that are useful in enterprise settings, in which IT professionals require rich control over employee devices. One can use a device administration ("admin") API to write device admin applications that users install on their devices. The device admin application enforces the desired policies.


Following are some examples of the types of applications that might use the device administration API:

■    Email clients.

■ Security applications that perform remote wipe.

■    Device management services and applications.

In addition to supporting the policies mentioned above, the device administration API lets you perform the following:

■    Prompt the user to set a new password

■    Lock the device immediately

■   Wipe the device's data (i.e., restore the device to its factory defaults)
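The three operations above map onto a small set of DevicePolicyManager calls. The following is an added example (not code from the original text or from Google's documentation) of a device admin app that requests admin rights, enforces a password policy, prompts for a new password when the current one is insufficient, locks the device, and wipes it; the class names PolicyAdminReceiver and DevicePolicyHelper are assumed, and the manifest and policy XML described in the comment must exist for the receiver to be activated.

```java
import android.app.Activity;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

/* Device-admin receiver (hypothetical class name). The manifest must declare it with
 * android:permission="android.permission.BIND_DEVICE_ADMIN" and a <meta-data android:name=
 * "android.app.device_admin"> entry pointing at an XML file whose <uses-policies> lists
 * <limit-password/>, <force-lock/> and <wipe-data/>; without them the calls below throw. */
public class PolicyAdminReceiver extends DeviceAdminReceiver {
    @Override
    public void onEnabled(Context ctx, Intent intent) {
        // As soon as the user grants admin rights, require an 8+ character alphanumeric password.
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(ctx, PolicyAdminReceiver.class);
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 8);
    }
}

/* Helper the enterprise app's UI calls (hypothetical class name). */
class DevicePolicyHelper {
    private final DevicePolicyManager dpm;
    private final ComponentName admin;
    DevicePolicyHelper(Context ctx) {
        dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        admin = new ComponentName(ctx, PolicyAdminReceiver.class);
    }
    /** Ask the user to activate the admin; every policy call below is a no-op until they do. */
    void requestAdmin(Activity activity, int requestCode) {
        Intent i = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
        i.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, admin);
        i.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION,
                "Needed to enforce the corporate screen-lock policy.");
        activity.startActivityForResult(i, requestCode);
    }
    /** Prompt the user to set a new password when the current one does not meet policy. */
    void promptNewPasswordIfNeeded(Activity activity) {
        if (dpm.isAdminActive(admin) && !dpm.isActivePasswordSufficient()) {
            activity.startActivity(new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD));
        }
    }
    /** Lock the device immediately, e.g. when the user reports it lost. */
    void lockNow() { if (dpm.isAdminActive(admin)) dpm.lockNow(); }
    /** Remote wipe: factory-resets the device; flags 0 leaves external storage untouched. */
    void remoteWipe() { if (dpm.isAdminActive(admin)) dpm.wipeData(0); }
}
```

Note that the password-quality methods used here are the legacy device-admin API; newer Android releases deprecate them in favour of the managed-profile (device owner) APIs, so check the target API level before relying on them.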


Android Rooting

The goal behind rooting Android is to overcome restrictions imposed by hardware manufacturers and carriers, resulting in the ability to modify or replace system applications and settings, run apps that require admin privileges, remove and replace the device's OS, remove applications pre-installed by its manufacturer or carrier, or perform other operations that are otherwise inaccessible to the typical Android user. Rooting allows Android users to attain privileged control (known as "root access") within Android's subsystem. The rooting process involves exploiting security vulnerabilities in the device's firmware, copying the su binary to a location in the current process's PATH (e.g., /system/xbin/su), and granting it executable permissions with the chmod command.

Rooting enables all the user-installed applications to run privileged commands such as:

■    Modifying or deleting system files, modules, ROMs (stock firmware), and kernels

■    Removing carrier- or manufacturer-installed applications (bloatware)

■    Low-level access to the hardware that is typically unavailable to devices in their default configuration

■    Improved performance

■    Wi-Fi and Bluetooth tethering

■    Installing applications on the SD card

■    Better user interface and keyboard

Rooting also comes with many security and other risks to your device, including:

■    Voiding your phone's warranty

■    Poor performance

■    Malware infection

■    Bricking the device

One can use tools such as KingoROOT, TunesGo Root Android Tool, and so on to root Android devices.
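Because rooting leaves an su binary on the PATH (the text above names /system/xbin/su), an enterprise app or MDM agent can look for it before handling sensitive data. The following is an added example (not code from the original text or from any rooting tool) of such a heuristic check; the class name RootIndicators is assumed, and the list of su locations beyond /system/xbin/su reflects common rooting-tool conventions rather than anything the text states.

```java
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;

/* Heuristic root check (hypothetical class name). Every signal here can be hidden by a
 * determined user, so treat a positive result as a risk indicator, not as proof. */
public final class RootIndicators {
    /* Paths where rooting tools usually drop su; /system/xbin/su is the one the text names,
     * the others are further common choices (assumption, not from the text). */
    static final String[] SU_PATHS = {
        "/system/xbin/su", "/system/bin/su", "/sbin/su", "/system/sd/xbin/su",
        "/system/bin/failsafe/su", "/data/local/xbin/su", "/data/local/bin/su",
        "/data/local/su", "/su/bin/su"
    };

    /** True if an su binary exists at any well-known path. */
    static boolean suBinaryPresent() {
        for (String p : SU_PATHS) {
            if (new File(p).exists()) return true;
        }
        return false;
    }

    /** True if `which su` resolves, i.e. su is reachable on the shell's PATH. */
    static boolean suOnPath() {
        Process proc = null;
        try {
            proc = Runtime.getRuntime().exec(new String[] {"/system/bin/which", "su"});
            BufferedReader r = new BufferedReader(new InputStreamReader(proc.getInputStream()));
            return r.readLine() != null;          // any output line means su was found
        } catch (IOException e) {
            return false;                         // `which` absent: no evidence either way
        } finally {
            if (proc != null) proc.destroy();
        }
    }

    /** Firmware signed with AOSP test keys is usually a custom ROM rather than vendor stock. */
    static boolean testKeysBuild() {
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    /** Combine the signals; the caller decides whether to warn, restrict features, or report. */
    public static boolean likelyRooted() {
        return suBinaryPresent() || suOnPath() || testKeysBuild();
    }
}
```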


Rooting Android Using KingoRoot

Source: https://www.kingoapp.com

KingoRoot is a tool used to root Android devices. It can be used with or without a PC. KingoRoot helps users root their Android devices in order to:

■    Preserve battery life

■   Access root-only apps

■    Remove carrier "bloatware"

■    Customize appearance

■    Attain admin-level permission

Following are the steps involved in rooting an Android device with this tool:

Android Rooting with PC:

■    Download KingoRoot Android (PC Version) and install it on your desktop.

■    Run the tool and connect the device to the computer with a USB cable.

■    Enable USB debugging mode on the Android device.

■    The tool will now install the latest drivers on your PC.

■    You will see a new screen on your desktop with your device name and a "ROOT" button.

■    Click on ROOT to root your device.

Ethical Hacking and Countermeasures Hacking Mobile Platforms

Android Rooting Without PC:

■    Enable installation from unknown sources on the Android device.

■    Download KingoRoot.apk onto your Android device.

■    Install and launch KingoRoot.

■    Press "One Click Root" on the main interface of the app.

■    Wait a few seconds until the root result appears on the display.

■    Attempt multiple times in case rooting fails, or try the PC version.


Android Rooting Tools

■ TunesGo Root Android Tool

Source: https://tunesgo.wondershare.com

TunesGo has an advanced Android root module that recognizes and analyzes your Android device and automatically chooses the appropriate rooting plan for it.

Following are the steps to root an Android device using the TunesGo Root Android tool:

o Download the TunesGo Root Android tool

o Connect your device to your computer

o Find "One-click Android Root" in the Toolbox and click it to root your device

o The Android device is successfully rooted

■ One Click Root

Source: https://www.oneclickroot.com

One Click Root is Android rooting software that supports the most devices, comes with extra fail-safes (such as instant unrooting), and offers full technical support. It allows rooting an Android smartphone or tablet and provides access to additional features such as access to more apps, installing apps on the SD card, preserving battery life, Wi-Fi and Bluetooth tethering, installing custom ROMs, and accessing blocked features.


Following are some of the additional Android rooting tools:

■    Unrevoked (http://www.unrevoked.com)

■    MTK Droid (https://androidmtk.com)

■    Superboot (http://www.galaxynexusforum.com)

■    Superuser X [Root] (http://www.ksharkapps.com)

■    Root Uninstaller (https://play.google.com)

■    Root Browser File Manager (http://jrummyapps.com)

■    Titanium Backup Root (http://www.matrixrewriter.com)


Blocking Wi-Fi Access using NetCut

Source: http://www.arcai.com

NetCut is a Wi-Fi killing application that allows an attacker on a network to identify target devices and block their access to the Wi-Fi network.

Note: This application works effectively only on rooted devices. Follow the steps given below to block Wi-Fi access:

■    Step 1: Download and install the NetCut Android application on your device.

■    Step 2: Launch the NetCut app on the mobile device.

■    Step 3: After opening, it automatically scans all the devices accessing the Wi-Fi network and displays the list under the CUT tab on the interface.

■    Step 4: Identify the target device and tap on it to block its Wi-Fi access. The Wi-Fi propagation symbol to the left of the blocked device's name turns from blue to red. You can confirm this by navigating to the JAIL tab on the interface, where the list of blocked devices is displayed.