Hacking Mobile Devices

Schedule · Powerpoints · Projects · Links · Home Page

Surveys: Mon, Wed, Fri


Hall of Fame

Real Vulnerabilities Found by Students

Chris Marshall

Doctor's Android app --plaintext credential transmission

Rajiv Malkan

Conference schedule Android app -- plaintext credential transmission
Jeweler's Android app -- plaintext credential transmission
Community college sending SSNs through broken SSL
Fundraising coupon book uses plaintext authentication
Rewards app with plaintext authentication
Attorney site with plaintext authentication

Scott Stephenson

Pizza retail app--broken HTTPS
Emergency medical service in Texas--broken HTTPS

Mequanint Moges

Construction company plaintext
Realtor HTTP + MD5

John Byers

An important community college app breaks HTTPS

Mehmet Kilinc & Rafat Elsharef

Arabic Medical App plaintext credential transmission
Mehmet Kilinc & Rafat Elsharef -- Mortgage company with broken HTTPS
Mehmet Kilinc & Rafat Elsharef -- Nigerian cellphone company with plaintext authentication
Major ticket sales site using plaintext authentication

Jim Evans

Major television channel watching app with plaintext password transmission
Dating app with plaintext password transmission
Major university broken HTTPS
Major TV sports watching app broken HTTPS
Internet Service Provider with broken HTTPS

Carolyn Lightfoot

Major news app plaintext authentication
Foinancial planner plaintext authentication
Self--publisher plaintext authentication

Sean Che

A whole product line University reward apps that use plaintext authentication

Judy Ligocki

Major sports channel plaintext authentication

Catalog Description

Mobile devices such as smartphones and tablets are now used for making purchases, emails, social networking, and many other risky activities. These devices run specialized operating systems have many security problems. This class will cover how mobile operating systems and apps work, how to find and exploit vulnerabilities in them, and how to defend them. Topics will include phone call, voicemail, and SMS intrusion, jailbreaking, rooting, NFC attacks, malware, browser exploitation, and application vulnerabilities. Hands-on projects will include as many of these activities as are practical and legal.

Prerequisite skills: Security knowledge at the Security+ level, and familiarity operating mobile devices such as smartphones and tablets

Upon successful completion of this course, the student will be able to:
  1. Describe the risks of using mobile devices for common activities such as making phone calls, emailing, and shopping
  2. Explain cellular network functions, attacks, anbd countermeasures for voice calls, voicemail, and SMS
  3. Perform and analyze jailbreaks for iOS devices
  4. Analyze the Android security model and rooting
  5. Recognize types of mobile malware and anti-malware options
  6. Identify Web browser services and attacks on mobile platforms and recommend countermeasures
  7. Configure and defeat locking, remote location and wiping services
  8. Explain common mobile app risks and make intelligent decisions when installing and using them
  9. Evaluate the functions and risks of mobile payment services, such as Google Wallet

Textbook

"Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018 Buy from Amazon

Example Vulnerability Report

Example Proof of Concept Page for Plaintext

Example Proof of Concept Page for Broken SSL




Schedule

Date Topics Projects

Mon 7-13    Motivation: Android Security Auditing
Android and iOS Vulnerabilities Research

1: The mobile risk ecosystem
2: Hacking the cellular network

    Proj. 1-3

Tue 7-14 3: iOS
4: Android (Part 1)
Proj. 4-6

Wed 7-15 4: Android (Part 2)
5: Mobile malware
6: Mobile services and mobile Web
Proj. 7-8

Thu 7-16 7: Mobile Device Management
8: Mobile development security
9: Mobile payments
Proj. 10, 6x, 11

Fri 7-17 To Be Announced To Be Announced






Powerpoints

Android Security Auditing
Android Trojans
Android and iOS Vulnerabilities Research

1: The mobile risk ecosystem
2: Hacking the cellular network
3: iOS
4: Android
5: Mobile malware
6: Mobile services and mobile Web (part 1)
6: Mobile services and mobile Web (part 2)
7: Mobile Device Management
8: Mobile development security
9: Mobile payments

If you do not have PowerPoint you can use Open Office.


Back to Top

Projects

Preparation: Do One of These

Ubuntu Prep for Android Security Auditing Using Working Connections Lab Machines

Ubuntu Prep for Android Security Auditing Using Personal Laptops

Twitter

JOIN TWITTER

Simple Insecurities

1. Genymotion and Google Play
2. Observing the TD Ameritrade Log
3. Mayo Clinic Medical Transport App Hardcoded Password Exposure

Using a Proxy to Audit SSL Traffic

4. Preparing Genymotion and Burp for Android SSL Auditing
5. GenieMD Broken SSL
6. Garland & Associates App Plaintext Data Transmission and Broken SSL

Code Modification and Smali

7. Making a Signed App with Android Studio
8. Trojaning the Charles Schwab App (NORMAL TROJAN)
8a. Trojaning the Citibank App (HTTP PARAMETERS TROJAN)
8b. Trojaning the Capital One App (APACHE CORDOVA TROJAN)
8c. Trojaning the BanCorp App (STRING BUILDER TROJAN)

8d. Auto-Trojaning the Walmart App

Auditing Local File Storage

Auditing Local File Storage for the Safeway App
Auditing Local File Storage for the Lumosity App

Defenses & Countermeasures

Project 10: Obfuscating an Android App with ProGuard (10 points)
Project 6x: Obfuscating Android Source Code with DashO (15 pts. extra credit)
Project 11: MaaS360 (15 points)

iOS Apps: SSL Auditing Proxy

Making an SSL Auditing Proxy with a Mac, Burp, and pf
Comparing Secure and Insecure iOS Apps (not public yet)

Forensics

Project 14: Acquiring a Forensic Image of an Android Phone (25 pts.)
Project X4: Acquiring an iPad image with iTunes (15 pts.) (rev. 5-6-15)
Project X6: Analyzing an iTunes Backup with Magnet Forensics' Internet Evidence Finder (15 pts.) (new 5-6-15)

Old Projects

Project 1: Preparing an Android Virtual Machine (25 pts.)
Project 2: Rooting Your Android Virtual Machine (10 pts.)
Project 3: Android Studio (20 pts.)

Troubleshooting Android Emulator Problems

Project 4: ExploitMe Mobile Lab 1: Sniffing Insecure Connections with Burp (15 points)
Project 5: ExploitMe Mobile Lab 2: Parameter Manipulation (15 points)
Project 6: ExploitMe Mobile Lab 3: Insecure File Storage (20 points)
Project 7: ExploitMe Mobile Lab 4: Secure Logging (10 points)
Project 8: ExploitMe Mobile Lab 7: Scraping Data from RAM (15 points)
Project 9: Decompiling and Trojaning an Android App with Smali Code (15 points)

Extra Credit Projects

Project 1x: Android Security Auditing with Genymotion and Burp (20 pts. extra credit)
Project 2x: Security Audit of the NFL Android App (15 pts. extra credit)
Project 3x: Security Audit of Another Android App (20 pts. extra credit)
Project 4x: BlueStacks Android Emulator on Windows (15 pts. extra credit)
Project 5x: Trojaning an Android App and Posting Credentials on the Web (15 pts. extra credit)
Project 7x: Making an iPhone App with Xcode (15 pts. extra credit)
Project 8x: Security Audit of ExploitMe Mobile in Xcode (25 pts. extra credit)
Project 9x: Making a Data-Stealing Android Trojan (15 pts. extra credit)
Project 10x: Find an Android Vulnerability and Report it Correctly (40 pts. extra credit)
Project 11x: Stealing Credentials from an Android App with a SSL MITM Attack (15 pts.)

References for Projects

ExploitMe Mobile Android Labs from Security Compass
Android Assessments with GenyMotion + Burp
Back to Top

Links

Apple Platform Security
Apple Platform Security PDF
DVIA (Damn Vulnerable iOS App) | A vulnerable iOS app for pentesting
OWASP/owasp-masvs: The Mobile Application Security Verification Standard (MASVS) is a standard for mobile app security.
2019-12-29: Hybrid App Developers: Don't Store Your User's Passwords
Passwords are the biggest threat to GDPR compliance (Mar. 2019)
Chat app Knuddels fined 20 k Eurosunder GDPR regulation (Nov 24, 2018)
Remote logging for mobile apps (April, 2019)
From checkra1n to Frida: iOS App Pentesting Quickstart on iOS 13 -- spaceraccoon.dev
Project Zero: Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641 (Jan. 2019)
Project Zero: Remote iPhone Exploitation Part 2: Bringing Light into the Darkness -- a Remote ASLR Bypass (Jan. 2019)
Project Zero: Remote iPhone Exploitation Part 3: From Memory Corruption to JavaScript and Back -- Gaining Code Execution (Jan. 2019)
Reverse-Engineering-and-Tampering iOS Apps OWASP
GDB to LLDB command map -- The LLDB Debugger
Google Maps Platform--Protecting API Keys
We reverse engineered 16k apps, here's what we found
Hands On Mobile API Security: Get Rid of Client Secrets
Why OAuth API Keys and Secrets Aren't Safe in Mobile Apps
Hey Developer, Give me your API keys.!!
HOW TO EXTRACT AN API KEY FROM A MOBILE APP BY STATIC BINARY ANALYSIS
Ch 2b: Hack in the (sand)Box
Android App Reverse Engineering 101 | Learn to reverse engineer Android applications!
DJI Privacy Analysis Validation--GOOD ANDROID PROJECT
Oversecured detects dangerous vulnerabilities in the TikTok Android app--USE FOR PROJECT
AndroGoat: Vulnerable Android App
Ch 6a: Encryption  |  Android Open Source Project
Ch 6b: Android versions market share
Ch 7a: Android activity manager "am" command help
2021-02-22: Virtual iPhones with Free Trial!
pidcat: Colored logcat script which only shows log entries for a specific application package.
Ch 7b: Service vs IntentService in Android
Can I Jailbreak? - Home
Jailbreaking iOS for Mobile Security Assessments (March 2021 Edition) - SANS Institute
Ch 8a: What happens if you enter the wrong PIN for many times in an Android phone? - Quora
Ch 8b: How to reset your Android lock screen password/PIN/pattern - TechRepublic
Ch 8c: Android WebView addJavascriptInterface Code execution Vulnerability
MOBISEC - Mobile Security Course
iOS Hooking With Objection - HackTricks
ZipperDown Vulnerability--Path Traversal in iOS and Android
ANDROID PT / Path Traversal Vulnerability
Ch 6c: Android OS version market share over time | AppBrain
Drozer / needle - is it still alive?
2022-10-04: Releases · abhi-r3v0/EVABS
EVABSv4 Walkthrough
Android Studio Emulator (AVD) Rooting with Magisk using rootAVD - YouTube
EVABSv4 (Part 2) - ITZone
Troubleshooting Android Studio - Android Emulator Wifi Connected with No Internet
Registers in smali
Ch 2a: Cachegrab sttack exposes secrets from ARM TrustZone
Ch 2c Citigroup says its iPhone app puts customers at risk
Ch 2d: Citi Discloses Security Flaw in Its iPhone App - WSJ
How to Reverse Engineer and Patch an iOS Application for Beginners: Part I
Guide to Reversing and Exploiting iOS binaries Part 2: ARM64 ROP Chains
Heap Overflows on iOS ARM64: Heap Spraying, Use-After-Free (Part 3)
How to instrument system applications on Android stock images with Frida and Magisk
Security of runtime process in iOS and iPadOS - Apple Support
Xamarin | Open-source mobile app platform for .NET, with iOS -- USE FOR PROJECTS

          
Back to Top
Last Updated: 7-16-15 9 am