Pen Testing

Posted by Chris Carter on January 3, 2021

Penetration testing is an important step in securing a network. “A penetration test, also known as a pen test, is a simulated cyber attack against your computer system to check for exploitable vulnerabilities.” (What is Penetration Testing: Step-By-Step Process & Methods: Imperva). Pen testing is performed by highly skilled people trained in ethical hacking.

Although phones make data highly available to people for business and personal purposes, that availability comes with a high requirement for security. Phones can make phone calls, access the internet, connect to networks, and run their own complex operating systems. “These tools and features not only increase the device’s functionality but also introduce new security issues or increase existing risks. Attackers take advantage of this to launch various kinds of attacks to extract sensitive personal or business information stored on smartphones.” Phones also require strong security features because many people own their own unique smartphone. In the CIA triad, phones are high in availability, but require high security to protect their integrity and confidentiality (EC-Council 2018).

These reasons are why pen testing for mobile devices is different from pen testing for other devices. Mobile devices are in a state of rapid development and innovation, and new devices such as smart watches, Apple CarPlay, Android Auto, and smart glasses are making the process of securing a network more and more complex. Some cars (such as Teslas) have advanced technical features, such as advanced operating systems and self-driving capabilities. It may be easy for viruses to spread from one device to another. Some people have their phones connected to their cars, opening a door for malicious code to spread. All of these things need to be considered and integrated into a mobile pen test. Also, some web applications behave differently on phones than on computers. Therefore, it is good to test the usage of web applications through phones.

Some pen testing methods include external testing, internal testing, blind testing, double-blind testing, and targeted testing (What is Penetration Testing: Step-By-Step Process & Methods: Imperva). For mobile pen testing, it is good to use a combination of all of the different types of pen testing. Some pen testing organizations have their own protocols and procedures, and it may be best to leave it up to the requirements of the test. If the author could choose a single method of testing for mobile devices, it would be internal testing because it can simulate an inside attacker, as well as an outside attacker.

Pen testing has seven stages: information gathering, reconnaissance, discovery and scanning, vulnerability assessment, exploitation, final analysis and review, and utilizing the testing results. In the information gathering stage, the pen testers are provided with general information about in-scope targets. In the reconnaissance stage, the information gathered is used to collect additional information from publicly accessible sources. This is an important step because it can reveal if sensitive information is available to the public. In the discovery and scanning phase, things like ports and services are determined about the target networks. In the vulnerability assessment, potential weaknesses are discovered that may allow an attacker to gain access to the network maliciously. Exploitation is when the pen testers use techniques to exploit the vulnerabilities found in the previous step. In the final analysis and review stage, a report is given to the customer. It describes the methodologies and results of the testing. The final stage, utilizing the test results, is where the organization uses the findings from the tests to build a network with better security (Kersten, 2019).

There are differences in pen testing Android phones and iPhones. The Android pen testing process involves rooting an Android phone, performing DoS/DDoS attacks, checking for vulnerabilities in the Android browser, checking for vulnerabilities in SQLite, checking for vulnerabilities in Intents, and detecting capability leaks in Android devices. The iPhone pen testing process involves jailbreaking, unlocking, using SmartCover to bypass the passcode, hacking using Metasploit, checking for access points, checking iOS device data transmission in Wi-Fi networks, and checking whether malformed data can be sent to the device (EC-Council 2018).

One challenge in testing Androids is that the hardware can vary from manufacturer to manufacturer, whereas Apple develops both the operating system and the hardware. There are only a few new iPhones released each generation, but there are many types of Android phones released continually. Therefore, it is simpler to develop pen tests for multiple iPhones, but more complex to test multiple types of Android phones.

There are many companies that offer pen testing services. Some of the better rated pen testing companies are ScienceSoft, Acunetix, Netsparker, CyberHunter, Raxis, ImmuniWeb, and HackerOne (Top 10 Penetration Testing Companies and Service Providers (Rankings)).

There are many tools used in a pen test, and some are used specifically for pen testing. The most important tool is the skilled ethical hacker, and no hardware or software can replace him/her, no matter how advanced. One tool used for mobile pen testing is Hackode. “Hackode is the hacker’s toolbox. It is an application for penetration testers, ethical hackers, IT administrators, and cyber security professionals to perform different tasks such as reconnaissance, scanning for exploits, and so on. It contains modules including reconnaissance, scanning, exploits, and security feed” (EC-Council 2018).

Some other tools are ImmuniWeb MobileSuite, Zed Attack Proxy, Kiuwan, QARK, Micro Focus, and Android Debug Bridge. ImmuniWeb offers both mobile app and backend testing. It covers Mobile OWASP top 10 for the mobile app and SANS Top 25 for PCI DSS 6.5.1-10 for the backend. Zed Attack Proxy “supports sending malicious messages, hence it is easier for the testers to test the security of the mobile apps. This type of testing is possible by sending any request or file through a malicious message and test that if a mobile app is vulnerable to the malicious message or not” (10 Best Mobile APP Security Testing Tools in 2020). There are many other tools available, but these are just a few of the more commonly used ones.

There are many guidelines available for securing mobile devices. General guidelines include the following: “Do not load too many applications and avoid auto-upload of photos to social network; Perform a Security Assessment of the Application Architecture; Maintain configuration control and management; Install applications from trusted application stores; Securely wipe or delete the data disposing of the device; Do not share the information within GPS-enabled apps unless they are necessary; Never connect two separate networks such as Wi-Fi and Bluetooth simultaneously; Disable wireless access such as Wi-Fi and Bluetooth, if not in use.”

This link is a great example of a pen test for mobile devices. This report provides detailed information about the results of the pen test. The whole report is 51 pages long and provides many diagrams and sources. Below is a screenshot of the report for mobile applications (PENETRATION TEST REPORT):

In conclusion, there are many similarities and differences in pen testing mobile devices from other types of devices. Pen testing is a very detailed process that requires great skill and diligence to create a detailed report to increase security. Although no pen test may be perfect, it is an important foundation for securing a network. Pen testing is a field of its own that is growing at a fast rate. Hopefully, soon pen testing will be advanced enough to protect a network from many more types of attacks.

References:

7 Penetration Testing Phases to Achieve Amazing Results. (n.d.). Retrieved November 22, 2020, from https://cyberx.tech/penetration-testing-phases/

10 Best Mobile APP Security Testing Tools in 2020. (2020, November 13). Retrieved November 22, 2020, from https://www.softwaretestinghelp.com/mobile-app-security-testing-tools/

EC-Council. (2018). Certified Ethical Hacker (CEH) Version 10 eBook w/ iLabs (Volume 4: Ethical Hacking Concepts and Methodology). [VitalSource Bookshelf version].

Kersten, J. (2019, July 27). The 7 Penetration Testing Steps & Phases: A Checklist: KirkpatrickPrice. Retrieved November 22, 2020, from https://kirkpatrickprice.com/blog/7-stages-of-penetration-testing/

Top 10 Penetration Testing Companies and Service Providers (Rankings). (n.d.). Retrieved November 22, 2020, from https://www.softwaretestinghelp.com/penetration-testing-company/

PENETRATION TEST REPORT. (n.d.). Retrieved November 22, 2020, from https://static1.squarespace.com/static/589316f3cd0f68e6bd715655/t/5d7ce2ed69433d1c3e3f7021/1568465657128/SAMPLE+Security+Testing+Findings.pdf

What is Penetration Testing: Step-By-Step Process & Methods: Imperva. (n.d.). Retrieved November 22, 2020, from https://www.imperva.com/learn/application-security/penetration-testing/