1 00:00:00,900 --> 00:00:05,810 In this lecture, we will see one of the most important tools for any penetration testing and Gedmin 2 00:00:05,820 --> 00:00:11,400 not only for mobile security, but for any Web application assessment, and that is batsuit. 3 00:00:11,600 --> 00:00:18,570 OK, and you can set up so to actually view the traffic coming from an Android emulator docking to potentially 4 00:00:18,570 --> 00:00:19,660 beacon infrastructure. 5 00:00:20,020 --> 00:00:26,250 OK, now mobile applications of any kind, such as banking, social networking or any application that 6 00:00:26,250 --> 00:00:31,710 actually contains a lot of functionality that requires Internet communication, they basically have 7 00:00:31,710 --> 00:00:33,930 a typical client server architecture. 8 00:00:34,290 --> 00:00:39,210 So in other words, they actually communicate potentially to the cloud to communicate to a beckon. 9 00:00:39,500 --> 00:00:45,900 OK, so whenever you want to understand the exact sort of face for these kind of apps, it is required 10 00:00:45,900 --> 00:00:51,390 to consider all the possibilities of the application, which includes the client application itself, 11 00:00:51,540 --> 00:00:57,210 the API that is actually using to connect to the backend and the server related vulnerabilities and 12 00:00:57,210 --> 00:00:58,510 the database as well. 13 00:00:58,770 --> 00:01:04,440 That is why it's important that you actually have a good security open lifecycle whenever you are creating 14 00:01:04,440 --> 00:01:06,290 your application infrastructure. 15 00:01:06,510 --> 00:01:08,970 But unfortunately, that's not always the case. 16 00:01:09,180 --> 00:01:14,670 And you as a tester may take advantage of the different and that not only the users are actually running 17 00:01:14,670 --> 00:01:18,270 on those applications, but the actual backend infrastructure. 18 00:01:18,270 --> 00:01:24,510 And that's where you can actually use things like Bulbasaur to actually proxy out and evaluate and assist 19 00:01:24,510 --> 00:01:28,020 the victim security posture of that backend infrastructure. 20 00:01:28,230 --> 00:01:35,850 OK, so looking for abuse, looking for crosseyed scripting potentially in some backend servers or potentially 21 00:01:36,090 --> 00:01:36,860 lethal injection. 22 00:01:36,990 --> 00:01:41,970 So don't limit yourself just by looking at the app itself, if not the infrastructure. 23 00:01:41,970 --> 00:01:46,680 As a matter of fact, that's what you are going to probably find most of the vulnerabilities. 24 00:01:46,720 --> 00:01:52,440 OK, now on the defensive side, this is why it's important to have a good trade modeling methodology, 25 00:01:52,880 --> 00:01:53,280 OK? 26 00:01:53,520 --> 00:01:59,790 And this is actually done to identify the traits your application has by defining the assets, the value 27 00:01:59,790 --> 00:02:05,220 that actually provides and the perspective threat actors who might actually be interested to attack 28 00:02:05,220 --> 00:02:06,140 those assets. 29 00:02:06,450 --> 00:02:10,980 And in this case, not only the app or the backend infrastructure, as I mentioned before. 30 00:02:11,520 --> 00:02:16,230 Now, threat modeling ideally needs to be done during the design phase of the application. 31 00:02:16,530 --> 00:02:20,440 However, you as a designer can also build your own tech modeling. 32 00:02:20,880 --> 00:02:25,980 This is actually often considered as the part of the Oregonian's phase in your best engagement. 33 00:02:26,350 --> 00:02:32,340 OK, now let's explore some common threads to mobile apps that have to be addressed during the design 34 00:02:32,340 --> 00:02:37,520 phase for the mobile applications or that you can take advantage of during your testing. 35 00:02:37,800 --> 00:02:43,410 So the first one is the application data at rest of an application store, data in the plane side, 36 00:02:43,440 --> 00:02:47,580 many mobile application store sensitive data on the device without any encryption. 37 00:02:47,910 --> 00:02:51,150 This is one of the major problems of mobile applications. 38 00:02:51,180 --> 00:02:54,200 These data can be sensitive, confidential and private. 39 00:02:54,480 --> 00:02:58,740 So data at rest on the device can definitely be exploited in many ways. 40 00:02:58,880 --> 00:03:04,740 OK, so an attacker who actually got physical access to the device can gain access to this data with 41 00:03:04,740 --> 00:03:06,390 pretty much not doing anything. 42 00:03:06,630 --> 00:03:12,330 And potentially also a malicious application that it's actually compromised may gain access to this 43 00:03:12,330 --> 00:03:15,330 data if the device is actually routed or broken. 44 00:03:15,600 --> 00:03:21,030 And from attempt and testing perspective, this is a little tricky because you actually need physical 45 00:03:21,030 --> 00:03:27,660 access to the device or to create a malicious app and then the user to install it in his device, which 46 00:03:27,660 --> 00:03:30,870 in some cases may be out of the scope of your engagement. 47 00:03:31,170 --> 00:03:36,930 But if you are actually doing some type of a more in-depth security research or more in-depth assessment 48 00:03:36,930 --> 00:03:38,970 for your client, absolutely. 49 00:03:38,970 --> 00:03:41,640 You can do this as long as it's the part of the scope. 50 00:03:41,880 --> 00:03:44,670 Now, let's talk about application data in-transit. 51 00:03:45,270 --> 00:03:50,190 Mobile applications that communicate with the backend are highly exposed to attacks that target the 52 00:03:50,190 --> 00:03:51,120 data in transit. 53 00:03:51,300 --> 00:03:56,510 So it is actually quite common to find end users basically joining a public available network. 54 00:03:57,240 --> 00:04:03,960 And you can combine some methodologies like fake access points or even twins, and then eavesdrops on 55 00:04:03,960 --> 00:04:11,280 the data using two tools like Boxwood or many proxy or SSL management or the pineapple and many more 56 00:04:11,280 --> 00:04:11,670 ones.