1 00:00:00,900 --> 00:00:05,810 In this lecture, we will see one of the most important tools for any penetration testing and Gedmin 2 00:00:05,820 --> 00:00:11,400 not only for mobile security, but for any application assessment, and that is batsuit. 3 00:00:11,610 --> 00:00:18,570 OK, and you can set up so to actually view the traffic coming from an Android emulator docking to potentially 4 00:00:18,570 --> 00:00:19,670 beacon infrastructure. 5 00:00:20,020 --> 00:00:26,250 OK, now mobile applications of any kind, such as banking, social networking or any application that 6 00:00:26,250 --> 00:00:31,710 actually contains a lot of functionality that requires Internet communication, they basically have 7 00:00:31,710 --> 00:00:33,930 a typical client server architecture. 8 00:00:34,290 --> 00:00:39,130 So in other words, they actually communicate potentially to the cloud to communicate Wilbekin. 9 00:00:39,450 --> 00:00:39,870 OK. 10 00:00:40,380 --> 00:00:46,050 So whenever you want to understand the exact sort of face for these kind of apps, it is required to 11 00:00:46,050 --> 00:00:51,780 consider all the possibilities of the application, which includes the client application itself, the 12 00:00:51,780 --> 00:00:57,330 API that is actually using to connect to the backend and the server related vulnerabilities and the 13 00:00:57,330 --> 00:00:58,530 database as well. 14 00:00:58,800 --> 00:01:04,440 That is why it's important that you actually have a good security open lifecycle whenever you are creating 15 00:01:04,440 --> 00:01:06,270 your application infrastructure. 16 00:01:06,510 --> 00:01:08,970 But unfortunately, that's not always the case. 17 00:01:09,180 --> 00:01:14,670 And you as a tester may take advantage of the different and that not only the users are actually running 18 00:01:14,670 --> 00:01:18,270 on those applications, but the actual backend infrastructure. 19 00:01:18,270 --> 00:01:24,510 And that's where you can actually use things like Bulbasaur to actually proxy out and evaluate and assist 20 00:01:24,510 --> 00:01:28,020 the victim security posture of that backend infrastructure. 21 00:01:28,240 --> 00:01:34,980 OK, so looking for API abuse, looking for CROSSEYED scripting potentially in some backend servers 22 00:01:34,980 --> 00:01:36,860 or potentially lethal injection. 23 00:01:36,960 --> 00:01:41,970 So don't limit yourself just by looking at the app itself, if not the infrastructure. 24 00:01:41,970 --> 00:01:46,680 As a matter of fact, that's what you are going to probably find most of the vulnerabilities. 25 00:01:46,720 --> 00:01:52,440 OK, now on the defensive side, this is why it's important to have a good trade modeling methodology, 26 00:01:52,870 --> 00:01:53,280 OK? 27 00:01:53,520 --> 00:01:59,790 And this is actually done to identify the traits your application has by defining the assets, the value 28 00:01:59,790 --> 00:02:05,220 that actually provides and the perspective threat actors who might actually be interested to attack 29 00:02:05,220 --> 00:02:06,140 those assets. 30 00:02:06,450 --> 00:02:10,980 And in this case, not only the app or the backend infrastructure, as I mentioned before. 31 00:02:11,520 --> 00:02:16,210 Now, threat modeling ideally needs to be done during the design phase of the application. 32 00:02:16,530 --> 00:02:20,440 However, you as a tester can also build your own tech modeling. 33 00:02:20,880 --> 00:02:25,980 This is actually often considered as the part of the Oregonian's phase in European test engagement. 34 00:02:26,340 --> 00:02:32,340 OK, now let's explore some common threads to mobile apps that have to be addressed during the design 35 00:02:32,340 --> 00:02:37,520 phase for the mobile applications or that you can take advantage of during your testing. 36 00:02:37,800 --> 00:02:43,860 So the first one is the application data at risk of an application store data in the plane side, many 37 00:02:43,860 --> 00:02:47,570 mobile application store sensitive data on the device without any encryption. 38 00:02:47,910 --> 00:02:51,150 This is one of the major problems of mobile applications. 39 00:02:51,180 --> 00:02:54,200 These data can be sensitive, confidential and private. 40 00:02:54,480 --> 00:02:58,810 So data at rest on the device can definitely be exploited in many ways. 41 00:02:58,850 --> 00:03:04,740 OK, so an attacker who actually got physical access to the device can gain access to this data with 42 00:03:04,740 --> 00:03:06,390 pretty much not doing anything. 43 00:03:06,630 --> 00:03:12,330 And potentially also a malicious application that it's actually compromised may gain access to this 44 00:03:12,330 --> 00:03:15,330 data if the device is actually routed or broken. 45 00:03:15,600 --> 00:03:21,030 And from attempt and testing perspective, this is a little tricky because you actually need physical 46 00:03:21,030 --> 00:03:27,660 access to the device or to create a malicious app and then the user to install it in his device, which 47 00:03:27,660 --> 00:03:30,870 in some cases may be out of the scope of your engagement. 48 00:03:31,170 --> 00:03:36,930 But if you are actually doing some type of a more in-depth security research or more in-depth assessment 49 00:03:36,930 --> 00:03:38,970 for your client, absolutely. 50 00:03:38,970 --> 00:03:41,640 You can do this as long as it's the part of the scope. 51 00:03:41,880 --> 00:03:44,670 Now, let's talk about application data in-transit. 52 00:03:45,270 --> 00:03:50,190 Mobile applications that communicate with the backend are highly exposed to attacks that target the 53 00:03:50,190 --> 00:03:51,120 data in transit. 54 00:03:51,300 --> 00:03:56,520 So it is actually quite common to find end users basically joining a public available network. 55 00:03:57,240 --> 00:04:03,960 And you can combine some methodologies like fake access points or even screens and then eavesdrops on 56 00:04:03,960 --> 00:04:11,280 the data using two tools like Boxwood or many proxy or SSL management or the pineapple and many more 57 00:04:11,280 --> 00:04:11,670 ones.