DeepSec 2013 Talk: Automation in Android & iOS Application Security Review

René Pfeiffer/ August 30, 2013/ Conference, Security

Even if you do not want to follow the Bring Your Own Device (BYOD) hype you might have to deal with mobile operating systems and applications running on them. Once you have a need to deploy a system, you need to know how to review the security. Hemil Shah will explain in his talk how you can deal with this problem.

Mobile application hacking and its security is becoming a major concern in today’s world – especially with BYOD and user’s jailbreaking/rooting their devices. In the last few years we have seen a range of new attack vectors and methods of exploitation for these devices. Mobile applications are vulnerable to various sets of different attacks like local storage, user data harvesting, activity spying, unauthorized event injection, UI jacking, tab jacking, traffic redirection, logical attacks, hard coded keys and a few other. It is imperative to scan these applications before loading and launching.

Amongst the mobile attacks, local storage being the key target for attacks which affect the security and privacy of the user. What we really need right now is a automated program to penetrate local storage of the most widely used mobile platforms (Android and iOS). Interestingly, Android SDK provides an API which can be used to monitor file systems. On the iOS, one needs to jailbreak a device to attack local storage. Along with the presentation, free tools (Separate for android and iOS) will be released. The Android tool uses API to monitor the Android file system where the iOS tool relies on OS features. Methodology to perform the application penetration testing using the tools will be demonstrated along with several different demonstrations on attacking local storage for both platforms.

The process is targeted at penetration testers who intend to audit applications on Android and iOS. However everyone dealing with software or its development should know about the weaknesses of mobile computing platforms. Hemil Shah also conducts a workshop at DeepSec 2013 titled „Mobile Applications – Scan, Attack, Exploit“.