Thursday, May 6, 2010

Security Testing on Mobile Application

Security risks associated with mobile applications can often be identified and mitigated by subjecting them to security testing. Compared to desktop or web applications, mobile applications are harder to test for security and are therefore somewhat neglected.

Application Footprint Analysis
For applications that are installed on the phone, application footprint analysis begins well before the installation itself. Developers often assume that the phone memory is a safe location and use it to store user IDs, passwords and other sensitive information.

When analyzing the phone's file system, the main goals are:
1) Identify the files created on the phone by the application during installation. If the option is available, try installing the application on an external storage device such as a flash card. Once this is done, further analysis such as reversing the application, modifying it and extracting hidden secrets can be performed.

2) Identify changes made to existing files over multiple application operations.

3) Analyze the information written to the phone file system during the various stages of operation.

Perform the following steps to analyze the phone's file system:
Step-1 Directory and File Selection: The purpose of directory selection is to reduce the number of phone file system directories, and hence files, that have to be analyzed during testing.
• Generate a recursive directory listing of the phone file system and store it on a different computer for future reference.
• Install the mobile application and create a second recursive directory listing of the phone file system.
• Compare the pre- and post-installation directory listings of the phone file system.

Step-2 Fingerprinting: In Step-1 our main aim was to compare the files and directories present before and after installation. Now we verify the contents of the files. The easiest way to do this is to create content hashes (MD5, SHA1, SHA256 etc.) and compare them across various application runs. Use tools like md5deep2 to generate an MD5 hash of all files.

A command to create the recursive file hashes of the relevant directories on the phone system would look like:
md5deep -k -r k:\system k:\shared k:\resource k:\private k:\data > First_FingerPrint.txt
This command recursively explores the directories and calculates the MD5 hash of all the files encountered.
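As an added example (not part of the original post, and not a replacement for md5deep on a real handset), the following Python script carries out Step-1 and Step-2 in one pass: it snapshots a directory tree as a map from relative path to content hash, so the keys are the directory listing and the values are the fingerprints, and then diffs two snapshots to report the files an application added, removed or modified. The directory layout and file contents in demo() are constructed to stand in for a phone file system; the function names are this example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example (not from the original post): the two-snapshot approach
# described above, done in Python instead of a directory listing plus
# md5deep. Snapshot a tree before and after installing or running the
# application, then diff the snapshots to find what the application touched.


def hash_file(path, algorithm="sha256", chunk_size=1 << 16):
    """Return the hex digest of one file, read in chunks so large files are fine."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, algorithm="sha256"):
    """Map every regular file under root (relative POSIX path) to its content hash."""
    root = Path(root)
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink():  # do not follow links that may point outside the tree
                continue
            result[full.relative_to(root).as_posix()] = hash_file(full, algorithm)
    return result


def diff_snapshots(before, after):
    """Return (added, removed, changed) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, changed


def demo():
    """Constructed demo tree standing in for the phone file system (not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        (root / "private").mkdir()
        (root / "system" / "config.ini").write_text("theme=default\n")
        (root / "private" / "old.log").write_text("boot ok\n")
        before = snapshot(root)  # First_FingerPrint equivalent

        # Simulate what installing and running an application might do,
        # including the plaintext credential file the post warns about.
        (root / "private" / "app").mkdir()
        (root / "private" / "app" / "creds.dat").write_text("user=alice;pass=s3cret\n")
        (root / "system" / "config.ini").write_text("theme=default\nlast_app=demo\n")
        (root / "private" / "old.log").unlink()
        after = snapshot(root)  # second fingerprint

        return diff_snapshots(before, after)


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
```

Run it against a real device by calling snapshot() on the mounted phone storage (for example the k:\ drive letters used in the command above) before and after installation, saving each snapshot with json.dump, and diffing later runs against the first; any file that shows up under "added" or "changed" is a candidate for inspection for stored credentials or other sensitive data.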

User-Agent Request Header
Browser Based Mobile Application: A number of applications do not need to be installed on the mobile but can instead be accessed through mobile browsers. All web browsers include a User-Agent header in their requests. This header is used to identify the browser (IE, FF, Opera etc.) and also the device on which the browser is running.

Using a web proxy: Most web proxies (like Paros and Fiddler) give the user an option to modify a request header. In most cases this is a one-time configuration change and requires you to know the User-Agent header of the device being tested.

Example:
User-Agent: NokiaE61i-1/3.0 (1.0633.22z.05) SymbianOS/9.1 Series60/3.0 Profile/MIDP-2.0 Configuration/CLDC-1.1
Configuring the web proxy to replace the existing User-Agent header with the one above may allow you to access web applications that support Nokia E61 phones from your desktop.

Firefox User Agent Switcher add-on: This convenient add-on allows you to create and store multiple arbitrary User-Agent headers. A mobile user agent profile can be activated to browse the application just as you would from your mobile phone, without the need for a proxy server to change the headers.

Accept Request Header
All web browsers include an Accept header in their requests. This header is used to notify the server about the types of data the browser can accept. For example, a web server can use the Accept header to determine whether the browser understands WML pages and return the appropriate content.
The WMLBrowser add-on for Firefox adds support for viewing WML pages and modifies the Accept header to reflect this. The advantage of using such a tool is that once your desktop browser is configured, all testing can be performed as a regular web application penetration test.
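The following is an added example (not from the original post) that illustrates both header sections above from the server side, which is what the desktop-browser testing described here actually exercises. parse_accept() and quality() implement Accept header parsing with q-values and wildcards, choose_representation() picks WML or HTML from the Accept header alone, and weak_gate() shows the anti-pattern that the User-Agent switching technique exposes: a "mobile only" check based on a header the client fully controls, which is therefore a presentation hint and not an access control. The Nokia User-Agent string is the one quoted in the post; the desktop User-Agent and the function names are constructed for this example.

```python
# Added example (not from the original post): server-side handling of the
# Accept and User-Agent headers that mobile web testing exercises.

# The Nokia E61i User-Agent quoted in the post.
NOKIA_UA = ("NokiaE61i-1/3.0 (1.0633.22z.05) SymbianOS/9.1 Series60/3.0 "
            "Profile/MIDP-2.0 Configuration/CLDC-1.1")

# Constructed desktop User-Agent for comparison.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"

# Substrings typical of the Symbian/J2ME browsers of the period.
MOBILE_MARKERS = ("symbianos", "series60", "midp", "cldc")


def parse_accept(value):
    """Return [(media_type, q)] sorted by descending q (RFC 7231 section 5.3.2)."""
    entries = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        pieces = [p.strip() for p in part.split(";")]
        media = pieces[0].lower()
        q = 1.0  # default quality when no q parameter is given
        for param in pieces[1:]:
            name, _, val = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = max(0.0, min(1.0, float(val)))
                except ValueError:
                    q = 0.0  # unparsable q: treat as "not acceptable"
        entries.append((media, q))
    return sorted(entries, key=lambda e: e[1], reverse=True)


def quality(accept_value, media_type):
    """q the client assigns to media_type; the most specific match wins."""
    major = media_type.partition("/")[0]
    best = (-1, 0.0)  # (specificity, q); 0.0 when nothing matches
    for media, q in parse_accept(accept_value):
        if media == media_type:
            spec = 2
        elif media == f"{major}/*":
            spec = 1
        elif media == "*/*":
            spec = 0
        else:
            continue
        if spec > best[0]:
            best = (spec, q)
    return best[1]


def choose_representation(headers):
    """Serve WML only when the client prefers it over HTML; HTML otherwise."""
    accept = headers.get("Accept", "*/*")
    wml = quality(accept, "text/vnd.wap.wml")
    html = quality(accept, "text/html")
    return "text/vnd.wap.wml" if wml > html else "text/html"


def looks_mobile(user_agent):
    """Heuristic device detection; fine for layout, useless as a security check."""
    ua = user_agent.lower()
    return any(marker in ua for marker in MOBILE_MARKERS)


def weak_gate(headers):
    """Anti-pattern: a 'mobile only' endpoint gated on the User-Agent string.

    Any client can send any User-Agent, so this admits a desktop browser
    the moment its header is switched, exactly as the post describes.
    """
    return looks_mobile(headers.get("User-Agent", ""))


if __name__ == "__main__":
    phone = {"User-Agent": NOKIA_UA, "Accept": "text/vnd.wap.wml, text/html;q=0.5"}
    desktop = {"User-Agent": DESKTOP_UA, "Accept": "text/html,application/xhtml+xml,*/*;q=0.8"}
    switched = {"User-Agent": NOKIA_UA, "Accept": desktop["Accept"]}
    for name, h in (("phone", phone), ("desktop", desktop), ("switched", switched)):
        print(f"{name:9s} -> {choose_representation(h):18s} weak_gate={weak_gate(h)}")
```

The "switched" case is the desktop browser with only its User-Agent replaced: the content negotiation still returns HTML because the Accept header was not changed (which is why the WMLBrowser add-on also adjusts Accept), while weak_gate() lets it straight through. Findings of this kind in a test should be reported as missing server-side authorization, with the fix being a real session or credential check rather than a stricter User-Agent pattern.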