Mobile Device Exploitation Cookbook
By Prashant Verma and Akshay Dixit
About this ebook
- Learn application exploitation for popular mobile platforms
- Discover tricks of the trade with the help of code snippets and screenshots
This book is intended for mobile security enthusiasts and penetration testers who want to discover vulnerabilities in mobile devices and applications in order to secure them against attack.
Table of Contents
Mobile Device Exploitation Cookbook
Credits
About the Authors
About the Reviewer
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for
Sections
Getting ready
How to do it…
How it works…
There's more…
See also
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. Introduction to Mobile Security
Introduction
Installing and configuring Android SDK and ADB
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a simple Android app and running it in an emulator
Getting ready
How to do it...
See also
Analyzing the Android permission model using ADB
Getting ready
How to do it...
How it works...
There's more...
See also
Bypassing Android lock screen protection
Getting ready
How to do it...
How it works...
There's more...
Setting up the iOS development environment - Xcode and iOS simulator
Getting ready
How to do it...
How it works...
There's more...
See also
Creating a simple iOS app and running it in the simulator
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up the Android pentesting environment
Getting ready
How to do it...
How it works...
There's more...
Setting up the iOS pentesting environment
Getting ready
How to do it...
How it works...
There's more...
Introduction to rooting and jailbreaking
Getting ready
How to do it...
Rooting
Jailbreaking
How it works...
Rooting
Jailbreaking
2. Mobile Malware-Based Attacks
Introduction
Analyzing an Android malware sample
Getting ready
How to do it...
How it works...
There's more...
Using Androguard for malware analysis
Getting ready
How to do it...
There's more...
Writing custom malware for Android from scratch
Getting ready
How to do it...
How it works...
There's more...
See also
Permission model bypassing in Android
Getting ready
How to do it...
How it works...
There's more...
See also
Reverse engineering iOS applications
Getting ready
How to do it...
How it works...
Analyzing malware in the iOS environment
Getting ready
How to do it...
How it works...
3. Auditing Mobile Applications
Introduction
Auditing Android apps using static analysis
Getting ready
How to do it...
How it works...
There's more...
See also
Auditing Android apps using a dynamic analyzer
Getting ready
How to do it...
How it works...
There's more...
See also
Using Drozer to find vulnerabilities in Android applications
Getting ready
How to do it...
How it works...
There's more...
See also
Auditing iOS application using static analysis
Getting ready
How to do it...
How it works...
There's more...
See also
Auditing iOS application using a dynamic analyzer
Getting ready
How to do it...
How it works...
There's more...
See also
Examining iOS App Data storage and Keychain security vulnerabilities
Getting ready
How to do it...
How it works...
There's more...
Finding vulnerabilities in WAP-based mobile apps
Getting ready
How to do it...
There's more...
See also
Finding client-side injection
Getting ready
How to do it...
There's more...
See also
Insecure encryption in mobile apps
Getting ready
How to do it...
How it works...
An example of weak custom implementation
There's more...
See also
Discovering data leakage sources
Getting ready
How to do it...
How it works...
There's more...
See also
Other application-based attacks in mobile devices
Getting ready
How to do it...
How it works...
M5: Poor Authorization and Authentication
M8: Security Decisions via Untrusted Inputs
M9: Improper Session Handling
See also
Launching intent injection in Android
Getting ready
How to do it...
How it works...
There's more...
See also
4. Attacking Mobile Application Traffic
Introduction
Setting up the wireless pentesting lab for mobile devices
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring traffic interception with Android
Getting ready
How to do it...
How it works...
There's more...
See also
Intercepting traffic using Burp Suite and Wireshark
Getting ready
How to do it...
How it works...
There's more...
See also
Using MITM proxy to modify and attack
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring traffic interception with iOS
Getting ready
How to do it...
How it works...
There's more...
See also
Analyzing traffic and extracting sensitive information from iOS App traffic
Getting ready
How to do it...
There's more...
See also
WebKit attacks on mobile applications
Getting ready
How to do it...
How it works...
There's more...
See also
Performing SSL traffic interception by certificate manipulation
Getting ready
How to do it...
How it works...
There's more...
See also
Using a mobile configuration profile to set up a VPN and intercept traffic in iOS devices
Getting ready
How to do it...
How it works...
There's more...
See also
Bypassing SSL certificate validation in Android and iOS
Getting ready
How to do it...
How it works...
There's more...
See also
5. Working with Other Platforms
Introduction
Setting up the Blackberry development environment and simulator
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up the Blackberry pentesting environment
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up the Windows phone development environment and simulator
Getting ready
How to do it...
How it works...
There's more...
See also
Setting up the Windows phone pentesting environment
Getting ready
How to do it...
How it works...
There's more...
See also
Configuring traffic interception settings for Blackberry phones
Getting ready
How to do it...
Case 1 - Using MDS server and Blackberry simulator
Case 2 - Blackberry 10 simulators
Case 3 - Blackberry 10 phones
How it works...
There's more...
See also
Stealing data from Windows phone applications
Getting ready
How it works...
There's more...
See also
Stealing data from Blackberry applications
Getting ready
How to do it...
How it works...
There's more...
See also
Reading local data in Windows phone
Getting ready
How to do it...
How it works...
There's more...
See also
NFC-based attacks
Getting ready
How to do it...
How it works...
Eavesdropping
Data tampering
Data fuzzing
There's more...
See also
Mobile Device Exploitation Cookbook
Copyright © 2016 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: June 2016
Production reference: 1270616
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-78355-872-8
www.packtpub.com
Credits
About the Authors
Prashant Verma, Certified Information Systems Security Professional (CISSP) is a Sr. Practice Manager—Security Testing at Paladion Networks. Information security has been his interest and research area for the past 10 years. He has been involved with mobile security since 2008. One of his career achievements has been to establish mobile security as a service at Paladion Networks.
He loves to share his knowledge, research, and experience via training, workshops, and guest lectures. He has spoken at premier global security conferences such as OWASP Asia Pacific 2012 in Sydney and RSA Conference Asia Pacific and Japan 2014 in Singapore. He has shared his knowledge via webinars and trainings.
He is a primary security consultant for leading financial institutions.
His banking security experience was translated into his co-authored book Security Testing Handbook for Banking Applications, IT Governance Publishing. He has written articles for Hakin9 and Palizine Magazine.
Beyond mobile platforms, he holds expertise in various other areas of InfoSec, such as security testing, security management, and consulting. He has occasionally analyzed security incidents and cybercrimes. He has conducted assessments for organizations globally at multiple locations. He is a subject matter expert, and his work has earned him a distinguished position with his customers.
He can be contacted at verma.prashantkumar@gmail.com. His Twitter handle is @prashantverma21. He occasionally writes on his personal blog at www.prashantverma21.blogspot.in.
I would like to thank my parents, my wife, my sister, and my colleagues and friends for supporting and encouraging me for this book.
Akshay Dixit is an information security specialist, consultant, speaker, researcher, and entrepreneur. He has been providing consulting services in information security to various government and business establishments, specializing in mobile and web security. Akshay is an active researcher in the field of mobile security. He has developed various commercial and in-house tools and utilities for the security assessment of mobile devices and applications. His current research involves artificial intelligence and mobile device exploitation. He has been invited to several international conferences to give training, talks and workshops. He has written articles for various blogs and magazines on topics such as mobile security, social engineering, and web exploitation.
Akshay co-founded and currently holds the position of Chief Technology Officer at Anzen Technologies, an information security consulting firm specializing in providing end-to-end security services.
Anzen Technologies (http://www.anzentech.com) is a one-stop solution for industry-leading services, solutions and products in the cyber security, IT governance, risk management, and compliance space. Anzen's vision is to instill end-to-end security in organizations, aligned to their business requirements, in order to ensure their lasting success.
I would like to thank my Baba, a scholar, an inspiration, and one of the best storytellers I've met. I thank my parents, my brother, my sister, all the people who think well of and for me, and my wife Parul, a dreamer and a friend.
About the Reviewer
Ajin Abraham is a product security consultant for IMMUNIO with over 6 years of experience in application security, including 3 years of security research. He is passionate about developing new and unique security tools than depending on pre existing tools that never work. Some of his contributions to Hacker's arsenal include OWASP Xenotix XSS Exploit Framework, Mobile Security Framework (MobSF), Xenotix xBOT, MalBoxie, Firefox Add-on Exploit Suite, NodeJsScan, and so on, to name a few. He is the cofounder of X0RC0NF, an annual security conference conducted in Kerala. He has been invited to speak at multiple security conferences including ClubHack, NULLCON, OWASP AppSec AsiaPac, BlackHat Europe, Hackmiami, Confidence, BlackHat US, BlackHat Asia, ToorCon, Ground Zero Summit,