Module 17: Hacking Mobile Platforms

 

Module 17: Hacking Mobile Platforms

Scenario

With the advancement of mobile technology, mobility has become a key feature of Internet usage. People’s lifestyles are becoming increasingly reliant on smartphones and tablets. Mobile devices are replacing desktops and laptops, as they enable users to access email, the Internet, and GPS navigation, and to store critical data such as contact lists, passwords, calendars, and login credentials. In addition, recent developments in mobile commerce have enabled users to perform transactions on their smartphones such as purchasing goods and applications over wireless networks, redeeming coupons and tickets, and banking.

Most mobile devices come with options to send and receive text or email messages, as well as download applications via the Internet. Although these functions are technological advances, hackers continue to use them for malicious purposes. For example, they may send malformed APKs (application package files) or URLs to individuals to entice victims to click on or even install them, and so grant the attackers access to users’ login credentials, or whole or partial control of their devices.

Mobile security is becoming more challenging with the emergence of complex attacks that utilize multiple attack vectors to compromise mobile devices. These security threats can lead to critical data, money, and other information being stolen from mobile users and may also damage the reputation of mobile networks and organizations. The belief that surfing the Internet on mobile devices is safe causes many users to not enable their devices’ security software. The popularity of smartphones and their moderately lax security have made them attractive and more valuable targets to attackers.

As an expert ethical hacker or penetration tester, you should first test the mobile platform used by your organization for various vulnerabilities; then, using this information, you should secure it from possible attacks.

In this lab, you will obtain hands-on experience with various techniques of launching attacks on mobile platforms, which will help you to audit their security.

Objective

The objective of the lab is to carry out mobile platform hacking and other tasks that include, but are not limited to:

  • Exploit the vulnerabilities in an Android device
  • Obtain users’ credentials
  • Hack Android device with a malicious application
  • Use an Android device to launch a DoS attack on a target
  • Exploit an Android device through ADB
  • Perform a security assessment on an Android device

Overview of Hacking Mobile Platforms

At present, smartphones are widely used for both business and personal purposes. Thus, they are a treasure trove for attackers looking to steal corporate or personal data. Security threats to mobile devices have increased with the growth of Internet connectivity, use of business and other applications, various methods of communication available, etc. Apart from certain security threats that are specific to them, mobile devices are also susceptible to many other threats that are applicable to desktop and laptop computers, web applications, and networks.

Nowadays, smartphones offer broad Internet and network connectivity via varying channels such as 3G/4G/5G, Bluetooth, Wi-Fi, or wired computer connections. Security threats may arise while transmitting data at different points along these various paths.

Lab Tasks

Ethical hackers or penetration testers use numerous tools and techniques to attack target mobile devices. The recommended labs that will assist you in learning various mobile attack techniques include:

  1. Hack android devices

    • Hack an Android device by creating binary payloads using Parrot Security
    • Harvest Users’ Credentials using the Social-Engineer Toolkit
    • Launch a DoS attack on a target website using Low Orbital Cannon (LOIC) on the Android mobile platform
    • Exploit the Android platform through ADB using PhoneSploit

  2. Secure Android Devices using Various Android Security Tools

    • Analyze a malicious app using online Android analyzers
    • Analyze a malicious app using Quixxi vulnerability scanner
    • Secure Android devices from malicious apps using Malwarebytes Security

Comments

Post a Comment

Popular posts from this blog

Lab 7: Perform Enumeration using Various Enumeration Tools

Image
  Lab 7: Perform Enumeration using Various Enumeration Tools Module 04: Enumeration Lab 7: Perform Enumeration using Various Enumeration Tools Task 1: Enumerate Information using Global Network Inventory Task 2: Enumerate Network Resources using Advanced IP Scanner Task 3: Enumerate Information from Windows and Samba Hosts using Enum4linux The details obtained in the previous steps might not reveal all potential vulnerabilities in the target network.  There may be more information available that could help attackers to identify loopholes to exploit. As an ethical hacker,  you should use a range of tools to find as much information as possible about the target network’s systems. This lab activity  will demonstrate further enumeration tools for extracting even more information about the target system. refer to blog Lab Scenario The details obtained in the previous steps might not reveal all potential vulnerabilities in the target network. There may be more information ...
Read more

Lab 1: Perform S3 Bucket Enumeration using Various S3 Bucket Enumeration Tools

Image
Lab 1: Perform S3 Bucket Enumeration using Various S3 Bucket Enumeration Tools Lab Scenario As an ethical hacker, you must try to obtain as much information as possible about the target cloud environment using various enumeration tools. This lab will demonstrate various S3 bucket enumeration tools that can help you in extracting the list of publicly available S3 buckets. Lab Objectives Enumerate S3 buckets using lazys3 Enumerate S3 buckets using S3Scanner Overview of Enumeration Tools Enumeration tools are used to collect detailed information about target systems to exploit them. Information collected by S3 enumeration tools consists of a list of misconfigured S3 buckets that are available publicly. Attackers can exploit these buckets to gain unauthorized access to them. Moreover, they can modify, delete, and exfiltrate the bucket content. Task 1: Enumerate S3 Buckets using lazys3 lazys3 is a Ruby script tool that is used to brute-force AWS S3 buckets using different permutations. This...
Read more

Lab 2: Perform Vulnerability Assessment using Various Vulnerability Assessment Tools

Image
  Lab 2: Perform Vulnerability Assessment using Various Vulnerability Assessment Tools Module 05: Vulnerability Analysis Lab 2: Perform Vulnerability Assessment using Various Vulnerability Assessment Tools Task 1: Perform Vulnerability Analysis using OpenVAS OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability  scanning and vulnerability management solution. Its capabilities include unauthenticated testing, authenticated testing,  various high level and low-level Internet and industrial protocols, performance tuning for large-scale scans, and a powerful  internal programming language to implement any vulnerability test. The actual security scanner is accompanied with a regularly  updated feed of Network Vulnerability Tests (NVTs)—over 50,000 in total. Vulnerability Analysis to identify security loopholes using Parrot Security / OpenVAS // Vulnerability Assessment  - Applications --> Pentesting --> Vu...
Read more