0-day vulnerability, 71
2012 Mobile Threat and Security Roundup, 140
A
A5/1 authentication, 29
access
Internet, 5
offline, 217
Access Control Enforcer, 242
Access Granted Channel (AGCH), 29
access groups, 224–225
ADB (Android Debug Bridge), 88–89, 91, 248
adbd (Android Debug Bridge Daemon), 122
addJavascriptInterface function, 177–180
Address Space Layout Randomization (ASLR), 51, 52, 85, 230, 231
ADSafe, 223
Advanced RISC Machine. See ARM
AES key, 225
AGCH (Access Granted Channel), 29
agenda, 17–19
Airplane Mode, 79
AirWatch, 190
AKA authentication, 29
Allegra, Nicholas, 58
Amazon, 216
Amazon Marketplace, 219
Android apps. See also apps; specific apps
activities, 85
broadcast receivers, 85
components, 85–86
content providers, 85
data storage, 86, 110–112, 226
debugging. See debugging
decompiling, 91–92, 94, 203–204
development of. See app development
intent-based attacks, 103–105
network traffic, 95–102
NFC standards, 86–87
NFC-based attacks, 105–108
repackaging, 93–94
reverse engineering, 203–204
rooting, 89–91
sensitive data leakage, 109–118
services, 86
signing, 85
WebView and, 227–229
Android Beam, 87
Android Debug Bridge. See ADB
Android Developers website, 83
Android devices, 81–118. See also mobile devices
antivirus software, 139
command injection, 103–105
data storage, 86, 110–112, 226
disclosure vulnerability, 14
GingerBreak exploit, 90
history, 92
HTC, 14
Ice Cream Sandwich attack, 90–91
intent-based attacks, 103–105
market share, 145
network-based attacks, 95–102, 117–118
NFC standards, 86–87
NFC-based attacks, 105–108
overview, 92–983
sensitive data leakage, 109–118
Android Exploid Crew, 90
Android Intents, 231–232
Android KeyStore, 225
Android NDK, 83
Android Open Source Project (AOSP), 118
Android OS. See also OS
Application Framework, 82–83, 84
architecture, 82–83
CA certificates, 95–97
clipboard, 229
custom URI schemes, 172–174
JavaScript Bridges exploits, 177–182
log files, 229
network-based attacks, 95–102
penetration testing, 266–267
Runtime component, 82
sandboxing, 14–15
security and. See Android security
source code, 82
Android security. See also security
considerations, 222
file system protections, 225–226
fragmentation, 12–13
guidelines, 231–232
resources, 232
secure storage, 225
security model, 84–85
security patches, 220–221
trusted CA certificates, 95–97
WebView injection, 177–180
Android Security Best Practices for Developers, 232
Android Security Overview, 232
Android Security Suite Premium, 133
Android system logs, 14–15
Android virtual device (AVD), 88
AndroidManifest.xml file, 84, 89, 172, 174
anti-debugging, 221
AOSP (Android Open Source Project), 118
APDU (application protocol data unit), 224, 239–240, 241
APDU commands, 239, 248–252, 250
APDU responses, 250
APIs (application program interfaces)
Enterprise Security API, 151
Java API for XML Processing, 153, 154–155
keychain, 224–225
native, 219
Secure Element, 242
SmartCard, 242
APKs (application package files), 89, 148
app development, 211–233
assets, 216–218
cross-platform, 219
guidance, 218–232
iOS apps, 229–231
overview, 212
preparation, 218–221
resources, 232
security guidelines, 218–232
testing, 232
writing secure code, 17
app logic-bypass attacks, 201–203
App Store
described, 51
malware, 70–73
native apps, 219
app store account owners, 216
app store curators, 216
app stores
Apple App Store. See App Store
Cydia Store, 56, 58–60, 63, 67, 207
Google Play store, 13, 93, 120, 145, 219
private, 220
third-party, 146
Apple App Store. See App Store
Apple devices. See iPhones
Apple iForgot password reset, 11
Apple iOS. See iOS
Apple iPhone. See iPhones
Apple LLVM compiler, 230
Apple market share, 145
Apple Secure Coding Guide, 230, 232
Apple TV
introduction of, 49
jailbreaking, 57
application binaries, 206
application developers. See developers
Application Framework, 82–83, 84
application package files (APKs), 89, 148
application PINs, 14
application program interfaces. See APIs (application program interfaces)
application protocol data unit. See APDU
application publishers, 216
application signing, 201
application store curators, 6
application stores. See app stores
Application Verification Service, 139
application-specific UUIDs, 217, 219
apps. See also Android apps; iOS apps; specific apps
approval process, 145–146
banking, 236
countermeasures, 76
developing. See app development
input validation, 15
jailbreaking. See jailbreaking
legacy parts of, 222
logic-bypass attacks, 201–203
maintaining, 220–221
malicious. See malware
for mobile payments, 243–255
modification attacks, 201–203
patches. See security patches
penetration testing, 263–267
PINs. See PINs
publication, 7
Remote Lock feature, 209
Remote Wipe feature, 209
risks, 11–17
sandboxing, 14–15
screenshots, 231
security of. See security
side-loading, 14
signing, 85
testing, 232
third-party, 14, 51, 71, 74–75, 77
Trojan horse, 7
vulnerable, 73–76
web. See web apps
WebView and, 227–229
ARC (Automatic Reference Counting), 230–231
architecture risk analysis, 7
ARM (Advanced RISC Machine), 50
ARM code, 184
ARM executable, 178–179
ARM processors, 50
Arxan tool, 94
Asian Child virus, 144
ASLR (Address Space Layout Randomization), 51, 52, 85, 230, 231
Astley, Rick, 65–66, 141, 144, 145
attacks. See also exploits; hackers; malware
app logic-bypass, 201–203
app patching, 201–203
base stations, 35–39
Billion Laughs, 152
client-side, 63
control-bypass, 205
debugging. See debugging attacks
flooding, 30–31
FOCUS 11, 68–70
iKee, 65–68
intent-based, 103–105
iOS vs. Android, 12–13
jailbreak detection-bypass, 208–209
JSON injection, 186
local network-based, 63
logic-bypass, 201–203
man-in-the-browser, 5, 128, 214
man-in-the-middle. See man-in-the-middle attacks
NFC-based, 105–108
reflection-based, 228–229
relay, 249–253
rogue base station, 35–39
rogue femtocell, 39–43
SAML and, 165
session hijacking, 165
signature exclusion, 166
skimming, 253–254
SMS flooding, 30–31
SSL stripping, 227
URL redirection, 158–161
WS-Attacks project, 149
XML DoS, 165
XML entity expansion, 152–154
XML entity reference, 154–155
XML injection, 150–151
XML signature wrapping, 165–169
against XML-based services, 149–155
authentication. See also authorization; credentials
cellular networks, 29
considerations, 221
IPC, 175–177
mobile services, 226–227
password-based. See passwords
weak, 16
web services, 155–169
authentication data, 228
authentication frameworks, 155–169
authentication PINs, 14
authentication protocols, 226
authorization
considerations, 221
mobile services, 226–227
OAuth. See OAuth
web services, 155–169
authorization code grant type, 157–158
authorization frameworks, 155–169
authorization protocols, 226
authorization server, 156
autocomplete attribute, 228
autocorrectionType property, 230
Automatic Reference Counting (ARC), 230–231
AVD (Android virtual device), 88
B
banking apps, 236
banking malware, 120, 128–140, 145
base station controller (BSC), 24–26
base station receivers. See BTS
base station subsystem (BSS), 26
base stations
malicious, 214–215
overview, 24–26
rogue attacks, 35–39
BCCH (Broadcast Control Channel), 27–29
Bergeron, Doug, 238
Berkeley Software Distribution. See BSD
Billion Laughs attack, 152
Black Hat 2011, 254
Blackberry devices
JavaScript code and, 184
MDM solutions, 190
NFC card emulation, 249
Zitmo and, 133
BlackBerry Enterprise, 190
Bluetooth vulnerabilities, 213–214
Bonjour support, 67
boot-based jailbreak, 53, 54–62
Borgaonkar, Ravi, 171–172
“bricking,” 53
Bring Your Own Device (BYOD), 17
Broadcast Control Channel (BCCH), 27–29
broadcast intents, 85
broadcast receivers, 85
browsers. See web browsers
BSC (base station controller), 24–26
BSD (Berkeley Software Distribution), 34
BSD Unix, 49
BSS (base station subsystem), 26
BTS (base station receivers), 24–26, 29, 39
BTS emulation, 37–38
bug lists, 149
Burp Proxy, 134
BYOD (Bring Your Own Device), 17
C
C language, 204, 206, 230, 231
CA (certificate authority), 95–97, 227
CA certificates, 95–97
CA private keys, 227
Cabir worm, 120
cache
app screenshots, 231
JavaScript bridges and, 221
keyboard, 230
cached credentials, 227
Caja, 223
caller ID spoofing, 33
C-APDU (command), 239–240
Captain Hook framework, 202
Carberp Trojan horse, 134
card verification value (CVV), 239
Carrier IQ, 15
Carrier IQ incident, 15
Carrier IQ service, 117
CAVE authentication, 29
C&C numbers, 133
C&C server, 136
CDMA (Code Division Multiple Access) network, 22
CDMA networks. See also cellular networks
interoperability, 23–24
security issues, 118
simplified view of, 22
CDMA stack, 39
cell phones. See also mobile devices; specific brands
early years, 35–37
jamming, 27
cellular carriers, 35, 82, 216
cellular networks. See also networks
attacks on, 33–43
authentication, 29
basic functionality, 23–33
CDMA. See CDMA networks
GSM. See GSM networks
interoperability, 23–26
overview, 22–23
rogue base station attacks, 35–39
rogue femtocell attacks, 39–43
rogue mobile devices, 34–35
short message service, 30–33
targets, 24
trust model, 35
voice calls, 26–27
voice mailboxes, 30
voicemail hacking, 33
certificate authority. See CA
certificate pinning, 101–102, 221, 227
certificates
self-signed, 201
server, 227
China Mobile SMS Payment system, 125
chmod/chown vulnerability, 90–91
Cigital Threat Modeling, 213
Citi Mobile app, 74
Citmo malware, 134
ClassDump, 204–205
CLDC (Connected Limited Device Configuration), 31
clearCache() method, 228
client applications, 156
client credentials grant type, 161
clients
confidential, 161
native, 228
RIA, 222
thin, 148
client-side attacks, 63
client-side validation, 100
code
HTML5, 169
JavaScript, 75, 136, 169, 181–187
PIE, 231
unknown, 78
Code Division Multiple Access. See CDMA
code execution vulnerabilities, 3
code obfuscation, 94, 204, 206, 221
code signature verification, 51
collusion, 164
command injection, 103–105
Common Weakness Enumeration website, 149
communications, secure, 221, 227
Comodo, 227
Connected Limited Device Configuration (CLDC), 31
Consumer Security Checklist, 257–261
contactless payment systems, 236, 238
contactless smartcards, 238–243
content providers, 85
‘content://’ URI scheme information disclosure, 114–116
control-bypass attacks, 205
CookieManager, 228
credentials
cached, 227
OAuth, 161
OpenSSH, 65–68
SAML and, 163
sensitive, 14
session, 14
SSH, 65–68
stealing, 158
user, 227
crime, organized, 215
cross-platform development, 219
cross-site request forgery (CSRF), 162, 169
cryptographic keys, 223
CSRF (cross-site request forgery), 162, 169
CSRs (Customer Support Representatives), 213
curators, 6
custom URI scheme exploits, 169–176
customer reset vulnerabilities, 10
Customer Support Representatives (CSRs), 213
customer-support trickery, 10–11
CVV (card verification value), 239
CWE/SANS Top 25 Most Dangerous Software errors, 149
Cydia Store, 56, 58–60, 63, 67, 207
D
Dalvik byte codes, 201–202, 203
Dalvik Executable (.dex) files, 92
Dangerous permissions, 84
data. See also information entries
authentication, 228
call, 224
form, 228
leakage of. See information leakage
logs, 221
security checklist, 257–261
sensitive. See sensitive data
storage of. See storage
data field, 224
data masking, 223
databases
encryption, 225
mobile, 225
SQLite. See SQLite databases
WebView cookies, 228
data-centric MDM model, 191
dCVV (dynamic CVV), 239
debugging Android apps, 88–89, 91, 244, 248
debugging attacks
anti-debugging, 221
debugging iOS apps, 204, 205, 207
decompiling Android apps, 91–92, 94, 203–204
denial of service (DoS) attacks, 153, 165
design review, 7
developer fees, 146
developers
attracting, 13
considerations, 212
countermeasures to consider, 19–20
data leakage and, 117–118
writing secure code, 16, 17, 221–232
Device Firmware Update (DFU) mode, 55–57
device identifiers, 216–218
device provisioning, 191, 192–195
device-centric MDM model, 190–191
devices. See mobile devices
.dex (Dalvik Executable) files, 92
dex2jar tool, 92
DFU (Device Firmware Update) mode, 55–57
Dhanjani, Nitesh, 170
dialer applications, 170–172
DigiNotar breaches, 227
digital signatures, 164
dmcrypt implementation, 226
dmesg command, 112
dmesg executable, 14
document type definitions (DTDs), 152, 153, 154–155
dojox.secure, 223
DoS (denial of service) attacks, 153, 165
DroidDream malware, 121–123
Dropbox app, 75
DTDs (document type definitions), 152, 153, 154–155
duh worm, 141
dynamic CVV (dCVV), 239
dynamic SQL queries, 225
E
Eckhart, Trevor, 15
embedded SE, 238
emulation
BTS, 37–38
SMS, 88
telephony, 88
EMV specifications, 252
encryption
database, 225
device, 259
files, 225
file-system, 226
iOS, 259
password-based, 225
XML, 165
end users, 6
EnsureIT, 207
Enterprise Security API (ESAPI), 151
EntityResolver object, 155
ESAPI (Enterprise Security API), 151
ESPN ScoreCenter app, 75
exploid exploit, 122
exploits. See also attacks
custom URI scheme, 169–176
exploid, 122
GingerBreak, 90
JavaScript Bridges, 177–187
mempodroid, 244
privilege escalation, 244
RageAgainstTheCage, 122
Samsung Exynos kernel, 244
UIWebView, 182–184
URI scheme, 169–176
external-general-entities feature, 154–155
external-parameter-entities feature, 154–155
F
Facebook app, 75
Facebook SDK, 112–113
FakeToken malware, 134–140
FEATURE_SECURE_PROCESSING feature, 153
federated identity, 163
femtocell attacks, 39–43, 214–215
femtocells, 214
file system protections, 225–226
files
.dex, 92
encryption, 225
log. See log files
.odex, 92
WSDL, 150
file-system encryption, 226
Find and Call malware, 141
Firefox browser, 91–94
firmware image, iOS, 54
flooding attacks, 30–31
FOCUS 11 attacks, 68–70
font-related bugs, 64
form data, 228
forms, 227–228
Franken, Zac, 254
G
Galaxy Nexus, 238
GCC (GNU Compiler Collection), 230
GFan, 125
GingerBreak exploit, 90
Global System for Mobile. See GSM
GlobalPlatform association, 239
GlobalPlatform specifications, 239
GNU Compiler Collection (GCC), 230
GOOD app, 203
Google, 82
Google Android. See Android
Google market share, 145
Google Play store, 13, 93, 120, 145, 219
Google Wallet
card emulation, 87
overview, 236–237
PIN storage vulnerability, 243–248
Google Wallet Cracker, 245, 247–249
grant types, 156–162
GSM (Global System for Mobile) networks. See also cellular networks
considerations, 35–36
control channels, 27–29
vs. IMS systems, 44
interoperability, 23–26
location updates, 29
MCC/MNC chart, 36
spoofing, 38–39
GSM stack, 39
“Guidelines for Managing and Securing Mobile Devices in the Enterprise,” 232
H
hacker tools, 214
hackers, 213–215. See also attacks
iOS vs. Android OS, 12–13
overview, 213–214
security patches and, 220–221
Hacking Exposed Web Applications, 149
Hancke, Gerhard, 249
handleOpenURL method, 175, 176
Handy Light app, 70–73
hard code cryptographic keys, 223
hardware, security, 224
HLR (Home Location Register), 29
Home Location Register (HLR), 29
Honan, Mat, 11
hostname validation, 227
HTC Android devices, 14
HTC keystroke logging incident, 15
HTML native functionality, 177
HTML5 code, 169
HTTP redirects, 163
HTTP responses, 154
HTTPS traffic, 95, 97, 99, 102
hybrid MDM model, 191
I
IBM X-Force, 3
Ice Cream Sandwich OS version, 95–96
Ice Cream Sandwich vulnerability, 90–91
ICMP requests, 67
identifiers, 226–227
identity provider. See IdP
identity federation, 163
IdP (identity provider), 163
IdP private key, 166–167
iExplorer app, 77
iForgot password reset, 11
IMAP mailboxes, 30
IMEI (International Mobile Station Equipment Identity), 121
implicit grant type, 158–160
IMS (IP multimedia subsystem), 43–46
IMSI (International Mobile Subscriber Identity), 121
information gathering, 264. See also data
information leakage, Android, 109–118
mitigation strategies, 117–118
shared preferences, 117
SMS messages, 118
SQLite databases, 109–110, 117
via external storage, 110–112, 226
via insecure components, 113–116
via internal files, 109–110
WebKit/WebView, 117
information leakage, general, 14–15, 221, 229
infrastructure operators, 216
init vulnerability, 90–91
input validation, 15, 151, 229
Instagram app, 75
InstaStock app, 70–73
instrumentation, 264
Integrated Services Digital Networks (ISDN), 24
intent-based attacks, 103–105
interface extractors, 204–205
International Mobile Station Equipment Identity. See IMEI
International Mobile Subscriber Identity (IMSI), 121
Internet
cellular connections to, 71
Internet access, 5
interoperability, 23–26
inter-process communication. See IPC
IO bus, 7
iOS, 47–79. See also iPhones
BSD and, 34
clipboard, 229
code execution vulnerabilities, 3
custom URI schemes, 175–176
fragmentation and, 12
hacking other people’s phones, 62–77
history, 49–50
jailbreaking devices. See jailbreaking
JavaScript Bridges exploits, 182–184
kernel-level exploits, 53, 63–65, 75
log files, 229
malware, 140–146
network-based attacks, 62–63, 67, 68–70
overview, 48
penetration testing, 264–266
WebView JavaScript Bridge exploit, 182–184
iOS application snapshots, 14
iOS apps. See also apps; specific apps
debugging. See debugging
development of. See app development
reverse engineering, 204–207
secure coding guidelines, 205–207
UIWebView and, 227–229
iOS class dump, 206
iOS Developer Library, 232
iOS devices. See also iPhones
iOS encryption, 259
iOS kernel, 146
iOS keyboard cache, 14
iOS security. See also security
considerations, 222
file system protections, 225
fragmentation, 12–13
guidelines, 229–231
iOS apps, 205–207
resources, 232
secure storage, 224–225
iOS UDH reply-to hack, 32
iOS-based devices. See iPhones
IP multimedia subsystem (IMS), 43–46
IP networks, 44
IP-based voicemail, 30
IPC (inter-process communication), 103, 117, 175
IPC authentication, 175–177
iPhone apps. See iOS apps
iPhones. See also iOS; mobile devices
considerations, 48
data storage. See storage
firmware “prep” software malware, 140
FOCUS 11 attacks, 68–70
hacking other iPhones, 62–77
history of, 49
iKee attacks, 65–68
jailbreaking. See jailbreaking
know your iPhone, 49–50
market share, 145
passcodes, 77
physical access, 9–10, 76–77, 78
third-party apps and, 51
IPSec-protected endpoints, 43
IPSW (iOS firmware) files, 54, 56
IPv4, 43
IPv6, 43
ISDN (Integrated Services Digital Networks), 24
Isis Mobile Wallet, 16, 237, 238
IT department, 216
J
J2ME devices, 120
jailbreak detection-bypass attacks, 208–209
jailbreak software, 52–53
jailbreak tools, 208
jailbreaking, 52–62
Apple TV, 57
apps and, 215
detecting, 207–209
DFU mode, 55–57
kernel bug, 63–64
overview, 52–53
Redsn0w app, 54–57
remote, 57–59
risks, 215
JailbreakMe. See JBME
jailbreakme.com, 53
jammer, cell phone, 27
JAR archives, 92
jarsigner tool, 94
Java API for XML Processing (JAXP), 153, 154–155
Java Card Runtime Environment (JCRE), 224, 239
Java Card smartcards, 239
Java decompiler, 92
Java Mobile Information Device Profile (MIDP), 31
Java Standard Edition, 239
Javagator browser, 184
JavaScript
Mozilla Rhino and, 184–187
native functionality and, 177
password stealing and, 158
URI scheme disclosure, 116
WebView injection and, 177–180
JavaScript Bridges
addJavascriptInterface function, 177–180
Android WebView exploitation, 177–182
cache and, 221
exploiting, 177–187
iOS UIWebView exploitation, 182–184
Mozilla Rhino engine, 184–187
shouldInterceptRequest function, 180–182
WebView injection, 177–180
WebView interaction, 228–229
JavaScript code, 75, 136, 169, 181–187
JavaScript Object Notation. See JSON
JavaScript subsets, 223
JAXP (Java API for XML Processing), 153, 154–155
JBME 3.0 app, 58–59
JBME (JailbreakMe) 3.0 vulnerability, 64–65
JCRE. See Java Card Runtime Environment
Jensen, Meiko, 166
Jiang, Xuxian, 139
Jobs, Steve, 49
jSMSHider malware, 135
JSON injection attacks, 186
K
Kampmann, Marco, 166
Keefe, John, 33
kernel
Samsung Exynos, 244
kernel bugs, 63–64
kernel exploits, 63–65, 73, 244
keyboard cache, 230
keychain access APIs, 224–225
Keychain Dumper, 266
keystrokes, 230
keytool utility, 94
Kindle, 216
L
Laurie, Adam, 254
Liao, Lijun, 166
LibertyCrack, 120
LiveConnect, 184–188
LLVM compiler, 230
local network-based attacks, 63
location updates, 29
log files
Android, 229
data leakage via, 112–113, 117, 221, 229
data logs, 221
iOS, 229
precautions, 117
logcat command, 113
logcat tool, 94
logging statements, 93
logging URLs, 93
logical control channels, 28, 31
logic-bypass attacks, 201–203
Logo framework, 202
long-term evolution (LTE) model, 44
LTE (long-term evolution) model, 44
M
Mac OS X systems, 145
magnetic stripe cards, 238
magnetic stripe reader, 253
malicious HTML code, 169
malicious JavaScript code, 169
malware, 119–146. See also attacks
Android vs. iOS, 144–146
App Store, 70–73
considerations, 7
countermeasures, 73
iOS, 140–146
trend reports, 3–4
MAM (Mobile Application Management), 17, 220
man-in-the-browser (MiTB) attacks, 5, 128, 214
man-in-the-middle (MiTM) attacks
considerations, 5
FOCUS 11 attacks, 68–70
SAML and, 165
session timeouts and, 222–223
manual static analysis, 91
manufacturers, 216
market share, 145
mashups, 226
MasterCard payment applets, 242
Mayer, Andreas, 166
McAfee Mobile Security, 78
McAfee Threats Report, 3
MCX (Merchant Customer Exchange), 237
MDM (mobile device management), 189–210
advantages of, 220
bypassing MDM policies, 196–203
considerations, 17, 78–79, 220
device provisioning, 192–195
device/runtime integrity, 220
overview, 190
Remote Lock feature, 209
Remote Wipe feature, 209
MDM client apps, 192, 197–198, 200
MDM client-server interaction model, 200, 201
MDM control-bypass attacks, 202, 205
MDM policy files, 196–198
MDM servers, 192, 195, 197–201
MDN (mobile device number), 16, 226
memory
flash, 87
No eXecute bit, 85
nonvolatile, 86
memory cards, 110. See also SD cards
memory corruption attacks, 85
mempodroid exploit, 244
Merchant Customer Exchange (MCX), 237
message-level encryption, 165, 250
microSD cards, 238
microSD SEs, 242
Microsoft, 13
Microsoft Threat Modeling, 212
Microsoft Web Sandbox, 223
MIDP (Mobile Information Device Profile), 31
Miller, Charlie, 12, 67, 71, 139
MiTB (man-in-the-browser) attacks, 5, 128, 214
MiTM attacks. See man-in-the-middle attacks
MITRE’s Common Weakness Enumeration website, 149
MNOs (mobile network operators), 6, 24, 41–43, 141, 172
mobile application developers. See developers
Mobile Application Management (MAM), 17, 220
mobile apps. See apps
mobile databases, 225
mobile development security. See app development
mobile device management. See MDM
mobile device number (MDN), 16, 226
mobile devices. See also specific devices
Airplane Mode, 79
Android. See Android devices
“bricking,” 53
data storage. See storage
device provisioning, 192–195
integrity, 220
iOS. See iPhones
location updates, 29
networks. See cellular networks
on-device storage insecurity, 15–16
perceived insecurity of, 3–4
physical access, 9–10, 76–77, 78
risks. See risks
rogue, 34–35
runtime environment integrity, 220
scale of, 2–3
session timeout, 222–223
Mobile Directory Number (MDN), 226
mobile ecosystem, 2–4
Mobile Information Device Profile (MIDP), 31
mobile malware. See malware
mobile network operators (MNOs), 6, 24, 41–43, 141, 172
mobile OS vendors, 6
mobile payments, 235–256
applications, 243–255
contactless smartcards, 238–243
current technology, 236–238
Google Wallet. See Google Wallet
Google Wallet Cracker, 248–249
magnetic stripe cards, 238
MCX, 237
overview, 236
PINs. See PINs
relay attacks, 249–253
replay attacks, 254–255
scenarios, 236
Secure Element, 238–242
skimming attacks, 253–254
mobile phenomenon, 3
mobile phones. See cell phones
mobile risk model, 4–17
Mobile Safari browser, 63, 65, 74
mobile security. See security
mobile services. See also web services
authentication/authorization, 226–227
timeouts, 227
Mobile Switching Center (MSC), 26, 29
mobile terminals (MTs), 24
mobile threat modeling, 6–7, 212–218, 219
mobile transaction authentication numbers (mTANs), 129, 130, 133, 134, 138
mobile web browsers. See web browsers
mobile web design, 219
mobile WebView. See WebView
MobileSubstrate, 202
mobithinking.com, 2
modems, 37
MODE_WORLD_READABLE mode, 110, 226
MODE_WORLD_WRITEABLE mode, 110, 226
Mozilla Firefox, 91–94
Mozilla Rhino JavaScript Bridges, 184–187
MSC (Mobile Switching Center), 26, 29
mTANs (mobile transaction authentication numbers), 129, 130, 133, 134, 138
MTs (mobile terminals), 24
N
NAI (Network Access Identifier), 118
naming conventions, 206
NAND flash technology, 86, 110
native APIs, 219
native code, 5
Native Development Kit (NDK), 83
NDK (Native Development Kit), 83
Near Field Communication. See NFC
Nessus information disclosure, 111–112
Nessus server, 111–112
Network Access Identifier (NAI), 118
network sockets, 117–118
network-based attacks
Android platform, 95–102, 117–118
iOS platform, 62–63, 67, 68–70
networks. See also cellular networks
Ask To Join, 78
cellular. See cellular networks
GSM. See GSM networks
IP, 44
ISDN, 24
PSTN, 22
wireless. See wireless networks
News of the World break-ins, 33
NeXT, Inc., 49
NeXTSTEP, 49
NFC (Near Field Communication), 86–87, 236
NFC card emulation, 249
NFC events, 107–108
NFC guidelines, 232
NFC radio, 238
NFC standards, 86–87
NFC tags, 86, 87, 105–107, 232
NFC-based attacks, 105–108
NickiSpy malware, 123–125
No eXecute (NX) bit, 85
no-cache HTTP header, 228
Normal permissions, 84
NSHTTPCookieStorage classes, 228
NSLog statements, 229
NSURLCache class, 228
NX (No eXecute) bit, 85
O
OAuth 2 protocol, 156–162
OAuth client credentials grant type, 161
OAuth code grant type, 157–158
OAuth implicit grant type, 158–160
OAuth (Open Authorization) protocol
components, 156–157
grant types, 157–161
sensitive data storage, 162
threats, 162
OAuth resource owner password credentials grant type, 160
Oberheide, Jon, 139
obfuscation, code, 94, 204, 206, 221
Objective-C, 175, 204, 206, 230
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), 212
.odex (Optimized DEX) files, 92
offline access, 217
Open Authorization. See OAuth
open source, 82
Open Web Application Security Project. See OWASP
OpenBTS, 39
OpenSSH default credentials, 65–68
OPENSTEP, 49
operating system. See OS
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), 212
Optimized DEX (.odex) files, 92
organizational IT, 6
organized crime, 215
OS (operating system). See also Android OS; iOS
closed vs. open, 13
cross-platform development framework, 219
Mac OS X, 145
OS access, 5
OTA (over-the-air), 2
out-of-band password reset, 217
output encoding, 151
over-the-air (OTA), 2
OWASP (Open Web Application Security Project), 148–149
OWASP Testing Guide, 149
OWASP Top 10 bug list, 149
P
packet unit control (PCU), 26
password reset, 217
password-based encryption, 225
Password-Based Key Derivation Function 2 (PBKDF2), 111–112, 225
passwords. See also authentication; credentials
considerations, 155–156
device theft and, 155–156
iForgot password reset, 11
reset vulnerabilities, 10
voicemail, 33
P.A.S.T.A (Process for Attack Simulation and Threat Analysis), 213
patches. See security patches
payment applets, 239, 241, 242, 250, 252
payments. See mobile payments
PayPal app, 74–75
PBKDF2 (Password-Based Key Derivation Function 2), 111–112, 225
PCU (packet unit control), 26
PDUs (protocol description units), 130–131
penetration testing, 149
penetration testing toolkit, 263–267
permissions, 84, 105, 107, 174
persisted credentials, 217, 224
phone calls. See voice calls
phones, cell. See cell phones
physical access, 9–10, 76–77, 78
physical access-based attacks, 63
physical risks, 9–10
physical storage, 7
PIE (position-independent executable), 51, 230
PIE code, 231
PIN try counter, 224
PINs
application, 14
authentication, 14
data field, 224
mobile apps, 243
storage vulnerability, 243–248
virtual wallet, 224
Play store. See Google Play store
plutil app, 175
policy enforcement, 192
POS hardware, 238
position-independent executable (PIE), 51, 230, 231
PPSE (Proximity Payment System Environment), 239
preferences, shared, 117
private app stores, 220
privilege escalation exploits, 244
Process for Attack Simulation and Threat Analysis (P.A.S.T.A), 213
profile installation, 194
ProGuard tool, 94
Protocol Buffers library, 246
protocol description units (PDUs), 130–131
provisioning profiles, 192–195, 197, 198, 200
Proximity Payment System Environment. See PPSE
ProxyDroid app, 98–100
PSTN (public switched telephone network), 22
public switched telephone network (PSTN), 22
PUSH notification services, 191
Q
QR codes, 237
R
RACH (Random Access Channel), 29
radios, 7
RageAgainstTheCage exploit, 122
Random Access Channel (RACH), 29
ransomware, 140
Redbrowser, 120
redirection URIs, 158–161
redirects, 163
Redsn0w app, 54–57
reflection-based attacks, 228–229
relay attacks, 249–253
remote jailbreak, 57–59
Remote Lock feature, 209
remote shell, 89
Remote Wipe feature, 209
replay attacks, 165, 250, 254–255
resource owner, 156
resource owner password credentials grant type, 160
resource server, 156
reverse engineering
Android apps, 203–204
iOS apps, 204–207
RFID tags, 86
Rhino JavaScript Bridges, 184–187
Rohde & Schwarz (R&S), 37
“rickrolling,” 145
risks. See also threats
app, 11–17
BYOD phenomenon, 17
external data storage, 110–112
fragmentation, 12–14
identifying, 212–213
improper spec implementation, 16
insecure code, 17
jailbroken phones, 215
mobile disk management, 17
on-device storage, 15–16, 223–226
physical, 9–10
sensitive data leakage, 14–15, 109–118
service, 10–11
weak authentication, 16
rogue base station attacks, 35–39
rogue femtocell attacks, 39–43
rogue mobile devices, 34–35
Roland, Michael, 250
rollback journals, 109
R&S (Rohde & Schwarz), 37
RTP streams, 43
Rubin, Joshua, 243
runtime environment integrity, 220
S
SACCH (Slow Associated Control Channel), 31
salt, 246
SAML (Security Assertion Markup Language), 163–169
SAML assertion, 164
SAML threat model, 164–165
Samsung, 216
Samsung Exynos kernel exploit, 244
sandboxing
Android, 14–15
Mozilla Rhino and, 186
SANS Top 25 bug list, 149
SAXParser class, 154
Schwenk, Jörg, 166
scope, 162
screen cache, 231
screenshots, 231
script kiddies, 213, 214. See also hackers
SD cards
JSON payload and, 186
microSD, 238
WebView injection and, 179
SDCCH (Standalone Dedicated Control Channel), 29, 31
SDCCH contention, 31
SDK. See Software Development Kit
SE API, 242
SE payments, 238–242
Seas0nPass app, 57
secure communications, 221, 227
Secure Element. See SE
Secure Element Evaluation Kit (SEEK), 242
Secure Information Technology (SIT), 76
Secure JavaScript subsets, 223
secure on-device storage, 15–16
secure platform storage, 224–225
Secure Shell. See SSH
Secure Sockets Layer. See SSL
Secure Software Development Lifecycle (SSDLC), 218
security. See also risks; threats
Android. See Android security
app development, 211–233
app precautions, 78
best practices, 232
considerations, 78–79
developers and, 212
fundamentals, 5–8
guidelines, 218–232
iOS. See iOS security
McAfee Mobile Security, 78
mobile web browser, 169–187
passwords. See passwords
PINs. See PINs
risks. See risks
secure communications, 221, 227
traditional (plus), 221, 222–223
Web Application Security, 222
WebView, 169–187
Security Assertion Markup Language. See SAML
Security Checklist, 257–261
Security Engineering, 149
security hardware, 224
security patches
app patching attacks, 201–203
fragmentation and, 12–14
hackers and, 220–221
overview, 220–221
SEEK (Secure Element Evaluation Kit), 242
self-signed certificates, 201
sensitive data
data masking, 223
leakage of. See information leakage
OAuth and, 162
secure considerations, 224–225
storing externally, 110–112
storing on device, 110–112, 221, 223–226
tokenization, 223
types of, 223–224
WebView and, 227–228
server certificates, 227
servers
authorization, 156
C&C, 136
Nessus, 111–112
resource, 156
server-side vulnerabilities, 148
service provider (SP), 163
service risks, 10–11
session credentials, 14
session hijacking attacks, 165
session identifiers, 14
Session Initiation Protocol (SIP), 44
session timeout, 222–223
setShouldResolveExternalEntities method, 155
SHA-256 hash, 246
shared preferences, 117
shell users, 90–91
Short Message Peer-to-Peer (SMPP), 43
Short Message Service. See SMS
shouldInterceptRequest function, 180–182
shouldOverrideUrlLoading function, 180
side-loading apps, 14
Siegel, Mark, 33
signature exclusion attacks, 166–167
Signature permissions, 84
signature-level permissions, 84, 174
signatureOrSystem permissions, 84
signing certificate, 227
SIM cards, 238
SimpleSAMLphp, 168–169
Single Sign-On, 226
single sign-on (SSO), 163
SIP (Session Initiation Protocol), 44
SIT (Secure Information Technology), 76
skimming attacks, 253–254
Skype, 170–171
Slow Associated Control Channel (SACCH), 31
Smali assembler, 203
SmartCard API, 242
smartcards
contactless, 238–243
Java Card, 239
SMPP (Short Message Peer-to-Peer), 43
SMS (Short Message Service), 30–33
SMS flooding attacks, 30–31
SMS messages
DroidDream, 122
information leakage, 118
overview, 30–32
premium, 236
Redbrowser, 120
SMSZombie, 128
USSD codes and, 171–172
Zitmo, 129–134
SMS Service Center (SMSC), 31
SMS spam, 141
SMSC (SMS Service Center), 31
SMSZombie malware, 125–128
SOAP-based web services, 163
Software Development Kit (SDK)
Facebook, 112–113
Native Development Kit, 83
Software Security, 149
software updates, 78
Somorovsky, Juraj, 166
SP (service provider), 163
SP-Initiated Web Browser SSO profile, 163–164
Spitmo malware, 134
spoofing
caller ID, 33
Sprint, 216
SpyEye Trojan horse, 134
SQL injection attacks, 148, 225
SQLite databases
images in, 225
information leakage, 14, 109–110, 117
PIN data in, 246
SQL injection attacks, 225
third-party extensions, 225
Square mobile payment system, 238, 253–255
Square reader, 254
Square Register software, 253
SSDLC (Secure Software Development Lifecycle), 218
SSH (Secure Shell), 68
SSH daemons, 141
SSH default credentials, 65–68
SSL (Secure Sockets Layer), 68
SSL connections, 68
SSL stripping attacks, 227
SSL-protected endpoints, 43
SSLSocket class, 117
SSO (single sign-on), 163
SSP (Stack Smashing Protection), 230
Stack Smashing Protection (SSP), 230
stacks, 230
Standalone Dedicated Control Channel. See SDCCH
statistics, 2
storage
Android devices, 86, 110–112, 226
external, 110–112
leakage via external storage, 110–112
NAND flash technology, 86
physical, 7
secure, 15–16
of sensitive data, 110–112, 223–226
SuperOneClick tool, 90
Sutton, Willie, 10
T
Tags app, 105
TDM (time division multiplexing), 26
TDMA (time division multiple access), 26–27
tel URI scheme, 171–172
testing
apps, 232
considerations, 232
described, 264
penetration, 263–267
tethered device jailbreaks, 208
thieves, 215
thin clients, 148
third-party application stores, 146
threat modeling, 6–7, 212–218, 219
threats. See also risks
considerations, 6
overview, 213–215
stakeholders, 216
users as, 215
Threats Report, 3
time division multiple access (TDMA), 26–27
time division multiplexing (TDM), 26
timeouts, 227
TLS (Transport Layer Security), 162
TLS/SSL, 221
TLS/SSL connections, 227
token storage, 162
TokenGenerator app, 134
tokenization, 223
tokens
expiration, 162
FakeToken malware, 134–140
storage, 162
TokenGenerator app, 134
toll fraud, 118
Top X bug, 149
Towns, Ashley, 141
traffic channels, 27
Transport Layer Security. See TLS
Trend Micro, 3
Trike, 212
Trojan horse apps, 7
trusted CA certificates, 95–97
try counter, 224
TV channels, 44
U
UDH (user data header), 31, 32
UDH reply-to hack, 32
UIApplicationDelegate, 175
UITextField class, 230
uiwebview cache, 228
UIWebView exploitation, 182–184
UIWebView interaction, 227–229
UIWebViewDelegate, 184
uniform resource identifiers. See URIs
uniform resource locators. See URLs
universally unique identifiers (UUIDs), 217, 224
unstructured supplementary service data (USSD) codes, 171–172
updates, software, 78
URI scheme exploits, 169–176
URI scheme information disclosure, 114–116
URI schemes
abusing USSD codes, 171–172
abusing via Skype, 170–171
in Android, 172–174
exploiting, 169–176
in iOS, 175–176
URIs (uniform resource identifiers)
injection attacks, 228–229
redirection, 158–161
URL redirection attacks, 158–161
URLs (uniform resource locators)
custom URI schemes and, 172–176, 182
injection attacks, 228–229
logging, 93
web service, 149
user credentials, 227
user data header (UDH), 31, 32
user interface, 7
user-agent, 158
users
end, 6
shell, 90–91
as threats, 215
tricking, 146
USSD (unstructured supplementary service data) codes, 171–172
UUIDs (universally unique identifiers), 217, 224
V
V8 JavaScript engine, 184
virtual wallet, 224
viruses, 90, 93, 120, 139, 144
Visa payment applets, 242
voice calls, 26–27
voice mailboxes, 30
Vordel Application Gateway, 11
vulnerable apps, 73–76
W
Walled Garden, 222
WAP (wireless access point), 68–69
WSDL (Web Services Description Language), 150
The Web Application Hacker’s Handbook, 149
Web Application Security, 222
web apps
custom URI scheme exploits, 169–176
JavaScript bridge exploits, 177–187
OWASP, 148–149
“ten most critical security risks,” 148–149
threats to, 213–218
XML injection, 150–151
Web Browser SSO profile, 163–164
web browsers
Firefox, 91–94
Javagator, 184
man-in-the-browser attacks, 5, 128, 214
Redbrowser, 120
security and, 169–187
URI data disclosure, 116
WebView and, 169–187
web service endpoints, 149, 150
web service requests, 150
web service URLs, 149
web services. See also mobile services
attacks on, 149–155
authentication/authorization, 155–169
custom URI scheme exploits, 169–176
general security guidelines, 148–149
JavaScript Bridges. See JavaScript Bridges
mobile web browser/WebView security, 169–187
OAuth. See OAuth entries
SAML frameworks, 163–169
security guidelines, 148–149
SOAP-based, 163
URI schemes. See URI schemes
XML entity expansion attacks, 152–154
XML entity reference attacks, 154–155
XML injection attacks, 150–151
XML-based, 149–155
Web Services Description Language. See WSDL
WebKit, 117
WebView, 169–187
addJavascriptInterface function, 177–180
app interactions, 227–229
credential stealing, 158
information leakage, 117
JavaScript Bridge exploitation, 180–184
JavaScript bridge interaction, 228–229
sensitive data and, 227–228
shouldInterceptRequest function, 180–182
stealing credentials, 158
WebView cookies database, 228
WebView injection, 177–180
WebView objects, 177
WebView/mobile web browser security, 169–187
whitelisting, 151
Wi-Fi proxy settings, 87–88
Wi-Fi vulnerabilities, 213–214
Windows Identity Foundation, 168
Windows systems, 145
wireless access point (WAP), 68–69
wireless networks
data leakage and, 113
malicious, 78
untrusted, 70
worms
Cabir, 120
duh, 141
Writing Secure Code, 149
WS-Attacks project, 149
WSDL files, 150
X
XCode, 206
XCon app, 202–203
XDA Developers website, 243
xda-developers forum, 90
XML documents, 150
XML DoS attacks, 165
XML encryption, 165
XML entity expansion attacks, 152–154
XML entity reference attacks, 154–155
XML files, 192
XML injection attacks, 150–151
XML parsers, 151–154
XML Signature standard, 165
XML signature wrapping (XSW) attacks, 165–169
XML signatures, 165–169
XML-based web services, 149–155
assessing security of, 149–150
attacks against, 149–155
XPath queries, 151
XSW (XML signature wrapping) attacks, 165–169
X:Y coordinate buffers, 229
Z
Zertificat, 133
Zitmo malware, 128–134
Zovi, Dino Dai, 52
Zvelo, 243
Zvelo study, 248