Road to CEH Masters Week 17: Hacking Mobile Platforms

Hacking Mobile Platforms (CEH)

Introduction: Mobile security is increasingly complex due to the rise of multifaceted attacks targeting mobile devices. These threats can compromise critical data, financial information, and user privacy, as well as damage the reputation of mobile networks and organizations.

Mobile Platform Attack Vectors:

1. Vulnerable Areas:
   • Smartphones are used for both business and personal purposes, making them rich targets for attackers.
   • Increased internet connectivity and diverse communication methods elevate the risk of security threats.
   • Security threats span various connectivity channels, including 3G/4G/5G, Bluetooth, and Wi-Fi.
2. OWASP Top 10 Mobile Risks – 2016:
   • Improper Platform Usage: Misuse of platform features or security controls.
   • Insecure Data Storage: Exposure of sensitive information due to improper storage.
   • Insecure Communication: Risks from poor handshaking, incorrect SSL versions, and cleartext communication.
   • Insecure Authentication: Issues with user authentication and session management.
   • Insufficient Cryptography: Weak cryptographic implementations.
   • Insecure Authorization: Failures in authorization distinct from authentication.
   • Client Code Quality: Code-level issues like buffer overflows.
   • Code Tampering: Modifications to app code and data resources.
   • Reverse Engineering: Analyzing the app’s binary to find vulnerabilities.
   • Extraneous Functionality: Hidden backdoor functionality.
3. Anatomy of a Mobile Attack:
   • Device Attacks: Browser-based, phone/SMS-based, application-based, and OS-based attacks.
   • Network Attacks: Wi-Fi vulnerabilities, rogue access points, packet sniffing, MITM attacks, and DNS poisoning.
   • Data Center/CLOUD Attacks: Web-server and database vulnerabilities like SQL injection and cross-site scripting.
4. How Hackers Profit from Compromised Devices:
   • Surveillance: Monitoring user activities.
   • Financial Exploitation: Sending premium-rate SMS messages, making expensive calls.
   • Data Theft: Stealing account details, call logs, contacts.
   • Botnet Activity: Launching DDoS attacks.
   • Impersonation: Posting on social media, sending emails.
5. Mobile Attack Vectors and Vulnerabilities:
   • Mobile Malware: Viruses, rootkits, application modifications, OS modifications.
   • Data Tampering and Loss: Unauthorized modifications, data extraction, jailbreaking, rooting.
6. Security Issues from App Stores:
   • Malicious Apps: Repackaging legitimate apps with malware and distributing them through third-party app stores.
7. App Sandboxing Issues:
   • Sandboxing Vulnerabilities: Malicious apps exploiting sandbox weaknesses to access sensitive data.
8. Mobile Spam:
   • SMS Phishing (SMiShing): Fraudulent SMS messages tricking users into revealing personal information.
9. Pairing Mode Risks:
   • Bluetooth and Wi-Fi Vulnerabilities: Bluesnarfing, bluebugging, and MITM attacks.
10. Advanced Attacks:
    • Agent Smith Attack: Infecting devices through malicious apps from third-party app stores.
    • SS7 Vulnerability Exploits: Eavesdropping on communications.
    • Simjacker Attack: Exploiting SIM card vulnerabilities for malicious activities.
    • OTP Hijacking: Intercepting one-time passwords for unauthorized access.

With my study notes I have create a set of 8 flashcards that can be accessed here: Module 17 – Flash Cards

I have also created this visual Mind map: Module 17 – Mindmap

If you have any questions or any feedback feel free to comment or leave a message on the homepage as that will send directly to me!

Thanks for reading!