How to perform penetration testing on mobile devices?
BYOD and mobile devices pose significant challenges to enterprise security. Many enterprise IT departments cannot effectively control the mobile devices that store company data, applications, and communications, and with the growing volume of malware targeting smartphones and tablets this difficulty will only increase. Security managers and developers should follow established industry penetration testing methods and frameworks to test the mobile device network as a whole.
Various so-called guidelines for mobile testing exist, but their starting point is to divide mobile devices into several independent categories. The existing approach relies mainly on device certificates, which the underlying technology does not fully support: a certificate is just a file that is not bound to the device, so a device's identity is easily stolen.
Battles in the online world are fought with the weapons one already has, not the ones one hopes to acquire. Some principles and tools for penetration testing are discussed below; company culture, budget constraints, and the configuration of each individual client are out of scope here.
Define Policy
Policies should translate enterprise strategy into executable guidance. Updating security policies to include robust mobile security is critical to strengthening the company's control over its data on the mobile network.
Require employees to sign a statement that they will follow company policy or face penalties. This is an important step toward creating security awareness and accountability; security should become a shared responsibility.
Verify as much as possible
For each policy, IT must determine how compliance will be verified. Some measures can be verified remotely.
For example, with device fingerprinting, an unknown device is not blocked outright; instead it triggers an exception that is captured and reviewed. When one device's identity changes to that of another device, a serious problem has occurred.
Scan the Device Platform
The first layer of mobile device security is the device platform itself. Some platforms are more secure or better maintained than others, and older versions are usually the ones that lose out. Remember that some mobile platforms may be more secure than a standard corporate workstation.
This means checking and recording the operating system of each mobile device, a standard step in static device penetration testing. The goal is to verify that users are not running an old system with known vulnerabilities. Enterprise IT should block communication from earlier operating system versions with significant vulnerabilities.
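The two remote checks described above, fingerprint review and operating system cut-offs, can be run over the same device inventory. The following is an added example, not code from the original article: it assumes an MDM export shaped as a list of records with the constructed field names `device_id`, `fingerprint`, `os` and `version`, and the version cut-offs in `MINIMUM_OS` are constructed for the demonstration rather than a recommendation.

```python
"""Compliance checks over a managed mobile-device inventory (added example).

Assumes an MDM export as a list of dicts with the constructed fields
device_id, fingerprint, os and version; real exports will differ.
"""
from dataclasses import dataclass

# Oldest OS releases the policy still allows to reach company data.
# Constructed cut-offs for the demonstration, not a recommendation.
# Kept as one-element tuples so "14.0" does not compare below "14".
MINIMUM_OS = {"android": (10,), "ios": (14,)}


def parse_version(text: str) -> tuple:
    """Turn '12.4.1' into (12, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Finding:
    device_id: str
    severity: str   # "warning" or "critical"
    reason: str


def check_inventory(current: list[dict], known: dict[str, str]) -> list[Finding]:
    """Compare today's device records against previously recorded fingerprints.

    `known` maps device_id -> fingerprint recorded at the last check. Reported:
      * a device id never seen before      -> warning  (capture and review, do not block)
      * a known id with a new fingerprint  -> critical (identity may have been taken over)
      * an OS release below the minimum    -> critical (block access)
    """
    findings = []
    for rec in current:
        dev = rec["device_id"]
        if dev not in known:
            findings.append(Finding(dev, "warning", "unknown device fingerprint"))
        elif known[dev] != rec["fingerprint"]:
            findings.append(Finding(dev, "critical", "fingerprint changed for known device id"))

        platform = rec["os"].lower()
        minimum = MINIMUM_OS.get(platform)
        if minimum is None:
            findings.append(Finding(dev, "warning", f"unsupported platform {rec['os']}"))
        elif parse_version(rec["version"]) < minimum:
            findings.append(Finding(dev, "critical",
                                    f"{rec['os']} {rec['version']} is below the policy minimum"))
    return findings


# Constructed sample data standing in for yesterday's and today's MDM exports.
KNOWN_FINGERPRINTS = {"dev-001": "fp-aaa", "dev-002": "fp-bbb", "dev-003": "fp-ccc"}
TODAYS_INVENTORY = [
    {"device_id": "dev-001", "fingerprint": "fp-aaa", "os": "Android", "version": "13"},
    {"device_id": "dev-002", "fingerprint": "fp-zzz", "os": "iOS", "version": "16.2"},   # identity changed
    {"device_id": "dev-003", "fingerprint": "fp-ccc", "os": "Android", "version": "9"},  # too old
    {"device_id": "dev-004", "fingerprint": "fp-ddd", "os": "iOS", "version": "14.0"},   # never seen
]

if __name__ == "__main__":
    for f in check_inventory(TODAYS_INVENTORY, KNOWN_FINGERPRINTS):
        print(f"{f.severity:8} {f.device_id}: {f.reason}")
```

Unknown devices are deliberately reported at a lower severity than a fingerprint that has changed under a known id: the first is the expected noise of enrolment, the second matches the "identity of one device becomes another" condition the text calls a serious problem.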
Device Port Security
Companies allow mobile devices onto the corporate wireless network, and those devices expose ports much like static devices do, including TCP and UDP ports. IT should regularly check those ports and scan the versions of the applications behind them.
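The port check above is a baseline comparison: which TCP ports answer on a managed device, what the service behind each announces, and how that differs from what the device is expected to expose. The following is an added example, not code from the article; the host, the allowed-port set and the banner text are constructed, and `start_banner_server` is a local stand-in for a device service so the example runs offline against your own machine.

```python
"""Compare a managed device's listening TCP ports with an expected baseline (added example).

Hosts, ports and banners are constructed for the demonstration.
"""
import socket
import threading


def probe_port(host: str, port: int, timeout: float = 1.0) -> tuple[str, str]:
    """Return ("open", banner) or ("closed", "") for one TCP port.

    Many services announce themselves on connect (SSH, FTP, SMTP); that banner,
    when present, is how IT records the application version behind the port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(128).decode("ascii", errors="replace").strip()
            except OSError:          # service open but silent until it gets input
                banner = ""
            return "open", banner
    except OSError:                  # refused, filtered or timed out
        return "closed", ""


def compare_to_baseline(results: dict[int, tuple[str, str]], allowed: set[int]) -> list[str]:
    """Flag ports that are open but not allowed, and allowed services that are not listening."""
    issues = []
    for port, (state, banner) in sorted(results.items()):
        if state == "open" and port not in allowed:
            issues.append(f"unexpected open port {port} ({banner or 'no banner'})")
        if state == "closed" and port in allowed:
            issues.append(f"expected service on port {port} is not listening")
    return issues


def start_banner_server(banner: bytes) -> int:
    """Constructed stand-in for a device service so the example runs offline.

    Binds an ephemeral localhost port, sends `banner` to every client, returns the port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    demo_port = start_banner_server(b"SSH-2.0-DemoDevice_1.0\r\n")
    # Baseline (constructed): the device should expose only an agent on 8443.
    results = {p: probe_port("127.0.0.1", p) for p in (demo_port, 8443)}
    for line in compare_to_baseline(results, allowed={8443}):
        print(line)
```

The value of the baseline is in the two directions of the diff: an unexpected listener is the classic finding, but an allowed agent or management service that has stopped listening is just as much a policy failure, since the device has silently dropped out of management.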
Fraudulent mobile applications
IT cannot test everything, but that is no excuse for laziness. The most effective way to test a mobile platform and its applications is to verify their system permissions. Mobile applications require certain system access permissions, and a compromised version of an application usually requests more access than it actually needs.
The IT security team should check the mobile apps users download most frequently and compare the original list of permissions granted by the original developer with the permissions the installed app actually obtains. If the two do not match, that should raise a clear warning.
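The comparison described above is a set difference between a vetted permission baseline and the installed build's manifest. The following is an added example, not code from the article: the package names, permission lists and the `HIGH_RISK` grouping are constructed for the demonstration (the permission strings themselves are real Android names), and in practice the baseline would come from the publisher's store listing or a previously vetted build while the installed list comes from the MDM inventory or `aapt dump permissions`.

```python
"""Compare vetted app permissions with what the installed copy requests (added example).

Package names, permission sets and the risk grouping are constructed for the demo.
"""

# Permissions whose unexplained appearance should be treated as high risk.
# Constructed grouping for this example, not an official Android classification.
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


def diff_permissions(declared: set[str], installed: set[str]) -> dict:
    """What the installed build asks for beyond the vetted baseline, and what it dropped."""
    extra = installed - declared
    return {
        "extra": sorted(extra),
        "extra_high_risk": sorted(extra & HIGH_RISK),
        "missing": sorted(declared - installed),
    }


def review_installs(baseline: dict[str, set[str]], inventory: dict[str, set[str]]) -> list[str]:
    """One alert line per app whose installed permissions exceed its vetted baseline."""
    alerts = []
    for pkg, installed in sorted(inventory.items()):
        if pkg not in baseline:
            alerts.append(f"{pkg}: no vetted baseline, review before allowing")
            continue
        d = diff_permissions(baseline[pkg], installed)
        if d["extra_high_risk"]:
            alerts.append(f"{pkg}: HIGH - requests {', '.join(d['extra_high_risk'])} not in baseline")
        elif d["extra"]:
            alerts.append(f"{pkg}: MEDIUM - requests {', '.join(d['extra'])} not in baseline")
    return alerts


# Constructed sample data: what the publisher's vetted build declares ...
VETTED_BASELINE = {
    "com.example.expenses": {"android.permission.CAMERA", "android.permission.INTERNET"},
    "com.example.chat": {"android.permission.INTERNET", "android.permission.RECORD_AUDIO"},
}
# ... versus what the copies found on user devices actually request.
INSTALLED = {
    "com.example.expenses": {"android.permission.CAMERA", "android.permission.INTERNET",
                             "android.permission.READ_SMS", "android.permission.READ_CONTACTS"},
    "com.example.chat": {"android.permission.INTERNET", "android.permission.RECORD_AUDIO",
                         "android.permission.VIBRATE"},
    "com.example.unknownflashlight": {"android.permission.CAMERA", "android.permission.READ_CONTACTS"},
}

if __name__ == "__main__":
    for line in review_installs(VETTED_BASELINE, INSTALLED):
        print(line)
```

Splitting the extra permissions into a high-risk subset keeps the check actionable: an added vibration permission is a minor discrepancy, while an expense tracker that suddenly reads SMS and contacts is exactly the over-privileged build the text warns about, and the missing-permission list shows whether the installed copy is a genuinely different build rather than a newer release of the same one.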
Application Endpoints
Applications on mobile devices can use several application endpoints. An endpoint here means a connector linking a mobile application to another application or service, for example to download advertisements or richer content.
Enterprises must undoubtedly harden these endpoints so that attackers cannot exploit system vulnerabilities through them. Enterprise IT must be aware that some mobile apps contain vulnerabilities and may cause damage.
Security Applications
The mobile app market does offer some genuine innovations that enhance mobile security. Automatic updating of mobile apps is always among the best security measures, since it installs the latest security patches for applications. Some well-known vendors have also launched a number of security products, including familiar tools such as anti-virus and firewalls.
For example, the well-known zANTI is an Android-based security testing platform; administrators can use it to scan networks, simulate man-in-the-middle attacks, and assess the overall vulnerability posture. The tool also has a free version. Zimperium also offers a version for iOS.
Whether using customized tools or ready-made methods, enterprises need to evaluate which tools and techniques suit them in the mobile penetration testing process. Mobile hardening is an important issue, but monitoring cannot be ignored.
Finding a complementary mechanism that detects abnormal activity is the key to successful defense in a highly complex environment. No single scan can be relied on, so it is critical to combine multiple measures and act on their results promptly.
By applying the best feasible principles and methods from the information security field and aligning mobile penetration testing with them, enterprises can obtain reliable and actionable information.