Welcome to securityCRUSH

Welcome to the securityCRUSH blog, a place where you can find random musings as well as postings relevant to information security, penetration testing, and my latest projects - Daniel Wood.

Thursday, March 20, 2014

Starbucks revisited

Product: Starbucks iOS mobile application
Version: v3.0 (pre-release)
Vendor: Starbucks Coffee Company


The Starbucks iOS v2.6.1 mobile application was tested in November of 2013, and publicly reported on January 13, 2014 on the Full Disclosure security mailing list here.  The findings centered on the insecure storage of user data elements within a third-party API's (Crashlytics) log file, session.clslog.

In coordination with Starbucks, on January 17, 2014, the Starbucks iOS v2.6.2 mobile application, an emergency fix pushed to address the issues identified in v2.6.1, was independently tested to confirm that the updated application no longer logged sensitive user data elements to this log (or any other) file.  Results from that testing, as well as clarifications on the first round of testing, were posted to the Full Disclosure security mailing list here.

Following that independent testing, Starbucks extended an invitation to test the latest version of their mobile application (v3.0) prior to its public release.

Summary of Findings
Exhaustive testing was conducted on the Starbucks v3.0 iOS mobile application, covering the OWASP Top 10 Mobile Risks using a combination of automated and manual static and dynamic analysis methods.  No vulnerabilities were identified during the testing of the mobile application.  An exhaustive and detailed report was provided to Starbucks on March 3, 2014, prior to the public release of v3.0 of their iOS mobile application.
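The confirmation step described above (checking that a fix no longer writes sensitive user data to an SDK log file) can be scripted against a log pulled from the app container. The following is an added example, not the author's test procedure and not Starbucks or Crashlytics code; the field list, the key=value / JSON-style line format and the sample log lines are constructed assumptions.

```python
import re
from typing import List, Tuple

# Field names an assessor would treat as sensitive if they appear in a log file.
# This list is an assumption for the example; extend it for the app under test.
SENSITIVE_KEYS = {"username", "password", "email", "full_name", "address",
                  "geolocation", "session_token"}

# Matches key=value, key: value and JSON-style "key": "value" pairs on one line.
PAIR_RE = re.compile(
    r'"?(?P<key>[A-Za-z_][A-Za-z0-9_]*)"?\s*[:=]\s*"?(?P<value>[^",}\s]+)"?')


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, key, redacted_value) for every sensitive pair found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAIR_RE.finditer(line):
            key = m.group("key").lower()
            if key in SENSITIVE_KEYS:
                value = m.group("value")
                # Keep only a hint of the value so the report itself does not leak it.
                redacted = value[:2] + "*" * max(len(value) - 2, 0)
                hits.append((lineno, key, redacted))
    return hits


def log_is_clean(text: str) -> bool:
    """True when no sensitive field names appear in the log text."""
    return not scan_log(text)


# Constructed sample in the spirit of an SDK session/crash log (not the real file format).
SAMPLE_LOG = """\
2014-01-10 09:12:01 session start build=3.0
2014-01-10 09:12:02 event=login username=jane.doe@example.com password=hunter22
2014-01-10 09:12:03 {"screen": "Home", "geolocation": "47.6,-122.3"}
2014-01-10 09:12:04 event=reward_lookup card_balance_masked=****
"""

if __name__ == "__main__":
    for lineno, key, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: sensitive field '{key}' = {value}")
```

Run it over each file pulled from the app's sandbox after a fix ships; an empty result for every file is the "no longer logging" confirmation the post describes.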

Thursday, January 23, 2014

Workflow for Mobile App Testing

Since the publication of the Starbucks mobile iOS app vulnerability, I have received many questions from journalists, security researchers and others interested in understanding what occurs during a mobile app security assessment and just how much work is involved.

I am currently working on analyzing a few applications from the App Store that I will be publishing findings about due to their vulnerabilities.  Hopefully within a week's time I will have a write-up complete that uses one or more of these apps as examples.  Everyone loves pretty pictures :)


DW

Friday, February 10, 2012

iPhone as a platform for pen testing

Before I get into the nuts and bolts, please familiarize yourself with: iPhone Jailbreak Videos: A Legal Primer and a How-To (Wired) as well as U.S. Declares iPhone Jailbreaking Legal, Over Apple’s Objections.  Also bear in mind that, while related, this post is not about conducting penetration testing against iOS devices or applications on iOS.  Now that you understand what you’re getting into, let’s get to it.

In my case, I upgraded to a newer phone and found my iPhone 3GS was just wasting away in a drawer.  Having jailbroken it in the past, I figured I might as well get some use out of it and incorporate it into my tool chest.  If you’ve never performed an iPhone jailbreak this might be a little tough to fully understand at first, but thankfully it has gotten a lot easier lately.  Most jailbreaking these days can be performed with a single action, instead of jumping through hoops.

Check out the links below to get you started:
Tip: To find the iOS version your device is running, plug it into your computer, open iTunes and click your device; the current version level is shown there.

In my case, I was running iOS 4.3.5 on my iPhone 3GS.  Instead of taking time to find the right software to jailbreak that version, I upgraded my phone to the latest iOS 5 release, which the latest jailbreak software out there can handle with no problem.  Less than 5 minutes later my device had been released from Apple’s restrictions.

Once it booted back up, I launched Cydia (see above), a package manager/repository for utilities and applications. Take a look around and see what you can find, here’s a short list of what to look for:
  • OpenSSH (great for manipulating the device remotely)
  • Inetutils (ftp, inetd, ping, rlogin, telnet, tftp)
  • Network-cmds (arp, ifconfig, netstat, route, traceroute)
  • cURL / Wget
  • Stealth MAC
  • Stunnel
  • tcpdump
  • NMAP
  • MobileTerminal
  • Ispeedtouched (wifi scanner + rainbow tables for WAP)
  • iBrowser (temporary web server from your iPhone)
  • iFile (browse contents of your device, also has web server capabilities)
  • metasploit (yup, you can put it on your phone)
Here’s a little bit of eye candy after the jailbreak was completed: