Testing with a Rooted Mobile Device


© Copyright 2015 Coveros, Inc. All rights reserved.

STAREAST 2015

Max Saperstone has been working as a Software and Test Engineer for almost a decade, with a focus on Test Automation and the CI/CD process. He specializes in open source tools, including the Selenium Tool Suite, JMeter, AutoIT, Cucumber, and Chef. Max has led several test automation efforts, including developing an automated suite focusing on web-based software to operate over several applications for Kronos Federal. He also headed a project with Delta Dental, developing an automated testing structure to run Cucumber tests over multiple test interfaces and environments, while also developing a system to keep test data 'ageless.' He recently released a new testing architecture for SecureCI™ to allow testing of multiple interfaces, custom reporting, and minimal test upkeep. He is also providing support to the Cucumber community by building software to make BDD test steps buildable, accessible, and searchable across an entire testing team. He is currently engaged in CI/CD work, working to create fully automated delivery using open source tools including Jenkins, SonarQube, and Nexus.

Max Saperstone


About Coveros

• Coveros helps organizations accelerate the delivery of secure, reliable software

• Our consulting services:
  – Agile software development
  – Application security
  – Software quality assurance
  – Software process improvement

• Our key markets:
  – Financial services
  – Healthcare
  – Defense
  – Critical Infrastructure

Development Capabilities


Introduction

● Typical testing on a mobile device only exposes the GUI
● Testing on a rooted or jailbroken device exposes additional test interfaces: the file system, each app's private sandbox, its databases and its network traffic
● Some advantages:
  ○ Alter or replace system applications
  ○ Run specialized apps that require root (sniffers, injection tools)
  ○ Full customization
  ○ Access normally inaccessible data, such as an app's private storage
● Precautions:
  ○ Voids your phone's warranty
  ○ Risk of "bricking" your phone
  ○ Exposes the phone to malware: an app granted root bypasses the OS sandbox, so keep a rooted test device off production accounts and networks


Obtaining Elevated Privileges


Different Devices

● Jailbreaking (iOS)
  ○ Term for removing the software restrictions Apple places on iOS devices
  ○ Goal is to get access to apps otherwise unavailable (outside the App Store) and to the underlying file system

● Rooting (Android)
  ○ Term for gaining complete (superuser) access on Android devices, typically through an installed su binary
  ○ Goal is to overcome limitations imposed by the device vendor or carrier build


Legality

● As of July 2010, rooting and jailbreaking have been ruled legal in the U.S.: the Library of Congress exempted jailbreaking smartphones from the DMCA's anti-circumvention rules (the exemption is reviewed every three years)

● Apple and cell carriers can still take action to stop these devices from running on their networks or using their services

● We will NOT cover how to root or jailbreak devices


Manual Data Inspection

● Android Data Storage Options
  ○ Shared Preferences
    ■ Primitive data in key-value pairs, written as XML files in the app's private shared_prefs directory
  ○ Internal Storage
    ■ Private data on the device memory
    ■ Application data in a private sandbox (/data/data/<package>), readable only by the app's own Linux user or by root
    ■ Application data is deleted when the application is uninstalled
  ○ External Storage
    ■ Public data on the shared external storage (SD card or emulated storage)
    ■ No security on external media: any app holding the storage permission can read it
  ○ SQLite Database
    ■ Structured data in a private database under the app's databases directory
  ○ Network Connection
    ■ Data stored on the web

● Android apps expose data to other apps through content providers
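With root, the private sandbox can simply be copied off the device and inspected. The script below is an added example (not from the talk): it walks a pulled app directory, parses every SharedPreferences XML file, dumps every SQLite table, and flags preference keys that look like credentials. The adb commands in the docstring, the package name com.example.app, and the sample data it creates are all constructed for the demo.

```python
"""Inspect an Android app's private data after pulling it from a rooted device.

Added example, not part of the original talk. Assumes the sandbox was copied
off the device with something like (root needed to read /data/data):
    adb shell su -c "tar czf /sdcard/app.tgz /data/data/com.example.app"
    adb pull /sdcard/app.tgz . && tar xzf app.tgz
and that the extracted directory is passed to inspect_app_dir(). The package
name, file names and data built by build_sample_app_dir() are constructed.
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Preference keys whose values deserve a closer look when stored unencrypted.
SENSITIVE = re.compile(r"pass|pwd|token|secret|key|auth|session|pin", re.I)


def parse_shared_prefs(path):
    """Return {key: value} from a SharedPreferences XML file.

    <string name="k">text</string> keeps its value as element text; the other
    primitives (<boolean>, <int>, <long>, <float>) carry a value attribute.
    """
    prefs = {}
    for elem in ET.parse(path).getroot():
        name = elem.get("name")
        if name is None:
            continue
        prefs[name] = elem.text if elem.tag == "string" else elem.get("value")
    return prefs


def dump_sqlite(path):
    """Return {table: [row, ...]} for every user table in a SQLite database."""
    out = {}
    conn = sqlite3.connect(path)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for t in tables:
            out[t] = conn.execute('SELECT * FROM "%s"' % t).fetchall()
    finally:
        conn.close()
    return out


def inspect_app_dir(app_dir):
    """Walk shared_prefs/ and databases/ of a pulled sandbox; return findings keyed by file."""
    findings = {}
    prefs_dir = os.path.join(app_dir, "shared_prefs")
    if os.path.isdir(prefs_dir):
        for fn in sorted(os.listdir(prefs_dir)):
            if fn.endswith(".xml"):
                prefs = parse_shared_prefs(os.path.join(prefs_dir, fn))
                # keep only the keys that look sensitive
                findings[fn] = {k: v for k, v in prefs.items() if SENSITIVE.search(k)}
    db_dir = os.path.join(app_dir, "databases")
    if os.path.isdir(db_dir):
        for fn in sorted(os.listdir(db_dir)):
            if not fn.endswith(("-journal", "-wal", "-shm")):   # skip SQLite side files
                findings[fn] = dump_sqlite(os.path.join(db_dir, fn))
    return findings


def build_sample_app_dir(root):
    """Create a constructed look-alike of /data/data/com.example.app for the demo."""
    app = os.path.join(root, "com.example.app")
    os.makedirs(os.path.join(app, "shared_prefs"))
    os.makedirs(os.path.join(app, "databases"))
    with open(os.path.join(app, "shared_prefs", "com.example.app_preferences.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                '  <string name="username">alice</string>\n'
                '  <string name="auth_token">eyJhbGciOiJub25lIn0.demo</string>\n'
                '  <boolean name="remember_me" value="true" />\n</map>\n')
    conn = sqlite3.connect(os.path.join(app, "databases", "app.db"))
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES (1, 'alice@example.com', 'hunter2')")
    conn.commit()
    conn.close()
    return app


def demo():
    """Build the constructed sandbox in a temp dir and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_app_dir(build_sample_app_dir(tmp))


if __name__ == "__main__":
    for fn, data in demo().items():
        print(fn, data)
```

The same walk works unchanged on a sandbox pulled from an emulator, which is usually rooted out of the box.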


Tooling


zANTI2

● Network analyzer and penetration suite
● Ability to:
  ○ map your network
  ○ fingerprint host OS and services
  ○ search for vulnerabilities
  ○ crack logon procedures
  ○ perform man-in-the-middle attacks
● Recently merged in dSploit


Shark for Root

● Traffic sniffer (a tcpdump port, hence the need for root) for cellular and WiFi networks
● Lets you log network traffic to a pcap file on the device
● Ability to analyze the data on the device or off it, e.g. by pulling the capture into Wireshark
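What "analyze off your device" looks like in practice: the capture is a standard pcap, so it can be read without Wireshark. The following added example (not from the talk) builds a one-packet pcap in memory, with an Ethernet/IPv4/TCP frame carrying a cleartext HTTP login, and then parses it back the way a sniffer's output would be parsed, recovering the request line and the posted form fields. The capture file name in the docstring and all addresses and credentials are constructed.

```python
"""Parse a pcap (as written by tcpdump / Shark for Root) and pull out cleartext HTTP requests.

Added example, not part of the original talk. The capture bytes are constructed
inline so the script runs offline; on a real device you would pull the capture,
e.g. `adb pull /sdcard/shark_dump.pcap` (file name assumed), and pass its
contents to http_requests_from_pcap().
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same bytes when the file is big-endian
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def iter_packets(data):
    """Yield (timestamp, frame_bytes) for each record of an Ethernet pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a pcap file (magic %08x)" % magic)
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are handled here")
    pos = 24                                  # global header is 24 bytes
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]
        pos += incl_len


def tcp_payload(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack(">H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # header length in bytes
    total_len = struct.unpack(">H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack(">HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4             # TCP header length in bytes
    return src, dst, sport, dport, tcp[data_off:]


def http_requests_from_pcap(data):
    """Return [(src, dst, request_line, form_fields)] for every cleartext HTTP request."""
    found = []
    for _ts, frame in iter_packets(data):
        parsed = tcp_payload(frame)
        if not parsed:
            continue
        src, dst, _sport, _dport, payload = parsed
        head, _, body = payload.partition(b"\r\n\r\n")
        request_line = head.split(b"\r\n", 1)[0]
        if request_line.split(b" ")[0] not in (b"GET", b"POST", b"PUT"):
            continue
        fields = {}
        if b"application/x-www-form-urlencoded" in head:
            for pair in body.strip().split(b"&"):
                k, _, v = pair.partition(b"=")
                fields[k.decode()] = v.decode()
        found.append((src, dst, request_line.decode(), fields))
    return found


def build_sample_pcap():
    """Construct a one-packet pcap: Ethernet / IPv4 / TCP / HTTP POST with a cleartext login."""
    body = b"user=alice&password=hunter2"
    http = (b"POST /login HTTP/1.1\r\nHost: app.example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body
    # TCP: sport, dport, seq, ack, data offset 5 words + PSH|ACK, window, checksum, urgent
    tcp = struct.pack(">HHIIHHHH", 40123, 80, 1, 1, (5 << 12) | 0x18, 65535, 0, 0) + http
    # IPv4: version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])) + tcp
    frame = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack(">H", ETHERTYPE_IPV4) + ip
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 1430000000, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


if __name__ == "__main__":
    for src, dst, line, fields in http_requests_from_pcap(build_sample_pcap()):
        print("%s -> %s  %s  %s" % (src, dst, line, fields))
```

A real capture will contain many packets and the request may be split across TCP segments; Wireshark's "Follow TCP Stream" reassembles those, which this single-packet parser does not attempt.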


DroidSQLi

● Automated MySQL injection tool, run from the device against a web application's URL parameters
● Supports the injection techniques below:
  ○ Time based: infer data from response delays (e.g. SLEEP())
  ○ Blind: infer data from true/false differences in the page
  ○ Error based: leak data through database error messages
  ○ Normal: results returned directly in the page (e.g. via UNION)


Conclusion

● Above tooling and techniques are for testing from your physical device
● They can also be run or performed on emulators
● There are MANY more tools out there
● Additional tools exist to test from your desktop against your rooted device, typically over adb


Questions
