Todo
%% https://github.com/ashishb/android-security-awesome
%% OWTF: https://www.owasp.org/index.php/OWASP_OWTF
%% Secure Messaging:
%% https://briarproject.org/
%% https://briarproject.org/manual/
%% https://twitter.com/BriarApp
%% Learn react native, functional programming, web assembly
Some resources to start with:
https://bluebox.com/business/bluebox-and-nist-addressing-mobile-threats/
https://media.blackhat.com/bh-us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
%% Memory extractor http://www.kitploit.com/2015/11/lime-linux-memory-extractor.html
%% https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
%% https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
%% I will probably use NetHunter to get up and running quickly on a mobile device.
%% JavaScript coding on Android: https://www.npmjs.com/package/androidify
Todo
%% https://labs.mwrinfosecurity.com/tools/drozer/
%% https://www.google.co.nz/search?q=genymotion
%% https://inteltechniques.com/wp/2017/03/24/installing-android-apps-in-chrome-browser/
Take results from higher level Asset Identification. Remove any that are not applicable. Add any newly discovered. Here are some to get you started:
- Taking the confidential business and client information from the "Starting with the 30,000' view" chapter, we have another set of attack vectors that threaten the information carried around on laptops and mobile devices such as smart-phones, tablets and other devices, which can and do of course get taken away from an organisation's premises. Many forms of confidential information may reside on or be accessible via these transient devices. Everything that could reside on your internal network could also reside on or be accessible from these transient devices.
- Email on any number of devices
- Data-stores: These could reside on a laptop being transported by a developer, sales person, executive, whoever really.
- Documents: Any number of these could reside on many types of transient device.
- VPNs, SSH tunnels terminating on a transient device, or even logged-in web applications. It is very common for the owners of mobile devices to keep their applications logged in for convenience's sake. This makes mobile devices a very attractive asset, even if only for use as a stepping stone.
- User credentials. These could be stored in many forms: in documents, in memory, or in credential data stores.
- Identity information such as: Email addresses, physical addresses, phone numbers
- Credit card numbers and similar
- Reputation is again a biggie.
Kali Linux NetHunter can be very useful for identifying risks in the mobile landscape. zANTI can also be very useful.
Verint (a USA company) sells a cell phone tracking system called SkyLock with a subtitle of "Locate. Track. Manipulate" to both corporations and governments worldwide. SkyLock not only finds people but also tracks them over time periods.
The UK company Cobham sells a system that allows someone to send a "blind" call to a phone. A blind call does not ring and is not detectable by casual visual inspection of the phone. "The blind call forces the phone to transmit on a certain frequency, allowing the sender to track that phone to within one meter".
Then there is Infiltrator from Defentek, a real-time global tracking system that enables the end-user to monitor the targeted individual(s) activities and collect geo-location data to profile the subject(s) pattern of life and habits. This allows one to derive a plan of action or a motion for a warrant for further surveillance, investigation, apprehension, or decommissioning. Infiltrator claims to be able to locate and track any phone number in the world, with abilities such as being able to infiltrate, and remain undetected by, the network, carrier or the target.
Many of the applications installed on our phones are collecting your personal information such as location, sex and your phone's unique identification number (UID). Applications such as Angry Birds, the flash-light app, and even apps that deliver bible quotes do this.
Tobias Engel discussed in his presentation at the 25th Chaos Communication Congress how to locate mobile phones using SS7. His slide deck is here. Recording of the presentation here. There are various open implementations that use the same technique, such as Nicholas Skinner's PHP application.
There are many offerings available to allow people to spy on other individuals' activities and location via their mobile phones. Even though the CEO and maker of StealthGenie, which was a mobile app used for spying, was indicted and arrested for selling it in the USA, there are many other options for doing the same, like HelloSpy, Highster, MySpy and FlexiSPY.
The USA National Security Agency (NSA) and its UK counterpart, Government Communications Headquarters (GCHQ), use location data to track people.
Todo
Useful OWASP projects:
%% Email received from Johanna Curiel from OWASP
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
http://project-imas.github.io/
https://www.owasp.org/index.php/OWASP_SeraphimDroid_Project
Todo
Todo