Abstract

Mobile application hacking and its security is becoming a major concern in today’s world - especially with BYOD and user’s jailbreaking/rooting their devices. In the last few years we have seen a range of new attack vectors and methods of exploitation for these devices. Mobile applications are vulnerable to various sets of different attacks like local storage, user data harvesting, activity spying, unauthorized event injection, UI Jacking, Tab Jacking, Traffic redirection, Logical attacks, hard coded keys and a few other. It is imperative to scan these applications before loading and launching.

Currently scanning and vulnerability detection are two major issues for mobile applications. Attacking techniques and exploit delivery on different platforms are evolving, protection is even tougher as code bases are different. Amongst the mobile attacks, local storage being the key target for attacks which affect the security and privacy of the user. What we really need right now is a automated program to penetrate local storage of the most widely used mobile platforms (Android and iOS). Interestingly, Android SDK provides an API which can be used to monitor file systems. On the iOS, one needs to jailbreak a device to attack local storage. Along with the presentation, free tools (Separate for android and iOS) will be released. The Android tool uses API to monitor the Android file system where the iOS tool relies on OS features. Methodology to perform the application penetration testing using the tools will be demonstrated along with several different demonstrations on attacking local storage for both platforms. The presentation will conclude with a list of interesting spots on Android and iOS for penetration testers to exploit local storage.