Mobile Device Penetration Testing

With Core Impact Pro's Mobile Device Penetration Testing capabilities, you can demonstrate the exploitability of iPhone®, Android™ and BlackBerry® smartphones using the same attack techniques employed by criminals today.

Conducting mobile penetration tests with Core Impact Pro enables you to ...

  • Identify and prove critical data breach exposures created by mobile devices in your environment
  • Evaluate the security of new mobile technologies prior to deployment
  • Get actionable data required to mitigate financial, operational & reputational risks
  • Assess end-user security awareness of social engineering techniques
  • Protect end users from defamation, fraud and blackmail
  • Audit and report on mobile device security to executive management and other stakeholders
Assess Mobile Device Security Before Attackers Do

Core Impact’s Mobile Penetration Testing capabilities assess end users and their devices through the following real-world attack techniques:

  • Phishing
    Send emails and text messages that test whether your organization's employees would fall prey to phishing and spear-phishing attacks by clicking through to malicious sites and/or installing malicious mobile apps.
  • Web form impersonation
    Assess data leakage threats by conducting phishing tests seeded with links to web forms designed to capture and record user-entered data, such as usernames and passwords.
  • Fake wireless access points
    Impersonate valid wireless access points in an attempt to trick users into connecting their devices to them.
  • Wireless man-in-the-middle (MITM) attacks
    Identify and monitor wireless networks that use either no encryption or WEP, and observe any connected devices.
The Core Impact Mobile Device Testing Process

Core Impact’s mobile device penetration test capabilities speed the testing process, automate mundane tasks, and provide a repeatable assessment methodology for measuring mobile device security over time.
Attack and Penetration: Exploit Devices Using Real-World Techniques

One of the most effective ways for an attacker to take control of a mobile device is to get the user, or the device itself, to install a malicious application. During phishing tests, you trick the user into clicking a link that triggers the attack. For Wi-Fi tests, Impact delivers attacks in response to the device's own requests (fake AP attacks) or injects them into existing traffic (MITM attacks).

Attack delivery
  • Email phishing attacks are launched directly from Impact
  • SMS text phishing attacks are launched from Impact via an email-to-SMS gateway service
  • Wi-Fi attacks are delivered via Impact's integration with the AirPcap® TX Wireless Packet Capture Adapter from Riverbed Technology and, for fake AP attacks, the WiFi Pineapple Mark V (hardware sold separately)

Device penetration

Impact's mobile attacks are packaged as applications that attempt to run locally on the mobile device. Some attacks also leverage known vulnerabilities in the device's operating system or built-in components to get that application running. All Impact attack capabilities are developed and tested in-house, are designed to preserve the stability and integrity of the target, and are updated as new vulnerabilities emerge and attackers hone their techniques.

Android Agent and Post Exploitation Modules

Core Impact Pro includes a Java-based Android Agent that communicates back to Impact over HTTP. The agent can be used standalone for phishing attacks, packaged as an Android application, or as the communication channel for the post-exploitation component when a mobile vulnerability is exploited. Building on the Wi-Fi fake access point functionality, Impact includes an attack for the Android WebView addJavascriptInterface() vulnerability: the traffic of devices joined to the fake AP is modified in real time, and an Android Agent is installed on the devices that turn out to be vulnerable. The Android Agent currently supports the following capabilities:

  • Shell access
  • Read/send SMS
  • Make a phone call
  • Contacts CRUD (create, read, update, delete)
  • Call log information
  • Geolocation and phone number information
  • Upload/download files
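To show what the WebView attack above relies on, here is an added example that is not Core Impact's code and does not come from this page: a hypothetical Android app exposing a Java object to page JavaScript the vulnerable way, beside a hardened form. The package, class and URL names are invented for the example; the Android API calls are the real ones.

```java
// Added example, not Core Impact code: a hypothetical Android app that exposes a
// Java object to page JavaScript the way the addJavascriptInterface() attack
// needs, beside a hardened form. Package, class and URL names are invented.
package com.example.bridgedemo;

import android.annotation.SuppressLint;
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class BridgeDemoActivity extends Activity {

    /** The object the app means to expose to its own web content. */
    public static class DeviceBridge {
        private final String deviceLabel;

        public DeviceBridge(String deviceLabel) {
            this.deviceLabel = deviceLabel;
        }

        // The only method intended for JavaScript. The annotation is enforced
        // only on Android 4.2+ (API 17) AND when targetSdkVersion >= 17.
        @JavascriptInterface
        public String getDeviceLabel() {
            return deviceLabel;
        }
    }

    /**
     * VULNERABLE. On a device running Android < 4.2, or on any device when the
     * manifest's targetSdkVersion is below 17, every public method of the bridge
     * object, including those inherited from java.lang.Object, is callable from
     * page script. A page injected into plaintext HTTP traffic by a fake AP or
     * MITM can walk from getClass() to Runtime.exec() and run commands with the
     * app's UID (the WebView reflection issue tracked as CVE-2012-6636):
     *
     *   bridge.getClass().forName("java.lang.Runtime")
     *         .getMethod("getRuntime", null).invoke(null, null)
     *         .exec(["/system/bin/sh", "-c", "id"]);
     *
     * Loading the page over http:// is what gives the attacker the injection point.
     */
    static void attachBridgeUnsafely(WebView webView, DeviceBridge bridge) {
        webView.addJavascriptInterface(bridge, "bridge");
        webView.loadUrl("http://intranet.example/portal");
    }

    /**
     * HARDENED. Expose the bridge only where the annotation is enforced, strip the
     * bridges older WebViews register on their own, and load only over TLS so a
     * fake AP cannot rewrite the page in transit. Also requires
     * android:targetSdkVersion="17" or higher in the manifest.
     */
    static void attachBridgeSafely(WebView webView, DeviceBridge bridge) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // Pre-4.2 WebView cannot restrict the bridge to annotated methods;
            // do not expose any Java object there.
            webView.loadUrl("https://intranet.example/portal");
            return;
        }
        webView.addJavascriptInterface(bridge, "bridge");
        // Legacy interfaces some pre-4.4 WebViews add without being asked.
        webView.removeJavascriptInterface("searchBoxJavaBridge_");
        webView.removeJavascriptInterface("accessibility");
        webView.removeJavascriptInterface("accessibilityTraversal");
        webView.loadUrl("https://intranet.example/portal");
    }

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        attachBridgeSafely(webView, new DeviceBridge("demo"));
        setContentView(webView);
    }
}
```

The practitioner's check follows from the hardened form: for each WebView in an app under test, confirm that the manifest's targetSdkVersion is at least 17, that every bridged method carries @JavascriptInterface, that the content is never served over plaintext HTTP, and, if the app must still run on pre-4.2 devices, that no Java object is bridged there at all. Any app failing one of these is a candidate for exactly the fake AP traffic-modification attack described above.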
Evidence Retrieval: Demonstrate the Implications of a Mobile Device Breach

With Core Impact Pro, you can not only demonstrate how mobile devices in your environment can be compromised, but also reveal how attackers can access and manipulate device data to obtain your organization's intellectual property and potentially defraud, defame or blackmail its end users.

Extract data

Once a tested device is compromised, Impact Pro lets you extract data from it just as an attacker would, including the following data types:

  • Phone call, SMS and MMS logs
  • GPS location
  • Contact information
Reporting: Gain Actionable Data to Address Critical Exposures

Core Impact Pro generates the following reports to assist in vulnerability remediation and fulfill security assessment documentation requirements:

  • Mobile Device Reports record information on all mobile devices accessed during testing
  • Executive Reports provide a high-level overview of test findings
  • Client-Side Reports present the results of security awareness assessments
  • Vulnerability Reports detail vulnerabilities exploited and provide links to remediation information
  • Activity Reports provide audit trails of all targeted devices and conducted tests
  • Delta Reports compare the results from tests repeated over time
  • Attack Path Reports graphically depict the path followed to target and exploit specific devices
