HOW TO PENTEST MOBILE APPS? – PENTEST REGULAR 04/2013 TEASER

SMARTPHONE PENTESTING

Smartphone a Win-Win Product for Both Consumers and Sellers
By Rajiv Ranjan
In a world where technology can be used for multiple exchanges, the use of mobile phones is no longer limited to simple voice communication functions. Mobiles are now providing access to a growing number of services due to Smartphone.

Pentesting of Android & iOS Apps
By Francisco Caballero & Francisco Gonzalez
Today, due to the strong and increasing popularity of mobile devices, the demand and market for compatible applications has grown tremendously. With this growth there has been an elevated risk for vulnerabilities. This article focuses on the analysis of applications for Android and iOS.

Mobile Devices Pentesting
By Bruno Rodrigues
The amount of time spent by pentesters all over the world in trying to gain privileged access to networks and data can sometimes be a time consuming task with few results. You might wonder why this is relevant. Let’s establish some basic considerations. pentesting (or even hacking) is about finding an attack vector and exploiting it. It definitely is not just running any kind of auto discovery and test tool, and presenting a pre-drafted auto created report.

STRATEGIES

Do No Harm
By Jack Jones
There is no question that penetration testing, done well, can be incredibly valuable in helping executives make well-informed decisions to better manage their company’s risk landscape. A pentest, however, can be worse than useless if it results in wasted resources and unnecessary business impact. The difference often hinges on the critical thinking you apply when interpreting test results.

Weighing Active Scanning of Industrial Control Systems
By Ernest Hayden
Vulnerability scans are a key practice typically used on information technology networks. These scans – normally performed using tools like NMAP or NESSUS – are invaluable for identifying open ports, open services and other vulnerabilities in the network. But what about Industrial Control Systems?

Upgrade Your SCADA System Gradually – Without Throwing Away Your Current Investment
By Andrew Erickson
A legacy SCADA system is not generally an emergency. If it is functioning normally, you will maintain situational awareness and remote control capability. Still, you need to gradually move away from legacy technology that could become a problem at any moment.

TECHNIQUES & TRICKS

Hunting Malware with System Monitors
By Adam Kujawa
System monitoring is one of the staples of malware analysis, as well as application testing and penetration testing. All applications, regardless of their purpose, perform their operations behind the scenes and hidden from the user’s notice, so the best way to understand what is happening on a system is through the use of tools like those mentioned in this article.

AV Evasion 101 for Pentesters
By John Woods
On a pen-test you will most likely encounter Anti-Virus software on almost every Windows endpoint and server you find. At the moment AV software is easily evaded using a large number of techniques and tools. Any legitimate targeted attack today will evade AV, and that is what your pentest should be mimicking.

Shoulder Surfing 2.0
By Federico Pacheco
Old techniques can be powered by technology. We often tend to forget old techniques due to their obsolescence, but if we see new attacks, we can see that most of them are based on the same principles and basic rules, and researchers use to apply the same way of thinking as they did decades ago. If we rethink some old stuff by looking it through new technologies glasses, we will find many applications and discoveries. One of the main differences between the past technology and the present one, are the multimedia capabilities of small gadgets and devices, and here is an example how to approach old problems.

PLUS

Titania’s Paws Studio Review
By Jim Halfpenny
Whether you see compliance as a burden or an aspiration we are frequently mandated to meet a certain set of security requirements around our information assets. One important aspect is being able to demonstrate to yourself and to others that your systems meet the criteria set by your compliance regime. How do you ensure that your systems are compliant with your policies or those mandated by compliance standards? A program of auditing your systems will help you understand the state of your estate.