Testing mobile apps is becoming more challenging by the day. So what is the effect they are causing on pen testing? Does anybody still remember those days when a pen tester could just use rogue 802.11b access to attack any infrastructure? Now those were the days. Cracking WEP keys was all it took making it easier to protect the system as everybody knew where uninvited guests would be taking their entrance. Sure those issues are still to be checked and double-checked today but there is quite a load of new work emerging along mobile apps and wireless networks. Now, to be certain (as much as it gets) that there are no security breaches one must attack the system of the client as well as mobile devices and other wireless techs as there might be a hidden door somewhere (and many of those often are in the most unexpected places).
Where to await the newest of hackers?
PEAP (Protected Extensible Authentication Protocol) network security relies and depends on client configuration security. Thus all wireless clients are to be properly configured. I’d call that step 1. Or even step Zero. Yes, that sounds cooler. Let’s consider one of the most effective attack types. Any attacker may set up a wireless access point of his own as a rogue RADIUS server and users will be tricked into logging into this foul man’s scheme. When the login takes place the attacker simply captures the credentials and uses them to access any network. And all that because users were not correctly configured from, let’s say, a MS Windows device to validate RADIUS’s identity. Why does this approach work? Many clients will be attempting to get connected with a network called as something they’ve already been acquainted to. And a user will know nothing of the scam. There are many more examples of such attacks and all a pen tester has to be sure of is that if there’s any slightest crack a hacker will be using it as they are a really creative kind of guys.
Mobile devices – the weakest link?
Sure there are many available tools that will be making laptops (not even mentioning PC’s) extremely tough nuts to crack, yet mobile devices are left without such software as for now. Thus if you are testing something and traditional methods are not letting you in – go mobile. Tablets and smartphones are rarely configured for proper RADIUS server validation. There is a reason, as you know to why most, if not all, of the protections that are deployed to an agency network include systems preventing wireless IDN intrusions, systems that are detecting intrusions, etc. are not offering any public network and mobile device protection. All that may be advised if you are with mobile apps penetration testing you are to do your best, consider all the hacking options available and never stop studying.