
WHAT IS A GOOD FUZZING TOOL?

Fuzz testing is the most efficient method for discovering both known and unknown vulnerabilities in software. It is based on sending anomalous (invalid or unexpected) data to the test target, the same method that is used by hackers and security researchers when they look for weaknesses to exploit. There are no false positives: if the anomalous data causes an abnormal reaction such as a crash in the target software, then you have found a critical security flaw. In this article, we will highlight the most important requirements for a fuzzing tool and also look at the most common mistakes people make with fuzzing.

PROPERTIES OF A GOOD FUZZING TOOL

There is an abundance of fuzzing tools available. How do you distinguish a good fuzzer, and what qualities should a fuzzing tool have?

Model-based test suites: Random fuzzing will certainly give you some results, but to really target the areas that are most at risk, the test cases need to be based on actual protocol models. This results in a huge improvement in test coverage and a reduction in test execution time.

Easy to use: Most fuzzers are built for security experts, but in QA you cannot expect that all testers understand what buffer overflows are. A fuzzing tool must come with all the security know-how built in, so that testers only need the domain expertise of the target system to execute tests.

Automated: Creating fuzz test cases manually is a time-consuming and difficult task. A good fuzzer will create test cases automatically. Automation is also critical when integrating fuzzing into regression testing and bug reporting frameworks.

Test coverage: Better test coverage means more discovered vulnerabilities. Fuzzer coverage must be measurable in two aspects: specification coverage and anomaly coverage.

Scalable: Time is almost always an issue when it comes to testing. The user must also have control over the fuzzing parameters such as test coverage. In QA you rarely have much time for testing, and therefore need to run tests fast. Sometimes you can use more time in testing, and can select other test completion criteria.

Documented test cases: When a bug is found, it needs to be documented for your internal developers or for vulnerability management towards third-party developers. When there are billions of test cases, automated documentation is the only possible solution.

Remediation: All found issues must be reproduced in order to fix them. Network recording (PCAP) and automated reproduction packages help you deliver the exact test setup to the developers so that they can start developing a fix for the found issues.

MOST COMMON MISTAKES IN FUZZING

Not maintaining proprietary test scripts: Proprietary test scripts are not rewritten even though the communication interfaces change or the fuzzing platform becomes outdated and unsupported.

Ticking off the fuzzing check-box: If the requirement for testers is to do fuzzing, they almost always choose the quick and dirty solution. This is almost always random fuzzing. Test requirements should focus on coverage metrics to ensure that testing aims to find most flaws in the software.

Using hardware test beds: Appliance-based fuzzing tools become outdated really fast, and the speed requirements for the hardware increase each year. Software-based fuzzers are scalable in performance, can easily travel with you to where testing is needed, and are not locked to a physical test lab.

Unprepared for cloud: A fixed location for fuzz testing makes it hard for people to collaborate and scale the tests. Be prepared for virtual setups, where you can easily copy the setup to your colleagues or upload it to cloud setups.
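A toy illustration of the fuzzer properties discussed above (test cases derived from a protocol model rather than random bytes, coverage measured as specification coverage and anomaly coverage, and every case documented so a finding is reproducible), added here as an example; it is not code from the article or from any fuzzing product, and the protocol model, the anomaly classes and the deliberately buggy parse() target are all constructed for the demonstration.

```python
"""Toy model-based fuzzer: model-derived test cases, two coverage metrics,
and reproducible documentation of every finding. Constructed example only."""
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed protocol model: version(u8)=1, length(u16 BE), payload, checksum(u8).
MODEL = {"version": 1, "payload": b"hello"}
FIELDS = ("version", "length", "payload")          # specification elements to cover
ANOMALIES = {                                      # anomaly classes applied to a valid value
    "zero": lambda v: 0 if isinstance(v, int) else b"",
    "max": lambda v: 0xFFFF if isinstance(v, int) else b"A" * 0xFFFF,
    "plus_one": lambda v: v + 1 if isinstance(v, int) else v + b"\x00",
}

def encode(version: int, payload: bytes, length: Optional[int] = None) -> bytes:
    """Valid encoding; an explicit length overrides the derived one (for length anomalies)."""
    length = len(payload) if length is None else length
    body = struct.pack("!BH", version & 0xFF, length & 0xFFFF) + payload
    return body + bytes([sum(body) & 0xFF])

def parse(data: bytes) -> bytes:
    """Constructed target with a bug: it trusts the length field when locating the checksum."""
    version, length = struct.unpack("!BH", data[:3])
    if version != 1:
        raise ValueError("unsupported version")                 # clean rejection
    payload = data[3:3 + length]
    if data[3 + length] != sum(data[:3 + length]) & 0xFF:     # IndexError when length lies
        raise ValueError("bad checksum")                        # clean rejection
    return payload

@dataclass
class TestCase:
    case_id: str        # "<field>/<anomaly>": stable name that doubles as the reproduction key
    field: str
    anomaly: str
    data: bytes

def generate() -> list:
    """One test case per (field, anomaly) pair, derived from the model."""
    cases = []
    for f in FIELDS:
        for name, mutate in ANOMALIES.items():
            v, p, ln = MODEL["version"], MODEL["payload"], None
            if f == "version":
                v = mutate(v)
            elif f == "length":
                ln = mutate(len(p))
            else:
                p = mutate(p)        # length stays consistent, so only the payload is anomalous
            cases.append(TestCase(f"{f}/{name}", f, name, encode(v, p, ln)))
    return cases

def run(cases: list) -> dict:
    """Execute the cases, classify results, and report coverage plus reproducible findings."""
    findings, fields_hit, anomalies_hit = [], set(), set()
    for c in cases:
        fields_hit.add(c.field)
        anomalies_hit.add(c.anomaly)
        try:
            parse(c.data)
        except ValueError:
            continue                          # rejected cleanly: not a finding
        except Exception as exc:              # any other exception counts as a crash
            findings.append({"case_id": c.case_id, "error": type(exc).__name__,
                             "repro_hex": c.data[:32].hex()})  # bytes to replay the case
    return {"spec_coverage": len(fields_hit) / len(FIELDS),
            "anomaly_coverage": len(anomalies_hit) / len(ANOMALIES),
            "findings": findings}
```

Running run(generate()) reports full specification and anomaly coverage and two findings, both length-field anomalies that make the parser index past the end of the message; the hex in each finding is enough to replay the case against a fixed build.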


4 01/2011
team
Editor in Chief: Grzegorz Tabaka
grzegorz.tabaka@hakin9.org
Managing: Angelika Gucwa
angelika.gucwa@hakin9.org
Senior Consultant/Publisher: Paweł Marciniak
Marketing Director: Angelika Gucwa
angelika.gucwa@hakin9.org
Production Director: Andrzej Kuca
andrzej.kuca@hakin9.org
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@hakin9.org
Proofreaders: Michael Munt, Nick Baronian, Bob Folden,
Aby Rao, Rebecca Wynn
Top Betatesters: Keith Applegarth, Nick Baronian, David Bohm,
Rodrigo Branco, Ivan Burke, Shayne Cardwell, Sieng Chye,
Julián Estévez, Shane Hartman, José Herrera, Abhishek Kar,
Flemming Laugaard, Lou Lombardy, Michael Munt, Aby Rao,
Francisco Rodríguez, Osvaldo Salazar, Jeffrey Smith, Eric Stalter,
John Webb, Rebecca Wynn
Special Thanks to the Beta testers and Proofreaders who helped
us with this issue. Without their assistance there would not be a
Hakin9 Exploiting Software magazine.
Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en
Whilst every effort has been made to ensure the high quality of
the magazine, the editors make no warranty, express or implied,
concerning the results of content usage.
All trade marks presented in the magazine were used only for
informative purposes.
All rights to trade marks presented in the magazine are
reserved by the companies which own them.
To create graphs and diagrams we used program
by

Mathematical formulas created by Design Science MathType
DISCLAIMER!
The techniques described in our articles may only
be used in private, local networks. The editors
hold no responsibility for misuse of the presented
techniques or consequent data loss.
Dear Readers,
We are giving into your hands the first issue devoted to Mobile Security. Nowadays, computer and mobile security are very important. Therefore, we have decided to dedicate the entire magazine of Hakin9 to it.
Our mobile phones often replace our computers. We use them to store a lot of private and important data and information. Unfortunately, very often we forget about securing our phones as carefully as we secure our computers, and that is why our information is very easy to steal for hackers and malicious software.
In our issue you can read many interesting articles which help to protect your mobile phones and show how many surprises Android hides.
In the first issue of Hakin9 Mobile Security you can read an article written by Carla Hough. She explores how destructive the development of malicious individuals, cyber criminals, organized crime, and rogue nations has been.
The next articles concern some of the most dangerous viruses and malware. In the article written by Dhawal Desai the users of Android phones will learn about the Geinimi Trojan. From the article written by Prashant Verma they will broaden their knowledge about the ZITMO virus.
Oliver Karow describes the security mechanisms available on iOS with their strengths and weaknesses and shows how a company can adopt the mechanisms to keep up with the latest security threats targeting mobile devices.
Mike Haworth explains what the PhoneGap framework is and how it works.
Joey Peloquin provides a high-level view of some of the most prevalent threats to the Android platform. He writes about the security-related changes that come to Android 4.0 and additional security controls.
Enjoy the reading!
Angelika Gucwa
and Hakin9 Team



CONTENTS

ANDROID
06 Android Insecurities
by Joey Peloquin
The article will begin with a focus on what the author calls Offensive Mobile Forensics, an analysis technique that mimics the approach an attacker would take in the event they acquired a lost or stolen device. Readers will notice some stark differences between iOS and Android analysis. Next, the author will discuss exploits on the Android system. Lastly, the article will wrap up with a discussion regarding mobile malware, which is far more pertinent due to the ongoing mobile malware epidemic facing Android mobile devices.

IOS
14 Phun with PhoneGap
by Mike Haworth
PhoneGap (now Apache Callback) allows web developers to use their current skills to build mobile apps, instead of having to learn Java for Android or Objective C for iPhone. The advantage to developers is they now have a means of bundling web apps and selling them in the AppStore or Android market. PhoneGap achieves this by providing a framework on which a mobile application can be built from HTML and JavaScript.

18 Apple iOS security in the enterprise
by Oliver Karow
This article will describe the security mechanisms available on iOS with their strengths and weaknesses, and show how a company can adopt these mechanisms to keep up with the latest security threats targeting mobile devices.

MOBILE HACK
28 The Hacker: A once innocent identity is now an identity in crisis
by Carla Hough
I touch on the early generations of computer scientists, engineers and software developers, who were and are a rich and diverse culture. This paper explores how this identity has been eroded by malicious individuals, cyber criminals, organized crime, and rogue nations.

MOBILE VIRUSES AND MALWARES
34 Android security ZITMO malware
by Prashant Verma
We have computers and we also have viruses, worms and malware. We have smartphones and we have malware there too. Oh yes! You read it right. The shift of the hacker community's attention towards smartphones has been alarming. They are increasingly being attracted towards the mobile platforms and the transactions happening through the mobile platforms. Today phones are not just phones; they are mini computers in your hand. Your smartphone could do pretty much anything a computer can do.

42 Android Trojan Geinimi
by Dhawal Desai
This malware has been identified as another variant of the most popular Geinimi, which targeted a significant number of Android phone users. The Trojan was originally used as a package named com.geinimi, but over the period of time the variants took a more advanced obfuscated form.
ANDROID

Android Insecurities
by Joey Peloquin

There's been a lot going on in the world of mobile security since last month's article on iOS Insecurities (Hakin9, Nov. 2011). In fact, the community saw arguably the most devastating vulnerability discovered to date for iOS, care of the amazing Charlie Miller.

What you will learn
How to root an Android device to get to the underlying file-system
How to locate data leakage on Android devices
Where Android security is today

What you should know
Moderate to Advanced Linux knowledge
Experience using an Android device
That you will void your warranty by violating your OEM agreement

Charlie single-handedly brought Apple's security model for iOS to its knees by submitting a legitimate application to the AppStore which he was able to control by flipping a bit in the server-side code that lives outside of Apple's control. In addition to this news, two separate threat reports were published for Q3, one from Juniper and one from McAfee. The threat report from Juniper uses the sensationalist statistic of a 472% increase in mobile malware, which is obviously designed to get attention but is misleading, so the otherwise accurate undertones of the report fail to materialize. The threat report from McAfee provides a more realistic view of the current state of mobile security, but is obviously also written with the end goal of selling software, so your mileage may vary (YMMV).
Representing the opposite side of the spectrum from the most recent threat reports is Chris DiBona, Google's open-source programs manager. Chris calls peddlers of antivirus software for mobile devices charlatans and scammers. If Chris' Google+ update had come out early this year, the author likely would have jumped on the bandwagon, but as of the end of Q2 the number of legitimate trojanized applications in the Android Market had increased from around 80 in Q1 to over 400 at the end of Q2. If you add to this the fact that third-party Markets, especially those in China, are veritable cesspools, you have to wonder if Chris is even remotely in touch with the current state of mobile security. Even Google's own Android Market is out of control enough that the author is of the opinion that enterprises should not even consider Android devices for their BYOD or corporate-owned enterprise mobility programs without providing AntiMalware (yes, Chris, trojans and worms affect Android, not viruses) to protect them.
Finally, there are a great deal of changes in store for the next version of the Android operating system, code-named Ice Cream Sandwich. There are obviously a ton of interface and usability improvements, but along with new features come inevitable opportunities for identifying new security concerns and flaws. What follows are some of the highlights the author is keeping an eye on.

General Security Concerns
Android Beam: Near Field Communications device-to-device sharing; everyone in the security community agrees it's only a matter of time before we find some severe flaws with NFC. What about transport security? Can we MiTM the connection and eavesdrop?
Face Unlock: can this be fooled? With photos? What about 3D-modeled photos? It didn't work with Windows Mobile, but time will tell.
IOS

Phun with PhoneGap
by Mike Haworth

PhoneGap (now Apache Callback) allows web developers to use their current skills to build mobile apps, instead of having to learn Java for Android or Objective C for iPhone.

What you will learn
How the PhoneGap framework works
Same Origin Policy Bypass

What you should know
Cross Site Scripting
Same Origin Policy

The advantage to developers is they now have a means of bundling web apps and selling them in the AppStore or Android market. PhoneGap achieves this by providing a framework on which a mobile application can be built from HTML and JavaScript. The framework provides an API that allows access to native functionality via JavaScript. However, this API provides a much richer set of options to an attacker who can inject JavaScript into a PhoneGap application. The JavaScript API provides everything you'd expect from a mobile app: access to the microphone, camera, GPS, and file reading and writing.
So what about getting XSS? Often PhoneGap apps are alternatives to a web interface, so they communicate over HTTP to a webserver, and XSS issues are extremely common in web applications. Also, mobile applications are likely to be used on public WiFi, so any HTTP communications to the server over a public WiFi could potentially be MiTM'd by an attacker and altered to insert attacker-supplied JavaScript.
The upshot of all this is an attacker can use an XSS on an app built using PhoneGap to eavesdrop using the microphone, geolocate a user and even give

Figure 1. Diagram-ios
Figure 2. Diagram-android
IOS

Apple iOS Security in the Enterprise
by Oliver Karow

Whether supplied by the company or owned by employees, smartphones and tablet PCs are making their way into enterprise mobility. One of the important vendors to consider when talking about mobile devices is Apple, with its iOS based iPhone and iPad platforms.

What you will learn
Details of the iOS security model
Overview of today's mobile security threats
About Mobile Device Management
Common business models of malware developers
Information about the latest attacks against iPhones

What you should know
Basic knowledge about Apple's iPhone and iPad
Basic knowledge about encryption and the usage of certificates
Familiarity with IT security terms

Their early versions were mainly designed for private usage, and were therefore missing fundamental security mechanisms which are required for use within enterprises. Understanding these requirements, Apple did some homework and added a lot of functionality, helping companies to use Apple devices in a secure way. This article will describe the security mechanisms available on iOS with their strengths and weaknesses, and show how a company can adopt these mechanisms to keep up with the latest security threats targeting mobile devices.

Enterprise Requirements
Following the trend of mobility, companies have to think about a solid mobile strategy, including security as well as device management. Companies usually spend a lot of resources to protect their valuable assets. On one hand, they want to avoid putting those at risk by introducing a new technology like smartphones and tablet PCs, and on the other hand, they want to enable their mobile users. In order to keep or even improve their level of security, a mobile device platform has to meet the company's security requirements and should be compliant with its security standards. If a company has to ensure that its mobile devices are secure and compliant over time, it needs a way to manage hundreds or even thousands of them in a uniform way. This is where Mobile Device Management (MDM) comes into play. While having the capability to manage a large number of devices from a centralized management platform seems to be mainly a cost consideration, a solid MDM solution is key to mobile device security.

The iOS Security Model
In comparison to other mobile device platforms like Android or Windows Mobile, Apple designed their operating system to provide security without the need for (or in many cases even the possibility to use) 3rd party security products like antivirus or encryption software. In order to realize this approach, the underlying security model is based on the four pillars Device Security, Data Security, Network Security and App Security, which are intended to protect against all known mobile security threats. In the following I will describe the basic concepts behind each pillar. Throughout this document I will use the term iPhone for both iPhone and iPad, because both device types are built upon the iOS operating system, where the security mechanisms are implemented.

Device Security
When talking about device security, the first line of defense against unauthorized access to an iPhone is
MOBILE HACK

The Hacker: A Once Innocent Identity is Now An Identity in Crisis
by Carla Hough

Every day another hacking incident is reported by news organizations, international law enforcement authorities, or governments. The mere reference to computer hacking conjures up a negative connotation, and anyone publicly admitting they are a hacker raises suspicions in the minds of those who hear them.

What you will learn
Should All Hackers be Feared?

What you should know
Basic knowledge of hacking/hackers

There has been a shift in what defines a hacker and a hacker community. There are competing interests, motivations, and competing rogue countries. In its earlier (1960s) history, computer hackers were deemed cerebral enthusiasts who preferred computer science and enjoyed a collegial bond with other like-minded computer professionals. Today, are all computer hackers criminals and are all criminals hackers? Absolutely not; however, over the last several decades, the computer hacker meant something quite different. In its earliest form, hacking meant anyone who had a keen interest in tinkering, whether it be taking apart a radio to see how it functioned, which I did as a child, to someone who is interested in Citizen Band (CB) radios, which I also liked to do. My call sign (the term used among CB radio enthusiasts) was Hacker. I'm not sure, but I believe that those who, with other like-minded friends, disassemble a car engine and rebuild it to see how it functions can also be called hackers or tinkerers.

Generations Of Hackers
We can examine the generational stages of the computer industry to (Voiskounsky & Smyslova, 2003). For instance, the first generation (Figure 1) of hackers was the 1960s: the computer engineers, coders

Figure 1. Positive Attributions and Contributions
Figure 2. 1980s - Present
MOBILE VIRUSES AND MALWARES

Android Security ZITMO Malware
by Prashant Verma

The game of cat and mouse has been going on between the White Hats (security guys) and the Black Hats (hackers) ever since the evolution of the technology. We have computers and we also have viruses, worms and malware. We have smartphones and we have malware there too. Oh yes! You read it right.

What you will learn
How banking malware works in Android
Insights into the ZITMO malware code
Securing Android

What you should know
Security overview
Android OS knowledge

The shift of the hacker community's attention towards smartphones has been alarming. They are increasingly being attracted towards the mobile platforms and the transactions happening through the mobile platforms. Today phones are not just phones; they are mini computers in your hand. Your smartphone could do pretty much anything a computer can do.
We have a personal assistant with us (Ref: Siri). Thanks to Apple! We could just speak up what we need, and Siri would be ready to assist you.
The primary reasons for a hacker to be attracted towards mobile are:
People doing banking from mobiles
People shopping online using mobiles
People storing sensitive data in mobiles
People using social networking through mobiles
Where there is a will, there is a way! Where there is money (or motive), there is a hacker attempting to obtain (or achieve) it!
Stay tuned with this article to see how banking is done using mobiles, how malware like ZITMO targets it, and how you could stay protected.
Before entering into the main agenda, i.e. the ZITMO malware, let us build some base. For now, just note that the ZITMO malware was designed to capture the SMS coming to your mobile and forward it to the bad guys (obviously someone stealing your message cannot be a good guy).

SMS as a threat?
Is SMS a threat? No. But what if the SMS can be stolen? It may become a source of threats for users. Your SMS could look like any of these:
Here is the password to login to your bank!
Here is your second factor authentication token for the bank!
Here is your account balance!
SMS from your girlfriend says: Let's catch up downtown. Imagine your wife reads it.
Hey, I just overheard one of our Board Members telling his plans to sell his shares.
The hero in my movie was earlier a porn star, whom I selected based on his movie I watched.
Oh My God! I just realized my stolen SMS could have this much impact.
But I take care of these. I keep a strong password for my phone. Moreover, I keep the data protected by file encryption. Thank God! I am safe.
Not really, ZITMO can still steal it.
MOBILE VIRUSES AND MALWARES

Android Trojan Geinimi
by Dhawal Desai

This malware has been identified as another variant of the most popular Geinimi, which targeted a significant number of Android phone users. The Trojan was originally used as a package named com.geinimi, but over the period of time the variants took a more advanced obfuscated form.

What you will learn
More about mobile malware
How to analyze mobile malware

What you should know
Basics about Android platforms
Network Traffic Analysis
HTTP Traffic
Java Code Analysis
Understanding of Dalvik Bytecodes

The Trojan works as a bot and communicates with the Command & Control (C&C) servers embedded within the Trojan. Just as in some of the Trojans seen over the Internet, the C&C servers are hardcoded within. However, the list of servers is not easily identifiable, as it is obfuscated using DES. The Trojan also has the DES key hardcoded within, which helped us decrypt the information.
However, on further investigation it was observed that the C&C servers are inactive, which reduces the threat level of this Trojan to a great extent.
Based on the information available from Kindsight Security Labs (http://www.kindsight.net/en/blog/2011/10/25/new-versions-of-geinimi-on-loose) there have been numerous applications injected with Geinimi.

Figure 1. Baseball Superstars 2010 Installed
Figure 2. Application works perfectly fine