Cyber Training: Introduction to Android Forensics & Security Testing

Repost from: MITRE Cybersecurity

Mobile device security still tops the list of IT security concerns. In this post, we interview Shawn Valle about his 2-day training class, Introduction to Android Forensics & Security Testing.

[Editor]: What topics do you cover in your class?

[Shawn Valle]: The class covers exploitation of the Android operating system and applications, and a step-by-step process of gathering and analyzing data. By utilizing several open source and commercial products and data acquisition technologies, students learn and experience the role of a mobile forensics first responder, including documenting chain of custody and techniques for protecting critical data during the early stages of an investigation.

The course also covers the role of a lab forensics analyst, including minimizing evidence corruption during acquisition. Some of the highlights of the course include: learning techniques to bypass passcodes via brute force or using weaknesses in the OS; how to identify common directories/files where sensitive user data resides; and how to use reverse engineering applications. By the end of the course, students should walk away with the knowledge of how to execute a mobile forensics exercise or penetration test on an Android device or application.

[Ed.]: What kind of jobs is your training relevant for?

[SV]: This course helps security engineers, forensics analysts, and Android software engineers. It is meant to teach them the details behind breaking the security model on Android operating systems and Android applications, and give them a methodical approach to gathering and analyzing found data.

[Ed.]: Why do you think it’s important that people know the information you’re teaching?

[SV]: We’ve seen too many mobile software prototypes, or worse, production applications, with little to no security engineering. This course was initially built for software engineers to recognize the need for upfront security engineering and to understand the simplicity of attacking an insecure device and insecure applications to obtain valuable data. Alternatively, this course is a valuable source of techniques, tactics, and procedures for security engineers and digital forensic analysts looking for a crash course in Android security. The more we share this type of knowledge, the better we can protect our valuable devices, data, and applications.

[Ed.]: How would you characterize the security of the Android OS?

[SV]: There is no simple answer to this question. The Android OS is open-source, with Google as the primary contributor to the project. Smartphone and tablet manufacturers obtain the Android open-source code, customize it as they see fit, and negotiate, when necessary, additional changes to the OS with cellular service providers, then build those changes in the OS into their devices.

Historically, Google has made regular functionality and security updates to the open-source OS, although device manufacturers and cellular carriers have been reluctant to adopt the changes in existing devices. Because most smartphone users sign a two-year contract, they get locked into older versions of the OS. Like any other OS, vulnerabilities will be identified and exploited over time. Due to Android’s fragmented marketplace, more than 1/3 of Android users remain on a three-year-old version of the OS, which has more than a dozen actively exploited vulnerabilities. At least the newer versions of Android are implementing additional security controls, including full-disk encryption, address space layout randomization, and mandatory access controls. Device manufacturers and cellular carriers have also improved their record of pushing security patches to existing devices. However, this continues to be a challenge.

As far as application security, developers leverage most of the vast security capabilities of the Java programming language along with additional Android specific tools. All Android applications have an integrity challenge, due to the developer’s ability to self-sign certificates, which has led to application forgery and developer identity spoofing. Also, users have the ability to install applications to their device from any source, like Google Play or others. Google provides dynamic scanning of all apps in its app market and has removed dozens of apps from its market due to critical security flaws or malicious intent. However, third party stores have proven to be less thorough in scanning apps for security flaws.

[Ed.]: How does the security of the Android compare with other mobile operating systems?

[SV]: Each mobile OS has its own security model, application security, and distribution model. Apple’s iOS, for example, maintains complete control over its closed-source OS and hardware. Apple develops all features and security, plus develops its own hardware (iPhone, iPad, iPod). Apple bypasses cellular providers when deploying updates to devices. Apple currently states that 93% of iOS users are running the latest version of the OS. The tight control over distribution allows Apple to quickly react to vulnerabilities found in its OS. Apple is the only mobile OS developer who has successfully been able to retain control over OS distribution after the device has been manufactured. Microsoft Windows Phone and BlackBerry, although distributed in differing ways, have similar OS distribution challenges to those found in the Android OS.

[Ed.]: How does this course topic relate to your work at MITRE?

[SV]: I developed this class after gaining more than a year’s worth of experience providing mobile forensics and mobile application security testing across multiple platforms. My forensics and testing work was conducted in an effort to identify software assurance weaknesses in mobile applications and provide mitigation recommendations to software engineers. Although not the primary focus of my work, a deep understanding of mobile forensics and mobile application penetration testing comes in very handy when I work on mobile security research projects and enterprise mobile security engineering challenges.

[Ed.]: What kind of reaction have you had to your course?

[SV]: I attended three other Android courses and other-security related courses to recognize which topics were not covered elsewhere and to determine how this course could bring additional value. Feedback has been positive from participants, who have stated that this course answered many questions regarding mobile security that other courses did not address.

[Ed.]: So, what’s next?

[SV]: Several courses are in the early stages of exploration and development, including working titles of “Developing Secure Android Applications” and “iOS Forensics.” At some point, I plan to get these courses developed, and perhaps a general “mobile hacking” course too for penetration testers working across the mobile spectrum.

[Ed.]: Thank you, Shawn. We’ll look forward to those courses and making a dent in the top ten IT security concerns.

[Ed]: After this blog post was finalized, Shawn joined Veracode, where he leads their product management team for mobile products. We at MITRE wish him the best in his new endeavor.