CNIT 128: Hacking Mobile Devices

39102 Weds 06:10-09:00 pm SCIE 113

Moved to SCIE 37

Spring 2019 Sam Bowne



Catalog Description

Mobile devices such as smartphones and tablets are now used for making purchases, emails, social networking, and many other risky activities. These devices run specialized operating systems that have many security problems. This class will cover how mobile operating systems and apps work, how to find and exploit vulnerabilities in them, and how to defend them. Topics will include phone call, voicemail, and SMS intrusion, jailbreaking, rooting, NFC attacks, malware, browser exploitation, and application vulnerabilities. Hands-on projects will include as many of these activities as are practical and legal.

Advisory: CNIT 113 and 123, or equivalent familiarity with hacking computers and operating mobile devices

Upon successful completion of this course, the student will be able to:
  1. Describe the risks of using mobile devices for common activities such as making phone calls, emailing, and shopping
  2. Explain cellular network functions, attacks, and countermeasures for voice calls, voicemail, and SMS
  3. Perform and analyze jailbreaks for iOS devices
  4. Analyze the Android security model and rooting
  5. Recognize types of mobile malware and anti-malware options
  6. Identify Web browser services and attacks on mobile platforms and recommend countermeasures
  7. Configure and defeat locking, remote location and wiping services
  8. Explain common mobile app risks and make intelligent decisions when installing and using them
  9. Evaluate the functions and risks of mobile payment services, such as Google Wallet

Textbook

"The Mobile Application Hacker's Handbook 1st Edition", by Dominic Chell, Wiley; 1 edition (February 24, 2015), ISBN-10: 1118958500 ISBN-13: 978-1118958506

Buy from Amazon ($49)

Quizzes

The quizzes are multiple-choice, online, and open-book. Study the textbook chapter and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts.

To access the quizzes:

  • Go to https://canvas.instructure.com/enroll/GMYGA3
  • If you've taken one of my classes previously, you should already have an account on this Canvas server (it's NOT the usual CCSF Canvas system). Otherwise, create a new account.
  • You should see the quizzes, as shown below.
  • Questions? Email CNIT.128sam@gmail.com

Live Streaming

To join the livestream, use this Zoom link:

https://zoom.us/j/4108472927

Classes will also be recorded and published on YouTube for later viewing.

Email

For class-related questions, please email
cnit.128sam@gmail.com

Schedule (may be revised)


Date  Quiz & Proj  Topic
Wed 1-16  Is Your Mobile App Secure?


Wed 1-23  Quiz Ch 1 *
Proj 1 due *
1. Mobile Application (In)security


Wed 1-30  Quiz Ch 6a *
Proj 2 & 3 due *
6. Analyzing Android Applications (Part 1)


Fri 2-3 Last Day to Add Classes

Wed 2-6  Quiz Ch 6b *
Proj 4 due
6. Analyzing Android Applications (Part 2)


Wed 2-13  Quiz Ch 6c *
Proj 4 due
6. Analyzing Android Applications (Part 3)

Live testing of mobile apps


Wed 2-20  Quiz Ch 7a *
Proj 5 & 6 due
7. Attacking Android Applications (Part 1)


Wed 2-27  Quiz Ch 7b *
Proj 7 due
7. Attacking Android Applications (Part 2)


Wed 3-6  Proj 8 due
7. Attacking Android Applications (Part 3)


Wed 3-13  Quizzes Ch 7c & Ch 8a *
Proj 9 & 10 due
8. Android Implementation Issues (Part 1)


Wed 3-20  Quiz Ch 8b *
Proj 11 & 12 due
8. Android Implementation Issues (Part 2)


Wed 3-27 Holiday -- No Class

Wed 4-3  No Quiz
No Proj Due
Neil Desai
Defense and Careers
@0x617075

Video from BSides Knoxville 2015

This talk will be livestreamed and recorded

Livestream: https://zoom.us/j/4108472927


Wed 4-10  Quiz Ch 8c *
Proj 14 & 15 due
8. Android Implementation Issues (Part 3)


Wed 4-17  Quiz Ch 9 *
Proj 16 due
9. Writing Secure Android Applications


Wed 4-24  No Quiz
No Proj due
Abdullah Joseph

Android Malware

New Android adware found in 200 apps on Google Play

@malwarecheese

This talk will be livestreamed and recorded


Wed 5-1  No Quiz
No Proj Due
Ayman Elsawah
@coffeewithayman

Host of the Getting Into Information Security podcast


Wed 5-8  Quiz Ch 2a *
Proj 17 & 18 due
2. Analyzing iOS Applications (Part 1)

Wed 5-15  No Quiz
All Extra Credit Projects Due
Last class
TBA

Thu 5-16 - Wed 5-22
Final Exam available online throughout the week.
You can only take it once.
* Quizzes due 30 min. before class
  Nothing is considered late until 2-6

Slides

Grading Policy

Motivation

Is Your Mobile App Secure? (DEF CON 23, 2015) · PDF · Keynote
Passwords on a Phone (DEF CON 25, 2017) · PDF · Keynote

Introduction

1. Mobile Application (In)security · PDF · Keynote

Android

6. Analyzing Android Applications Part 1 · PDF · Keynote
Part 2 · PDF · Keynote
Part 3 · PDF · Keynote
7. Attacking Android Applications Part 1 · PDF · Keynote
Part 2 · PDF · Keynote
Part 3 · PDF · Keynote
8. Identifying and Exploiting Android Implementation Issues Part 1 · PDF · Keynote
Part 2 · PDF · Keynote
Part 3 · PDF · Keynote

9. Writing Secure Android Applications · PDF · Keynote

iOS

2. Analyzing iOS Applications
3. Attacking iOS Applications
4. Identifying iOS Implementation Insecurities
5. Writing Secure iOS Applications

Projects

Initial Setup (Different for Mac/Linux and PC)

Mac or Linux Users

Proj 1: Genymotion (15 pts)
Proj 2: Ask A Lawyer Plaintext Login (15 pts)
Proj 3: Burp (20 pts)
Proj 4: GenieMD Broken SSL (Harvard & IBM) (15 pts)
Proj 5: Kali Virtual Machine (20 pts) *
Proj 6: Android Debug Bridge (15 pts) *

PC Users

Proj 4x: BlueStacks on Windows (15 pts)
Proj 7x: Plaintext Login (15 pts)
Proj 8x: Burp and Nox on Windows (20 pts)
Proj 4: GenieMD Broken SSL (Harvard & IBM) (15 pts)
Proj 5: Kali Virtual Machine (20 pts) *
Proj 9x: Android Debug Bridge with Nox (15 pts) *

Projects Below Should Work on Mac, Linux, or Windows

Proj 7: Observing the Delhaize Log (15 pts)
Proj 8: Menards Plaintext Password Storage (15 pts)
Proj 9: ES Explorer Command Injection (10 pts)
Proj 10: Drozer (20 pts)
Proj 11: Qark (15 pts)
Proj 12: Trojaning the Progressive App (20 pts) (Updated 3-19-19)
Proj 13: Home Depot Android App Broken Encryption (NOW EXTRA CREDIT) (15 pts)
Proj 14: mAadhaar Code Modification (20 pts)
Proj 15: AndroBugs (10 pts)
Proj 16: Protection Level Downgrade (15-30 pts)
Proj 17: Trojaning an Android App with Metasploit (15 pts)

Extra Credit Projects

Proj 1x: Interplanetary Overlay Network (ION‑DTN) (15 pts + 10 pts extra)
Proj 2x: Ask A Lawyer Plaintext Password Storage (10 pts)
Proj 3x: Security Audit of An Android App (40 pts)

Proj 4x: BlueStacks Android Emulator on Windows (15 pts)
Proj 4x: BlueStacks Android Emulator on Mac or Linux (15 pts)

Proj 5x: Bank of America Code Modification (25 pts)
Proj 6x: Rooting BlueStacks on Windows (10 pts)
Proj 10x: Making an SSL Auditing Proxy with a Mac and Burp (20 pts)
Proj 11x: Ghidra (25 pts)
Proj 12x: Android Password Cracking with Nox (40 pts)
Proj 13x: Bypassing a Screen Lock with Nox (10 pts)
Proj A30: Android App Plaintext Login (55 pts)

* Project sends scores directly into Canvas

Links

Ch 1a: Mobile OS market share in the U.S. 2018
Ch 1b: Android App Vulnerabilities Research
Ch 1c: How to secure, protect, and completely lock down your Android phone
Installing Burp Certificate as a System Certificate
Ch 6a: SSL broken! Hackers create rogue CA certificate using MD5 collisions (2008)
Ch 6b: Create your own MD5 collisions
Ch 6c: MD5 considered harmful today (2008)
Ch 6d: Why it's harder to forge a SHA-1 certificate than it is to find a SHA-1 collision
Ch 6e: Encryption: Android Open Source Project
Ch 6f: Android version history - Wikipedia
Ch 6g: Android Encryption Demystified | ElcomSoft blog
Stuck at 99% : noxappplayer
JustTrustMe SSL certificate UN-pinning
Android Applications Reversing 101
Android and Apple phone security: Here's an objective chart to help you decide
Android Enterprise Recommended
Ch 6h: What is LineageOS and What Happened to CyanogenMod?
Ch 6i: Paranoid Android (software) - Wikipedia
Ch 7a: Picking your compileSdkVersion, minSdkVersion, targetSdkVersion
Ch 7b: Distribution dashboard: Android Developers
Ch 7c: What has happened to Android's Distribution Dashboards?
Ch 7d: Apple will stop reporting unit sales for iPhone, iPad and Mac from next quarter (2018)
Ch 7e: Vulnerabilities with Custom Permissions
Ch 7f: Permission Downgrade Attacks and Android 5.0
Ch 7g: Android Intents - Tutorial
Ch 7h: am: Activity Manager
Ch 7i: CVE-2013-6271: Remove Device Locks from Android Phone - Cureblog
Ch 5k: whois microsoft.com (archived)
Ch 5j: Zone Transfer Test Online | HackerTarget.com
Android Security Analysis Tools, Part Four - MobSF | Netguru Blog on Android
Ch 7j: What is Umask and How To Setup Default umask Under Linux? - nixCraft
Ch 7k: linux - Effect of umask on text files - Stack Overflow
Ch 7l: Download Cydia for Android - Full Installation Guide
Ch 7m: Link Substrate Files failed · Issue #1 · AndroidHooker/hooker
Ch 7n: Frida -- A world-class dynamic instrumentation framework
Ch 7o: Hacking Android app with Frida
Ch 7p: Hacking Android apps with FRIDA
passionfruit: [WIP] Crappy iOS app analyzer -- TRY FOR PROJECTS
JEB Decompiler by PNF Software -- Important commercial tool
Ch 7q: Four Ways to Bypass Android SSL Verification and Certificate Pinning
MOBISEC slides for European Android Hacking Class
TrustMeAlready: Disable SSL verification and pinning on Android, system-wide
Ch 7r: CVE-2013-6271 Android Settings Remove Device Locks (4.0-4.3)
Ch 8a: PathClassLoader | Android Developers
Ch 8b: DexClassLoader - Android Developers
Don't Trust Google Play Protect to Shield Your Android
9 Mobile App Scanner to Find Security Vulnerabilities
Ch 8c: How to Use ADB and Fastboot on Android (and Why You Should)
Ch 8d: How to Enter Android's Bootloader and Recovery Environments
Ch 8e: Cracking Android passwords, a how-to
Ch 8f: How to crack android lockscreen passwords
Ch 8g: Android WebView addJavascriptInterface Code execution Vulnerability
Ch 8h: Android Basics: How to Enable Unknown Sources to Sideload Apps
Ch 8i: Full Disclosure: CVE-2014-7911: Android <5.0 Privilege Escalation using ObjectInputStream
Ch 8j: How Was SQL Injection Discovered?
Ch 8k: How is the Gmail password stored in Android - and where?
Ch 8l: sch3m4/androidpatternlock: A little Python tool to crack the Pattern Lock on Android devices
Ch 9a: Securing Content Providers - Secure Android App Development
Ch 9b: Online Java Editor and IDE - Fast, Powerful, Free
Ch 9c: Adventures with Android WebViews
Ch 9d: Introduction to debugging Android apps using AndBug
Ch 9e: Behavior changes: apps targeting API level 28 | Android Developers
Ch 9f: hardening - Why does checksec.sh highlight rpath and runpath as security issues?
Ch 9g: Android Hacker Protection Level 0 - DEFCON-22-Strazzere-and-Sawyer-Android-Hacker-Protection-Level-UPDATED.pdf

          

Links from Previous Textbook

Last Updated: 4-17-19 7:14 pm