This issue of the magazine is dedicated to Mobile Penetration Testing. If you are however not interested in this topic, take a look at the table of contents anyway, as we have articles not related to mobile too. Hopefully everyone will find something interesting inside! We have prepared two completely new sections. The first one is GitHub Corner, where we gathered the most interesting GitHub projects on mobile, Android and iOS. It will be our opening section in every issue from now on. If you know of a GitHub project that you would like to share in the magazine (or you run one) - drop us a line! The second new section is Blog News, where you can find our newest blog posts. Let us know if you like them or not, if you would like to add or change something. These new sections are made for you my dear reader, so we are open to feedback! I hope that you will enjoy reading the articles and you will learn something new. See you next time!
If you want to buy this magazine click here
The Age Of M(alware)obile
by Andrea Cavallini
Malwares are the most important leaks from the beginning of the Web. When a system is developed, a network is configured or a schema is deployed, then someone thinks, creates and injects something into them to control and manipulate data without permissions: this something is called malware. Over time, the technology is oriented on mobile devices because more people switch from personal computers to smartphones; at this point in time, smartphones are as powerful as computers. The attackers have to necessarily do something to adapt their methodologies, adapting their point of view.
Automate Static Analysis With Mobile Security Framework
Learn All In One MOBSF To Find Secuirty Flaws In Android Applications Without Ruining Them
by Sumit Kumar Soni
We are living in the age of smartphones. More and more businesses and users employ mobile phones not only as communication tools, but also as a means of planning and organizing their work and private life. Within companies, these technologies are causing profound changes in the organization of information systems and, therefore, they have become the source of new risks. Mobile security or mobile phone security has become increasingly important in mobile computing. Of particular concern is the security of personal and business information now stored on smartphones. Smartphones are the new target for the hacker, especially Android and iOS based devices, due to their user popularity. Everyday, many mobile applications are being developed and pushed into the market. Consumer firms are moving towards a mobile app based platform, e.g. Uber. Testing these applications for security issues is not the same as the traditional desktop based applications. This brings new challenges for the pentester and requires a new set of tools.
Beating ASLR Protection Using Brute Force
by Khaled Sakr
Most of us are familiar with basic stack and heap buffer overflow attacks and how they can be exploited; in most modern computers, multiple protections are applied to prevent buffer overflow attacks, including Canary Values, ASLR. DEP,…etc. In this article, we will look into one type of BOF protections which is ASLR and how it can be defeated using a simple Brute force.
Reverse Engineering the Android OS
by Tom Updegrove
The Android OS is a popular open-source mobile platform based on the Linux 2.6 kernel. It was first developed by a company called Android, Inc. and later acquired by Google in 2005. Presently, there are many versions of the Android OS starting with the 2.6 kernel.
Reflected File Download Vulnerability
by Narendra Bhati
We will talk about Reflected File Download Vulnerability, which is a lesser known vulnerability by most researchers. We will see how we can find this vulnerability, and actually make an
exploit to present the impact in real world scenario.
App wrapping and putting down the shields
by Christopher Dreher
Mobile devices are hard to exclude from today's enterprises. New requirements for the responsible IT departments are constantly added. Apps are to be developed as securely as possible, in order to protect the data of the enterprise. However, this is not simple, because users have the possibility of compromising their devices to get root access. The instructions for Rooting (Android) or Jailbreaking (iOS) are simple to understand for a broad mass of users. This makes the devices susceptible to a variety of attacks and the sensitive data of the company is no longer safe.
SEH Stack Based Windows Buffer Overflow
by Virendra Bisht
In this article, we will discuss SEH stack based buffer overflow at length. An overflow happens in an application as the program writes more information in an array or the buffer than the space allocated in memory for it. This causes the adjacent area, the areas above the direction of buffer growth, to be overwritten. When this occurs, all previously stored values are corrupted. An attacker can control these previous stored values, such as EIP, and control the flow of execution of the process.
by Milan Oulehla
Mobile devices such as smartphones, tablets and wearable hardware (e.g. smartwatches) have become a common component in our society. This fact can be illustrated by Facebook - in Q4 2015, it had 51.7% mobile-only users and this trend is constantly growing . There are three main mobile operating systems: Android developed by Google Inc., Apple’s iOS and Windows
Mastering SQL injection: Guide to hacker’s manual query magic
by Samrat Das
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
Hunting Vulnerabilities That Affect Your API
by Mahmoud Reda
Web applications, as well as mobile applications, are becoming more complex and that is exposing new threats, which places your company and your customers at risk. API became part of that complexity which facilitate talking between the client and the server. But API is overlooked in term of security, so we will shine some light on API and how to test your API for vulnerabilities, also how to secure them.
Abusing Windows Opener to Bypass CSRF Protection
(Never Rely On Client Side)
by Narendra Bhati
Due to the increase in the use of modern web applications, security is the main concern. For security, the developer mostly relies on client side mechanisms.
If you are not a subscriber and want to buy this magazine click here
|Mobile Penetration Testing.pdf