{"id":298,"date":"2020-10-17T20:05:27","date_gmt":"2020-10-17T20:05:27","guid":{"rendered":"https:\/\/lyhinslab.org\/?p=298"},"modified":"2020-10-19T16:03:12","modified_gmt":"2020-10-19T16:03:12","slug":"lifehacks-for-hackers-how-to-audit-mobile-apps","status":"publish","type":"post","link":"https:\/\/lscp.llc\/index.php\/2020\/10\/17\/lifehacks-for-hackers-how-to-audit-mobile-apps\/","title":{"rendered":"Lifehacks for hackers: how to audit mobile apps"},"content":{"rendered":"\n<p>In web app security, a large number of clients attack the server. In client app security, the situation is the opposite &#8211; a huge number of client devices are carried around by people who can do whatever they want, be as careless as they want, and still need to be protected. <br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.memesmonkey.com\/images\/memesmonkey\/f5\/f567e5d99a0e7c0eddf6f1acd2617800.jpeg\" alt=\"\"\/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Client-side threat agents<\/h4>\n\n\n\n<p>Lyhin&#8217;s Lab distinguishes four additional threat agents related to the client, while, of course, the client itself is definitely a threat agent for the server. A pen test of a client application performed on behalf of all five threat agents is considered complete.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">A device stealer<\/h5>\n\n\n\n<p>Main questions:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>What can a malicious actor get if they steal the device and are able to unlock the phone? <\/li><li>What can a malicious actor get if they have a Remote Access Toolkit on the victim&#8217;s rooted device? <\/li><li>Does the application allow sensitive data to be saved in backups? How about the cloud?<\/li><\/ul>\n\n\n\n<p>Just a friendly reminder: sometimes there&#8217;s no need to unlock the device to install applications on the victim&#8217;s phone. 
<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Malware<\/h5>\n\n\n\n<p>Main question: What can a regular application get on a non-rooted device?<\/p>\n\n\n\n<p>Just a friendly reminder: some applications with thousands of downloads can be bought for thousands of dollars.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img fetchpriority=\"high\" decoding=\"async\" src=\"https:\/\/lyhinslab.org\/wp-content\/uploads\/2020\/10\/image.png\" alt=\"\" class=\"wp-image-342\" width=\"584\" height=\"313\"\/><\/figure>\n\n\n\n<h5 class=\"wp-block-heading\">The application itself<\/h5>\n\n\n\n<p>The client brings danger to the server, but the server also brings danger to the client. Main questions:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Does the application require suspicious permissions?<\/li><li>Does the application collect suspicious data? How much data does the application collect?<\/li><\/ul>\n\n\n\n<p>Just a friendly reminder: big companies often maintain a whitelist of applications allowed on their devices. <\/p>\n\n\n\n<h5 class=\"wp-block-heading\">An intruder<\/h5>\n\n\n\n<p>Main questions: <\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>What can a malicious actor do if they control the router or the proxy server between the device and the Internet? <\/li><li>What can a malicious actor do if they remotely interact with a user?<\/li><\/ul>\n\n\n\n<p>Just a friendly reminder: hackers can ask people to install TLS certificates. <\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Conclusion<\/h4>\n\n\n\n<p>Today, the 17th of October, 2020, I believe that there is no other threat agent (Y) which is:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>capable of doing anything that the listed agents cannot do, OR <\/li><li>able to do something that the listed agent (X) can do AND able to have an evil intent that the (Y) threat agent cannot have<\/li><\/ul>\n\n\n\n<p>While it seems like there is a rigorous proof, I&#8217;d rather discuss it in a more private conversation. 
By the way, all five of these threat agents can easily be memorized on one hand. Guess how. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>In web app security, a large number of clients attack the server. In client app security, the situation is the opposite &#8211; [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-298","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts\/298","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/comments?post=298"}],"version-history":[{"count":0,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts\/298\/revisions"}],"wp:attachment":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/media?parent=298"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/categories?post=298"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/tags?post=298"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}