Rooting Your Devices - StickyMinds Alan Crouch.pdfRooting Your Devices to Test Outside the Box...

Preview:

Click to see full reader

Citation preview

K4Keynote4/28/173:15PM

RootingYourDevicestoTestOutsidetheBox

Presentedby:

AlanCrouch

Coveros,Inc.

Broughttoyouby:

350CorporateWay,Suite400,OrangePark,FL32073888---268---8770··904---278---0524-info@techwell.com-https://www.techwell.com/

AlanCrouchCoveros,Inc.AlanCrouchisadirectorofmobiletestingwithCoveros,Inc.,whichhelpscompaniesbuildbetterapplicationsusingagile,DevOps,andsecuritybestpractices.AlanworkswithC-levelandseniormanagementatprivatecompaniesandfederalagenciestotransformandadoptamore"mobile-first"approachtoinformationtechnology.AlanhasworkedwithDepartmentsofHomelandSecurity,Defense,andHealthandHumanServices;Symantec;andmobilestart-upstobuildandtestAndroid,iOS,andresponsivewebapplications.Hispassionistheintersectionofmobiletestingandinformationsecurity.SparetimefindsAlantravelingtheglobeandcreatingadventuresforhissonanddaughter.FollowAlanonTwitter@RealAlanCrouchoronLinkedIn.

4/6/17

1

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 1

Agility.Security.Delivered.

Roo#ng Your Devices to Test Outside the Box

AlanR.Crouch@RealAlanCrouch

MobileDev+Test2017

SanDiego,CA

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 2

Agenda

• What’sHappeningintheWorldofMobile?

• What’s“Everyone”ElseDoing(WhenItComestoMobileTesYng)?

• WhyRootWhenYouTest?• LeveragingRooYngtoTestOutsidetheBox

4/6/17

2

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 3

What’s Happening in Mobile?

MoreDevices,More(User)Control

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 4

What’s Happening in Mobile?

MoreOpera:ngSystems,MoreVersions!

4/6/17

3

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 5

What’s Happening in Mobile?

MoreOpera:ngSystems,MoreVersions!

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 6

What Happening in Mobile?

MoreApps,MoreData,MoreComplexity!

4/6/17

4

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 7

What Happening in Mobile?

MoreApps,MoreData,MoreComplexity!

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 8

What’s Happening in Mobile?

Source:RedHatMobileMaturitySurvey2015

MoreGrowth,MoreMarketSatura:on!

MobileGrowthPlansbyOrganiza:onfor2016

4/6/17

5

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 9

What’s Happening in Mobile?

MorePower,MoreCapabili:es!

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 10

What’s “Everyone” Doing?

• BadhabitsfromtradiYonalapplicaYontesYngcommunityhavepenetratedthemobileapptesYngcommunity• PoorHiringandTrainingPracYces• MobiletestautomaYonisnolongeropYonal

4/6/17

6

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 11

What’s “Everyone” Doing?

• StatusofRooYnginMobileTesYng:

A)  Bears–CuriousTesters/Mother-BearsB)  Ostriches–TestersOvercomebyFearor“Policy”C)  GrumpCats–“Iknowbeeer”Testers

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 12

Because I’m Morally Obligated

• RooYngdoescomewithrisks• VoidedWarranty• Possibilityofbecoming“bricked”

• IsrooYngillegal?• No

4/6/17

7

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 13

Why Root?

• Moresimilarlytestreal-worlduserscenarios.• TesYngonamodifieddevicecanexposeaddiYonaltesYnginterfaces• AdvantagesofRooYng:• AlterorreplacesystemapplicaYons• Runspecializedapps• FullcustomizaYon• Accessnormallyinaccessibledata• TestDataSeeding• FileRecovery• Enable/disabledfeatures• Modify/customizekernels

• MobileSecurityTesYng

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 14

Why Root?

28%

72%

NumberofAndroidDevicesRooted(World-Wide)

Rooted Not-Rooted

Source:TencentStudyonRootedDevices,2015

•  Justhowmanydevicesarerooted?Howbigisit?• ProliferaYonishigheramongsttech-savvy.

4/6/17

8

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 15

Why Root?

Source:TencentStudyonRootedDevices,2015

It’sjustplainfun.

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 16

Root to Test Outside the Box

RootAccessforUsersandApps

•  SuperUsergrantsandmanagesappsabilitytogetrootaccess.• ArootedAndroiddevicewon’tbeasusefulifappsdon’thaverootaccess.Tofixthisproblem,makesureyouinstallSuperUsersoonalerrooYngyourdevice.ThiswillautomaYcallyforceappstoaskpermissiontoestablishrootprivileges.

4/6/17

9

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 17

Root to Test Outside the Box

LocaYon/GPSSpoofing

• AppslikeFakeGPSorLockitoallowyoutonotonlychangeyourGPSlocaYonbutalsobuildiniYneraries.• Byaddingarootedapplike“LuckyPatcher”orXposedyoucanmakeFakeGPSaSystemAppandoverrideGPSSpoofingDetecYon

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 18

Root to Test Outside the Box

AutomatedTasking

• AppslikeTaskerallowyoutosetupautomatedtasks.• ByrooYngyourPhone,Taskercannowperformtaskwithrootaccessallowingittodoanythingfrom:•  Nightlyresetstoa“cleanstate”•  SeedingtestapplicaYondata•  Nightlybackupsofsystemandappdata

•  AutomatedlogaccessArchive

4/6/17

10

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 19

Root to Test Outside the Box

NetworkTrafficAnalysis

• AppslikeSharkforRootallowyoutorecordnetworktrafficandanalyzejustwhatdataisbeingtransferredoverclear-text.• DeterminewhatsensiYvedatamightbeexposedfromyourappincluding:•  Passwords•  Keys•  PersonalData•  SensiYve“App”InformaYon

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 20

Root to Test Outside the Box

RecordandPlaybackofTouchEvents

• RootAppsthatallowrecordandplaybackoftouchevents,suchasRepeYTouchcanbeapoorman’sautomaYontool• RecordandplaybacktoucheventswithloopsorbuiltinresponsetooutsidesYmuli(howtohandleaphonecall)totest“farming”orcommonacYonsinyourmobileapp

4/6/17

11

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 21

Root to Test Outside the Box

ModifyingLocalDataStorage

•  Therearemanyrootedappsthatlookatlocaldatastorageandsharedpreferencestoallowyoutotestyourapps.• Determinewhatyourapphasstoredwhereandwhatyoumightbeabletohack.•  Changeyourstates(level,permissionsetc.)

•  ExploreprivacyviolaYonsondisk•  Recoverpasswords•  Giveyourselflotsof“free”goldorin-gamecurrency

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 22

Root to Test Outside the Box

DeletedFileRecovery

• Non-rootedappsmayallowyoutorecoverdeletedfiles,butotherfiletypesareelusivetorecover• RecoverytoolslikeUndeleterallowyoutorecoveravarietyoffiletypesfromallyourparYYons•  TempData•  CachedData•  Logs•  TextMessages

4/6/17

12

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 23

Root to Test Outside the Box

SecurityTesYng

• NaYveAppTesYng•  CertValidaYontesYngwiththe“XposedFramework”and“JustTrustMe”

•  Root-DetecYonControltesYng•  XposedDetecYoncontrols•  Fuzzing•  APIVulnerabilityTesYng

• MobileWebApp&Network• WifiCrackers•  PenetraYonTesYngMobileWebApps

•  AutomatedInjecYonAeacks

Bugtroid

dSpolit

DroidSQLi

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 24

Conclusion

•  YoucangetawaywithmobiletesYngwithoutrooYng.•  Youcancatchbugsandbuild/testgoodproducts• RooYngcanhelpyouelevateyourtesYngcapabiliYes:•  TESTFASTER•  TESTMORE•  TESTDIFFERENTLY•  HAVEFUN

4/6/17

13

©COPYRIGHT2016COVEROS,INC.ALLRIGHTSRESERVED. 25

Thank You AlanR.Crouch

@RealAlanCrouch

Recommended

Automated Security Scanning for Your Delivery Pipeline · Delivery Pipeline Presented by: Matthew Grasberger Coveros, Inc. ... clients to build and develop robust test automation
Documents
Lawrence Johnson (Nagra, Switzerland), Alan Hooper (Alan
Documents
Controversy and provocation Alan Dix alan@hcibook.com
Documents
Advanced Field Effect Transistor (FET) Devices...Georgia Tech ECE 3080 - Dr. Alan Doolittle Lecture 12b Advanced Field Effect Transistor (FET) Devices Reading: (Cont’d) Notes and
Documents
How to Test Serverless Cloud ApplicationsHow to Test Serverless Cloud Applications Presented by: Glenn Buckholz Coveros, Inc. Brought to you by: ... AWS’Serverless’Walkthrough’Lambda
Documents
Table 3 Neuromodulation devices for primary headache disorders: … · 2018. 11. 1. · primary headache disorders, Nathaniel M. Schuster, Alan M. Rapoport 2016. Table 3 | Neuromodulation
Documents
EP DEVICES-WHO, WHEN AND WHAT? - University of Florida · Presenter Disclosure Information HEART FAILURE SPECIALIST’S PERSPECTIVE –EP DEVICES AMELIA 2O19 ALAN B MILLER MD I will
Documents
Alan Jose_2312_assignsubmission_file_organizational communication Alan 8089.pdf
Documents
1 © Copyright 2014 Coveros, Inc. All rights reserved. Web Application Security Testing: Kali Linux Is the Way to Go Gene Gotimer, Senior Architect gene.gotimer@coveros.com
Documents
2016 Course Catalog - Coveros Training · Implementing a Test Automation Framework Implementing Task-Oriented Unit Testing Integrating Test with a DevOps Approach Just-in-Time Software
Documents
Nanotechnology Materials and Devices Workshop 2010 · Nanotechnology Materials and Devices Workshop 2010 ... Inkjet Printing of Carbon Nanotube Materials by Alan R. Hopkins and Kathryn
Documents
Funzioni Alan K1 ALAN K1 - Multicom
Documents
Kent Academic Repository · Mckenna, Alan (2018) Public perceptions and acceptance of drones, and the question of regulatory effectiveness. In: Cambridge Wireless Future Devices &
Documents
1 Hardware Devices Display Hardware Video display devices Hard-copy devices Input devices Locator Devices Keyboard devices Valuator Devices Choice Devices
Documents
Turing Machines (At last!). Designing Universal Computational Devices Was Not The Only Contribution from Alan Turing… Enter the year 1940: The world is
Documents
ALAN….ALAN… ALAN. WHO IS ALAN TURING?
Documents
Lecture 1 Introduction to Semiconductor Devices Reading ...users.ece.gatech.edu/alan/ECE3080/Lectures/ECE3080-L-1-Introduction... · Georgia Tech ECE 3080 - Dr. Alan Doolittle Lecture
Documents
Alan Rossiter President, Rossiter & Associates alan@rossiters · (
Documents
BIO-ARTIFICIAL LIVER (EXTRACORPOREAL TEMPORARY LIVER SUPPORT DEVICES) Alan Golde Jr. BME181 March 18 th 2013
Documents
By Alan S. Brown - ASME...IOT PUTS A NEW SPIN How one of the oldest mechanical devices became a poster child for the Internet of Things. By Alan S. Brown A s anyone who ever had a
Documents