T4 Mobile Testing
10/16/2014 9:45:00 AM

Top Ten Attacks to Break Mobile Apps
Presented by: Jon Hagar, Grand Software Testing

Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073
888-268-8770, 904-278-0524, [email protected], www.sqe.com


Jon Hagar, Grand Software Testing

Jon Hagar is an independent consultant working in software product integrity, testing, verification, and validation. Jon publishes regularly on testing, including the book Software Test Attacks to Break Mobile and Embedded Devices (breakingembeddedsoftware.com). For more than thirty years, he has worked in software engineering, particularly testing, supporting projects which include control systems (avionics and auto), spacecraft, mobile-smart devices, and attack testing of smart phones. Jon is an editor for ISO, IEEE, and OMG standards.

Jon Hagar Copyright 2014, Software Test Attacks to Break Mobile and Embedded Devices

TOP 10 SOFTWARE TEST ATTACKS TO BREAK MOBILE SOFTWARE

STARWEST 2014

[email protected] Grand Software Testing, Web: http://breakingembeddedsoftware.wordpress.com/

AGENDA

• Definitions for this session
• Risk-based testing concepts for mobile
• Exploratory testing concepts for mobile
• My top 10 Mobile Software (app) attacks
• Wrap up

MOBILE, SMART, AND HANDHELD

• As the name implies, these are devices—small, held in the hand, often connected to communication networks, including
  • Cell and smart phones – apps
  • Tablets
  • Medical devices
• Typically have:
  • Many of the problems of classic “embedded” systems
  • The power of PCs/IT
  • More user interface (UI) than classic embedded systems
  • (Relatively) Fast updates
• Mobile devices are “evolving” with more power, resources, apps, etc.
• Mobile is the “hot” area of computers and software currently
• Testing rules and concepts are “evolving”

TYPES OF MOBILE APPS

• Native Applications – Local to device
• Hybrid Applications – Local to device but interacts w/internet
• Web Applications – Not local to device. All interactions on internet

MOBILE TESTING DEFINITIONS

• Mobile Application Testing is testing the application in a support environment or on a mobile device
• System Level Mobile Device Testing is testing the hardware and operating system
  • Does the Operating System install?
  • Does the device power on? Do the LED lights work as expected?
  • Does the battery charge when the AC adapter is plugged into the device?
• Mobile Phone Testing should have some different approaches to testing
• Mobile System Testing incorporates testing more than one application and can combine hardware, software, firmware, along with other applications
• Mobile Testing – can/should be all of the above

Be clear when using this terminology. If you are only testing apps on mobile phones, then state “mobile apps testing.” Use mobile testing when you are testing mobile websites, mobile hybrid apps, mobile hardware, etc.

DEFINING SKILL SET FOR THE MOBILE TESTER

• Some exposure or knowledge about products from the domain in which you are testing: aerospace, medical, automobile manufacturing, airplanes, factory systems, robotics, regulated environments, etc.
• Some knowledge of hard sciences: math, physics, electronics, engineering, etc. for logical thought processes
• Soft sciences: psychology, philosophy, sociology, human factors (human machine interface) for creative & conceptual thought processes
• Tester skill
  • Planning, design techniques, patterns of errors, intuition, critical thinking, “soft skills,” communication, observation, and mental models [ISTQB and AST have “lists”]

Chapter 1 – Software Test Attacks to Break Mobile & Embedded Devices

WHAT IS AN ATTACK?

• A pattern (of testing) based on a common mode of failure seen over and over
• Maybe seen as a negative, when it is really a positive
• Goes after the “bugs” that may be in the software
• May include or use classic test techniques and test concepts
  • Lee Copeland’s book on test design
  • Many other good books
• A Pattern (more than a process), which must be modified for the context at hand, to do the testing
• Testers learn these in a domain after years and form a mental model (most good testers attack)

WHY ATTACK?

• Attacking your software is in part, the process of attempting to demonstrate a system (hardware, firmware, software and operations) does not meet requirements, functional and non-functional objectives
• Embedded/handheld software testing must include "the system" (hardware, software, operations, users)
• Attacking common modes of failure, especially where the application is engaged and visible by the user.

Attack your enemy with approaches to include: Tools, Levels, Attacks, Techniques

KINDS OF ATTACKS

• Whittaker offers a good starting point for software attacks in general that can be applied to mobile:
  • User Interface Attacks
  • Data and Computation
  • File System Interface
  • Software/OS Interface
• Whittaker’s “How to Break Software” lists 23 attacks
  • Plus he has other books on attacks, security, web, exploratory, and tours in testing
• “Software Test Attacks to Break Mobile and Embedded Devices” lists 32 attacks and 8 sub attacks

MOBILE RISK AREAS TO CONSIDER

• There are many risks to consider, but you cannot test everything
• Risk(s) based testing helps bound the test scope problem
• Testing is about providing information and understanding
• Exploration gets you started with whatever you have (or don’t have)

SAMPLE MOBILE PRODUCT RISKS TESTERS SHOULD CONSIDER

• Environment and input factors
  • Environment – heat, noise, sun, water, etc.
  • Hardware – calibration, uniqueness, manufacturing, etc.
  • Electronics – noise, power, batteries, etc.
  • Communications
• Interface types
  • Hardware
  • Human
  • Network
  • Software
• Output — noise influences, D2A, representation, etc.
• Complexity — use / size of the system

RISK-BASED TESTING (ISO 29119)

• Address, mitigate, attack and retire product risks
• Prioritize risks - tests:
  • Potential problems - Consequences and effects
  • Occurrences – likelihood or chance of happening
  • Impacts – what happens
• Take consistent action from the beginning (proposal) to the end (retirement) of the product or lifecycle
• Risks & prioritizing should dictate the test attacks

EXPLORATORY TESTING - DEFINITION

• Quoting James Bach: “The plainest definition of exploratory testing is test design and test execution at the same time. This is the opposite of scripted testing (predefined test procedures, whether manual or automated). Exploratory tests, unlike scripted tests, are not defined in advance and carried out precisely according to plan.”

http://www.satisfice.com/articles/what_is_et.shtml

EXPLORATORY TESTING IN MOBILE

• Rapid feedback
• Learning
  • Upfront rapid learning
• Attacking
  • Address Risk(s)
• Independent assessment
• Target a defect
• Prototyping
• Need info
• Test beyond the requirements

NUMBER 10: FUNCTIONAL ATTACK (33)

• Have an outline or charter (top level plan and/or risk list)
• Create a flip chart, notecard, state model, mind map or some representation of each test task
• No “heavyweight” documentation of the “test case”
  • See Exploratory Charter (test objective)
• Have a Target concept or charter (Risk, Attack, Bug, Learning, …)
  • Verification checking of requirements (necessary but not sufficient)
• Have a schedule/time box (short test cycles = Planning to report)
• Do the test
  • Design test
  • Execute test
  • Learn about the product: change the risk list, modify/add tests, and so on
• Repeat as needed

EXAMPLE MIND MAP FROM A TRAVEL APP

9: NOTIFICATION TEST ATTACK (18)

• Download either Twitter or Facebook onto a device
• Start either downloaded app
• From another device, send an email to the device’s email account
• Immediately send a tweet or post a status
• Continue to engage the Twitter or Facebook app for at least 1 minute
• Record email notification and time when sent and received
• What other observations occurred?

ATTACK TEST CASE EXAMPLE: INTERRUPTS ON MOBILE PHONES

• Go to your App store and choose an application to download
• While the downloading is occurring, call the mobile phone
• Record observations with the download
• You may need to rely on observing a log file while implementing these tests
• If it fails, what kind of error recovery occurs? Can you repeat any errors?
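To make the "call during the download" attack repeatable rather than a one-off observation, here is an added example in Python (not from the slides): a constructed chunked downloader with a resume path, plus a sweep that injects the incoming call at every chunk in turn and checks whether error recovery still yields the right file. The deliberately buggy resume variant, the chunk size, the flush rule and the payload are all assumptions made for illustration.

```python
"""Interrupt-injection sweep for the download-then-call attack. Added example,
not from the slides: the downloader, its resume logic, the 'incoming call' and
the payload are all constructed so the recovery check is repeatable offline."""
from typing import List, Optional


class IncomingCall(Exception):
    """Stand-in for the phone call that interrupts the transfer."""


class Downloader:
    """Fetches a payload in fixed-size chunks, flushes (acks) every second
    chunk, and can be re-run to resume after an IncomingCall."""

    def __init__(self, payload: bytes, chunk: int, buggy_resume: bool = False):
        self.payload, self.chunk, self.buggy = payload, chunk, buggy_resume
        self.received = bytearray()
        self.acked = 0                 # bytes safely flushed before the interrupt

    def run(self, interrupt_at: Optional[int] = None) -> bytes:
        # Resume: the correct path refetches from the last flushed offset and
        # drops the unflushed tail. The buggy path (assumed, for illustration)
        # also drops the tail but resumes from the bytes it had *requested*,
        # which silently leaves a gap whenever the call hit an unflushed chunk.
        offset = len(self.received) if self.buggy else self.acked
        del self.received[self.acked:]
        chunk_no = offset // self.chunk
        while offset < len(self.payload):
            piece = self.payload[offset:offset + self.chunk]
            self.received += piece
            offset += len(piece)
            chunk_no += 1
            if chunk_no % 2 == 0:      # constructed flush/ack rule
                self.acked = offset
            if chunk_no - 1 == interrupt_at:
                raise IncomingCall(f"call landed during chunk {chunk_no - 1}")
        return bytes(self.received)


def sweep(payload: bytes, chunk: int, buggy: bool) -> List[int]:
    """Inject the call at every chunk in turn, resume, and return the chunk
    indexes whose recovery produced a wrong file (empty list = clean)."""
    n_chunks = -(-len(payload) // chunk)   # ceiling division
    bad = []
    for k in range(n_chunks):
        dl = Downloader(payload, chunk, buggy)
        try:
            dl.run(interrupt_at=k)
        except IncomingCall:
            pass                       # observation: transfer cut at chunk k
        if dl.run() != payload:        # resume with no further interrupt
            bad.append(k)              # the same k fails on every repeat
    return bad


# Constructed payload: 516 bytes in 80-byte chunks -> 7 chunks, last one partial.
PAYLOAD = bytes(range(256)) * 2 + b"tail"
CHUNK = 80
```

The buggy variant fails only when the call lands on an unflushed (odd-numbered) chunk, which is exactly the kind of "can you repeat the error?" answer the slide asks for.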

8: ATTACK SCENARIOS (12)

• Tests consider usage, operations, interface interactions and integrations
• Interface points include: hardware, firmware, software, data exchange, network communication and combinations
• How each interface point integrates with another interface point
• Tests include how the application is used end-to-end
• Tests to combine how the entire system interacts as well as how portions interact with one another and depending on complexity
• Note: Configuration tests with regards to how software behaves based on various configurations of devices, operating systems

IN SCENARIO TESTING: TIMING SUB-ATTACK

When time interacts with the software, events, inputs, and outputs, here's a checklist of things to look for and consider (where bugs lurk) in sequences/stories

• Order problems
• Too Long
• Too Fast
• Not at right time mark or point
• Late
• Late or early
• Early
• Deadlock caused by a race condition (hard to find)
• Extra input or output events
• Missing events
• Wrong input/output within events
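The checklist above can be applied mechanically to a captured event log. The following added example in Python (not from the slides) scores a constructed log of a download interrupted by a call against an expected sequence with timing windows and reports each finding in the checklist's own terms; the log format, event names, timing windows and the 30-second budget are assumptions.

```python
"""Timing sub-attack checker: grade a recorded event sequence against the
checklist above (order problem, early, late, too long, missing, extra, wrong
output). Added example; the log format, event names and timings are made up."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Expected:
    name: str
    after: Optional[str] = None     # event that must precede this one
    min_gap: float = 0.0            # earliest allowed delay after `after` (s)
    max_gap: float = float("inf")   # latest allowed delay after `after` (s)
    payload: Optional[str] = None   # required payload, if the step has one

def parse_log(text: str):
    """Constructed log lines '<seconds> <event> [payload]' -> (t, name, payload)."""
    out = []
    for line in text.strip().splitlines():
        t, name, *rest = line.split()
        out.append((float(t), name, rest[0] if rest else ""))
    return out

def check_timing(spec: List[Expected], events, max_total: float) -> List[str]:
    """Return one finding per checklist violation, in the checklist's words."""
    findings, known, seen = [], {e.name for e in spec}, {}
    for t, name, payload in events:          # pass 1: extra / repeated events
        if name not in known or name in seen:
            findings.append(f"extra event: {name} at {t:.2f}s")
        else:
            seen[name] = (t, payload)        # first occurrence only
    for exp in spec:                         # pass 2: per-step checks
        if exp.name not in seen:
            findings.append(f"missing event: {exp.name}")
            continue
        t, payload = seen[exp.name]
        if exp.payload is not None and payload != exp.payload:
            findings.append(f"wrong output within event: {exp.name} carried "
                            f"{payload!r}, expected {exp.payload!r}")
        if not exp.after or exp.after not in seen:
            continue                         # no predecessor, or reported missing
        gap = t - seen[exp.after][0]
        if gap < 0:
            findings.append(f"order problem: {exp.name} before {exp.after}")
        elif gap < exp.min_gap:
            findings.append(f"early: {exp.name} {gap:.2f}s after {exp.after}")
        elif gap > exp.max_gap:
            findings.append(f"late: {exp.name} {gap:.2f}s after {exp.after}")
    times = [seen[e.name][0] for e in spec if e.name in seen]
    if times and times[-1] - times[0] > max_total:
        findings.append(f"too long: sequence took {times[-1] - times[0]:.2f}s")
    return findings

# Constructed expectation: an app download interrupted by an incoming call.
DOWNLOAD_SPEC = [
    Expected("download_start"),
    Expected("call_ring", after="download_start"),
    Expected("download_pause", after="call_ring", max_gap=0.5),
    Expected("call_end", after="call_ring"),
    Expected("download_resume", after="call_end", max_gap=2.0),
    Expected("download_done", after="download_resume", max_gap=30.0, payload="ok"),
]

# Constructed log: pause never logged, resume late, a stray event, bad status.
SAMPLE_LOG = """
0.00 download_start
3.10 call_ring
9.00 call_end
12.50 download_resume
12.60 progress 40%
40.00 download_done error
"""

def run_example() -> List[str]:
    return check_timing(DOWNLOAD_SPEC, parse_log(SAMPLE_LOG), max_total=30.0)
```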

7: ATTACK TESTING MOBILE GAMES (26)

Mobile Device Game Testing (2 years ago gaming was 60% or more of Mobile App downloads)

• When to apply this attack? …when your app/device has games
• What faults make this attack successful? …games are complex
• Who conducts this attack? …see chart on Roles
• Where is this attack conducted? …throughout lifecycle and in environments
• How to determine if the attack exposes failures?
  • Unhappy “users”
  • Bugs found
  • See checklist

ROLES TO PLAY IN THE GAME (AND MANY OTHER APPS)

Note on roles: During the testing effort and as it progresses, don’t forget that there are many different user roles

• The developer(s)—see Attacks 1, 2, and 3.
• The app game architect or director
• On-team game tester(s)
• In-company “dog food” testers
• Independent test players
• Mass beta trials
• Not a tester—Finally, consider who should not be playing

GAME ATTACK PATTERN

• Refine checklist to context scope
• Define a role
  • Watch what is happening with this role
• Define a usage (scenario or set of functions to Play the game)
  • Guided explorations or ad hoc
  • Stress, unusual cases, explore options
  • Capture understanding, risk, observations, etc.
  • Checklist (watch for confusion)
• Run Exploratory Attack
  • Learn
  • Re-plan-design
• Watch for Bias
  • Switch testers
• Repeat

6: BREAKING SOFTWARE WITH HARDWARE AND SYSTEM OPERATION (9)

• Classic sub-attack example to consider is checking battery power impacts
  • Not Common to IT/PC testing
  • Large impacts to users (if battery is drained)
  • Relates to hardware and basic operation activities
• Requires systems thinking
• May require use of specialized test environments and support test tools

DOCUMENTING YOUR TEST CONDITIONS FOR THE CHARGING OF BATTERY TEST

Credit to: Jean Ann Harrison 2013

5: ATTACKING WITH SIMULATION (AND EMULATION) (17)

• Testing with real hardware is advised, but
  • Has limitations
  • Can require a lot of equipment
  • You need the hardware
  • Fragmentation
• Many mobile people test using simulators and/or emulators

PROS AND CONS (SAMPLING) OF SIMULATION AND EMULATION

• Pro
  • Can start early
  • Can support virtual testing
  • Can support automation
• Con
  • Will miss some kinds of bugs
  • May not transfer to the actual hardware
  • May require special skills and efforts to set up
  • Modeling (if used) can be very tricky

4: DEVELOPER LEVEL ATTACK: WHITE BOX (1 & 2)

• Between 20-and-30 percent of errors can be found by developer-led structural testing
• When combined with #3, a tester’s job becomes much more interesting
• Industry has known this testing from the beginning and yet it is underused
• Priority is high
• “Official” Tester should know it, advocate for it and even “do it” sometimes
• Two basic Attacks
  • Data
  • Logic

3: STATIC CODE ANALYSIS (SCA) ATTACK (3)

• This activity does NOT execute the code
• Can be done “early” in the lifecycle
• A better term is just “analysis,” but…
• For the code, we use a tool to “analyze” for certain types of errors
• Tools are commercial although some open source tools exist
• SCA finds the “hard to find” errors
• Many test teams take this effort over since programmers “don’t have the time”
• Issues:
  • False positives
  • When to do
  • When to repeat
• Efforts can (should) include analyzing models, requirements, and other artifacts

1 & 2: ATTACK SECURITY

• Apply when the device is mobile and has
  • Account numbers
  • User-ids and passwords
  • Location tags
  • Restricted data
• Current authentication approaches in use on mobile devices
  • Server-based
  • Registry (user/password)
  • Location or device-based
  • Profile-based

PRIVACY

THE CURRENT SECURITY SITUATION

• Mobile systems are highly integrated hardware–software–system solutions which:
  • Must be highly trustworthy since they handle sensitive data
  • Often perform critical tasks
• Security holes and problems abound
  • Coverity Scan 2010 Open Source Integrity Report - Android
    • static analysis test attack found 0.47 defects per 1,000 SLOC
    • 359 defects in total, 88 of which were considered “high risk” in the security domain
  • OS hole Android with Angry Birds (researchers Jon Oberheide and Zach Lanier)
  • Robots and Drones rumored to be attacked
  • Cars and medical devices being hacked

EMBEDDED/MOBILE SECURITY CONCERNS

• Fraud – Identity
• Worms, virus, etc.
• Fault injection
• Processing on the run
• Hacks impact
  • Power
  • Memory
  • CPU usage
• Eavesdropping – yes everyone can hear you
• Hijacking
• Click-jacking
• Voice/Screen
• Physical Hacks
• File snooping
• Lost phone

SECURITY ATTACKS (ONLY A STARTING POINT)

• Attack 28: Penetration Attack Test
  • Attack 28.1 Penetration Sub–Attacks: Authentication — Password Attack
  • Attack 28.2 Sub–Attack Fuzz Test
• Attack 29: Information Theft—Stealing Device Data
  • Attack 29.1 Sub Attack – Identity Social Engineering
• Attack 30: Spoofing Attacks
  • Attack 30.1 Location and/or User Profile Spoof Sub–Attack
  • Attack 30.2 GPS Spoof Sub–Attack
• Attack 31: Attacking Viruses on the Run in Factories or PLCs

WARNINGS WHEN CONDUCTING SECURITY ATTACKS

• Security attacks must be done with the knowledge and approval of owners of the system and software
• Severe legal implications exist in this area
• Many of these attacks must be done in a lab (sandbox)
• In these attacks, I tell you conceptually how to “drive a car very fast (150 miles an hour) but there are places to do this with a car legally (a race track) and places where you will get a ticket (most public streets)”
• Be forewarned - Do not attack your favorite app on your phone or connected server without the right permissions due to the legal implications

WRAP UP

• I gave my top 10, but your attacks can and will be different
• Understanding your local context and error patterns is important (one size does NOT fit all)
• Attacks are patterns…you still must THINK and tailor

MOBILE ATTACK CLASSIFICATION

• Developer Attacks (unit/code testing)
• Control System Attacks
• Hardware-Software Attacks
• Mobile and Embedded Software Domain Attacks
• Time Attacks (Performance)
• Human User Interface Attacks
• Smart and/or Mobile Phone Functional App Attacks
• Mobile/Embedded Security Attacks
• Generic Attacks
  • Functional, mind mapping, and combinatorial tests

MORE ATTACKS (FROM SOFTWARE TEST ATTACKS TO BREAK MOBILE AND EMBEDDED DEVICES)

• Attack 1: Static Code Analysis
• Attack 2: Finding White–Box Data Computation Bugs
• Attack 3: White–Box Structural Logic Flow Coverage
• Attack 4: Finding Hardware–System Unhandled Uses in Software
• Attack 5: Hw-Sw and Sw-Hw signal Interface Bugs
• Attack 6: Long Duration Control Attack Runs
• Attack 7: Breaking Software Logic and/or Control Laws
• Attack 8: Forcing the Unusual Bug Cases
• Attack 9: Breaking Software with Hardware and System Operations
  • 9.1 Sub–Attack: Breaking Battery Power
• Attack 10: Finding Bugs in Hardware–Software Communications
• Attack 11: Breaking Software Error Recovery
• Attack 12: Interface and Integration Testing
  • 12.1 Sub–Attack: Configuration Integration Evaluation
• Attack 13: Finding Problems in Software–System Fault Tolerance
• Attack 14: Breaking Digital Software Communications
• Attack 15: Finding Bugs in the Data
• Attack 16: Bugs in System–Software Computation
• Attack 17: Using Simulation and Stimulation to Drive Software Attacks
• Attack 18: Bugs in Timing Interrupts and Priority Inversion
• Attack 19: Finding Time Related Bugs
• Attack 20: Time Related Scenarios, Stories and Tours
• Attack 21: Performance Testing Introduction
• Attack 22: Finding Supporting (User) Documentation Problems
  • Sub–Attack 22.1: Confirming Install–ability
• Attack 23: Finding Missing or Wrong Alarms
• Attack 24: Finding Bugs in Help Files
• Attack 25: Finding Bugs in Apps
• Attack 26: Testing Mobile and Embedded Games
• Attack 27: Attacking App–Cloud Dependencies
• Attack 28: Penetration Attack Test
  • Attack 28.1 Penetration Sub–Attacks: Authentication — Password Attack
  • Attack 28.2 Sub–Attack Fuzz Test
• Attack 29: Information Theft—Stealing Device Data
  • Attack 29.1 Sub Attack – Identity Social Engineering
• Attack 30: Spoofing Attacks
  • Attack 30.1 Location and/or User Profile Spoof Sub–Attack
  • Attack 30.2 GPS Spoof Sub–Attack
• Attack 31: Attacking Viruses on the Run in Factories or PLCs
• Attack 32: Using Combinatorial Tests
• Attack 33: Attacking Functional Bugs

SUMMARY: THANK YOU (IDEAS USED FROM)

• James Whittaker (attacks)
• Elisabeth Hendrickson (simulations)
• Lee Copeland (techniques)
• Brian Merrick (testing)
• James Bach (exploratory & tours)
• Cem Kaner (test thinking)
• Many teachers
• Generations past and future
• Books, references, etc.

BOOK LIST (MY FAVORITES)

• “Software Test Attacks to Break Mobile and Embedded Devices” – Jon Hagar, to be published in 2013
• “How to Break Software” James Whittaker, 2003
  • And his other “How To Break…” books
• “Testing Embedded Software” Broekman and Notenboom, 2003
• “A Practitioner’s Guide to Software Test Design” Copeland, 2004
• “A Practitioner’s Handbook for Real-Time Analysis” Klein et al., 1993
• “Computer Related Risks”, Neumann, 1995
• “Safeware: System Safety and Computers”, Leveson, 1995
• Honorable mentions:
  • “Embedded System and Software Validation” Roychoudhury, 2009
  • “Systems Testing with an Attitude” Petschenik, 2005
  • “Software System Testing and Quality Assurance” Beizer, 1987
  • “Testing Computer Software” Kaner et al., 1988
  • “Systematic Software Testing” Craig & Jaskiel, 2001
  • “Managing the Testing Process” Black, 2002

MORE RESOURCES

• www.stickyminds.com – Collection of test info
• www.embedded.com – info on attacks
• www.sqaforums.com - Mobile Devices, Mobile Apps - Embedded Systems Testing forum
• Association of Software Testing
  – BBST Classes http://www.testingeducation.org/BBST/
• Your favorite search engine
• Our web sites and blogs (listed on front page)