K4 Keynote
4/28/17 3:15 PM
Rooting Your Devices to Test Outside the Box
Presented by:
Alan Crouch
Coveros, Inc.
Brought to you by:
350 Corporate Way, Suite 400, Orange Park, FL 32073 · 888-268-8770 · www.techwell.com
Alan Crouch
Coveros, Inc.
Alan Crouch is a director of mobile testing with Coveros, Inc., which helps companies build better applications using agile, DevOps, and security best practices. Alan works with C-level and senior management at private companies and federal agencies to transform and adopt a more "mobile-first" approach to information technology. Alan has worked with Departments of Homeland Security, Defense, and Health and Human Services; Symantec; and mobile start-ups to build and test Android, iOS, and responsive web applications. His passion is the intersection of mobile testing and information security. Spare time finds Alan traveling the globe and creating adventures for his son and daughter. Follow Alan on Twitter @RealAlanCrouch or on LinkedIn.
4/6/17
© COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED.
Agility. Security. Delivered.
Rooting Your Devices to Test Outside the Box
Alan R. Crouch @RealAlanCrouch
Mobile Dev + Test 2017
San Diego, CA
Agenda
• What’s Happening in the World of Mobile?
• What’s “Everyone” Else Doing (When It Comes to Mobile Testing)?
• Why Root When You Test?
• Leveraging Rooting to Test Outside the Box
What’s Happening in Mobile?
More Devices, More (User) Control
What’s Happening in Mobile?
More Operating Systems, More Versions!
What’s Happening in Mobile?
More Operating Systems, More Versions!
What’s Happening in Mobile?
More Apps, More Data, More Complexity!
What’s Happening in Mobile?
More Apps, More Data, More Complexity!
What’s Happening in Mobile?
Source: Red Hat Mobile Maturity Survey 2015
More Growth, More Market Saturation!
Mobile Growth Plans by Organization for 2016
What’s Happening in Mobile?
More Power, More Capabilities!
What’s “Everyone” Doing?
• Bad habits from the traditional application testing community have penetrated the mobile app testing community
• Poor Hiring and Training Practices
• Mobile test automation is no longer optional
What’s “Everyone” Doing?
• Status of Rooting in Mobile Testing:
  A) Bears – Curious Testers/Mother-Bears
  B) Ostriches – Testers Overcome by Fear or “Policy”
  C) Grump Cats – “I know better” Testers
Because I’m Morally Obligated
• Rooting does come with risks
  • Voided Warranty
  • Possibility of becoming “bricked”
• Is rooting illegal?
  • No
Why Root?
• Test real-world user scenarios more closely.
• Testing on a modified device can expose additional testing interfaces
• Advantages of Rooting:
  • Alter or replace system applications
  • Run specialized apps
  • Full customization
  • Access normally inaccessible data
  • Test Data Seeding
  • File Recovery
  • Enable/disable features
  • Modify/customize kernels
  • Mobile Security Testing
Why Root?
Number of Android Devices Rooted (World-Wide)
Rooted: 28% | Not-Rooted: 72%
Source: Tencent Study on Rooted Devices, 2015
• Just how many devices are rooted? How big is it?
• Proliferation is higher amongst the tech-savvy.
Why Root?
Source: Tencent Study on Rooted Devices, 2015
It’s just plain fun.
Root to Test Outside the Box
Root Access for Users and Apps
• SuperUser grants and manages apps’ ability to get root access.
• A rooted Android device won’t be as useful if apps don’t have root access. To fix this problem, make sure you install SuperUser soon after rooting your device. This will automatically force apps to ask permission to establish root privileges.
Root to Test Outside the Box
Location/GPS Spoofing
• Apps like Fake GPS or Lockito allow you to not only change your GPS location but also build in itineraries.
• By adding a rooted app like “Lucky Patcher” or Xposed you can make Fake GPS a System App and override GPS Spoofing Detection
Root to Test Outside the Box
Automated Tasking
• Apps like Tasker allow you to set up automated tasks.
• By rooting your phone, Tasker can now perform tasks with root access, allowing it to do anything from:
  • Nightly resets to a “clean state”
  • Seeding test application data
  • Nightly backups of system and app data
  • Automated log access Archive
Root to Test Outside the Box
Network Traffic Analysis
• Apps like Shark for Root allow you to record network traffic and analyze just what data is being transferred over clear-text.
• Determine what sensitive data might be exposed from your app including:
  • Passwords
  • Keys
  • Personal Data
  • Sensitive “App” Information
Root to Test Outside the Box
Record and Playback of Touch Events
• Root apps that allow record and playback of touch events, such as RepetiTouch, can be a poor man’s automation tool
• Record and playback touch events with loops or built in response to outside stimuli (how to handle a phone call) to test “farming” or common actions in your mobile app
Root to Test Outside the Box
Modifying Local Data Storage
• There are many rooted apps that look at local data storage and shared preferences to allow you to test your apps.
• Determine what your app has stored where and what you might be able to hack.
• Change your states (level, permissions etc.)
• Explore privacy violations on disk
• Recover passwords
• Give yourself lots of “free” gold or in-game currency
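An added example, not part of the original slides: one way to review what your own app has written to shared preferences once the file has been copied off a rooted test device. It flags stored secrets and client-side state (level, currency, permissions) that a root user could edit. The sample XML is constructed, and the key-name patterns are assumptions to tune for your app.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an app's shared_prefs file, as it would look once
# copied off a rooted test device (not taken from any real app).
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">tester01</string>
    <string name="password">hunter2-sample</string>
    <string name="api_key">SAMPLE-KEY-0000</string>
    <int name="player_level" value="3" />
    <long name="gold_balance" value="150" />
    <boolean name="is_admin" value="false" />
    <string name="theme">dark</string>
</map>
"""

# Key-name heuristics (assumptions, not an exhaustive list).
SECRET_RE = re.compile(r"pass(word|wd)?|secret|token|api_?key|pin", re.I)
STATE_RE = re.compile(
    r"level|gold|coin|currency|balance|admin|premium|role|permission", re.I)


def audit_prefs(xml_text):
    """Return sorted (key, type, finding) tuples for risky entries."""
    findings = []
    for entry in ET.fromstring(xml_text):
        key = entry.get("name", "")
        # <string> keeps its value as element text; other types use value="..."
        value = entry.text if entry.tag == "string" else entry.get("value")
        if not value:
            continue
        if SECRET_RE.search(key):
            findings.append((key, entry.tag, "secret stored in clear text"))
        elif STATE_RE.search(key):
            findings.append(
                (key, entry.tag, "client-side state a root user can edit"))
    return sorted(findings)


if __name__ == "__main__":
    for key, kind, finding in audit_prefs(SAMPLE_PREFS):
        print(f"{key:<14} <{kind}>  {finding}")
```

Each finding is a candidate for moving the value into hardware-backed key storage or validating it on the server instead of trusting the device.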
Root to Test Outside the Box
Deleted File Recovery
• Non-rooted apps may allow you to recover deleted files, but other file types are elusive to recover
• Recovery tools like Undeleter allow you to recover a variety of file types from all your partitions
  • Temp Data
  • Cached Data
  • Logs
  • Text Messages
Root to Test Outside the Box
Security Testing
• Native App Testing
  • Cert Validation testing with the “Xposed Framework” and “JustTrustMe”
  • Root-Detection Control testing
  • Xposed Detection controls
  • Fuzzing
  • API Vulnerability Testing
• Mobile Web App & Network
  • Wifi Crackers
  • Penetration Testing Mobile Web Apps
  • Automated Injection Attacks
Bugtroid · dSploit · DroidSQLi
Conclusion
• You can get away with mobile testing without rooting.
• You can catch bugs and build/test good products
• Rooting can help you elevate your testing capabilities:
  • TEST FASTER
  • TEST MORE
  • TEST DIFFERENTLY
  • HAVE FUN
Thank You
Alan R. Crouch
@RealAlanCrouch