Trusteer Mobile for iOS and Android Security Testing Guide
Version 1.6
May 2014
-
Contents
1. Overview
2. Security Testing on an iOS Device
   Installation on an iOS Device
   Trusteer Cydia Repository
   Testing Security Requirements
      Testing Jailbreak Detection
      Testing Malware Detection
3. Security Testing on an Android Device
   Installation on an Android Device
   Android Debug Bridge (adb)
   Testing Security Requirements
      Testing Rooted Detection
      Testing Pharming Protection
      Testing Malware Detection
      Testing Wi-Fi Protection
Trusteer Mobile for iOS and Android | ii Security Testing Guide Version 1.6 Copyright 2014 Trusteer, an IBM Company
-
1. Overview
This document is intended for security architects interested in evaluating the Trusteer
Mobile application for the financial sector running on an iOS or Android device.
Security Solution Detection Requirements
The Trusteer Mobile App provides the following detection capabilities in order to
enable a secure online mobile banking session.
1. Detect and alert for a rooted/jailbroken device.
2. Detect and alert for malware on the device.
3. Block pharming techniques used against online banking customers. It is
important to block the technique as opposed to blocking specific malware
since the technique can be used by unknown malware. Due to the large
number of techniques, the solution should be able to block at least those that
are commonly used by malware authors.
4. Detect that a non-secure Wi-Fi connection is in use.
5. Detect when the OS is out of date.
The following link provides information about which operating systems are supported:
http://www.trusteer.com/support/supported-platforms
Note: The Trusteer Mobile App does not currently work on devices that use an Atom processor.
2. Security Testing on an iOS Device
Installation on an iOS Device
To install the Trusteer Mobile app on your iOS device using the iTunes App Store:
1. Verify that your device is running a supported version of iOS:
http://www.trusteer.com/support/supported-platforms
a. Select Settings.
b. Select General.
c. Select About.
d. Scroll down to Version.
e. Verify version number.
2. On your iPhone, open the App Store.
3. Tap the Search tab.
4. Enter Trusteer in the search box, then tap Search.
5. In the search results, tap Trusteer Mobile.
6. Tap FREE.
7. Tap INSTALL APP.
Your phone will prompt you for your App Store credentials.
8. Enter your user name and password.
The Trusteer Mobile App is installed.
9. Change the profile to the testing profile:
Note: Changing to the testing profile allows you to test your deployment before it is moved to the production environment. To revert to the normal profile, you can either clear the Trusteer Mobile app's application data, or uninstall and reinstall the app.
a. Open the application
b. Paste the following code in the browser address bar:
command:profile:UFJPVgABAABaAAAAUJ2UZKw1EUtPIBy2Y5WuBX9DtbKMiMXuXnrR2lwXWdpgmjdZ50bseCqlcX/3xjS8AONctkwurDYL907wBZxNo0EXWas1MRTnacCgvfSRtWt1/+ZvL4WG38Cm4DTh4v2IPNStR4Lfk/n0Nzce8AfgxF0qcl9xAF0GJ7xqrfFkehYwpZmDO53WnfHk9UY0B0sQ8GFqmxk6SHhoqS+osRsYu/o5UC+RWgd3lL7cyAQEu9BXfVIwIDs2MMmk7p1Nd60d1XLIBVPYqC48ZiMkjJ/l2cpYnTOrW67OfgfUfFCZ0iXdAtWc9l0iD+Pyp6X+YGMhZNwSTgrZVy+QvtQbz8hzAXsKCSJ2YWx1ZXMiOiB7CgkgICAgIm9yaWdpbiI6ICJtdGVzdCIKCSB9LAoJICJwcmVmcyI6IHsKCSAgICAiZHVlX2RhdGUiOiAiMjAxOS04LTE1IgoJIH0KfQ==
c. Make sure an approval message is received.
Trusteer Cydia Repository
To ease the testing tasks on jailbroken devices, Trusteer has a Cydia repository with
demo apps that simulate pharming and malware attacks.
Note: You must use a jailbroken device or emulator to run tests using the apps in the Cydia repository.
To add the repository:
1. Open Cydia.
2. Select Manage > Sources > Edit > Add.
3. Enter: http://www.trusteer-testing.com/cydia.
4. Add Source > Return to Cydia.
You now have the Trusteer Cydia repository available on your device.
To install test attack apps:
1. Open Cydia.
2. Select Search.
3. Enter Trusteer in the search box.
4. Choose the app to install.
5. Select Install > Confirm > Return to Cydia.
You now have the Trusteer test attack apps installed on your phone.
Testing Security Requirements
Tests are given in the following sections for testing the security requirements on an
iOS device.
Testing on iOS devices may include downloading apps from the Cydia repository, as
described in "Trusteer Cydia Repository" above.
Testing Jailbreak Detection
The following procedure explains how to test that the appropriate alert triggers when
entering a protected website with a jailbroken device.
To test Jailbreak Detection on iOS:
1. Use a jailbroken device.
2. Open the Trusteer Mobile app.
3. Navigate to a protected website, such as www.trusteer.com.
When you navigate to a protected website the status of the device is sent to
the Trusteer servers. The status can be checked through the Trusteer
Management Application (TMA), as described in the following steps.
4. Copy your device's Agent Key.
a. Tap the Trusteer icon (at the top right of the window).
b. Tap Help and Support.
c. Tap About.
d. Tap the Copy button next to the Agent Key.
5. Send yourself an email containing the Agent Key:
a. Open your mail client on your iPhone.
b. Create an email to yourself.
c. Paste the Agent Key into the body of the email.
d. Send.
6. On a PC, navigate to the TMA and log in.
a. The demo TMA website can be accessed through this link:
https://mtest.trusteer.com
b. Log in using username=securitester and password=mobileRox
7. Click on Assessment > Agent Status.
8. Enter the Agent Key for the device that you want to check (which you sent
to yourself in the email).
9. Click Search.
10. Verify the device status, which is displayed next to Machine Infection.
Testing Malware Detection
To test Malware Detection on iOS:
1. Install the malware iKee.B by installing the app Trusteer Malware Demo from the
Trusteer Cydia repository. This is weakened malware that cannot cause
damage to your device.
Refer to "Trusteer Cydia Repository" above for installation instructions.
2. Open the Trusteer Mobile app.
3. Go to a protected website, such as www.trusteer.com.
When you navigate to a protected website the status of the device is sent to
the Trusteer servers. The status can be checked through the Trusteer
Management Application (TMA), as described in the following steps.
4. Copy your device's Agent Key.
a. Tap the Trusteer icon (at the top right of the window).
b. Tap Help and Support.
c. Tap About.
d. Tap the Copy button next to the Agent Key.
5. Send yourself an email containing the Agent Key:
a. Open your mail client on your iPhone.
b. Create an email to yourself.
c. Paste the Agent Key into the body of the email.
d. Send.
6. On a PC, navigate to the TMA and log in.
a. The demo TMA website can be accessed through this link:
https://mtest.trusteer.com
b. Log in using username=securitester and password=mobileRox
7. Click on Assessment > Agent Status.
8. Enter the Agent Key for the device that you want to check (which you sent
to yourself in the email).
9. Click Search.
10. Verify the device status, which is displayed next to Machine Infection.
Note: When you are finished with this test you should remove the test attack app from your device.
3. Security Testing on an Android Device
Installation on an Android Device
To install the Trusteer Mobile app on your Android device:
1. Verify that your device is running a supported version of Android:
http://www.trusteer.com/support/supported-platforms
a. Select Settings.
b. Select About phone.
c. Scroll to the Android Version and verify that it is supported.
2. On your PC, navigate to the Google Play Store, using the following link:
https://play.google.com/store.
Note: These installation instructions are given assuming that you are using your PC. You can also install the Trusteer Mobile app by accessing the Google Play Store through your mobile Android device.
3. Enter Trusteer in the search box, then click on the search button.
4. In the search results, find Trusteer Mobile and click on the INSTALL button
next to it.
5. Next to Send To, select the mobile device that you want to install it on.
6. Click INSTALL.
Your phone will download and install the Trusteer Mobile App.
7. Change the profile to the testing profile:
Note: Changing to the testing profile allows you to test your deployment before it is moved to the production environment. To revert to the normal profile, you can either clear the Trusteer Mobile app's application data, or uninstall and reinstall the app.
a. Open the application
b. Paste the following code in the browser address bar:
command:profile:UFJPVgABAABaAAAAUJ2UZKw1EUtPIBy2Y5WuBX9DtbKMiMXuXnrR2lwXWdpgmjdZ50bseCqlcX/3xjS8AONctkwurDYL907wBZxNo0EXWas1MRTnacCgvfSRtWt1/+ZvL4WG38Cm4DTh4v2IPNStR4Lfk/n0Nzce8AfgxF0qcl9xAF0GJ7xqrfFkehYwpZmDO53WnfHk9UY0B0sQ8GFqmxk6SHhoqS+osRsYu/o5UC+RWgd3lL7cyAQEu9BXfVIwIDs2MMmk7p1Nd60d1XLIBVPYqC48ZiMkjJ/l2cpYnTOrW67OfgfUfFCZ0iXdAtWc9l0iD+Pyp6X+YGMhZNwSTgrZVy+QvtQbz8hzAXsKCSJ2YWx1ZXMiOiB7CgkgICAgIm9yaWdpbiI6ICJtdGVzdCIKCSB9LAoJICJwcmVmcyI6IHsKCSAgICAiZHVlX2RhdGUiOiAiMjAxOS04LTE1IgoJIH0KfQ==
c. Make sure an approval message is received.
Android Debug Bridge (adb)
Testing on Android can be conducted on a device or on an emulator. Testing may
require the use of the Android Debug Bridge (adb) which is a command line tool that
enables communication with a device or emulator. More information on the adb can
be found at http://developer.android.com/tools/help/adb.html.
Testing Security Requirements
Tests are given in the following sections for testing the security requirements on an
Android device.
Testing Rooted Detection
The following procedure explains how to test that the appropriate alert triggers when
entering a protected website with a rooted device.
To test rooted detection on Android:
1. Use a rooted device or an emulator.
2. Open the Trusteer Mobile app.
3. Navigate to a protected website, such as www.trusteer.com.
A security alert regarding the rooted device appears.
Note: When you run this test, you may get a message asking you to allow root permissions. If this message appears, you can click on Deny to dismiss it.
Testing Pharming Protection
In a pharming attack, the fraudster redirects the client to a phishing website of the
bank by tampering with the Domain Name System (DNS). Note that this website can
be connected in real time to the bank's website in order to bypass strong two-factor
authentication systems. In this scenario, even if the login process requires information
from external devices, the phishing website can ask for the same information from the
customer and relay this information to the bank's website.
The product should be able to protect the customer if the bank's website IP address is
different from the IP address in the pre-configured/Trusteer DNS service.
To test for a pharming attack on Android:
1. Modify the /etc/hosts file on the device using adb.
   adb connect <device-ip>:<port>   # or adb usb.
   adb remount
   adb pull /etc/hosts hosts   # hosts file backup.
   adb shell
   echo "184.168.186.22 yourbankhere.com" >> /etc/hosts
   cat /etc/hosts   # Verify that the line is there.
2. Run the native web browser app.
3. Enter the URL: yourbankhere.com
The fraudulent website appears.
4. Verify that you have reached the fraudulent website. The title of the webpage
is:
YourBankHere.com - Welcome! (fraudulent)
5. Open the Trusteer Mobile app.
6. Add a new website: yourbankhere.com
Note: If an alert warns about unsupported secure communication (SSL), press Yes.
7. Open the newly added website.
The genuine site appears.
8. After verifying that the pharming protection works, restore the hosts file by
running the adb command:
adb push hosts /etc/hosts
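The following check is an added example and is not part of the Trusteer guide. It scans a hosts file pulled from the device (for example with "adb pull /etc/hosts hosts") and lists every entry that pins a watched banking domain or one of its subdomains to a fixed address, so you can confirm that the test entry is present before the test and gone after the restore. The function names find_host_overrides and sample_hosts are hypothetical, and the sample file is constructed; only the yourbankhere.com entry comes from the procedure above.

```shell
#!/bin/sh
# Constructed sample of a device hosts file (not real device output).
sample_hosts() {
    cat <<'EOF'
127.0.0.1 localhost
# 10.0.0.1 yourbankhere.com   (commented out, must be ignored)
184.168.186.22 yourbankhere.com
184.168.186.22 WWW.YourBankHere.com login.example.test  # two names on one line
10.1.1.1 notyourbankhere.com
EOF
}

# find_host_overrides HOSTS_FILE DOMAIN...
# Prints "address hostname" for each entry that maps a watched domain,
# or any subdomain of it, to a static address. Use "-" to read stdin.
find_host_overrides() {
    hosts_file=$1
    shift
    awk -v watched="$*" '
        BEGIN { n = split(tolower(watched), dom, " ") }
        {
            sub(/#.*/, "")        # strip trailing comments
            gsub(/\r/, "")        # tolerate CRLF line endings
            if (NF < 2) next      # blank line, or address without a name
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                for (d = 1; d <= n; d++) {
                    suffix = "." dom[d]
                    # Exact match, or a true subdomain (label boundary
                    # enforced by the leading dot in the suffix).
                    if (name == dom[d] ||
                        (length(name) > length(suffix) &&
                         substr(name, length(name) - length(suffix) + 1) == suffix))
                        print $1, name
                }
            }
        }' "$hosts_file"
}

# Demo on the constructed sample; on a real test run use the pulled file:
#   find_host_overrides hosts yourbankhere.com
sample_hosts | find_host_overrides - yourbankhere.com
```

An empty result after "adb pull /etc/hosts hosts" following step 8 confirms that the override was removed from the device.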
Testing Malware Detection
To test malware detection on Android:
1. Use a rooted device.
2. Install the malware.
SPITMO malware can be downloaded from:
https://trusteer.exavault.com/share/view/tnu-b8q7rpai
The password on the zip file is "infected". It is packaged as com.antivirus.kav,
application name: Kav Antivirus 2011. SPITMO malware monitors incoming SMS
messages and steals mTAN authentication messages.
To install the malware manually, connect to your device with adb and install
the APK file from your computer:
   adb connect <device-ip>:<port>   # or adb usb.
   adb install <path>/kav.apk
3. Open the Trusteer Mobile app.
4. Go to a protected website, such as www.trusteer.com.
A security alert regarding malware on the device appears.
Testing Wi-Fi Protection
To test Wi-Fi protection on Android:
1. Change your Wi-Fi router to not require authentication for access.
2. Open the Trusteer Mobile app.
3. Navigate to a protected website, such as www.trusteer.com.
A security alert regarding a non-secure Wi-Fi connection appears.
Note: When you are finished with this test you need to restore your Wi-Fi router to use authentication.