A few months ago I enjoyed my first online course. The topic? Security. Specifically, mobile devices security. More specifically, mobile devices security audits. As an Android developer I’m really concerned about security, not only as a developer, also as a user. And because I think that what I learned there can interest you I will try to explain it here. Probably it is too much content for only one post so I will divide it in two or three parts.
By the way, don’t do nothing stupid with the information I publish here. I’m not responsable of what you do with this information.They are some basics lessons, but enough to commit a cyber crime. Follow always the law 😉
Well, in this course I knew what is the Open Web Application Security Project (OWASP). It is an online foundation with a community which creates freely-available articles, methodologies, documentation, tools, and technologies in the field of digital security.I recommend you to take a look to their website, and also, if you are a mobile apps developer, take a look of these ten more commons vulnerabilities in mobile apps this year
What is a security audit?
When I talk about security audits here, I’m meaning toa manual measurable technical assessment of a system or application.
It’s a normal (and recommended) practise in many companies to contract the services of a group of auditors to check the security of different aspects of the company.This auditors will follow a methodology and their experience to inform the company about the risk of suffer an attack or have a security leak. So, the auditors should review all the devices, networks, but in this manual assessments is also included interviews with the staff, performs security vulnerability scans, the review of applications and operating system access controls, and the analysis of the physical access to the systems.
Then, the auditors will present a final report with all what they have found, the vulnerabilities and solutions for this vulnerabilities, if there are possible solutions.
From where to start?
To do that, the auditors should follow some steps. There are some methodologies that differ each other in the order of the steps, or some of them add more steps that others. But, all this methodologies have something in common, normallythey always share the three most important steps:
But before the auditor can start with the first step, it’s needed an authorization.
The different between do this process legally or illegally it lies in the authorization. Who has to give it? The owner of the devices and infrastructure that has to be audited, in this case the company.
So, before to start with the information gathering, the auditors should have from their client a complete and clear authorization, and they also should know “the rules of the game”.
“The rules of the game”
When I mention “the rules of the game” I’m referring to a document that the company provide to the auditors. In it the company explains all that files and folders where the auditors can access and take a look. It puts a limit to the auditors to check.
With the authorization in one hand and “the rules of the game” in the other hand, the auditors can start with the first phase of the process.
That part will be shown in the next post of this serie.
Process to have root privileges
But, again, to be able to start with the first step, previously the auditors should make one more things.
When we talk about mobile devices (smartphones and tablets), in general we talk about devices with limited privileges. The users can do many things, but if they want to have total control over all the aspects of the devices, they need root privileges. This is important. Without this rights, the auditors can’t access to the entire device, so they couldn’t do their jobs effectively. But, use a rooted device in our daily routine is something really dangerous. Not only because the user will lose the factory warranty, but if someone access to the device with root privileges, the intruder would have complete access to all the files, folders and processes of the device. So this can’t only produce a dangerous leak of information, to the user, but also to their friends and contacts.
That’s why the auditors, once they finish with the audit, should return all the devices to the old user privileges.
But meanwhile, with root access, they have free way to make a great audit.
In the next post, once the auditor has all the necessary to start, I will explain how continue with the audit.