Security audits in mobile devices (II)



In the last post I showed you the preliminary steps needed to start an audit with every guarantee of doing a good job. In this post the fun begins. As before, I will explain the basics of the next phases of the audit.


Information Gathering

After some attempts, yes, the auditors now have all the elements they need to start the audit.

In the information gathering phase, the auditors should go through every directory and look at every file they think may tell them something.

After this part, the auditors should have a detailed record of everything the device holds. This information will be useful in the next steps. But what can we find by doing this?

Here is an easy example. Let's say we want to know which WiFi networks the phone has connected to. With root privileges we can go to /data/misc/wifi/wpa_supplicant.conf, where we find a list of all the WiFi connections, with the name of each network and its password.

In the terminal we navigate to the right folder
A lot of information about the WiFi connections
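To show what an auditor actually extracts from that file, here is an added example (not code from the original post) that parses the network={...} blocks of a wpa_supplicant.conf and produces the rows that belong in the report: the SSID, the authentication type and whether a key is stored, with the key itself masked so the report does not become a second copy of the passwords. The sample configuration is constructed here with fictitious network names and keys.

```python
import re

# Constructed sample in the format of /data/misc/wifi/wpa_supplicant.conf.
# The network names and keys are fictitious; nothing here comes from a real device.
SAMPLE_CONF = """\
ctrl_interface=/data/misc/wifi/sockets
update_config=1

network={
\tssid="HomeNetwork"
\tpsk="correct horse battery staple"
\tkey_mgmt=WPA-PSK
\tpriority=2
}

network={
\tssid="CoffeeShop"
\tkey_mgmt=NONE
}

network={
\tssid="Office"
\tpsk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
\tkey_mgmt=WPA-PSK
}
"""

# One match per network={ ... } block; the bodies never contain a closing brace.
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)


def parse_wpa_supplicant(text):
    """Return one dict per network block, keyed by the fields inside it (quotes stripped)."""
    networks = []
    for body in BLOCK_RE.findall(text):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def summarize_for_report(networks):
    """Keep what the report needs and mask the key: the finding is that a key is stored,
    not the key itself. Open networks (key_mgmt=NONE) are flagged separately."""
    rows = []
    for n in networks:
        key_mgmt = n.get("key_mgmt", "unknown")
        rows.append({
            "ssid": n.get("ssid", "<no ssid>"),
            "key_mgmt": key_mgmt,
            "stored_key": "yes (redacted)" if "psk" in n else "no",
            "open_network": key_mgmt.upper() == "NONE",
        })
    return rows


if __name__ == "__main__":
    for row in summarize_for_report(parse_wpa_supplicant(SAMPLE_CONF)):
        print(row)
```

On a real device the text would come from the file read with root privileges (for example over adb); the parsing and the redaction are the same.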

Almost all apps save the information they need in an internal database. These databases are accessible if the device has root permission, so the auditor can also see conversations, contacts, telephone numbers, messages, etc.
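An auditor rarely reads those databases row by row at first; the useful first pass is an inventory of what each database contains, so the report can say which app stores personal data and how much. The following is an added example, not code from the original post: it builds a constructed messaging-app style SQLite database (standing in for a file pulled from an app's databases directory) and then lists every table with its row count and the columns whose names suggest personal data. The column-name patterns are a constructed starting point, not an exhaustive list.

```python
import os
import re
import sqlite3
import tempfile

# Column names that usually hold personal data in an app database (constructed list).
SENSITIVE_PATTERNS = re.compile(
    r"(phone|number|msisdn|email|password|passwd|pin|token|secret|address|body|message)",
    re.I,
)


def build_sample_db(path):
    """Create a constructed database resembling what a messaging app keeps on the device."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, display_name TEXT, phone_number TEXT);
        CREATE TABLE messages (id INTEGER PRIMARY KEY, contact_id INTEGER, body TEXT, sent_at INTEGER);
        CREATE TABLE settings (key TEXT, value TEXT);
        INSERT INTO contacts VALUES (1, 'Alice Example', '+10000000001');
        INSERT INTO contacts VALUES (2, 'Bob Example', '+10000000002');
        INSERT INTO messages VALUES (1, 1, 'meeting at 10', 1700000000);
        INSERT INTO messages VALUES (2, 2, 'see attached', 1700000100);
        INSERT INTO messages VALUES (3, 1, 'ok', 1700000200);
        INSERT INTO settings VALUES ('auth_token', 'constructed-token-value');
    """)
    con.commit()
    con.close()


def inventory_sqlite(path):
    """List every user table with its row count and the columns that look like personal data."""
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        report = []
        for t in tables:
            # Identifiers come from sqlite_master; quote them anyway for safety.
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
            count = con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
            report.append({
                "table": t,
                "rows": count,
                "sensitive_columns": [c for c in cols if SENSITIVE_PATTERNS.search(c)],
            })
        return report
    finally:
        con.close()


def run_demo():
    """Build the constructed database in a temporary directory and inventory it."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "app.db")
    build_sample_db(path)
    return inventory_sqlite(path)


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

Only the table names, counts and column names go into the report; the rows themselves are looked at only where the rules of the engagement allow it.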

The files' metadata are also a source of information for the auditor. There are tools that let them see where and when a picture was taken, or when a document was created, who created it, when it was last edited, and so on.

Some of the information the auditors can get from a file

All these files are information that the auditors should capture in the final report if the "rules of the game" allow it. If not, they simply don't look inside these directories.


In the last step the auditors took the device and made a deep search of all the interesting files. With all that information in the report, the auditors move on to the next phase, the dynamic analysis. In this phase they do two things: a services analysis and a vulnerabilities analysis.

But what is a service in this context? In the end, what the auditors do here is a port scan. With some tools they find out which ports are open. There are ports that, by default, are used for things like a web server (HTTP), a mail server (SMTP) or a name server (DNS). Those are services, and people can run other kinds of services on other ports when needed. For example, the communication between the iPhone and iTunes music sharing is made using port 3689. Here you have an example of the ports used by Apple:

Apple ports documentation

Service analysis. Why?

By doing a services analysis the auditors find out whether the device has any open port and why that port is open. In the case of Android, by default, all ports should be closed.

This is important because, if the device has an open port, someone with bad intentions can use it to get into the device. Then, if the device is rooted, this person has complete access to it, and there is a lot of information there. This person can also use some vulnerability to get root privileges and take whatever he or she wants. But even if the device is not rooted, this person can still access plenty of information like pictures, music, documents, etc.

If the device hasn't been compromised, this step won't give us much information. But the auditor always has to check it.

Here is an example of a scanner when the device has some open ports
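The point of the services analysis is not the list of open ports by itself but the comparison with what should be open, which for a stock Android device is nothing. The following is an added example, not code from the original post or from any scanner it mentions: a small TCP connect scan of a host and a baseline comparison that names the usual service for each port and marks every port outside the agreed baseline as a finding. The service table is a constructed subset built from the ports this post names (HTTP, SMTP, DNS and Apple's 3689); the throwaway listener exists only so the demo has something to find on the local machine.

```python
import socket
import threading

# Constructed subset of well-known ports: the ones named on this page plus HTTPS.
KNOWN_SERVICES = {
    25: "SMTP (mail server)",
    53: "DNS (name server)",
    80: "HTTP (web server)",
    443: "HTTPS (web server)",
    3689: "DAAP (iTunes music sharing)",
}


def scan_ports(host, ports, timeout=0.5):
    """TCP connect scan: return the sorted list of ports that accept a connection."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def compare_to_baseline(open_ports, expected_open=frozenset()):
    """Label each open port with its usual service and whether the baseline allows it.
    For a stock Android device the baseline is empty, so every open port is a finding."""
    return [
        {
            "port": port,
            "service": KNOWN_SERVICES.get(port, "unknown (identify the listening process)"),
            "expected": port in expected_open,
        }
        for port in open_ports
    ]


def start_test_listener(host="127.0.0.1"):
    """Demo only: open a listener on an OS-chosen local port and accept-and-close connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break  # listener was closed

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    srv, port = start_test_listener()
    found = scan_ports("127.0.0.1", [port])
    for finding in compare_to_baseline(found):
        print(finding)
    srv.close()
```

In an audit the host is the device under test, the port list is the full range the engagement covers, and the baseline is whatever the client has documented as intentionally exposed; anything else goes in the report together with the process that owns the port.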

Then comes the vulnerability scan. To do this the auditor will use tools that automate the task. Nessus and OpenVAS are two very well-known PC tools for this purpose. The auditor can also use tools like Belarc Security Adviser directly on the device. After using some of these tools they get a list of security risks: known vulnerabilities the device may suffer from, either in the operating system, in some app, or both.

To complete this part, the auditor should research on the internet any other known vulnerability in the installed apps or in the operating system. No software version is completely free of bugs. All these vulnerabilities should also go in the final report, with some information about each one and, if one exists, a solution.
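The manual research step comes down to matching the inventory of installed versions against the advisories found for each package, and the usual mistake is comparing versions as strings. Here is an added example, not code from the original post: a version comparison done numerically per component, and a check of a constructed inventory against a constructed advisory list. The advisory ids are placeholders and the package names are fictitious; in a real audit both come from the device inventory and from the vendor's and public advisory databases.

```python
import re

# Constructed inventory recorded from the device: package -> installed version.
INSTALLED = {
    "com.example.chat": "2.3.1",
    "com.example.browser": "10.0.5",
    "android.os": "4.4.2",
}

# Constructed advisories with placeholder ids; "affected_below" is the first fixed version.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "com.example.chat", "affected_below": "2.4.0",
     "summary": "stored messages readable by other apps", "fix": "update to 2.4.0 or later"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "com.example.browser", "affected_below": "10.0.5",
     "summary": "script injection in page rendering", "fix": "update to 10.0.5 or later"},
    {"id": "ADVISORY-PLACEHOLDER-3", "package": "android.os", "affected_below": "4.4.3",
     "summary": "local privilege escalation", "fix": "vendor OS update; mitigate if unsupported"},
]


def version_key(version):
    """Numeric components of a version string, so 10.0.5 sorts after 9.9.9."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def is_older(a, b):
    """True if version a is strictly older than b; missing trailing components count as 0."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))


def find_vulnerable(installed, advisories):
    """Return a report entry for every advisory whose package is installed in an affected version."""
    findings = []
    for adv in advisories:
        current = installed.get(adv["package"])
        if current is None:
            continue  # package not on the device
        if is_older(current, adv["affected_below"]):
            findings.append({
                "id": adv["id"],
                "package": adv["package"],
                "installed": current,
                "fixed_in": adv["affected_below"],
                "summary": adv["summary"],
                "solution": adv["fix"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(INSTALLED, ADVISORIES):
        print(finding)
```

Each finding already carries the two things the post asks for in the report: a description of the problem and, where one exists, the solution.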

Although it may seem a short post, this part is probably the longest phase of an audit. The professional should dig deep so as not to leave anything behind. It can be tedious work with old devices full of information.

In the next post I will tell you how to finish an audit and what conclusions both auditor and client can draw from it. See you there!