
Trusteer Mobile for iOS and Android Security Testing Guide

    Version 1.6

    May 2014

Contents

1. Overview 3

2. Security Testing on an iOS Device 4
    Installation on an iOS Device 4
    Trusteer Cydia Repository 5
    Testing Security Requirements 6
    Testing Jailbreak Detection 6
    Testing Malware Detection 7

3. Security Testing on an Android Device 9
    Installation on an Android Device 9
    Android Debug Bridge (adb) 10
    Testing Security Requirements 10
    Testing Rooted Detection 10
    Testing Pharming Protection 11
    Testing Malware Detection 12
    Testing Wi-Fi Protection 13

    Trusteer Mobile for iOS and Android | ii Security Testing Guide Version 1.6 Copyright 2014 Trusteer, an IBM Company

1. Overview

This document is intended for security architects interested in evaluating the Trusteer Mobile application for the financial sector running on an iOS or Android device.

    Security Solution Detection Requirements

    The Trusteer Mobile App provides the following detection capabilities in order to

    enable a secure online mobile banking session.

    1. Detect and alert for a rooted/jailbroken device.

    2. Detect and alert for malware on the device.

    3. Block pharming techniques used against online banking customers. It is

    important to block the technique as opposed to blocking specific malware

    since the technique can be used by unknown malware. Due to the large

    number of techniques, the solution should be able to block at least those that

    are commonly used by malware authors.

    4. Detect that a non-secure Wi-Fi connection is in use.

    5. Detect when the OS is out of date.

    The following link provides information about which operating systems are supported:

    http://www.trusteer.com/support/supported-platforms

    Note: The Trusteer Mobile App does not currently work on devices that use an Atom processor.


2. Security Testing on an iOS Device

    Installation on an iOS Device

    To install the Trusteer Mobile app on your iOS device using the iTunes App Store:

    1. Verify that your device is running a supported version of iOS:

    http://www.trusteer.com/support/supported-platforms

    a. Select Settings.

    b. Select General.

    c. Select About.

d. Scroll down to Version.

    e. Verify version number.

    2. On your iPhone, open the App Store.

    3. Tap the Search tab.

    4. Enter Trusteer in the search box, then tap Search.

    5. In the search results, tap Trusteer Mobile.

    6. Tap FREE.

    7. Tap INSTALL APP.

    Your phone will prompt you for your App Store credentials.

    8. Enter your user name and password.

    The Trusteer Mobile App is installed.

    9. Change the profile to testing profile:

    Note: Changing to the testing profile allows you to test your deployment before it is moved to the production environment. To revert to the normal profile, you can either clear the Trusteer Mobile app's application data, or uninstall and reinstall the app.

a. Open the application.


b. Paste the following code in the browser address bar:

    command:profile:UFJPVgABAABaAAAAUJ2UZKw1EUtPIBy2Y5WuBX9DtbKMiMXuXnrR2lwXWdpgmjdZ50bseCqlcX/3xjS8AONctkwurDYL907wBZxNo0EXWas1MRTnacCgvfSRtWt1/+ZvL4WG38Cm4DTh4v2IPNStR4Lfk/n0Nzce8AfgxF0qcl9xAF0GJ7xqrfFkehYwpZmDO53WnfHk9UY0B0sQ8GFqmxk6SHhoqS+osRsYu/o5UC+RWgd3lL7cyAQEu9BXfVIwIDs2MMmk7p1Nd60d1XLIBVPYqC48ZiMkjJ/l2cpYnTOrW67OfgfUfFCZ0iXdAtWc9l0iD+Pyp6X+YGMhZNwSTgrZVy+QvtQbz8hzAXsKCSJ2YWx1ZXMiOiB7CgkgICAgIm9yaWdpbiI6ICJtdGVzdCIKCSB9LAoJICJwcmVmcyI6IHsKCSAgICAiZHVlX2RhdGUiOiAiMjAxOS04LTE1IgoJIH0KfQ==

    c. Make sure an approval message is received.

    Trusteer Cydia Repository

    To ease the testing tasks on jailbroken devices, Trusteer has a Cydia repository with

    demo apps that simulate pharming and malware attacks.

    Note: You must use a jailbroken device or emulator to run tests using the apps in the Cydia repository.

    To add the repository:

    1. Open Cydia.

    2. Select Manage > Sources > Edit > Add.

    3. Enter: http://www.trusteer-testing.com/cydia.

    4. Add Source > Return to Cydia.

    You now have the Trusteer Cydia repository available on your device.

    To install test attack apps:

    1. Open Cydia.

    2. Select Search.


3. Enter Trusteer in the search box.

    4. Choose app to install.

    5. Select Install > Confirm > Return to Cydia.

    You now have the Trusteer test attack apps installed on your phone.

    Testing Security Requirements

    Tests are given in the following sections for testing the security requirements on an

    iOS device.

    Testing on iOS devices may include downloading apps from the Cydia repository as

    described in Trusteer Cydia Repository (on page 5).

    Testing Jailbreak Detection

    The following procedure explains how to test that the appropriate alert triggers when

    entering a protected website with a jailbroken device.

    To test Jailbreak Detection on iOS:

    1. Use a jailbroken device.

    2. Open the Trusteer Mobile app.

    3. Navigate to a protected website, such as www.trusteer.com.

    When you navigate to a protected website the status of the device is sent to

    the Trusteer servers. The status can be checked through the Trusteer

    Management Application (TMA), as described in the following steps.

    4. Copy your device's Agent Key.

    a. Tap the Trusteer icon (at the top right of the window).

    b. Tap Help and Support.

    c. Tap About.


d. Tap the Copy button next to the Agent Key.

    5. Send yourself an email containing the Agent Key

    a. Open your mail client on your iPhone.

    b. Create an email to yourself.

    c. Paste the Agent Key into the body of the email.

    d. Send.

    6. On a PC, navigate to the TMA and login.

    a. The demo TMA website can be accessed through this link:

    https://mtest.trusteer.com

    b. Login using username=securitester and password=mobileRox

    7. Click on Assessment > Agent Status.

8. Enter the Agent Key of the device that you want to check (the key you sent to yourself in the email).

    9. Click Search.

    10. Verify the device status, which is displayed next to Machine Infection.

    Testing Malware Detection

    To test Malware Detection on iOS:

    1. Install the malware iKee.B by installing the app Trusteer Malware Demo from the

    Trusteer Cydia repository. This is a weakened malware which cannot cause

    damage to your device.

    Refer to Trusteer Cydia Repository (on page 5) for installation instructions.

    2. Open the Trusteer Mobile app.

    3. Go to a protected website, such as www.trusteer.com.


When you navigate to a protected website the status of the device is sent to

    the Trusteer servers. The status can be checked through the Trusteer

    Management Application (TMA), as described in the following steps.

    4. Copy your device's Agent Key.

    a. Tap the Trusteer icon (at the top right of the window).

    b. Tap Help and Support.

    c. Tap About.

    d. Tap the Copy button next to the Agent Key.

    5. Send yourself an email containing the Agent Key

    a. Open your mail client on your iPhone.

    b. Create an email to yourself.

    c. Paste the Agent Key into the body of the email.

    d. Send.

    6. On a PC, navigate to the TMA and login.

    a. The demo TMA website can be accessed through this link:

    https://mtest.trusteer.com

    b. Login using username=securitester and password=mobileRox

    7. Click on Assessment > Agent Status.

8. Enter the Agent Key of the device that you want to check (the key you sent to yourself in the email).

    9. Click Search.

    10. Verify the device status, which is displayed next to Machine Infection.

    Note: When you are finished with this test you should remove the test attack app from your device.


3. Security Testing on an Android Device

    Installation on an Android Device

    To install the Trusteer Mobile app on your Android device:

    1. Verify that your device is running a supported version of Android:

    http://www.trusteer.com/support/supported-platforms

    a. Select Settings.

    b. Select About phone.

    c. Scroll to the Android Version and verify that it is supported.

    2. On your PC, navigate to the Google Play Store, using the following link:

    https://play.google.com/store.

    Note: These installation instructions are given assuming that you are using your PC. You can also install the Trusteer Mobile app by accessing the Google Play Store through your mobile Android device.

3. Enter Trusteer in the search box, then click on the search button.

    4. In the search results, find Trusteer Mobile and click on the INSTALL button

    next to it.

    5. Next to Send To, select the mobile device that you want to install it on.

    6. Click INSTALL.

    Your phone will download and install the Trusteer Mobile App.

    7. Change the profile to testing profile:

    Note: Changing to the testing profile allows you to test your deployment before it is moved to the production environment. To revert to the normal profile, you can either clear the Trusteer Mobile app's application data, or uninstall and reinstall the app.

a. Open the application.


b. Paste the following code in the browser address bar:

    command:profile:UFJPVgABAABaAAAAUJ2UZKw1EUtPIBy2Y5WuBX9DtbKMiMXuXnrR2lwXWdpgmjdZ50bseCqlcX/3xjS8AONctkwurDYL907wBZxNo0EXWas1MRTnacCgvfSRtWt1/+ZvL4WG38Cm4DTh4v2IPNStR4Lfk/n0Nzce8AfgxF0qcl9xAF0GJ7xqrfFkehYwpZmDO53WnfHk9UY0B0sQ8GFqmxk6SHhoqS+osRsYu/o5UC+RWgd3lL7cyAQEu9BXfVIwIDs2MMmk7p1Nd60d1XLIBVPYqC48ZiMkjJ/l2cpYnTOrW67OfgfUfFCZ0iXdAtWc9l0iD+Pyp6X+YGMhZNwSTgrZVy+QvtQbz8hzAXsKCSJ2YWx1ZXMiOiB7CgkgICAgIm9yaWdpbiI6ICJtdGVzdCIKCSB9LAoJICJwcmVmcyI6IHsKCSAgICAiZHVlX2RhdGUiOiAiMjAxOS04LTE1IgoJIH0KfQ==

    c. Make sure an approval message is received.

    Android Debug Bridge (adb)

    Testing on Android can be conducted on a device or on an emulator. Testing may

    require the use of the Android Debug Bridge (adb) which is a command line tool that

    enables communication with a device or emulator. More information on the adb can

    be found at http://developer.android.com/tools/help/adb.html.

    Testing Security Requirements

    Tests are given in the following sections for testing the security requirements on an

    Android device.

    Testing Rooted Detection

    The following procedure explains how to test that the appropriate alert triggers when

    entering a protected website with a rooted device.

    To test rooted detection on Android:

    1. Use a rooted device or an emulator.


2. Open the Trusteer Mobile app.

    3. Navigate to a protected website, such as www.trusteer.com.

A security alert regarding the rooted device appears.

    Note: When you run this test, you may get a message asking you to allow root permissions. If this message appears, you can click on Deny to dismiss it.

    Testing Pharming Protection

In a pharming attack, the fraudster redirects the client to a phishing website imitating the bank by tampering with the Domain Name System (DNS). Note that this website can be connected in real time to the bank's website in order to bypass strong two-factor authentication systems. In this scenario, even if the login process requires information from external devices, the phishing website can ask the customer for the same information and relay it to the bank's website.

The product should be able to protect the customer if the IP address resolved for the bank's website is different from the IP address returned by the pre-configured/Trusteer DNS service.
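The mismatch check described above, written out as an added example that is not part of the Trusteer guide or product: it parses a hosts file (a constructed sample in the shape the test step below produces) and compares the device's local answer for the bank hostname with a constructed stand-in for the pre-configured DNS answers. Hostnames and addresses are assumptions for illustration; the 203.0.113.0/24 range is a documentation range and is not routable.

```python
import ipaddress
from typing import Dict, Set

# Constructed sample hosts file, as it looks after the pharming test appends its line.
# Nothing here is real infrastructure; it exists only to exercise the check.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost   # inline comment is ignored
# line appended by the pharming test
184.168.186.22 yourbankhere.com www.yourbankhere.com
203.0.113.10   login.yourbankhere.com
"""

# Constructed stand-in for answers from the pre-configured/trusted DNS service.
TRUSTED_DNS: Dict[str, Set[str]] = {
    "yourbankhere.com": {"203.0.113.10", "203.0.113.11"},
    "www.yourbankhere.com": {"203.0.113.10"},
    "login.yourbankhere.com": {"203.0.113.10"},
}


def parse_hosts(text: str) -> Dict[str, Set[str]]:
    """Map each hostname in a hosts file to the set of addresses bound to it.
    Blank lines, '#' comments (full-line or inline) and malformed addresses are skipped,
    so a hand-edited or deliberately odd file cannot crash the check."""
    table: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # first field is not an IPv4/IPv6 address; ignore the line
        for name in names:
            table.setdefault(name.lower(), set()).add(addr)
    return table


def classify(hostname: str, local: Dict[str, Set[str]], trusted: Dict[str, Set[str]]) -> str:
    """Compare the device's local resolution of hostname with the trusted answer.
    'ok'       every local address is one the trusted service also returns
    'pharming' local resolution points somewhere the trusted service does not
    'unknown'  hostname is not overridden locally (ordinary DNS would be used)"""
    name = hostname.lower()
    local_addrs = local.get(name)
    if not local_addrs:
        return "unknown"
    if local_addrs - trusted.get(name, set()):
        return "pharming"
    return "ok"
```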


To test for a pharming attack on Android:

    1. Modify the /etc/hosts file on the device using adb.

    adb connect <device-ip>:<port>    # or: adb usb, for a USB-attached device (placeholder address)
    adb remount                       # make /system (where /etc points) writable
    adb pull /etc/hosts hosts         # back up the hosts file to the PC
    adb shell 'echo "184.168.186.22 yourbankhere.com" >> /etc/hosts'
    adb shell cat /etc/hosts          # verify that the line is there

    The single quotes matter: they keep the >> redirection inside the device shell. Without them the PC's own shell performs the redirection and appends the line to the PC's /etc/hosts (or fails on permissions) while the device file is left unchanged.

    2. Run the native web browser app.

    3. Enter the URL: yourbankhere.com

    The fraudulent website appears.

    4. Verify that you have reached the fraudulent website. The title of the webpage

    is:

    YourBankHere.com - Welcome! (fraudulent)

    5. Open the Trusteer Mobile app.

    6. Add a new website: yourbankhere.com

    Note: If an alert warns about unsupported secure communication (SSL), press Yes.

    7. Open the newly added website

    The genuine site appears.

    8. After verifying that the pharming protection works, restore the hosts file by

    running the adb command:

    adb push hosts /etc/hosts

    Testing Malware Detection

    To test malware detection on Android:

    1. Use a rooted device.

    2. Install the malware.


SPITMO malware can be downloaded from https://trusteer.exavault.com/share/view/tnu-b8q7rpai. The password on the zip file is "infected". It is packaged as com.antivirus.kav, application name: Kav Antivirus 2011. SPITMO malware monitors incoming SMS messages and steals mTAN authentication messages.

    To install the malware manually, connect to your device with adb and install

    the APK file from your computer:

    adb connect <device-ip>:<port>    # or: adb usb, for a USB-attached device (placeholder address)
    adb install <path-to>/kav.apk     # path on the PC where the extracted APK was saved

    3. Open the Trusteer Mobile app.

    4. Go to a protected website, such as www.trusteer.com.

A security alert regarding malware on the device appears.

    Testing Wi-Fi Protection

    To test Wi-Fi protection on Android:

    1. Change your Wi-Fi router to not require authentication for access.


2. Open the Trusteer Mobile app.

    3. Navigate to a protected website, such as www.trusteer.com.

A security alert regarding a non-secure Wi-Fi connection appears.

    Note: When you are finished with this test you need to restore your Wi-Fi router to use authentication.
