以系統化之方式滲透測試行動裝置

Abstract

近幾年來，行動技術的蓬勃發展，帶動了行動裝置與智慧型手機的普及程度。人們對智慧型手機的重度依賴，使得智慧型手機逐漸成為網路駭客覬覦的攻擊目標。由於行動裝置與智慧型手機搭載了和桌上型電腦相似的作業系統，因此這些裝置也面臨了與桌上型電腦類似的威脅。為了保護行動裝置免受駭客攻擊，在裝置出廠前，模擬駭客實際攻擊的滲透測試(Penetration Testing) 方法，常被用來評估行動裝置的安全性。因為行動裝置的安全問題逐漸受到各界重視，專家學者也開始對行動裝置滲透測試提出了不同的測試方法、流程與細節。然而，這些針對行動裝置所設計的滲透測試方法卻缺乏系統化、全面性的分析程序。早在行動裝置安全受到威脅時，多年前，許多組織 就針對電腦裝置的滲透測試提出不同的系統性分析方法，包括NIST 的GNST、OISSG 的ISSAF 等等。因此，在這篇論文之中，我們分析前述方法，並以ISSAF 為基礎，提出了一套針對行動裝置的系統化滲透測試分析方法，簡稱為MoSAF，以利測試者對行動裝置進行全面性的滲透測試與分析。以MoSAF 為基礎，我們也針對行動裝置，設計了詳細的評估流程與步驟，除了滲透手法外，也分別針對行動應用程式與裝置配置，進行靜態與動態分析，以提升行動裝置的安全度。在這篇論文中，我們以Android 智慧型手機作為測試平台，設計一系列的滲透測試實驗，並說明本論文所提出之MoSAF 與其評估流程如何提供系統化、全面性的滲透測試分析。同時，我們也分析其他行動裝置的滲透測試技巧，說明其不足之處，以及如何利用MoSAF 與其評估流程改善現有技巧之不 足處。

Advanced of modern technologies, mobile devices and smart phones are widely deployed and ubiquitous anywhere at any time. Recently, mobile devices have been attacked due to their desktop-like operating systems, hence mobile devices have faced similar threats as desktop computers. Researchers studied several skills to penetrate and evaluate the security of a mobile device, but neither a systematic procedure nor a full resolution is provided based on these skills. Such penetration tests examine robustness of a computing device by launching or simulating attacks from the position of a potential attacker. This kind of testing technologies have been widely adopted to ensure the security of a computing device or a network. To systematically analyze the security of a computing device, NIST and OSSIG proposed several testing methodologies, including GNST, ISSAF, etc. However, these methodologies are not designed for a mobile device. In this paper, we modify ISSAF to support penetration tests for a mobile device. Based on the ISSAF modification (MoSAF), we design an nine-step assessing flow to systematically penetration test a mobile device. In addition to the steps of external penetration, we also design the internal vulnerability checks to statistically and dynamically analyze mobile applications and configurations used in the mobile device. Taking Android mobile devices as testing targets, we conduct a series of experiments to demonstrate how MoSAF and its assessing flow can be used in providing a systematic and complete penetration test for a mobile device. Moreover, we analyze the insufficiency of the existing penetration testing skills for mobile devices and show the improvements after applying MoSAF and its assessing flow.