
How to perform “Penetration Test” for Smartphones

Mohamed Mohamed Anwer El-kassify


Student ID: elkassify2035100004
Network and Security Engineer
Alexandria, Egypt
Ebn_kassify@yahoo.com

Abstract— Smartphones have become a very important channel for business and personal communications. As more personal information migrates to mobile devices, hackers have increased chances to listen in on phone calls and intercept e-mails or documents. Smartphones are becoming more powerful and multifunctional, and are beginning to push other personal devices off the market. This will offer both viruses and virus writers more vulnerabilities to exploit.

This paper will show how companies are looking to mobilize their work, with the urge to push IT staff to use the same security standards and policies for managing smartphones as they do with other personal devices like laptops, which includes checking e-mail, accessing shared data, and remote connection to the company using VPN tunnels. There is a lot of work needed before smartphones truly become ready to join the organization's secure network services.

We will be focusing on how to perform the penetration test for smartphones, and will show the main phone vulnerabilities and suggest some applicable countermeasures. A smartphone penetration test assists you in identifying risks related to your organization's mobile devices. The paper also shows how smartphone penetration testing differs from usual laptop pen-testing to secure network access.

A smartphone penetration test [11] is a method of evaluating the security of these phones, including all contained features, by simulating an attack by a malicious hacker. This test requires analysis of the system for any weaknesses or vulnerabilities, focusing on gaining unauthorized access to tested phones and using that access to check whether the network services could be compromised or not.

I. INTRODUCTION

Nowadays cellular networks have become an important part of our critical information infrastructure. Smartphones are multifunction and very powerful devices; the more rapidly cellular companies deploy broadband data services, the more profitable an attack will be. Smartphones provide all the functionality of a computer; they are open to the same threats as a computer, including hackers, viruses, Trojans and worms. These threats find their way onto the mobile devices of unsuspecting users and from there can infect organization networks.

Smartphones will be used to connect to a business's network services, and in that case the network security is the responsibility of the organization's IT staff, not the phone users. On the other hand, security policies must be pushed from the top levels down. While training and awareness may be beneficial for users, to ensure that policies are correctly applied we should conduct penetration testing of the mobile devices.

Hackers have the chance to attack smartphones by performing activities such as spoofing, sniffing and spamming. There are several malicious applications in circulation, like worms such as SymbOS.Beselo, or the Trojans WinCE.Infojack [7] and the Skulls Trojan horse, which attack the content and functionality of mobile phones.

The question is whether the organization's security policy is applied to smartphones as it is to other PDAs like laptops. I think the answer will be NO, because most organizations are concerned about the required level of security only for laptops, because they are an important asset; organizations schedule periodic vulnerability assessments and penetration testing for laptops, and they forget about the more important devices like mobiles and smartphones.
This paper will discuss how to perform a penetration test for mobile devices, what the mobile vulnerabilities are, and what applicable countermeasures could be suggested.

II. PROBLEM STATEMENT

In this paper we address the problem of how to pen-test smartphones and what challenges face that test. When organizations and companies decide to use smartphones to increase the mobility of their employees, currently most organizations do pay attention to creating a security policy to set security rules and instructions for how to treat these smartphones, including coverage of all sides of smartphone security problems. Organizations must establish strong security policies to face risks and vulnerabilities, and conduct penetration testing.

Smartphone penetration testing faces some challenges. The most important challenge is the culture of treating a smartphone like other endpoints (laptops), because it has more risks than employees can imagine. Another challenge concerns the possibility of employees using personal devices to connect to the organization network and send e-mail while the organization has no control over employees' personal devices. Smartphones come in varied brands and various operating system platforms; each platform has its special vulnerabilities and threats. Smartphones have a lot of functions, like SMS to send text messages, Bluetooth for file transfer in a limited range, e-mail, WiFi (802.11) [2] used to connect to a hotspot or WLAN, and MMS to transmit pictures, audio files and video. Each function must be tested and evaluated during the penetration testing, and disabled if not required in the business environment.

Penetration testing must include attacks on smartphones while they are in use by employees and connected to organization services, and the phones must also be tested as if they had been lost or stolen, to check what the possibility is of extracting sensitive data and contact lists.

If organizations do not pay attention to securing device access, it will create a zombie or botnet smartphone, which an attacker will use to perform DDoS attacks on any target through the Internet or other mobile communication channels like SMS and MMS.

After solving the problem, we expect that the whole organization will create its security countermeasures for smartphone attacks, build a strong security policy, proceed with an awareness program for its employees, and perform periodic vulnerability assessment or penetration testing for phones to achieve the required security target.

III. BACKGROUND

Most smartphone functions and services are at risk, like messages, contacts, video, phone transcriptions, call history and sensitive documents. Most malware targeting smartphones has been acting as proof of concept rather than fully developed attack code. Malware damage includes screen distortion, disabling live applications, and shutdown of the phone.

Smartphones will be the new workstations for organization employees; by the end of 2012, 65% of all cell phones could be smartphones [3]. Smartphones are susceptible to the same threats as workstations or laptops. There are different smartphone platforms, like BlackBerry, Symbian (more than 40% of market share [6]), Windows Mobile, Apple's iPhone and Android; each smartphone OS has vulnerabilities that differ from those of the other OS types.

Smartphones support various operating systems: Android and iOS are based on Linux and Unix [5], but Windows Mobile is based on the Windows operating system. Thus the smartphone OS will be the major security issue for the pen-test team; this means smartphones will be affected by Windows and Linux vulnerabilities and exploits.

More than 50% of mobile malware are Trojans [7]. There are a few examples of smartphone malware threats that will have harmful effects, like information leakage, when deployed in a business environment [1].

1. WinCE.Infojack: The famous Trojan designed to target the Windows Mobile OS. It is able to disable Windows Mobile security features and run malicious code, plus transmit sensitive stored data to the intruder.
2. SymbOS.Yxes: A worm developed to spread through SMS sent to all organization employees' phone contact lists. In that case the malware would be digitally signed by a Symbian certificate, and the harmful effect of the worm is its ability to be installed on any Symbian smartphone without any warnings.

3. SymbOS.Beselo: The first worm that is distributed via Bluetooth and MMS channels, dressed in the common shapes and forms of Real Media, while in fact it is Symbian software. It can be distributed using multimedia memory cards. It spreads its harmful effect after infection by sending copies of itself to phone numbers taken from the user's phone contact list.

If a corporation deploys smartphones in its business, it must treat these devices like the other endpoints among its infrastructure hosts. The main usages of smartphones in a business environment are listed below:
• Organization's e-mail feature (MS Mobile Outlook)
• Organization's calendar service (Microsoft Exchange)
• Shared data systems (like MS SharePoint)
• Enterprise Resource Planning (ERP) systems
• Remote access to the organization's network using VPN connections or tunnels
• Applications dedicated to smartphones, like SMS notifications [1]

IV. RELATED WORK

Other researchers are concerned with the idea of securing smartphones in case they are lost or stolen, and with how to lock all data folders and encrypt credit card and bank account data; this does not cover the whole process of smartphone penetration testing and how it differs from testing other PDAs like laptops.

Other researchers participate in the creation of the Mobile Device Vulnerability Database (MDVD) [9], an online database for collecting vulnerability and countermeasure information on mobile computing technologies (smartphones, WiFi, Bluetooth, and more), which will help penetration testers to identify vulnerabilities and find countermeasures.

Similar smartphone security research focuses on attacks and vulnerabilities [8], like attacks from the Internet, infection from a compromised PC during data transfer, and peer smartphone attacks or infections.

But this paper has its own standard, as it shows the challenges of performing penetration testing and gives recommendations for a corporation to secure itself when deciding whether or not to deploy smartphones in order to increase mobility according to business needs.

Some research offers recommendations to secure smartphone usage, like using a VPN connection to access organization resources or services, and using antivirus. But it did not combine the risk of dangerous use of smartphones with the risk of their being lost or stolen. This paper introduces an integrated solution to secure phones in business usage and even in case they are lost or stolen.

V. PROPOSED SOLUTION

This section will explain how a corporation can establish penetration testing for smartphones, starting with treating smartphones like the other endpoints in the organization, searching for smartphone vulnerabilities and countermeasures, and differentiating between personal usage and business usage of phones.

Smartphone penetration testing will combine the required steps for testing in case the phone becomes a botnet or spreads infections to other devices, and in case it has been stolen or lost; it also considers whether these suggested steps are the same as for testing other PDA devices like laptops or not, and what the areas of similarity and dissimilarity in the test procedures are.

Smartphones are PDAs but are not treated as PDAs when conducting penetration testing. The following table (Table 1) shows the penetration testing steps for PDAs. Some steps are followed when testing laptops but not applied to smartphones due to carelessness; other steps are provided specially for smartphones and need not necessarily be followed when testing other PDAs like laptops.
| Pen-test steps | Check if always followed with PDA's test | Comments on Smartphone |
|---|---|---|
| Scan for active devices | Yes | Most organizations start their testing by scanning for live hosts, whether the host is a smartphone or a PC ("has an IP address"). |
| Identify if the device is personal or for business use | No | Some employees use their personal phones to connect to the network. Set a rule to force smartphones to pass a health check for OS and updates and run anti-malware before connecting, or prevent using any personal device for business usage by using a control list on the firewall. |
| Identifying the OS type | Yes | Smartphones have different OSes like BlackBerry, Symbian, Windows Mobile, Apple's iPhone and Android, which are based on Linux, Unix and Windows. |
| Vulnerability scan for each OS | Yes | Most vulnerability scanning tools will be limited to Windows, Linux and Unix, which are the most popular OSes for endpoints, ignoring other devices' OSes like Symbian and Android. |
| Comparing vulnerabilities with Mobile Device Vulnerability Database | No | A very important step to identify the vulnerabilities found, but most testers skip it because they do not pay attention to mobile vulnerabilities and do not treat the phone as an endpoint. |
| Check for login password complexity and encryption level | Yes | It is a normal procedure for testing laptops but is not completely applied when testing smartphones. |
| Scanning for running services of functions | Yes | Smartphones have different services, like Bluetooth, WiFi, SMS and MMS, which in most cases will not be totally scanned due to carelessness. |
| Identifying sensitive data | Yes | Most pen-testers check for sensitive data during their testing of PDAs; however, it will be different to check it on smartphones. |
| Extract address book and contact list | Yes | It is very important to check for the contact list and try to extract it, because there are types of worms or malware that extract that list and send it to intruders. |
| Look for stored passwords | Yes | It is checked with laptops but not actually with smartphones; passwords could be for a credit card or bank account. |
| Check for auto lock | No | Not checked by the pen-test team with all PDA devices, laptops and smartphones. |
| Sniffing of generated PDA's traffic | No | Smartphone data interception and sniffing is very risky; it must be controlled, and encryption tunnels used to eliminate its risk. |
| Extract data via Bluetooth | No | To simulate the effect of worms which use Bluetooth to send a copy to phone numbers taken from the employee's phone contact list. |
| Extract data via SMS | No | To simulate the effect of a worm developed to spread through SMS sent to all organization employees' phone contact lists. |
| Extract data via MMS | No | Test for unauthorized access to employees' multimedia files (photos, videos, software, sound files) via MMS; this test is never applied to the other PDAs. |
| Test MMS using fuzzing tool{ref} | No | Used to discover unknown vulnerabilities, such as a proof-of-concept remote code injection and execution exploit. |
| Extract information from application | Yes | Most pen-testers use it to test whether application configuration and credentials can be compromised by the attacker, who will then gain unauthorized access to the company's resources and services; but it is not totally followed when testing smartphones till now. |
| Look for encrypted files | Yes | Testing whether the sensitive data is well encrypted, to keep it safe in case of being sniffed, lost or stolen. |
| Check the web browser | Yes | Check the mobile web browser and trace whether the employee visits malicious websites, because that may lead the web browser to run an attacker's executable code. |

Table 1

Smartphones Security Countermeasures:

1. Enforce organization smartphone policy: Apply the smartphone usage policy to all of the company's employees, but it will be hard to enforce the policy on personal devices. In order to establish a corporate smartphone policy, we should understand the range of vulnerabilities facing smartphones. The varied nature of smartphones will affect the ratio of password compromises, hacks, and information theft. The smartphone security policy could force users to use complex and strong passwords to access the network services or even to log in to their phones, and require smartphone antivirus and anti-malware software updating.

2. Create an access control list to allow only business phones to connect to the organization's resources, and prevent other personal devices from connecting, to avoid the risks of infection or attacks.

3. Consider all smartphones as uncontrolled endpoints: Smartphone users' identities could be attacked, lost and stolen. Device identification uses serial number information to allow organizations to control their assets and associate a smartphone with a specific user. It also allows IT to gain remote control of all devices and disable them or erase all sensitive data.

4. Use a Host IDS for smartphones to detect all intrusions (signature-based and anomaly-based) and help to find the devices which are compromised by the same vulnerability; it can alarm the administrator to take the required action to prevent those kinds of attacks in the future.
5. Create a secure VPN tunnel (SSL) to access organization resources. A centralized SSL VPN acts as a secure gate for authenticated and encrypted browser-based access to organization network resources or gateways from different smartphone OSes (like Symbian, Windows, Android, BlackBerry and iOS).

6. Inclusively scan all smartphone traffic. To ensure securing network resources and protection from smartphone attacks, IT should deploy a firewall and Packet Inspection of Secure Socket Layer (DPI-SSL) technology for inspection of all smartphone traffic traversing the SSL VPN.

7. Use varied security software for the smartphone's OS, like antivirus and anti-malware, which may help in protecting the phone against most known attacks. Some security software may offer the possibility of remotely erasing or destroying the phone's memory and storage in case the device is stolen.

8. Maximize the throughput of the firewall to eliminate application latency [4]. Latency can be the reason for hack attacks. Security administrators must control smartphone application traffic. In this case, application control must be deployed in place in the network to report how much the smartphone's applications are utilized.

9. Force a rule to control opening MMS and e-mails: prevent opening all MMS and e-mail messages coming from unknown sources. In the case of SMS the situation is different, as most OSes open them automatically. We have to find some method to change the default setting of the smartphone OS.

10. Control traffic of smartphone applications: Most phones depend on Web 2.0 applications [10], and are especially disposed to their inveterate vulnerabilities. Also report upon application usage over the network.

11. Secure smartphone wireless access: Smartphones have WiFi for wireless communication, and WiFi is highly vulnerable to being hacked when connected to unencrypted WiFi hotspots. Security for corporate wireless must be at the same level as wired: apply an SSL VPN connection and deploy a comprehensive firewall for packet inspection.

12. Manage smartphone VoIP traffic: VoIP is not applied to all applications; it depends on the organization's communication platform. VoIP traffic is related to QoS, such as latency and packet loss ratio. VoIP bandwidth management will help in reducing bandwidth-consuming traffic.

13. Back up smartphone data frequently: Back up sensitive data like contact lists, which are very important to the company. If the list is lost or stolen, the data backup will help; in case the smartphone has been infected, IT staff may recover the default phone settings to fix the system and then restore the data backup.

14. Disable unused services like Bluetooth or WiFi when employees do not need them. These services are easy to exploit for sending malicious code or viruses. It is also possible that sensitive information could be sniffed when these features are enabled.

15. Training and awareness for employees, to instruct them in following the organization's security policy and to raise awareness of security concepts like using complex passwords to access their phones. Inform employees to be careful before following URLs, especially shortcuts or tiny versions of URLs, when receiving such from untrusted sources, because most fake URLs are phishing attacks, which may be very harmful for the organization if the gained data is used in social engineering attacks. Notify employees when vulnerabilities appear so they can take steps to protect themselves.

VI. EVALUATION AND RESULTS

Pen-test teams must pay attention to the danger of smartphone usage and add phones to their scope when conducting penetration testing for PDAs, focusing on phone functions and services, and adding the required steps matching the nature of phones to accomplish a successful test.

This paper makes use of the prior experience of other researchers (the Related Work section) to find a new integrated solution for pen-testers, like showing the value of the Mobile Device Vulnerability Database (MDVD) [9], which has been discussed in the Related Work section. But this paper offers a new usage for this database: creating a new signature-based Host IDS for smartphones to detect all vulnerabilities learned from the MDVD. The HIDS will be a great protective countermeasure for all smartphones, and security researchers must co-operate to accomplish that HIDS as fast as possible to secure smartphone business usage in different organizations.

This paper explains the required steps to conduct penetration testing for phones and offers applicable recommendations for securing a corporation from the risks of business usage of phones. Organizations have to add new rules and policies beside the currently existing rules to secure all PDAs, including smartphones.

VII. DISCUSSION

The proposed solution will work well in most cases, but there are exceptions. When an organization deploys a lot of brands of smartphones to connect to organization services, there will be a variety of running operating systems and different types of vulnerabilities, which will make it very difficult for the pen-test team to cover all vulnerabilities, exploits and fixes.

By the end of 2012, 65% of all cell phones could be smartphones [3], but till now most cell phones are not smartphones. So this paper will be very effective in the next two years.
Instructing employees to use complex passwords will be difficult where multiple letters are associated with each numeric key on a keypad (like press once for A, press twice for B). Many users would like to choose words that use the first (single-press) letters, and that logically reduces the number of possible passwords and makes them easier to crack by hackers or intruders, so it is recommended to use smartphones on which each letter has its separate key on the keypad.

The solution will perform less well than expected in case the organization's IT staff is not qualified enough to follow the rules and steps and pay attention to monitoring traffic and periodic backup of phone data, because most of the load and responsibilities will be handled by them.

VIII. CONCLUSIONS AND FUTURE WORK

In this position paper, we would like to warn the community of the dangers of potential smartphone vulnerability. As smartphones become small computers, viruses will originate to take advantage of an increasing number of available features and services. In case companies decide to use smartphones to increase the mobility of their employees, they must establish an updated security policy and conduct penetration testing for PDAs, including all smartphone devices. Organizations must treat smartphones like other endpoints. Penetration testing must cover two targets: the first is securing business usage of smartphones, and the other is securing phones in case they are lost or stolen.

We introduce a new testing technique for pen-testers in smartphone testing, with the required special steps and the steps common with other PDAs, and solve problems which the testing team may face during their project. We also offer many security countermeasures for using smartphones.

We have also outlined how an attacker could extract information gained from Bluetooth, SMS, and MMS attacks from a smudge attack to improve the likelihood of guessing a user's patterns. Smartphones have many operating systems and a lot of functions and services, and each service has its vulnerabilities and exploits, which may be used to send the user's data to attackers without the user even realizing the data leakage.

Future work could be developing new technologies, like working on the idea of generating host intrusion detection (HIDS) for smartphones, which will assist in securing the devices and also help administrators to take the appropriate action.

REFERENCES

[1] Artur Maj, Marek Janiczek, "Prevenity_Dangerous_smartphones"
[2] Pablo Brenner, "A Technical Tutorial on the IEEE 802.11 Protocol"
[3] Daniel V. Hoffman, "Smartphone Hacks and Attacks: A Demonstration of Current Threats to Mobile Devices"
[4] George Gerza, Simon Hill, "Establishing a Corporate Smartphone Policy for Security"
[5] Adrian Kingsley-Hughes, "iOS Usage Surpasses Linux by a Whisker"
[6] www.threatcenter.smobilesystems.com
[7] www.threatcenter.smobilesystems.com
[8] Chuanxiong Guo, Helen J. Wang, Wenwu Zhu, "Smart-Phone Attacks and Defenses"
[9] Wayne Jansen, Karen Scarfone, "Guidelines on Cell Phone and PDA Security (Draft)"
[10] Patrick Sweeney, "10 Best IT Practices for Smartphone Security"
[11] SANS Institute InfoSec Reading Room, "Conducting a Penetration Test on an Organization"
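The Discussion section's point that multi-tap keypads push users toward single-press letters, shrinking the number of possible passwords, can be checked by a password-policy audit. The Python below is an added example, not part of the original paper; the function name `audit_password`, the 40-bit threshold and the sample passwords are assumptions constructed for illustration.

```python
import math
import string

# Letter layout of a 12-key phone keypad (ITU-T E.161).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}

# letter -> presses of its key needed in multi-tap entry (a=1, b=2, c=3, ...)
PRESSES = {ch: n for letters in KEYPAD.values()
           for n, ch in enumerate(letters, start=1)}
FIRST_PRESS = {ch for ch, n in PRESSES.items() if n == 1}  # a d g j m p t w

MIN_BITS = 40.0  # assumed policy threshold, not a figure from the paper


def audit_password(password, min_bits=MIN_BITS):
    """Estimate the search space an attacker faces for one password.

    If every letter is a single-press letter, an attacker who knows the
    habit only has to try 8 letters per position instead of 26.
    """
    pw = password.lower()  # assumption: multi-tap entry is case-insensitive
    letters = [c for c in pw if c in PRESSES]
    has_digit = any(c.isdigit() for c in pw)
    has_other = any(c not in PRESSES and not c.isdigit() for c in pw)
    first_press_only = bool(letters) and all(c in FIRST_PRESS for c in letters)

    def alphabet(letter_choices):
        # Size of the character set an attacker must cover per position.
        size = letter_choices if letters else 0
        size += 10 if has_digit else 0
        size += len(string.punctuation) if has_other else 0
        return size

    def bits(size):
        return round(len(pw) * math.log2(size), 1) if size else 0.0

    full = alphabet(26)
    effective = alphabet(len(FIRST_PRESS)) if first_press_only else full
    return {
        "first_press_only": first_press_only,
        "key_presses": sum(PRESSES[c] for c in letters),
        "effective_bits": bits(effective),
        "full_alphabet_bits": bits(full),
        # Reject short passwords and any password built only from
        # single-press letters, however long it is.
        "accepted": bits(effective) >= min_bits and not first_press_only,
    }


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real device.
    for sample in ["pagdam", "secure", "matjap2010", "kerberos9z"]:
        print(sample, audit_password(sample))
```

The third sample passes a plain length-and-digits rule yet loses about 10 bits against its full-alphabet estimate, which is the reduction the paragraph describes.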
