
Trusteer Mobile for iOS and Android
Security Testing Guide
Version 1.6
May 2014



Contents
1. Overview 3
2. Security Testing on an iOS Device 4
Installation on an iOS Device 4
Trusteer Cydia Repository 5
Testing Security Requirements 6
Testing Jailbreak Detection 6
Testing Malware Detection 7
3. Security Testing on an Android Device 9
Installation on an Android Device 9
Android Debug Bridge (adb) 10
Testing Security Requirements 10
Testing Rooted Detection 10
Testing Pharming Protection 11
Testing Malware Detection 12
Testing Wi-Fi Protection 13

Trusteer Mobile for iOS and Android | ii
Security Testing Guide Version 1.6
Copyright 2014 Trusteer, an IBM Company


1. Overview
This document is intended for security architects interested in evaluating the Trusteer
Mobile application for the financial sector running on an iOS or Android device.
Security Solution Detection Requirements
The Trusteer Mobile App provides the following detection capabilities in order to
enable a secure online mobile banking session.
1. Detect and alert for a rooted/jailbroken device.
2. Detect and alert for malware on the device.
3. Block pharming techniques used against online banking customers. It is
important to block the technique as opposed to blocking specific malware
since the technique can be used by unknown malware. Due to the large
number of techniques, the solution should be able to block at least those that
are commonly used by malware authors.
4. Detect that a non-secure Wi-Fi connection is in use.
5. Detect when the OS is out of date.
The following link provides information about which operating systems are supported:
http://www.trusteer.com/support/supported-platforms
Note: The Trusteer Mobile App does not currently work on devices that use an Atom
processor.



2. Security Testing on an iOS Device
Installation on an iOS Device
To install the Trusteer Mobile app on your iOS device using the iTunes App Store:
1. Verify that your device is running a supported version of iOS:
http://www.trusteer.com/support/supported-platforms
a. Select Settings.
b. Select General.
c. Select About.
d. Scroll down to Version.
e. Verify version number.
2. On your iPhone, open the App Store.
3. Tap the Search tab.
4. Enter Trusteer in the search box, then tap Search.
5. In the search results, tap Trusteer Mobile.
6. Tap FREE.
7. Tap INSTALL APP.
Your phone will prompt you for your App Store credentials.
8. Enter your user name and password.
The Trusteer Mobile App is installed.
9. Change the profile to testing profile:
Note: Changing to the testing profile allows you to test your deployment
before it is moved to the production environment. To revert to the
normal profile, you can either clear the Trusteer Mobile app's
application data, or uninstall and reinstall the app.
a. Open the application.


b. Paste the following code in the browser address bar:
c. Make sure an approval message is received.

Trusteer Cydia Repository
To ease the testing tasks on jailbroken devices, Trusteer has a Cydia repository with
demo apps that simulate pharming and malware attacks.
Note: You must use a jailbroken device or emulator to run tests using the apps in the
Cydia repository.
To add the repository:
1. Open Cydia.
2. Select Manage > Sources > Edit > Add.
3. Enter: http://www.trusteer-testing.com/cydia.
4. Add Source > Return to Cydia.
You now have the Trusteer Cydia repository available on your device.
To install test attack apps:
1. Open Cydia.
2. Select Search.


3. Enter Trusteer in the search box.
4. Choose app to install.
5. Select Install > Confirm > Return to Cydia.
You now have the Trusteer test attack apps installed on your phone.

Testing Security Requirements
Tests are given in the following sections for testing the security requirements on an
iOS device.
Testing on iOS devices may include downloading apps from the Cydia repository as
described in Trusteer Cydia Repository (on page 5).

Testing Jailbreak Detection
The following procedure explains how to test that the appropriate alert triggers when
entering a protected website with a jailbroken device.
To test Jailbreak Detection on iOS:
1. Use a jailbroken device.
2. Open the Trusteer Mobile app.
3. Navigate to a protected website, such as www.trusteer.com.
When you navigate to a protected website the status of the device is sent to
the Trusteer servers. The status can be checked through the Trusteer
Management Application (TMA), as described in the following steps.
4. Copy your device's Agent Key.
a. Tap the Trusteer icon (at the top right of the window).
b. Tap Help and Support.
c. Tap About.


d. Tap the Copy button next to the Agent Key.
5. Send yourself an email containing the Agent Key.
a. Open your mail client on your iPhone.
b. Create an email to yourself.
c. Paste the Agent Key into the body of the email.
d. Send.
6. On a PC, navigate to the TMA and login.
a. The demo TMA website can be accessed through this link:
https://mtest.trusteer.com
b. Login using username=securitester and password=mobileRox
7. Click on Assessment > Agent Status.
8. Enter the Agent Key of the device that you want to check (the one you sent
to yourself in the email).
9. Click Search.
10. Verify the device status, which is displayed next to Machine Infection.

Testing Malware Detection
To test Malware Detection on iOS:
1. Install the malware iKee.B by installing the app Trusteer Malware Demo from the
Trusteer Cydia repository. This is a weakened malware which cannot cause
damage to your device.
Refer to Trusteer Cydia Repository (on page 5) for installation instructions.
2. Open the Trusteer Mobile app.
3. Go to a protected website, such as www.trusteer.com.


When you navigate to a protected website the status of the device is sent to
the Trusteer servers. The status can be checked through the Trusteer
Management Application (TMA), as described in the following steps.
4. Copy your device's Agent Key.
a. Tap the Trusteer icon (at the top right of the window).
b. Tap Help and Support.
c. Tap About.
d. Tap the Copy button next to the Agent Key.
5. Send yourself an email containing the Agent Key.
a. Open your mail client on your iPhone.
b. Create an email to yourself.
c. Paste the Agent Key into the body of the email.
d. Send.
6. On a PC, navigate to the TMA and login.
a. The demo TMA website can be accessed through this link:
https://mtest.trusteer.com
b. Login using username=securitester and password=mobileRox
7. Click on Assessment > Agent Status.
8. Enter the Agent Key of the device that you want to check (the one you sent
to yourself in the email).
9. Click Search.
10. Verify the device status, which is displayed next to Machine Infection.
Note: When you are finished with this test you should remove the test attack app
from your device.



3. Security Testing on an Android Device
Installation on an Android Device
To install the Trusteer Mobile app on your Android device:
1. Verify that your device is running a supported version of Android:
http://www.trusteer.com/support/supported-platforms
a. Select Settings.
b. Select About phone.
c. Scroll to the Android Version and verify that it is supported.
2. On your PC, navigate to the Google Play Store, using the following link:
https://play.google.com/store.
Note: These installation instructions are given assuming that you are using
your PC. You can also install the Trusteer Mobile app by accessing the
Google Play Store through your mobile Android device.
3. Enter Trusteer in the search box, then click on the search button.
4. In the search results, find Trusteer Mobile and click on the INSTALL button
next to it.
5. Next to Send To, select the mobile device that you want to install it on.
6. Click INSTALL.
Your phone will download and install the Trusteer Mobile App.
7. Change the profile to testing profile:
Note: Changing to the testing profile allows you to test your deployment
before it is moved to the production environment. To revert to the
normal profile, you can either clear the Trusteer Mobile app's
application data, or uninstall and reinstall the app.
a. Open the application.


b. Paste the following code in the browser address bar:
c. Make sure an approval message is received.

Android Debug Bridge (adb)
Testing on Android can be conducted on a device or on an emulator. Testing may
require the use of the Android Debug Bridge (adb) which is a command line tool that
enables communication with a device or emulator. More information on the adb can
be found at http://developer.android.com/tools/help/adb.html.

Testing Security Requirements
Tests are given in the following sections for testing the security requirements on an
Android device.

Testing Rooted Detection
The following procedure explains how to test that the appropriate alert triggers when
entering a protected website with a rooted device.
To test rooted detection on Android:
1. Use a rooted device or an emulator.


2. Open the Trusteer Mobile app.
3. Navigate to a protected website, such as www.trusteer.com.
A security alert regarding the rooted device appears:

Note: When you run this test, you may get a message asking you to allow root
permissions. If this message appears, you can click on Deny to dismiss
it.

Testing Pharming Protection
In a pharming attack, the fraudster redirects the client to a phishing website that
impersonates the bank by tampering with the Domain Name System (DNS). Note that this
website can be connected in real time to the bank's website in order to bypass strong
two-factor authentication systems. In this scenario, even if the login process requires
information from external devices, the phishing website can ask the customer for the
same information and relay it to the bank's website.
The product should be able to protect the customer if the IP address the device
resolves for the bank's website is different from the IP address returned by the
pre-configured/Trusteer DNS service.


To test for a pharming attack on Android:
1. Modify the /etc/hosts file on the device using adb.
adb connect <host>:<port>   # or adb usb.
adb remount
adb pull /etc/hosts hosts   # hosts file backup.
adb shell
echo "184.168.186.22 yourbankhere.com" >> /etc/hosts
cat /etc/hosts   # Verify that the line is there.
2. Run the native web browser app.
3. Enter the URL: yourbankhere.com
The fraudulent website appears.
4. Verify that you have reached the fraudulent website. The title of the webpage
is:
YourBankHere.com - Welcome! (fraudulent)
5. Open the Trusteer Mobile app.
6. Add a new website: yourbankhere.com
Note: If an alert warns about unsupported secure communication (SSL),
press Yes.
7. Open the newly added website.
The genuine site appears.
8. After verifying that the pharming protection works, restore the hosts file by
running the adb command:
adb push hosts /etc/hosts
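The check that the pharming test above exercises can be modelled offline: a bank hostname whose local override (as in the modified hosts file) points somewhere the trusted, pre-configured DNS answer does not is flagged. This is an added example, not Trusteer's code; the hosts-file contents and the address 203.0.113.10 used as the "genuine" bank IP are constructed, and the trusted-DNS mapping is an assumed stand-in for the Trusteer DNS service.

```python
import ipaddress

# Added example, not Trusteer's code: models the guide's pharming check by
# comparing hosts-file overrides with a trusted (pre-configured) DNS answer.

# Constructed sample /etc/hosts, in the state the guide's test leaves it in.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             ip6-localhost
# the line the pharming test appends:
184.168.186.22  yourbankhere.com
10.0.0.5        intranet.example   # trailing comment
"""

# Constructed stand-in for the pre-configured/Trusteer DNS service answers;
# 203.0.113.10 is an assumed genuine address (TEST-NET-3, documentation range).
TRUSTED_DNS = {
    "yourbankhere.com": {"203.0.113.10"},
    "intranet.example": {"10.0.0.5"},
}


def parse_hosts(text):
    """Return {hostname: set(ip)} from hosts-file text, ignoring comments
    and malformed lines (a hosts entry may list several names per IP)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower(), set()).add(ip)
    return mapping


def find_pharming(hosts_text, trusted):
    """Report each trusted hostname whose local override points anywhere
    the trusted DNS does not. Returns {host: (local_ips, trusted_ips)}."""
    local = parse_hosts(hosts_text)
    findings = {}
    for host, expected in trusted.items():
        local_ips = local.get(host.lower(), set())
        if local_ips and not local_ips <= expected:  # any unvouched IP
            findings[host] = (sorted(local_ips), sorted(expected))
    return findings
```

Running `find_pharming(SAMPLE_HOSTS, TRUSTED_DNS)` reports only yourbankhere.com, because its override disagrees with the trusted answer while intranet.example's matches.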

Testing Malware Detection
To test malware detection on Android:
1. Use a rooted device.
2. Install the malware.


SPITMO malware can be downloaded from:
https://trusteer.exavault.com/share/view/tnu-b8q7rpai. The password on the
zip file is infected. It is packaged as com.antivirus.kav, application name: Kav
Antivirus 2011. SPITMO malware monitors incoming SMS messages and steals
mTAN authentication messages.
To install the malware manually, connect to your device with adb and install
the APK file from your computer:
adb connect <host>:<port>   # or adb usb.
adb install <path>/kav.apk
3. Open the Trusteer Mobile app.
4. Go to a protected website, such as www.trusteer.com.
A security alert regarding malware on the device appears:


Testing Wi-Fi Protection
To test Wi-Fi protection on Android:
1. Change your Wi-Fi router to not require authentication for access.


2. Open the Trusteer Mobile app.
3. Navigate to a protected website, such as www.trusteer.com.
A security alert regarding a non-secure Wi-Fi connection appears:

Note: When you are finished with this test you need to restore your Wi-Fi router to
use authentication.
