Introducing the Smartphone Penetration Testing Framework

Explore the world of smartphone security in this 56-minute conference talk from BruCON Security Conference. Delve into the Smartphone Penetration Testing Framework, a DARPA Cyber Fast Track project, designed to assess the security of mobile devices in corporate environments. Learn about unique attack vectors specific to smartphones and how this open-source toolkit addresses various aspects of security assessment. Discover the framework's capabilities in information gathering, exploitation, social engineering, and post-exploitation through both traditional IP networks and mobile modems. Gain insights into using the framework via command line console, graphical user interface, and smartphone app. Witness demonstrations of the framework assessing multiple smartphone platforms and understand its potential for security teams and penetration testers. Explore threats such as malicious apps, software bugs, social engineering, and jailbreaking. Examine remote, client-side, social engineering, and local vulnerability examples, as well as post-exploitation techniques and mitigating strategies. Get a glimpse into the future of this project and its implications for smartphone security in the workplace.

Intro
Disclaimer
3 to DARPA
The Problem: Smartphones in the Workplace
Threats against smartphones: Apps
Threats against smartphones: software bugs
Threats against smartphones: social engineering • Users can be tricked into opening malicious links
Threats against smartphones: jailbreaking
The Question
What's out there now? Pentesting from Smartphones: zAnti
Structure of the framework
Framework console
Framework GUI
Framework Smartphone App
What you can test for
Remote Vulnerability Example
Client Side Vulnerability Example Smartphone browsers, etc. are subject to vulnerabilities
Social Engineering Vulnerability Example SMS is the new email for spam/phishing attacks
Local Vulnerability Example
Post exploitation
Mitigating Strategies
Future of the Project