8 Penetration Testing Apps For Android Devices!

Perform pen test while you’re on the move with these apps on your Android device!

Monday, January 13, 2014: The PC market is declining day by day as the smartphone and tablet market rises. When they say that smartphones and tablets can do almost everything that PCs can they aren’t all that wrong. A very good example of that is the penetration testing capabilities that these devices hold. Here is a list of apps that you can use on your Android-based device in order to Pen Test a network.

1. dSploit: This is a penetration testing suite for Android with all-in-one network analysis capabilities, and it is available for free. The app is easy to use and quite fast. It runs on Android 2.3 Gingerbread or higher.

2. Network Spoofer: This app can be used in order to change websites on other people’s computers from your Android-based smartphones. Although this is not exactly a penetration testing tool, it can still show you how easy or difficult it is to hack a particular network.

3. Network Discovery: This is a free app for Android-based devices that doesn’t need the phone to be rooted. It has a simple user interface and is quite easy to use. The app helps you gather information on the network that you are connected to.

4. Shark for Root: This is a traffic sniffer for your Android device. It works on both WiFi and 3G networks. The app comes with Shark Reader, which can be used to view the capture dump on your smartphone; the dump can also be opened in Wireshark on your computer.

5. Penetrate Pro: This is an Android app that can be used for WiFi decoding functions. The newest version of this app has also added a number of nice features. You can also use the app to calculate WAP/WEP keys for wireless routers. Many antivirus apps flag Penetrate Pro as a virus; the app, though, doesn’t harm your device.

6. DroidSheep [Root]: This is a session hijacking tool that can be used on Android devices. This penetration testing tool can be used for security analysis in wireless networks. The DroidSheep app can be used in order to hijack most web accounts.

7. DroidSheep Guard: This app has also been developed by the developers of DroidSheep and does not need a device to be rooted. You can use the app to monitor the ARP tables of Android-based devices and detect ARP-spoofing attacks on the network performed by DroidSheep, FaceNiff and other apps of the kind.

8. WPScan: This is a WordPress vulnerability scanner. The app can be used in order to scan a website created on WordPress and find the security vulnerabilities that it has. The desktop version of the app though is more powerful than the Android version.

Outlook.com Android App Leaves Email Messages Exposed

Researchers find Outlook.com emails unprotected by default on SD cards.
A Microsoft Outlook client app for Android devices stores, by default, email messages unencrypted on the device’s SD cards, researchers say.

Erik Cabetas, managing director of Include Security, says the Outlook.com mobile client, which was developed by third-party app firm Seven Networks, leaves email messages in the clear on the removable SD cards. “Anyone can grab that and walk away,” Cabetas says.

Android users must set up the device to encrypt the file system, something most consumers are likely unaware of, he says, noting that it’s not a feature that’s integrated with the Outlook.com service or app. “Users need to be aware so they can encrypt the file system of the SD card. Android has native tools to do that… but it’s a [multi-click] setting and most don’t know how to do that.”

Outlook.com does have a PIN feature, but it only protects the user interface to the app, not the stored data on the file system, he says. “I could lock my phone with the PIN, but if someone gets the SD card, they still have all the data.”

Other apps on the phone also could access the emails. “Any app on the phone can read that information on the SD card. They don’t need special permission. Phones nowadays come with preinstalled apps on them that could grab those emails.”

Cabetas and his team contacted Microsoft’s Security Response Center about the security weakness in the app, but Cabetas says Microsoft’s response was that this was an issue with the device itself and outside the scope of the app and Microsoft’s own security model.

A Microsoft spokesperson provided this statement in response to a press inquiry about the research:

Microsoft is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use, or disclosure. For people using the Outlook.com app for Android, applications run in sandboxes where the operating system protects customers’ data. Additionally, customers who wish to encrypt their email can go through their phone settings and encrypt the SD card data. Please see Microsoft’s online privacy policy for more information.

Include’s Cabetas says that, ideally, the app should alert users that it stores emails to the local file system. “As part of the app installation, it should alert the user that ‘We store emails to your local file system. Would you like to encrypt it? Yes or no.’ Even if a software vendor doesn’t feel directly responsible for worrying about the local file system encryption, at least it should inform the user.”

He recommends that users enable full disk encryption for the Android and SD card file systems, and that USB debugging (under the Developer Options setting) be turned off.

Include says in a blog post that will be posted today:

Alternatively, Outlook.com for Android could use third-party addons (such as SQLcipher) to encrypt the SQLite database in tandem with transmitting the attachments as opaque binary blobs to ensure that the attachments can only be read by the Outlook.com app (perhaps using the JOBB tool). These methods would be useful for older devices (such as devices that run Android 4.0 and earlier) that do not support full disk encryption.
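The storage choice at the heart of this story, as an added Java example that is not the Outlook.com app’s code nor Include Security’s: the weak pattern (writing messages to shared external storage) beside the hardened alternatives (app-private internal storage, and the SQLCipher-encrypted database the blog post suggests). The class name, file names and the use of the `net.sqlcipher.database` API are assumptions made for the example.

```java
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import net.sqlcipher.database.SQLiteDatabase;   // SQLCipher for Android (assumed on the classpath)

/** Constructed example contrasting the weak and hardened storage choices; not the Outlook.com app's code. */
public final class MailStore {

    /** Weak pattern from the article: external storage is shared, so any other app on the
     *  phone, or anyone who pulls the SD card, can read the message in the clear. */
    public static File saveToSdCardInsecure(String fileName, String body) throws IOException {
        File dir = new File(Environment.getExternalStorageDirectory(), "mail");
        dir.mkdirs();
        File out = new File(dir, fileName);
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(body.getBytes(StandardCharsets.UTF_8));
        }
        return out;
    }

    /** Hardened pattern: app-private internal storage. MODE_PRIVATE files under getFilesDir()
     *  are owned by the app's own UID, so the OS sandbox keeps other non-root apps out, and
     *  they are covered by device encryption once the user has enabled it. */
    public static File saveToInternalStorage(Context ctx, String fileName, String body) throws IOException {
        try (FileOutputStream fos = ctx.openFileOutput(fileName, Context.MODE_PRIVATE)) {
            fos.write(body.getBytes(StandardCharsets.UTF_8));
        }
        return new File(ctx.getFilesDir(), fileName);
    }

    /** The alternative the blog post suggests: keep the message database encrypted with SQLCipher,
     *  which also protects older devices without full disk encryption. The passphrase must come
     *  from the user or a keystore-backed key, never from a string constant in the app. */
    public static SQLiteDatabase openEncryptedMailDb(Context ctx, String passphrase) {
        SQLiteDatabase.loadLibs(ctx);
        File dbFile = new File(ctx.getFilesDir(), "mail.db");   // internal storage, not the SD card
        return SQLiteDatabase.openOrCreateDatabase(dbFile, passphrase, null);
    }

    /** Audit helper: does a path the app writes to fall on shared external storage? */
    public static boolean isOnExternalStorage(File f) {
        String ext = Environment.getExternalStorageDirectory().getAbsolutePath();
        return f.getAbsolutePath().startsWith(ext + File.separator);
    }
}
```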

Kelly Jackson Higgins is Senior Editor at DarkReading.com.