Network

This page will guide you through the different steps in the Network tab.

Login and Data Population

Remember that the actual login and data population part of this test needs to be performed on the phone when prompted by the assistant shown below.

Once you are ready to start, click “Start” to begin the data population process.


Then log in to your application and use its various features while the NowSecure Lab assistant is running. You may wish to test different scenarios, such as returning to the home screen or forcing the application to quit, as these may produce different results in the application’s log files.

Once you have thoroughly used the application, click “Continue” in the assistant to complete the process and let NowSecure Lab run its automated tests.

Data Capture

NowSecure Lab will automatically search the Network Capture and run additional tests if you selected the “Packet Capture Search” and “Packet Capture” tasks in the Automate Tab. If not, you can run those tests manually by clicking on the Search button as shown below.

If, after clicking on one of the buttons, you don’t notice any assistant popping up, it may be because the task is already running in the background. Check the Background Task Manager to see if any of the PCAP (Network Capture) related tasks are running or queued.

Port Scan

This test allows you to select a specific server/IP address and perform a light, medium, or intense scan to determine open ports, the operating system running on the server, the type of firewall in use, and more. The list of servers is populated with all of the servers your device communicated with during the most recent packet capture session.

Scanning hosts is only permissible on hosts which you own or have explicit permission to test. Please ensure you have permission to scan the selected host.

To perform a Port Scan:

  1. Select the host you wish to scan

  2. Select scan level:

  • Light: Only scans a few common ports (22, 23, 25, 80, 443, 8080, 8090, 8443)

  • Medium: Standard port scan; covers the top 1,024 most common ports

  • Intense: Full port scan of the server; will likely be flagged by most ISPs

  3. Select “Run Scan”

  4. Review the Warning, and if appropriate, click “Forward” to initiate the initial scan

  5. If ports are found, click “Forward” to scan the open ports (otherwise, click “Forward” to complete the Port Scan step). Port Scan output will be displayed in the results treeview on the left, under the “Network” folder

SSL Scan

The SSL Scan test allows you to select a specific server/IP address and run a scan to determine what ciphers are accepted by that server. Servers that accept deprecated or insecure ciphers for encryption pose a security threat to your application. The list of servers is populated with all of the servers your device communicated with during the most recent packet capture session.

Scanning hosts is only permissible on hosts which you own or have explicit permission to test. Please ensure you have permission to scan the selected host.

To perform an SSL scan:

  1. Select the host you wish to scan

  2. Select “Run Scan”

  3. Review the Warning, and if appropriate, click “Forward” to initiate the scan

  4. An output containing a list of ciphers accepted by the selected host will be displayed in the results treeview on the left, under the “Network” folder. If any insecure ciphers are found, a finding will also be populated explaining any vulnerabilities.

Any ciphers known to be insecure will be highlighted in red.
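As an added example (not NowSecure Lab code), the following Python script shows how a practitioner might post-process such a list of accepted ciphers: it classifies cipher-suite names, in either OpenSSL or IANA spelling, into the reasons they would be called insecure or deprecated, and includes a hypothetical probe_tls_versions helper that asks a host which protocol versions it will negotiate. The sample suite list in the main block is constructed, and the host name is a placeholder.

```python
"""Added example (not NowSecure Lab code): flag insecure cipher suites from a
scan's output and probe which TLS versions a host negotiates."""
import socket
import ssl
from typing import Dict, List, Optional

# Substrings (matched against the upper-cased name with '_' folded to '-', so
# both OpenSSL and IANA spellings work) paired with the reason a finding cites.
_SIMPLE_WEAK = [
    (("NULL",), "NULL cipher: no confidentiality"),
    (("ANON", "ADH-", "AECDH-"), "anonymous key exchange: server not authenticated"),
    (("EXPORT", "EXP-"), "export-grade key length"),
    (("RC4",), "RC4 stream cipher is broken"),
    (("RC2",), "RC2 is obsolete"),
    (("-MD5",), "MD5-based MAC"),
]


def classify_cipher(name: str) -> List[str]:
    """Return the reasons a suite is insecure or deprecated; [] means no finding."""
    norm = name.upper().replace("_", "-")
    reasons = [reason for markers, reason in _SIMPLE_WEAK
               if any(marker in norm for marker in markers)]
    # DES is handled separately so a 3DES suite is not also reported as single DES.
    if "3DES" in norm or "DES-CBC3" in norm:
        reasons.append("3DES: 64-bit block, vulnerable to Sweet32")
    elif "DES-CBC" in norm:
        reasons.append("single DES: 56-bit key")
    return reasons


def review_scan(accepted: List[str]) -> Dict[str, List[str]]:
    """Map each accepted suite that warrants a finding to its reasons."""
    return {name: classify_cipher(name) for name in accepted if classify_cipher(name)}


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Optional[bool]]:
    """Handshake once per protocol version. True: server accepted it; False: rejected;
    None: the local OpenSSL build cannot even offer that version."""
    results: Dict[str, Optional[bool]] = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # A scanner only asks whether the server will negotiate the version, so the
        # certificate is deliberately not checked here; a real client must not do this.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL offer legacy suites at all
        except (ValueError, ssl.SSLError):
            results[version.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[version.name] = False
    return results


if __name__ == "__main__":
    # Constructed sample of suites a scan might list for one host.
    sample = ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384",
              "DES-CBC3-SHA", "RC4-SHA", "EXP-RC4-MD5"]
    for suite, reasons in review_scan(sample).items():
        print(f"{suite}: {'; '.join(reasons)}")
    # probe_tls_versions("server.example", 443) would add the protocol-version view
    # for a host you are permitted to scan.
```

The classifier is deliberately substring-based so that it works on whatever spelling the scan output uses; a suite that matches nothing returns an empty list and needs no finding.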


Interactive Proxy

Remember that the actual login and data population part of this test needs to be performed on the phone when prompted by the assistant shown below.

During a man-in-the-middle (MITM) attack, traffic is intercepted and a spoofed (non-trusted) certificate is presented to the client to impersonate the server. When successful, the attack can convince the client to disclose login credentials (username/password) to the attacker, since all communication between client and server is intercepted and read unencrypted. The MITM attack is executed on a controlled Wi-Fi network access point using ARP cache poisoning, and the traffic is captured during the test for analysis.

An app fails the MITM test when it allows the user to log in and, in the background, passes login credentials or other application data to the intercepting endpoint without the user ever knowing. This means that the application does not perform certificate validation. An app that passes an Interactive Proxy test with an untrusted certificate installed will typically display some type of network or certificate error on the device, preventing the user from logging in. Some applications will not produce an error and will continue to log in, but will not pass through credentials or app data.

To perform this test, complete the following steps:

  1. Before you initiate this test, it is recommended that you log out of or force close your application.

  2. Select “Start Interactive Proxy”. Follow the on-screen instructions to launch and then log in to your application. If an error appears on the device, you may wish to take a screenshot of it. To do so, select the “camera” icon within the window.

  3. Once finished, click “Continue”, then “Close”, and the Interactive Proxy results (including any screenshots) will be displayed in the results treeview on the left.

SSL Strip

Remember that the actual login and data population part of this test needs to be performed on the phone when prompted by the assistant.

SSL Strip is a tool based on a MITM form of attack; it attempts to downgrade all HTTPS links to HTTP so that the otherwise encrypted data can be viewed in plain text. Using this method, sensitive information passed through the application could potentially be recovered.
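A downgrade of this kind only succeeds if the client is willing to follow an http:// link in place of the https:// one. As an added example (not NowSecure Lab code), the Python below shows the two checks a defender would make: whether a server's Strict-Transport-Security policy is strong enough to stop a browser-style client from being downgraded, and a hypothetical require_https guard that an app can apply to every URL it requests, redirects included. The header values and URLs are constructed.

```python
"""Added example (not NowSecure Lab code): the two defences that make an
HTTPS-to-HTTP downgrade fail, checked against constructed inputs."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # one year, the usual floor for a useful HSTS policy


def parse_hsts(header_value: str) -> Dict[str, object]:
    """Parse the directives of a Strict-Transport-Security header value."""
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            policy["max_age"] = int(value) if value.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_findings(headers: Dict[str, str]) -> List[str]:
    """Reasons a response still lets a browser-style client be downgraded; [] is good."""
    value: Optional[str] = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: a later http:// link will be followed"]
    policy = parse_hsts(value)
    findings: List[str] = []
    max_age = policy["max_age"]
    if max_age is None:
        findings.append("max-age missing or invalid")
    elif max_age == 0:
        findings.append("max-age=0 clears the policy")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set: subdomains can still be downgraded")
    return findings


def require_https(url: str) -> str:
    """An app that refuses every non-https:// URL, including redirects, cannot be stripped."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return url


if __name__ == "__main__":
    # Constructed response headers, as a server the app talks to might send them.
    print(hsts_findings({"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}))
    print(hsts_findings({"Strict-Transport-Security": "max-age=300"}))
    print(hsts_findings({"Content-Type": "text/html"}))
    print(require_https("https://api.example.test/login"))
```

HSTS is enforced by browsers and web views; an app's own HTTP client library may not implement it, so the require_https guard is the app-side control, and the server-side policy is what protects any browser-based flows the app opens.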

To perform this test, complete the following steps:

  1. First, log out of or force close the application

  2. Click “Start”, and then login and complete a brief data population session.

  3. Again, if an error appears on the screen, you may wish to take a screenshot using the camera icon.

  4. Once finished, click “Forward”, then “Close” and the results will be displayed in the Workspace area.

SSL Proxy

Remember that the actual login and data population part of this test needs to be performed on the phone when prompted by the assistant.

SSL Proxy is a tool which sets up a proxy tunnel so that all traffic from the device, even encrypted traffic, can be intercepted and analyzed. Only applications that perform certificate pinning are not susceptible to traffic interception during the SSL Proxy test.
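What separates an app that fails the Interactive Proxy test, one that passes it, and one that also resists the SSL Proxy test is what the client does with the server certificate. As an added example in Python (not NowSecure Lab code, and not taken from any mobile app), the block below contrasts a TLS client context that accepts any certificate with one that validates the chain and hostname, and adds a certificate-pin check that rejects even a certificate issued by a proxy CA the device has been made to trust. The connect_pinned helper and the "sha256/" pin format are assumptions for the example; the DER bytes in the main block are constructed.

```python
"""Added example (not NowSecure Lab code, not any app's code): the client-side
behaviour that decides whether an app fails the MITM test, plus certificate
pinning, which is what still blocks interception once a proxy CA is trusted."""
import base64
import hashlib
import socket
import ssl
from typing import Iterable, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The pattern behind a failed MITM test: any certificate is accepted, so the
    spoofed certificate completes the handshake and credentials flow to the proxy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validating_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Chain and hostname validation: an untrusted certificate is rejected, which
    is the 'certificate error, cannot log in' outcome of a passing app."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validates_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context both verifies the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_pin(cert_der: bytes) -> str:
    """Pin format assumed here: 'sha256/' + base64 of SHA-256 over the DER certificate."""
    return "sha256/" + base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def pin_matches(cert_der: bytes, expected_pins: Iterable[str]) -> bool:
    """A proxy CA in the device trust store passes chain validation but cannot
    reproduce the pinned certificate, so this comparison is what stops the intercept."""
    return cert_pin(cert_der) in set(expected_pins)


def connect_pinned(host: str, port: int, ctx: ssl.SSLContext,
                   expected_pins: Iterable[str], timeout: float = 5.0) -> ssl.SSLSocket:
    """Hypothetical helper: validate normally, then enforce the pin before any data is sent."""
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    presented = tls.getpeercert(binary_form=True)
    if not pin_matches(presented, expected_pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return tls


if __name__ == "__main__":
    print("insecure context validates server:", validates_server(insecure_client_context()))
    print("default context validates server:", validates_server(validating_client_context()))
    # Constructed bytes stand in for a real DER certificate.
    sample_der = b"constructed DER certificate bytes"
    pin = cert_pin(sample_der)
    print("pin:", pin, "matches:", pin_matches(sample_der, [pin]))
```

Pinning the whole certificate, as here, means the pin set must be updated whenever the server certificate is rotated; pinning the public key instead survives re-issuance with the same key, but the check runs at the same point, after chain validation and before any request is sent.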

To perform this test, complete the following steps:

  1. First, log out of or force close the application

  2. Click “Start”, and then login and complete a brief data population session.

  3. Again, if an error appears on the screen, you may wish to take a screenshot using the camera icon.

  4. Once finished, click “Forward”, then “Close” and the results will be displayed in the Workspace area.


The Network section is now complete. You may pause and review the files created thus far in the process (see section: “Findings, Notes, Screenshots, and Output”), or move along to the Forensics section.