By Georgia Weidman, M.S., CISSP, NIST 4011, OSCP

In, Mobile Hacking 101, the first article in my new column on The Ethical Hacker Network, I felt it was appropriate to start from the beginning. Offer up a primer if you will to give the readers a brief synopsis of where we’ve been and where we’re heading in regards to smartphones, their security and their determined march into the enterprise. Now that the basics have been covered, it’s now time to start digging deeper into the technical aspects of smartphone security. The logical next step is to set the foundation of a mobile penetration testing lab and eventually enter the live testing phase. That’s where the Smartphone Pentest Framework (SPF) enters the picture. Being the developer of this project, I thought it might be interesting to give you a personal tour.

Often when I try to tell people about SPF, they naturally jump to the conclusion that this is a tool to let you run Nmap or Metasploit on a smartphone. While that is certainly cool, it's been done before. SPF takes the opposite angle. Instead of pentesting from a smartphone (though some attacks in SPF can be launched from an on-device app), our goal is to instead perform a pentest of the mobile devices themselves. As mobile devices are joining more corporate networks every single day, do organizations have a security standard in place? If so, is it being properly enforced? Even if it is, do the smartphones in the environment open you up to total compromise as they access internal networks with direct access to sensitive resources, receive and store sensitive emails, and a wide variety of other security red flags? For this reason, all mobile devices should be in your organizations’ penetration testing activities. Like Metasploit for network pen testing, SPF is a tool to help make it easier to pen test those pesky mobile devices.