Which of the following would provide the analyst the BEST chance of understanding and characterizing the malicious behavior?

An analyst is investigating behavior on a corporate-owned, corporate-managed mobile device with application whitelisting enabled, based on a name string. The employee to whom the device is assigned reports the approved email client is displaying warning messages that can launch browser windows and is adding unrecognized email addresses to the "compose" window.
Which of the following would provide the analyst the BEST chance of understanding and characterizing the malicious behavior?
A. Reverse engineer the application binary.
B. Perform static code analysis on the source code.
C. Analyze the device firmware via the JTAG interface.
D. Change to a whitelist that uses cryptographic hashing.
E. Penetration test the mobile application.


8 thoughts on “Which of the following would provide the analyst the BEST chance of understanding and characterizing the malicious behavior?”

  1. Answer is A. Reverse engineer the application binary.
    Company-owned and managed mobile device.
    The application was installed based on whitelisting (it could be a commercial app, but nowhere does it say it is an in-house-built app).
    The app exhibits malicious behavior; what will give you the BEST chance of understanding and characterizing it?

    A. Reverse engineer (Yes, take the APK and convert it to code.)
    B. Static code analysis of source code (No, you don’t have the source code. Nowhere does it say this is an in-house-built app.)
    C. Analyze the device firmware (No, looking at the hardware (firm = hard) is not going to tell you about the software app.)
    D. Change to a whitelist that uses cryptographic hashing (No, changing the whitelist method still leaves the same whitelist of apps to allow.)
    E. Penetration test the mobile application (Maybe, but you have the app, which you can open up to find out more. It’s not like you are an outsider.)

  2. D
    Well guys, I went with D. The fact that their whitelist is based on a “name string” automatically suggests what the problem is. Going with a hash-based whitelist would mitigate the vulnerability. From there, one could simply infer what the issue was and characterize the behavior. Maybe that’s way off base.

    IF you have reverse-engineering software, then I’d say B, not A – you’d have to perform the code analysis to identify the issue.

    1. Question asks for: “Which of the following would provide the analyst the BEST chance of understanding and characterizing the malicious behavior?”. It is not asking about what you should do to address the security issue.

      The best thing to do would be analyzing the application running on the mobile, to verify if it is really malicious. This would be done by reverse engineering the .apk (option A), since you don’t have this malicious app source code.

    2. “D” might be the best resolution, but the question is how to understand and characterize the behavior.

      1. Why A over B? I’m torn over this one, as I can see the logic in A being the correct answer, but also B. If you have the source code available, B would be acceptable, but without it A may be your only option. They don’t explicitly say they do or do not have the source code, so I assume they don’t, so I lean towards A, but this is CompTIA.

        1. The question doesn’t say the source code has been provided. Therefore, there is no source code. So A is BEST.
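The two threads above turn on the same pair of points: a name-string whitelist (option D's weakness) cannot tell a tampered binary from the approved one, and characterizing the behavior means looking inside the binary itself (option A). The following is an added example, not code from the original post or from any commenter, and it does not use a real APK: the two "app packages" are constructed byte strings with a made-up package name, `com.example.mailclient`, where one of them has been padded with extra strings standing in for the unrecognized addresses and browser-launching URLs the employee reported. It contrasts the name-based check with a SHA-256 allowlist, and then does the first pass an analyst would do on an opaque binary before full reverse engineering: extract URL and e-mail strings and diff them against the known-good build.

```python
import hashlib
import re

# Constructed sample "app packages" (not real APKs). Both carry the same
# package-name string immediately after a 4-byte header, followed by
# NUL-separated string fields, so a name-based allowlist sees them as identical.
KNOWN_GOOD_APP = (
    b"PK\x03\x04" b"com.example.mailclient" b"\x00"
    b"imap.mail.example.com\x00"
    b"smtp.mail.example.com\x00"
)
# Same name string, different contents: extra strings standing in for the
# "unrecognized email addresses" and "browser windows" in the report (assumed).
TAMPERED_APP = (
    b"PK\x03\x04" b"com.example.mailclient" b"\x00"
    b"imap.mail.example.com\x00"
    b"https://update.example-cdn.net/promo\x00"
    b"bcc-collector@attacker.example\x00"
)


def app_name(blob: bytes) -> str:
    """Return the package-name string: the first NUL-terminated field after the header."""
    return blob[4:].split(b"\x00", 1)[0].decode()


def sha256_hex(blob: bytes) -> str:
    """Cryptographic fingerprint of the whole package."""
    return hashlib.sha256(blob).hexdigest()


def name_allowlist_permits(blob: bytes, allowed_names: set[str]) -> bool:
    """Name-string whitelist: anything that claims an approved name gets through."""
    return app_name(blob) in allowed_names


def hash_allowlist_permits(blob: bytes, allowed_hashes: set[str]) -> bool:
    """Hash-based whitelist: only the exact approved build gets through."""
    return sha256_hex(blob) in allowed_hashes


# String triage patterns: enough to surface URLs and mailbox addresses embedded
# in a binary; a real triage would also pull package names, intents and hosts.
URL_RE = re.compile(rb"https?://[\w.\-/]+")
EMAIL_RE = re.compile(rb"[\w.+\-]+@[\w.\-]+\.\w+")


def triage_strings(blob: bytes) -> dict[str, list[str]]:
    """Extract the URL and e-mail strings an analyst would check first."""
    return {
        "urls": sorted({m.decode() for m in URL_RE.findall(blob)}),
        "emails": sorted({m.decode() for m in EMAIL_RE.findall(blob)}),
    }


def diff_strings(known_good: bytes, suspect: bytes) -> list[str]:
    """Strings present in the suspect build but absent from the known-good one."""
    good = {s for s in known_good.split(b"\x00") if s}
    sus = {s for s in suspect.split(b"\x00") if s}
    return sorted(s.decode(errors="replace") for s in sus - good)


if __name__ == "__main__":
    approved_names = {app_name(KNOWN_GOOD_APP)}
    approved_hashes = {sha256_hex(KNOWN_GOOD_APP)}
    for label, blob in (("known-good", KNOWN_GOOD_APP), ("suspect", TAMPERED_APP)):
        print(label, app_name(blob), sha256_hex(blob)[:16],
              "name-allowlist:", name_allowlist_permits(blob, approved_names),
              "hash-allowlist:", hash_allowlist_permits(blob, approved_hashes))
    print("new strings in suspect build:", diff_strings(KNOWN_GOOD_APP, TAMPERED_APP))
    print("triage:", triage_strings(TAMPERED_APP))
```

The name check admits both packages, the hash check admits only the approved build, and the string diff is what actually characterizes the difference; the hash allowlist would have blocked the package, but by itself it says nothing about what the package does.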
