Since the turn of the decade, smartphones and smartphone application have started beating out traditional forms of computing in terms of market share and most of these devices run on either Apple’s iOS or Google’s Android. Since there are millions of these devices out there, it is vital to ensure that the security aspect of the applications running on these devices are up to scratch. The following are a few analysis methods used to test the security of a mobile application:
Static code analysis or source code analysis involves going through the code as a part of the development cycle and trying to find vulnerabilities during the implementation/design phrase itself. It usually involves conducting white-box tests to find static code vulnerabilities such as buffer overflow, SQL injection flaws etc. and rectify the same during the design/testing phrase before pushing it out to the masses. Some IDEs or integrated development environments now come with static analysis tools build in which allows developers to instantly rectify their vulnerable code. Here are a few types of static code analysis methods applicable for mobile computing:
- Software composition analysis: Since over 90% of mobile application’s involve open source or 3rd party library of sorts, it is key to understand the various libraries/code bases used and to ensure that they don’t contain any vulnerabilities. This is where software composition analysis comes into play, it helps to keep track of various libraries used and what vulnerabilities each of the libraries have and in turn helps to focus on the libraries that need to be updated or replaced.
- Permissions: Permissions of a mobile application is closely tied to privacy on the mobile ecosystem especially on Android. Android applications work on a permission-based system where specific APIs and hardware access is locked behind permissions. An App requesting too many permissions opens itself to various security and privacy vulnerabilities.
- Open source library usage and versions: This is similar to software composition analysis where you keep an eye on vulnerabilities reported on OWASP (Open Web Application Security Project) and update your open source libraries appropriately.
- Fuzz testing APIs: Fuzz testing or fuzzing is a black box testing method wherein bugs/security loopholes are discovered using automated injection of malformed or semi malformed data. Since mobile applications tend to make many API calls to perform tasks and transmit sensitive data, it is crucial to test the security of these API calls.
The above-mentioned techniques cover most of the static code analysis form of mobile application penetration testing.
Dynamic code analysis on the other hand involves testing the application when it is running/execution state. Dynamic code analysis can be conducted in both white-box and black-box form of testing methods. The main advantages of dynamic code analysis are finding runtime errors such as buffer overflows, null pointers etc., finding reflecting forms of dependency and examining each polymorphic state of the application. One of the main methods of dynamic analysis on mobile device is:
- Runtime Manipulation: Runtime manipulation mostly involves running the application in debug mode and trying to break it by using various automated methods. In case of Android, adb or the native Android debugger is used for this method. In case of iOS tools such as cycript is used to achieve similar results.
Reverse engineering analysis:
Reverse engineering usually involves tracing back the steps taken by the developers to reach the final application. It’s usually a black box form of analysis. The process involves trying to derive the source code from a binary file.
This technique mostly applies to Android applications, as Android applications are primarily based on Java, reverse engineering the application tends to provide a bunch of Java libraries and code, this allows the use of traditional Java library/code vulnerability tools on Android applications.
Here are some of the tools used on both platforms:
iOS:
| Sr. No | Tool Name | License | Description | Used For |
| 1 | Otool | Open-Source | Tool for the analysis of Mach-O file. | Binary Analysis of IPA file. |
| 2 | Needle | Open-Source | Needle is an open source, modular framework to streamline the process of conducting security assessments of iOS apps. | Dynamic Analysis |
| 3 | unc0ver | Open-Source | The most advanced jailbreak tool using which you can jailbreak iOS 11.1-12.1.2 | Jailbreak |
| 4 | Cydia | Open-Source | Cydia is a package manager mobile app for iOS that enables a user to find and install software packages on jailbroken iPhones and iPads. It also refers to digital distribution platform for software on iOS accessed through Cydia software. | Installing application on the iOS for dynamic and static analysis. |
Android:
| Sr. No | Tool Name | License | Description | Used For |
| 1 | Mobile Security Framework (MobSF) | Open-Source | Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and support both binaries (APK, IPA & APPX ) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless. | Static Analysis |
| 2 | Androbugs_Framework | Open-Source | AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No need to install on Windows. | Static Analysis |
| 3 | OWASP Dependency Checker | Open-Source | Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. | Static and Source Code Analysis. |
| 4 | Drozer | Open-Source | drozer (formerly known as Mercury) is the leading security testing framework for Android. | Dynamic Analysis of Application |
| 5 | Android Tamer | Open-Source | Android Tamer is a Virtual / Live Platform for Android Security professionals. | Static and Dynamic Analysis. |
| 6 | Enjarify, dex2jar, JD-GUI | Open-Source | Enjarify: Enjarify is a tool for translating Dalvik bytecode to equivalent Java bytecode. This allows Java analysis tools to analyze Android applications. dex2jar: Tools to work with android .dex and java .class files. JD-GUI: A standalone graphical utility that displays Java source codes of “.class” files. You can browse the reconstructed source code with the JD-GUI for instant access to methods and fields. | Reverse Engineering. |
| 7 | Visual Code Grepper | Open-Source | Visual Code Grepper is an automated code security review tool that handles C/C++, Java, C#, VB and PL/SQL. It has a few features that should hopefully make it useful to anyone conducting code security reviews, particularly where time is at a premium | Source Code Analysis |
