Vulnerability testing of mobile applications using stackArmor ThreatAlert Mobile

Given the increasing focus on cybersecurity, supply chain risk and compliance requirements, businesses are being asked to provide evidence of independent cybersecurity testing for mobile applications. Because organizations must keep meeting such requests for reasons including SOC-2, HIPAA, FISMA or FedRAMP compliance, we have developed a standardized offering to assess the current security posture of mobile applications, especially those backed by the AWS cloud service. Our stackArmor ThreatAlert Mobile Security Review Report (SRR) helps organizations rapidly assess the security risk posed by their mobile applications on both Apple’s iOS and Google’s Android. Since there are millions of these devices in use, it is vital to ensure that the security of the applications running on them is up to scratch. The vulnerability testing and penetration scanning methods used to develop the stackArmor ThreatAlert Mobile Security Review Report (SRR) are described below.

Static code analysis:

Static code analysis, or source code analysis, involves reviewing the code as part of the development cycle and trying to find vulnerabilities during the implementation/design phase itself. It usually involves white-box tests that find static code vulnerabilities such as buffer overflows and SQL injection flaws, which are then fixed during the design/testing phase before the application is released. Some IDEs (integrated development environments) now come with static analysis tools built in, which allow developers to fix vulnerable code immediately. Here are a few types of static code analysis applicable to mobile computing:

  • Software composition analysis: Since over 90% of mobile applications include open source or third-party libraries of some sort, it is key to know which libraries/code bases are used and to ensure that they don’t contain known vulnerabilities. This is where software composition analysis comes into play: it keeps track of the libraries in use and the vulnerabilities reported against each of them, and in turn focuses attention on the libraries that need to be updated or replaced.
  • Permissions: The permissions of a mobile application are closely tied to privacy in the mobile ecosystem, especially on Android. Android applications work on a permission-based system where specific APIs and hardware access are locked behind permissions. An app requesting more permissions than it needs exposes itself, and its users, to security and privacy risks.
  • Open source library usage and versions: This is similar to software composition analysis: you keep an eye on vulnerabilities reported through OWASP (Open Web Application Security Project) resources and update your open source libraries accordingly.
  • Fuzz testing APIs: Fuzz testing, or fuzzing, is a black-box testing method in which bugs and security loopholes are discovered by automatically injecting malformed or semi-malformed data. Since mobile applications make many API calls to perform tasks and transmit sensitive data, it is crucial to test how securely these API calls are handled.
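
As an added example of the permissions check described above (this is not stackArmor ThreatAlert code or a tool from the page), the following Python script parses an AndroidManifest.xml, lists the permissions the app requests, flags the ones that fall into Android's dangerous (runtime) permission category, reports any permission that is not on the app's documented allowlist, and also checks whether the build is marked android:debuggable, a setting the dynamic analysis section below relies on being off in release builds. The manifest, the hypothetical package name com.example.notes and the expected-permission allowlist are constructed for the example; the dangerous-permission set is a subset of Android's real list.

```python
"""Audit an Android manifest for permission over-reach and debug settings.

Added example, not stackArmor's code. The manifest and allowlist below are
constructed; the DANGEROUS_PERMISSIONS set is a subset of Android's real
runtime-permission list, enough to demonstrate the classification.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android's dangerous (runtime) permissions.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
}

# Constructed sample manifest for a hypothetical notes app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Notes" android:debuggable="true">
        <activity android:name=".MainActivity" android:exported="true"/>
    </application>
</manifest>
"""

# Permissions the hypothetical app is documented to need (constructed).
EXPECTED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.CAMERA",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {
        elem.get(name_attr)
        for elem in root.iter("uses-permission")
        if elem.get(name_attr)
    }


def is_debuggable(manifest_xml):
    """True if <application android:debuggable="true"> is set."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False
    return app.get(f"{{{ANDROID_NS}}}debuggable", "false").lower() == "true"


def audit_manifest(manifest_xml, expected):
    """Classify requested permissions and return a findings dict."""
    requested = requested_permissions(manifest_xml)
    return {
        "requested": sorted(requested),
        # Runtime permissions that prompt the user and touch private data.
        "dangerous": sorted(requested & DANGEROUS_PERMISSIONS),
        # Anything requested beyond what the app is documented to need.
        "unexpected": sorted(requested - expected),
        # Debuggable release builds are trivially attachable with a debugger.
        "debuggable": is_debuggable(manifest_xml),
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST, EXPECTED_PERMISSIONS).items():
        print(f"{key}: {value}")
```

Run against a real app by extracting the manifest from the APK with a decoding tool first (the binary manifest inside an APK is not plain XML); the script itself only needs the decoded text. The allowlist is the important input: a permission is only "too many" relative to what the app is supposed to do, so the review should start from the documented feature set.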

These techniques cover most of the static code analysis side of mobile application penetration testing.
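To make the software composition analysis and library-version bullets above concrete, here is an added example (not stackArmor's code, and not the implementation of OWASP Dependency-Check listed later on this page) that checks an app's declared third-party dependencies against a vulnerability feed using version ranges. The Gradle-style dependency coordinates, the com.example library names and the ADVISORY-EXAMPLE ids are all constructed placeholders, not real libraries or real vulnerabilities; a real run would take the feed from a vulnerability database.

```python
"""Check an app's third-party dependencies against a vulnerability feed.

Added example, not stackArmor's code. Dependencies, library names and
advisory ids are constructed placeholders; no real vulnerability is implied.
"""
import re

# Constructed Gradle-style coordinates "group:artifact:version".
DEPENDENCIES = [
    "com.example:netlib:3.12.0",
    "com.example:imageloader:2.4.1",
    "com.example:jsonparse:1.9.0",
    "com.example:analytics:5.0.0",
]

# Constructed advisory feed: affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADVISORY-EXAMPLE-1", "artifact": "com.example:netlib",
     "introduced": "3.0.0", "fixed": "3.12.2"},
    {"id": "ADVISORY-EXAMPLE-2", "artifact": "com.example:jsonparse",
     "introduced": "0.0.0", "fixed": "2.0.0"},
    {"id": "ADVISORY-EXAMPLE-3", "artifact": "com.example:analytics",
     "introduced": "4.0.0", "fixed": "5.0.0"},
]

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Turn '3.12.0' into a comparable tuple (3, 12, 0); missing parts are 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) if part is not None else 0 for part in m.groups())


def parse_coordinate(coord):
    """Split 'group:artifact:version' into ('group:artifact', version)."""
    group, artifact, version = coord.split(":")
    return f"{group}:{artifact}", version


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (the fixed version is safe)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(dependencies, advisories):
    """Return (coordinate, advisory_id) pairs for every affected dependency."""
    hits = []
    for coord in dependencies:
        artifact, version = parse_coordinate(coord)
        for adv in advisories:
            if adv["artifact"] == artifact and is_affected(
                version, adv["introduced"], adv["fixed"]
            ):
                hits.append((coord, adv["id"]))
    return hits


if __name__ == "__main__":
    for coord, adv_id in find_vulnerable(DEPENDENCIES, ADVISORIES):
        print(f"{coord} affected by {adv_id}")
```

The half-open range matters: analytics 5.0.0 is exactly the fixed version and must not be reported, while netlib 3.12.0 sits inside its affected range and must. Wire this into the build so the dependency list comes from the real lock file rather than a hand-maintained copy, otherwise transitive dependencies are missed.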

Dynamic code analysis:

Dynamic code analysis, on the other hand, involves testing the application while it is running. It can be conducted using either white-box or black-box testing methods. The main advantages of dynamic code analysis are finding runtime errors such as buffer overflows and null pointer dereferences, finding dependencies that are only resolved at runtime through reflection, and examining each polymorphic state of the application. One of the main methods of dynamic analysis on mobile devices is:

  • Runtime manipulation: Runtime manipulation mostly involves running the application in debug mode and trying to break it using various automated methods. On Android, adb (the Android Debug Bridge) is used for this; on iOS, tools such as cycript achieve similar results.
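
The fuzz testing bullet in the static section and the runtime errors mentioned here meet in the following added example (not stackArmor's code). It fuzzes a JSON API route with malformed and semi-malformed request bodies and counts every uncaught exception as a finding. The route handler is a constructed in-process function standing in for a mobile backend endpoint, so everything runs offline; two versions are shown, one that trusts its input and one that validates it and answers malformed requests with a 400. The field names user_id, items, title and since are invented for the example.

```python
"""Fuzz a JSON API handler with malformed request bodies.

Added example, not stackArmor's code. The handlers are constructed stand-ins
for a backend route; the seed request and its field names are invented.
"""
import json
import random

MAX_BODY = 64 * 1024  # request-size cap enforced by the validated handler

# Constructed well-formed request used as the mutation seed.
SEED_REQUEST = {"user_id": 42, "items": [{"id": 1, "title": "milk"}], "since": "2024-01-01"}


def handler_unvalidated(raw_body):
    """Constructed handler that trusts its input; surprises become exceptions."""
    data = json.loads(raw_body)
    chars = 0
    for item in data["items"]:
        chars += len(item["title"])
    return 200, {"user": data["user_id"] + 0, "chars": chars}


def handler_validated(raw_body):
    """Same route with input checks: malformed input gets a 400, never a traceback."""
    if len(raw_body) > MAX_BODY:
        return 413, {"error": "body too large"}
    try:
        data = json.loads(raw_body)
    except (ValueError, RecursionError):  # bad JSON, bad bytes, nesting bombs
        return 400, {"error": "invalid json"}
    if not isinstance(data, dict):
        return 400, {"error": "object expected"}
    user_id, items = data.get("user_id"), data.get("items")
    if not isinstance(user_id, int) or isinstance(user_id, bool):
        return 400, {"error": "user_id must be an integer"}
    if not isinstance(items, list) or len(items) > 100:
        return 400, {"error": "items must be a list of at most 100"}
    chars = 0
    for item in items:
        title = item.get("title") if isinstance(item, dict) else None
        if not isinstance(title, str) or len(title) > 256:
            return 400, {"error": "bad item"}
        chars += len(title)
    return 200, {"user": user_id, "chars": chars}


def mutations(seed, rng, count):
    """Yield `count` malformed or semi-malformed variants of the seed request."""
    text = json.dumps(seed)
    for _ in range(count):
        data = json.loads(text)  # fresh copy each round
        choice = rng.randrange(7)
        if choice == 0:    # drop a required key
            data.pop(rng.choice(list(data)))
            yield json.dumps(data)
        elif choice == 1:  # wrong type for a field
            data[rng.choice(list(data))] = rng.choice([None, "x", [], {}, 1e308, True])
            yield json.dumps(data)
        elif choice == 2:  # oversized string
            data["items"] = [{"id": 1, "title": "A" * rng.choice([1000, 100000])}]
            yield json.dumps(data)
        elif choice == 3:  # oversized list
            data["items"] = [{"id": i, "title": "t"} for i in range(5000)]
            yield json.dumps(data)
        elif choice == 4:  # truncated body
            yield text[: rng.randrange(len(text))]
        elif choice == 5:  # valid JSON that is not an object
            yield rng.choice(["[]", "null", "42", '"str"'])
        else:              # invalid UTF-8 bytes, or a deeply nested array
            yield rng.choice([b'{"user_id": 1, "items": "\xff"}', "[" * 5000 + "]" * 5000])


def fuzz(handler, seed, iterations=40, rng_seed=1):
    """Run the handler over mutated bodies; return counts plus crash samples."""
    rng = random.Random(rng_seed)  # fixed seed keeps the run reproducible
    result = {"ok": 0, "rejected": 0, "crashes": []}
    for body in mutations(seed, rng, iterations):
        try:
            status, _ = handler(body)
        except Exception as exc:  # an uncaught exception is a finding
            preview = body if isinstance(body, str) else repr(body)
            result["crashes"].append((type(exc).__name__, preview[:60]))
            continue
        result["ok" if status == 200 else "rejected"] += 1
    return result


if __name__ == "__main__":
    for name, handler in (("unvalidated", handler_unvalidated), ("validated", handler_validated)):
        r = fuzz(handler, SEED_REQUEST)
        print(f"{name}: ok={r['ok']} rejected={r['rejected']} crashes={len(r['crashes'])}")
        for exc_name, preview in r["crashes"][:5]:
            print(f"  {exc_name}: {preview}")
```

Against a real backend the same mutation generator would feed an HTTP client pointed at a test environment, and the signal to watch for is any 5xx, timeout or stack trace rather than a Python exception. The validated handler shows the three controls that close most of the findings: a size cap before parsing, a catch around the parser that includes RecursionError for nesting bombs, and explicit type checks on every field the route reads.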

Reverse engineering analysis:

Reverse engineering usually involves tracing back the steps the developers took to reach the final application. It is usually a black-box form of analysis, and the process involves trying to recover the source code from a binary file.

This technique mostly applies to Android applications. Because Android applications are primarily written in Java, reverse engineering them tends to yield a set of Java libraries and code, which allows traditional Java library and code vulnerability tools to be used on Android applications.

Here are some of the tools used on both platforms:

iOS:

| Sr. No | Tool Name | License | Description | Used For |
|---|---|---|---|---|
| 1 | Otool | Open-Source | Tool for the analysis of Mach-O files. | Binary analysis of the IPA file. |
| 2 | Needle | Open-Source | Needle is an open source, modular framework to streamline the process of conducting security assessments of iOS apps. | Dynamic analysis. |
| 3 | unc0ver | Open-Source | Jailbreak tool for iOS 11.1-12.1.2. | Jailbreak. |
| 4 | Cydia | Open-Source | Cydia is a package manager app for iOS that lets a user find and install software packages on jailbroken iPhones and iPads. The name also refers to the digital distribution platform for iOS software accessed through the Cydia app. | Installing applications on iOS for dynamic and static analysis. |

Android:

| Sr. No | Tool Name | License | Description | Used For |
|---|---|---|---|---|
| 1 | Mobile Security Framework (MobSF) | Open-Source | MobSF is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA and APPX) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to make CI/CD or DevSecOps pipeline integration seamless. | Static analysis. |
| 2 | AndroBugs Framework | Open-Source | AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No installation is needed on Windows. | Static analysis. |
| 3 | OWASP Dependency-Check | Open-Source | Dependency-Check is a utility that identifies project dependencies and checks whether there are any known, publicly disclosed vulnerabilities. | Static and source code analysis. |
| 4 | Drozer | Open-Source | drozer (formerly known as Mercury) is the leading security testing framework for Android. | Dynamic analysis of the application. |
| 5 | Android Tamer | Open-Source | Android Tamer is a virtual/live platform for Android security professionals. | Static and dynamic analysis. |
| 6 | Enjarify, dex2jar, JD-GUI | Open-Source | Enjarify translates Dalvik bytecode to equivalent Java bytecode, which allows Java analysis tools to analyze Android applications. dex2jar is a set of tools to work with Android .dex and Java .class files. JD-GUI is a standalone graphical utility that displays Java source code of .class files; the reconstructed source can be browsed for instant access to methods and fields. | Reverse engineering. |
| 7 | Visual Code Grepper | Open-Source | Visual Code Grepper is an automated code security review tool that handles C/C++, Java, C#, VB and PL/SQL. It has a few features that should make it useful to anyone conducting code security reviews, particularly where time is at a premium. | Source code analysis. |

We hope this helped. Please let us know if you have any questions at solutions at stackArmor dot com or contact us. Learn more about our vulnerability testing and compliance solutions using the stackArmor ThreatAlert cybersecurity platform by visiting https://stackarmor.com/solutions-2/devops/
