With the increasing focus on cybersecurity, supply chain risk and compliance requirements, businesses are being asked to provide evidence of independent cybersecurity testing for their mobile applications. Because organizations must meet such requests for a variety of reasons, including SOC 2, HIPAA, FISMA and FedRAMP compliance, we have developed a standardized offering to assess the current security posture of mobile applications, especially those backed by the AWS cloud. Our stackArmor ThreatAlert Mobile Security Review Report (SRR) helps organizations rapidly assess the security risk posed by their mobile applications on both Apple's iOS and Google's Android. With millions of these devices in use, it is vital to ensure that the applications running on them meet an acceptable security standard. The vulnerability scanning and penetration testing methods used to produce the stackArmor ThreatAlert Mobile Security Review Report (SRR) are described below.
Static code analysis, or source code analysis, examines the code without executing it, as part of the development cycle, so that vulnerabilities are found during the design and implementation phase itself. It is usually conducted as white-box testing to find flaws such as buffer overflows and SQL injection and to fix them during the design and testing phase, before the application is released to users. Some IDEs (integrated development environments) now come with static analysis tools built in, which lets developers fix vulnerable code as they write it. Here are a few types of static code analysis methods applicable to mobile computing:
The above-mentioned techniques cover most of the static code analysis form of mobile application penetration testing.
Dynamic code analysis, on the other hand, tests the application while it is running. It can be conducted as either white-box or black-box testing. Its main advantages are finding runtime errors such as buffer overflows and null pointer dereferences, uncovering dependencies that are only resolved at runtime (for example through reflection), and observing the behaviour each polymorphic code path actually exhibits during execution, which static inspection can only approximate. One of the main methods of dynamic analysis on mobile devices is:
Reverse engineering analysis:
Reverse engineering traces back the steps the developers took to reach the final application. It is usually a black-box form of analysis, since the tester starts from the shipped binary rather than from the source. The process involves deriving source code, or something close to it, from a binary file.
This technique applies mostly to Android applications: they are primarily written in Java and compiled to Dalvik bytecode, which can be translated back into Java classes and near-source code. Reverse engineering an Android application therefore yields a set of Java libraries and code, which allows traditional Java library and code vulnerability tools to be run against it. iOS applications are compiled to native Mach-O binaries, so reverse engineering them yields disassembly rather than source.
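As an added worked example (not from the original post and not part of stackArmor's tooling or of any tool in the tables below), the following Python script performs by hand the first step that the decompilers listed later automate: it opens an APK (which is a zip archive), extracts classes.dex, verifies the DEX header's Adler-32 checksum and SHA-1 signature so that a corrupt or tampered file is rejected rather than misparsed, and dumps the string table, grepping it for the cleartext endpoints and hard-coded credentials a tester looks for before reading decompiled code. The APK and DEX it analyzes are constructed inline (a string table only, no classes, and not a real app), and the suspicious-string patterns are this example's own assumptions, not a complete rule set.

```python
import hashlib
import io
import re
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\x00"
HEADER_SIZE = 0x70
ENDIAN_TAG = 0x12345678

# Patterns worth a second look in a string table (an assumption, not a complete rule set).
SUSPICIOUS = [
    re.compile(r"https?://", re.I),                 # endpoints; "http://" means cleartext
    re.compile(r"password|secret|api[_-]?key", re.I),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),            # shape of an AWS access key ID
]

def _uleb128(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)

def _read_uleb128(buf, off):
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7

def verify_dex_header(dex):
    """Return a list of integrity problems (empty if the header checks out)."""
    if dex[:8] != DEX_MAGIC:
        return ["not a dex 035 file"]
    problems = []
    (checksum,) = struct.unpack_from("<I", dex, 8)
    if zlib.adler32(dex[12:]) & 0xFFFFFFFF != checksum:   # adler32 covers everything after itself
        problems.append("adler32 checksum mismatch")
    if hashlib.sha1(dex[32:]).digest() != dex[12:32]:     # sha1 covers everything after itself
        problems.append("sha1 signature mismatch")
    file_size, header_size, endian_tag = struct.unpack_from("<3I", dex, 32)
    if (file_size, header_size, endian_tag) != (len(dex), HEADER_SIZE, ENDIAN_TAG):
        problems.append("file_size / header_size / endian_tag out of spec")
    return problems

def parse_dex_strings(dex):
    """Walk string_ids -> string_data_item and return the decoded string table."""
    problems = verify_dex_header(dex)
    if problems:
        raise ValueError("; ".join(problems))
    string_ids_size, string_ids_off = struct.unpack_from("<2I", dex, 56)
    strings = []
    for i in range(string_ids_size):
        (off,) = struct.unpack_from("<I", dex, string_ids_off + 4 * i)
        _utf16_len, off = _read_uleb128(dex, off)        # length in UTF-16 units, not bytes
        end = dex.index(b"\x00", off)
        # Real DEX strings are MUTF-8 (U+0000 and supplementary characters differ); ASCII here.
        strings.append(dex[off:end].decode("utf-8", errors="replace"))
    return strings

def triage_apk(apk_bytes):
    """Extract classes.dex from an APK (a zip) and flag strings matching SUSPICIOUS."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        dex = zf.read("classes.dex")
    strings = parse_dex_strings(dex)
    hits = [s for s in strings if any(p.search(s) for p in SUSPICIOUS)]
    return {"string_count": len(strings), "hits": hits}

def build_minimal_dex(strings):
    """Constructed fixture: a dex file holding a string table and nothing else."""
    string_ids_off = HEADER_SIZE
    data_off = string_ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += _uleb128(len(s)) + s.encode("ascii") + b"\x00"
    string_ids = b"".join(struct.pack("<I", o) for o in offsets)
    body = struct.pack("<20I", data_off + len(data), HEADER_SIZE, ENDIAN_TAG, 0, 0, 0,
                       len(strings), string_ids_off, *([0] * 10), len(data), data_off)
    body += string_ids + bytes(data)
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body

def build_sample_apk():
    """Constructed sample APK: enough zip structure for the demo, not a real app."""
    dex = build_minimal_dex([
        "Lcom/example/app/MainActivity;", "onCreate",
        "http://api.example.com/v1/login",      # cleartext endpoint
        "AKIAIOSFODNN7EXAMPLE",                 # the AWS documentation's example key ID
        "password",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

The integrity check matters in practice: a repackaged or patched APK whose classes.dex was edited without recomputing the checksum and signature will be rejected by the Android runtime, so a mismatch on a sample you did not modify yourself is itself a finding. On a real APK, replace build_sample_apk() with the file's bytes; multidex apps carry classes2.dex, classes3.dex and so on, which this script does not iterate.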
Here are some of the tools used on both platforms:
iOS:

| Sr. No | Tool Name | License | Description | Used For |
|---|---|---|---|---|
| 1 | Otool | Open-Source | Command-line tool for inspecting Mach-O files (headers, load commands, linked libraries, disassembly). | Binary analysis of the app executable inside an IPA file. |
| 2 | Needle | Open-Source | Needle is an open-source, modular framework to streamline the process of conducting security assessments of iOS apps. | Dynamic Analysis |
| 3 | unc0ver | Open-Source | Jailbreak tool for iOS 11.1 to 12.1.2. | Jailbreak |
| 4 | Cydia | Open-Source | Cydia is a package manager app for iOS that enables a user to find and install software packages on jailbroken iPhones and iPads. The name also refers to the digital distribution platform for iOS software accessed through the Cydia app. | Installing tools and applications on the iOS device for dynamic and static analysis. |
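As a second added example (again not from the original post and not part of otool or any other listed tool), the following Python script performs, without otool, the checks a tester normally runs otool -hv and otool -l for on the executable inside an IPA: it reads the Mach-O header flags for PIE, walks the load commands for LC_ENCRYPTION_INFO_64 (a non-zero cryptid means the App Store's FairPlay encryption is still in place, so the binary must be decrypted on a jailbroken device before static analysis is useful) and LC_CODE_SIGNATURE, and unwraps fat (universal) binaries into their per-architecture slices. The binaries it inspects are constructed inline (a header and a few load commands, no code), and the wording of the findings is this example's own.

```python
import struct

MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACF, 0xCAFEBABE
MH_EXECUTE, MH_PIE = 0x2, 0x200000
LC_SEGMENT_64, LC_CODE_SIGNATURE, LC_ENCRYPTION_INFO_64 = 0x19, 0x1D, 0x2C
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C
CPU_NAMES = {CPU_TYPE_ARM64: "arm64", CPU_TYPE_X86_64: "x86_64"}

def check_thin_macho(blob):
    """Report hardening-relevant facts from one little-endian 64-bit Mach-O image."""
    magic, cputype, _sub, _ftype, ncmds, sizeofcmds, flags, _res = struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    report = {"arch": CPU_NAMES.get(cputype, hex(cputype)), "pie": bool(flags & MH_PIE),
              "encrypted": False, "code_signature": False}
    off, end = 32, 32 + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"malformed load command at offset {off}")
        if cmd == LC_ENCRYPTION_INFO_64:
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<3I", blob, off + 8)
            report["encrypted"] = cryptid != 0          # non-zero: FairPlay-encrypted
        elif cmd == LC_CODE_SIGNATURE:
            report["code_signature"] = True
        off += cmdsize
    return report

def check_macho(blob):
    """Accept a thin image or a fat (universal) wrapper; return one report per slice."""
    (magic,) = struct.unpack_from(">I", blob, 0)    # fat headers are big-endian
    if magic != FAT_MAGIC:
        return [check_thin_macho(blob)]
    (nfat,) = struct.unpack_from(">I", blob, 4)
    reports = []
    for i in range(nfat):
        _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
        reports.append(check_thin_macho(blob[offset:offset + size]))
    return reports

def findings(report):
    """Turn one slice report into the observations that go into an assessment write-up."""
    arch, out = report["arch"], []
    if not report["pie"]:
        out.append(f"{arch}: not PIE, so ASLR does not randomise the main image")
    if report["encrypted"]:
        out.append(f"{arch}: FairPlay-encrypted; decrypt on a jailbroken device before static analysis")
    if not report["code_signature"]:
        out.append(f"{arch}: no LC_CODE_SIGNATURE load command")
    return out

def build_sample_macho(pie, cryptid, signed, cputype=CPU_TYPE_ARM64):
    """Constructed fixture: header plus a few load commands, no code or data."""
    cmds = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, b"__TEXT", 0, 0, 0, 0, 0, 0, 0, 0)
    cmds += struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x1000, cryptid, 0)
    if signed:
        cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0)
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 0, MH_EXECUTE,
                         2 + int(signed), len(cmds), MH_PIE if pie else 0, 0)
    return header + cmds

def build_sample_fat(slices):
    """Constructed universal binary wrapping the given thin images."""
    header, off, body = struct.pack(">2I", FAT_MAGIC, len(slices)), 8 + 20 * len(slices), b""
    for s in slices:
        (cputype,) = struct.unpack_from("<I", s, 4)
        header += struct.pack(">5I", cputype, 0, off, len(s), 0)
        body, off = body + s, off + len(s)
    return header + body

if __name__ == "__main__":
    hardened = build_sample_macho(pie=True, cryptid=0, signed=True)
    weak = build_sample_macho(pie=False, cryptid=1, signed=False, cputype=CPU_TYPE_X86_64)
    for r in check_macho(build_sample_fat([hardened, weak])):
        print(r, findings(r))
```

On a real IPA, unzip it, open Payload/<App>.app/<App> and pass its bytes to check_macho(). Stack canary and ARC checks (the ___stack_chk_guard and _objc_release symbols) need the symbol table, which this example deliberately does not parse; otool -I -v or nm covers those.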
Android:

| Sr. No | Tool Name | License | Description | Used For |
|---|---|---|---|---|
| 1 | Mobile Security Framework (MobSF) | Open-Source | MobSF is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA and APPX) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to make CI/CD or DevSecOps pipeline integration seamless. | Static and Dynamic Analysis |
| 2 | AndroBugs Framework | Open-Source | AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. A standalone Windows build is provided that needs no installation. | Static Analysis |
| 3 | OWASP Dependency-Check | Open-Source | Dependency-Check is a utility that identifies project dependencies and checks whether any of them have known, publicly disclosed vulnerabilities. | Static and Source Code Analysis |
| 4 | drozer | Open-Source | drozer (formerly known as Mercury) is a security testing framework for Android that lets the tester interact with the app's exported components (activities, services, content providers, broadcast receivers) from the device. | Dynamic Analysis of the Application |
| 5 | Android Tamer | Open-Source | Android Tamer is a virtual/live platform for Android security professionals, bundling many of the tools listed here. | Static and Dynamic Analysis |
| 6 | Enjarify, dex2jar, JD-GUI | Open-Source | Enjarify is a tool for translating Dalvik bytecode to equivalent Java bytecode, which allows Java analysis tools to analyze Android applications. dex2jar is a set of tools for working with Android .dex and Java .class files. JD-GUI is a standalone graphical utility that displays the Java source reconstructed from .class files; the reconstructed source can be browsed for instant access to methods and fields. | Reverse Engineering |
| 7 | Visual Code Grepper | Open-Source | Visual Code Grepper is an automated code security review tool that handles C/C++, Java, C#, VB and PL/SQL. It has a number of features intended to be useful to anyone conducting code security reviews, particularly where time is at a premium. | Source Code Analysis |
We hope this helped. Please let us know if you have any questions at solutions at stackArmor dot com or contact us. Learn more about our vulnerability testing and compliance solutions using the stackArmor ThreatAlert cybersecurity platform by visiting https://stackarmor.com/solutions-2/devops/