Lecture 5: Mobile Vulnerability Scanners and Testing Tools

Document Details

Uploaded by EnthusiasticHeliodor5563

University of Tripoli

Tags

mobile application security, vulnerability scanners, mobile security testing, security

Summary

This document is a lecture about mobile application security testing and tools. It covers common vulnerabilities in mobile applications, including insecure data storage, memory leaks, and supply chain vulnerabilities. The lecture also discusses types of security tests, static and dynamic analysis, and various tools for mobile app security.

Full Transcript

ITMC411 Security in mobile computing
LECTURE 5: Mobile Vulnerability Scanners and Testing Tools

Common mobile application vulnerabilities
- Insecure data storage
- Memory leaks and corruption
- Supply chain vulnerabilities

Insecure Data Storage
- Sensitive data (e.g., user credentials, financial info) improperly secured.
- Risks: weak encryption, poorly protected database access, and exposed cookie storage.
- Vulnerable to attacks, especially on rooted devices or reverse-engineered apps.
- Solutions:
  - Use encryption and secure authentication.
  - Conduct regular security audits.

Memory Leaks and Corruption
- Common in apps using native languages like C, C++ and Objective-C.
- Memory issues (e.g., leaks, buffer overflows) lead to app crashes or security exploits.
- Risks: can lead to denial-of-service (DoS) attacks.
- Solutions:
  - Apply best coding practices.
  - Use Static Application Security Testing (SAST).

Supply Chain Vulnerabilities
- Third-party components (libraries, frameworks) may contain bugs or malicious code.
- Example: ParkMobile breach, in which 21 million users' data was compromised via a third-party vulnerability.
- Solutions:
  - Test third-party components thoroughly.
  - Keep all components updated.
  - Implement a "shift-left" security approach.

Types of mobile app security tests
- Vulnerability scanning
- Penetration testing
- Risk assessment
- Security posture assessment

Vulnerability Scanning
- Purpose: uses automated tools to find vulnerabilities in the app ecosystem.
- Focus: looks for known vulnerabilities, particularly in software dependencies and common code loopholes.
- Output: generates reports for

Penetration Testing
- Purpose: simulates attacks to identify weaknesses in the app.
- Key difference: involves ethical hackers, providing realistic, actionable threat data.
- Output: more detailed information on exploit methods and loopholes.

Risk Assessment
- Purpose: evaluates the risks across people, processes, and tools in the app's ecosystem.
- Steps:
  1. Catalog assets.
  2. Identify potential threats.
  3. Analyze how vulnerabilities can be exploited.

Security Posture Assessment
- Purpose: prioritizes the risks from the risk assessment and develops strategies to improve the app's security posture.
- Strategies: may include stronger authentication, patching software, incident response plans, and continuous monitoring.

Static and Dynamic Analysis
- Static application security testing (SAST):
  - Tests the application code for vulnerabilities before running it in an app.
  - Tools such as Klocwork and Checkmarx are useful for achieving SAST.
- Dynamic application security testing (DAST):
  - Focuses on a running app.

Top mobile app security assessment tools
1. QARK
2. Data Theorem
3. App-Ray
4. Checkmarx
5. NowSecure
6. Appknox
7. Fortify on Demand
8. HCL AppScan
9. AppSweep
10. Veracode
11. Synopsys
12. Ostorlab

QARK
- Purpose: open-source tool for Android app security.
- Key features:
  - Static code analysis, permission mapping, manifest analysis.
  - Combines static and dynamic analysis.
- Pros:
  - Free and open-source.
  - Generates detailed reports.
  - Integrates with CI systems.
- Cons:
  - Android-only.

Data Theorem by Mobile Secure
- Purpose: comprehensive tool for Android and iOS security.
- Key features:
  - Static and dynamic analysis, vulnerability assessment, compliance testing.
  - Real-time behavior monitoring.
- Pros:
  - Supports both iOS and Android.
  - Continuous monitoring.
- Cons:

App-Ray
- Purpose: security testing for iOS, Android, and Windows.
- Key features:
  - Static and dynamic analysis for vulnerabilities and data leaks.
- Pros:
  - Supports multiple platforms.
  - User-friendly with continuous monitoring.
- Cons:
  - Limited community support.

Checkmarx
- Purpose: code-level security testing tool.
- Key features:
  - Comprehensive SAST (Static Application Security Testing) with manual and automated options.
- Pros:
  - Seamless integration with development workflows.
  - Multi-language support.
- Cons:

NowSecure
- Purpose: security testing for iOS and Android.
- Key features:
  - Dynamic analysis, real-time monitoring, network and storage vulnerability detection.
- Pros:
  - Actionable reports with clear steps.
  - Advanced mobile forensics.
- Cons:
  - Limited language support.

Appknox
- Purpose: cloud-based security tool for Android and iOS.
- Key features:
  - Automated testing with a focus on vulnerabilities and improper authentication.
- Pros:
  - Easy-to-use interface.
  - Integration with CI/CD tools.
- Cons:
  - Limited to cryptographic

Fortify on Demand
- Purpose: cloud-based security testing by Micro Focus.
- Key features:
  - Combines static and dynamic analysis, focusing on code and network vulnerabilities.
- Pros:
  - Seamless integration with dev environments.
  - Detailed reports.
- Cons:

AppSweep
- Purpose: cloud-based tool for Android and iOS.
- Key features:
  - Automated testing with a focus on data leakage and insecure communication.
- Pros:
  - Easy to use, with CI/CD integration.
- Cons:
  - Limited iOS support.

HCL AppScan
- Purpose: enterprise-grade tool for Android and iOS.
- Key features:
  - Comprehensive vulnerability scanning with detailed reports.
- Pros:
  - Strong integration with CI/CD.
  - Advanced automation.
- Cons:
  - Complex setup.
  - High cost for small enterprises.

Veracode
- Purpose: enterprise-grade tool for Android and iOS.
- Key features:
  - Combines static and dynamic analysis with network communication security.
- Pros:
  - Detailed, actionable insights.
  - Strong dev environment integration.
- Cons:
  - Expensive for small businesses.

Synopsys
- Purpose: security testing tool for Android, iOS, and Windows.
- Key features:
  - Combines static, dynamic, and interactive analysis.
- Pros:
  - Comprehensive testing capabilities.
  - Supports multiple platforms.
- Cons:
  - Expensive.
  - Requires complex setup.

Ostorlab
- Purpose: security testing tool for Android and iOS.
- Key features:
  - Provides static and dynamic analysis.
- Pros:
  - Comprehensive security analysis.
  - User-friendly interface.
- Cons:
  - Limited features in the free version.
  - Performance issues.

Smali

What is Smali?
- Smali: a low-level, assembly-like language designed for the Dalvik Virtual Machine (VM).
- It serves as an intermediate language between Java source code and the executable code on Android devices.
- Smali is mainly used in reverse engineering, particularly for analyzing or modifying Android applications.

Common Uses of Smali
1. Reverse engineering: modify Android APK files after decompiling to change their behavior.
2. Malware analysis: used by researchers to understand the behavior of malware on Android.
3. Debugging: applied when the original source code is unavailable, helping to debug apps.

Key Tools for Working with Smali
- Baksmali: decompiles DEX files into Smali code.
- Smali tool: recompiles Smali code back into DEX format.
- JEB & APKTool: common tools for decompiling/recompiling APKs.

How to Work with Smali
- Use APKTool to extract APK resources, including DEX files, which can be converted to Smali code using Baksmali.
- After modifying the Smali code, use Smali Tool to recompile the DEX file, and

Tools for Working with Smali
Working with Smali often involves various tools that facilitate decompiling, editing, reassembling and analyzing APK files and .dex bytecode for Android.

ApkTool
- Purpose: decompiles and reassembles APK files, converting .dex files into Smali code and allowing for modification of both code and resources.
- Usage:
  - Decompile: apktool d app.apk (creates Smali files and resources).
  - Recompile: apktool b app_folder (rebuilds the APK after edits).

JEB (Java Executable Bytecode)
- Purpose: professional-grade Android decompiler that converts .dex files into Smali and Java code and performs interactive code analysis.
- Features:
  - Interactive GUI with decompiled Java and Smali.
  - Advanced support for obfuscation and native code analysis.
  - Python scripting support for automating tasks.

JADX (Java Decompiler for Android)
- Purpose: a decompiler that converts .dex files into readable Java code, with some support for viewing Smali.
- Usage:
  - Open APK: load an APK file in jadx-gui to explore the code.
  - Export Smali: view Smali code for methods/classes when needed.

Baksmali and Smali
- Purpose: tools specifically for disassembling (baksmali) and assembling (smali) .dex files.
- Usage:
  - Disassemble: baksmali disassemble app.dex (produces .smali files).
  - Assemble: smali assemble smali_folder -o classes.dex (compiles .smali files into a .dex file).

Android Studio (with JD-GUI or JADX plugin)
- Purpose: while Android Studio isn't a Smali editor, it can be configured with plugins to support Java decompilation and some Smali viewing.

JD-GUI
- Purpose: a standalone Java decompiler that can be used with dex2jar to inspect Java code for analysis.
- Usage:
  - Open JAR file: load the .jar file created with dex2jar to view decompiled Java code.

dex2jar
- Purpose: converts .dex files into .jar files, which can then be decompiled into Java using a decompiler like JD-GUI or JADX.
- Usage:
  - Convert: d2j-dex2jar app.dex (generates a .jar file from the .dex file).

Workflow Example with Smali Editing
1. Decompile APK: use apktool d app.apk to get .smali files.
2. Edit Smali code: open .smali files in a text editor (like VSCode) and make changes.
3. Recompile APK: use apktool b app_folder to rebuild the modified APK.
4. Sign and install APK: use jarsigner or apksigner to sign the APK and then install it on an Android
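A small static check of the kind the SAST and insecure-data-storage slides describe, run over the .smali text that apktool or baksmali produces. This is an added example, not code from the lecture or from any of the tools listed; the Smali excerpt is constructed, and the mode constants, API list and secret-name heuristic are my own assumptions about what an auditor would look for.

```python
import re

# Constructed Smali excerpt (not from a real app): the method opens world-readable
# SharedPreferences, stores a hardcoded API key, and picks an ECB cipher mode.
SAMPLE_SMALI = """\
.class public Lcom/example/app/Prefs;
.method public save(Landroid/content/Context;)V
    .locals 3
    const-string v0, "api_key"
    const-string v1, "EXAMPLE-CONSTRUCTED-KEY-0000"
    const/4 v2, 0x1
    invoke-virtual {p1, v0, v2}, Landroid/content/Context;->getSharedPreferences(Ljava/lang/String;I)Landroid/content/SharedPreferences;
    const-string v1, "AES/ECB/PKCS5Padding"
    invoke-static {v1}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    return-void
.end method
"""

# Context.MODE_WORLD_READABLE == 1, MODE_WORLD_WRITEABLE == 2 (deprecated, still dangerous on old targets).
WORLD_MODES = {1: "MODE_WORLD_READABLE", 2: "MODE_WORLD_WRITEABLE"}
STORAGE_APIS = ("->getSharedPreferences(", "->openFileOutput(", "->openOrCreateDatabase(")  # mode is last arg
SECRET_NAMES = re.compile(r"key|secret|password|token", re.I)
CONST_INT = re.compile(r"^\s*const(?:/4|/16)?\s+(\w+),\s*(-?0x[0-9a-f]+|-?\d+)", re.I)
CONST_STR = re.compile(r'^\s*const-string(?:/jumbo)?\s+(\w+),\s*"(.*)"')
INVOKE = re.compile(r"^\s*invoke-\w+\s+\{([^}]*)\},\s*(\S+)")

def scan_smali(text: str) -> list[tuple[int, str]]:
    """Return (line_no, finding) pairs; register tracking resets at every .method."""
    findings, ints, secret_name = [], {}, None
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(".method"):
            ints, secret_name = {}, None
        elif m := CONST_INT.match(line):
            ints[m.group(1)] = int(m.group(2), 0)  # remember the int constant held by each register
        elif m := CONST_STR.match(line):
            val = m.group(2)
            if "/ECB" in val.upper():
                findings.append((no, f"ECB cipher mode literal {val!r}"))
            elif secret_name and len(val) >= 16:  # long literal right after a key/secret name
                findings.append((no, f"hardcoded value follows key name {secret_name!r}"))
            secret_name = val if SECRET_NAMES.search(val) and len(val) < 16 else None
        elif m := INVOKE.match(line):
            regs = [r.strip() for r in m.group(1).split(",")]
            if any(api in m.group(2) for api in STORAGE_APIS):
                mode = ints.get(regs[-1])  # the int register passed as the file mode
                if mode in WORLD_MODES:
                    method = m.group(2).split("->")[1].split("(")[0]
                    findings.append((no, f"{WORLD_MODES[mode]} passed to {method}"))
    return findings
```

Point it at the output directory of apktool d app.apk to triage every .smali file the same way; the findings are leads for a manual review, not proof of exploitability.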
