Guide to Android Application Testing

Detox Technologies
5 min read · May 13, 2021


With 3.2 billion smartphone users across the world, it is no surprise that the mobile app industry is booming. App and smartphone usage is still growing at a steady rate, with no sign of slowing down in the foreseeable future. There are 2.87 million apps available for download on the Google Play Store. Some of these applications grant access only after users sign up. Users provide sensitive information such as email addresses, payment details, sensitive documents and phone numbers, or the application asks for permission to use their camera, storage and contacts. This data is stored on the application's server, which puts the user's information at risk and raises a number of questions: How secure is the Android application? How secure is the application server? How is the data stored? Is it encrypted or not? Is it transmitted over a weak channel?

This is where Android app security comes in. Here, we will discuss the top 10 mobile vulnerabilities defined by OWASP.

M1: Improper Platform Usage

Mobile applications run on top of an operating system that provides a wide range of features, including security controls. When an application misuses those features or fails to use the platform's security controls, it increases the attack surface and may expose data to attackers. A pentester identifies coding flaws, tries to gain access, and exploits the permissions that have been granted to the application. Improper platform usage depends not only on how a developer uses the platform's security features, but also on how the application communicates with the OS.
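One concrete way to check for improper platform usage is to audit the decoded AndroidManifest.xml, which is where most of the platform-level decisions (debug flags, backup, cleartext traffic, exported components) are declared. The script below is an added example written for this article, not code from the original post or from any project it mentions; the sample manifests are constructed, and the finding wording and severities are the example's own choices. The same function can be run on a manifest decoded from a real APK.

```python
# Added example (not from the original post): a static audit of a decoded
# AndroidManifest.xml for the platform-usage mistakes described above.
# Both manifests below are constructed for this example.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def a(attr):
    """Fully qualified android: attribute name in ElementTree's {ns}name form."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed manifest with the weak settings a tester looks for.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:debuggable="true"
                 android:allowBackup="true"
                 android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".AdminActivity" android:exported="true"/>
        <provider android:name=".NotesProvider"
                  android:authorities="com.example.sample.notes"
                  android:exported="true"/>
        <service android:name=".SyncService"
                 android:exported="true"
                 android:permission="com.example.sample.SYNC"/>
    </application>
</manifest>
"""

# Constructed manifest with the same components after hardening.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
    <application android:allowBackup="false">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".AdminActivity" android:exported="false"/>
    </application>
</manifest>
"""


def audit_manifest(manifest_xml):
    """Return a list of (severity, finding) tuples for a manifest string."""
    findings = []
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return [("high", "manifest has no <application> element")]

    # Application-wide flags that widen the attack surface.
    if app.get(a("debuggable")) == "true":
        findings.append(("high", "android:debuggable=true (a debugger can attach to the build)"))
    if app.get(a("allowBackup"), "true") == "true":   # the platform default is true
        findings.append(("medium", "android:allowBackup not disabled (app data can be extracted via backup)"))
    if app.get(a("usesCleartextTraffic")) == "true":
        findings.append(("high", "android:usesCleartextTraffic=true (plain HTTP allowed)"))

    # Components exported to other apps without a permission guard.
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name = comp.get(a("name"), "<unnamed>")
        exported = comp.get(a("exported")) == "true"
        guarded = comp.get(a("permission")) is not None
        is_launcher = any(cat.get(a("name")) == LAUNCHER_CATEGORY
                          for cat in comp.iter("category"))
        if exported and not guarded and not is_launcher:
            findings.append(("medium", "%s %s is exported without a permission" % (comp.tag, name)))
    return findings


if __name__ == "__main__":
    for severity, text in audit_manifest(SAMPLE_MANIFEST):
        print("[%s] %s" % (severity, text))
    print("hardened manifest findings:", audit_manifest(HARDENED_MANIFEST))
```

The launcher activity is deliberately skipped because it must be exported for the app to start; every other exported component without an `android:permission` is reported so the tester can check what it does when called from another app. The debuggable and backup checks are also relevant to the extraneous functionality category discussed later in the article.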

M2: Insecure Data Storage

Insecure data storage is a high-severity vulnerability. Applications store information about their users, often referred to as personally identifiable information (PII), such as bank details, passwords, credit card information, sensitive documents, or medical history. Once this data is exposed to an attacker by any means, the damage to reputation is severe, and the attacker can exploit the user's information by impersonating them.

How applications become vulnerable to insecure data storage

It depends on how the OS stores data, access tokens, binary data, and media; how the application stores data on the device; how the application syncs data to the cloud; how data is used for advertising and analytics; and how data is stored on the device, whether the device is rooted or not.

Developers assume that the file system and the data stored on a mobile device are completely secure, but once the device is stolen an attacker can access the information, and if the device is rooted the filesystem's protections can be bypassed. Organizations should assume that a bad actor can access the mobile device or that malware can inspect sensitive data stores.
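To make the point concrete, the script below audits a SharedPreferences file the way a tester would after pulling the app's `shared_prefs` directory from a rooted device or emulator. It is an added example written for this article, not code from the original post or from DIVA; the preference file contents, the key-name patterns and the file modes are constructed for the example (the world-readable mode stands in for the deprecated MODE_WORLD_READABLE behaviour).

```python
# Added example (not from the original post): audit a pulled shared_prefs
# XML file for plaintext secrets and over-permissive file modes.
# The preference contents below are constructed for this example.
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed example of what a plaintext credential store looks like.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="api_token">eyJhbGciOiJIUzI1NiJ9.e30.constructed</string>
    <boolean name="dark_mode" value="true" />
    <string name="last_screen">settings</string>
</map>
"""

# Preference keys that should never hold a plaintext value (example list).
SENSITIVE_KEY = re.compile(
    r"(pass(word|wd)?|pwd|token|secret|api[_-]?key|credit|card|pin)",
    re.IGNORECASE)


def write_sample_prefs(directory, world_readable=True):
    """Write the constructed prefs file; 0o644 emulates an over-permissive mode."""
    path = os.path.join(directory, "com.example.sample_preferences.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_PREFS)
    os.chmod(path, 0o644 if world_readable else 0o600)
    return path


def audit_prefs_file(path):
    """Return findings: readable-by-others mode and plaintext sensitive entries."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IRGRP):
        findings.append("file mode %o lets other users/groups read it" % mode)
    root = ET.parse(path).getroot()
    for entry in root:
        key = entry.get("name", "")
        # <string> keeps its value as text; other types use a value attribute.
        value = entry.text if entry.tag == "string" else entry.get("value")
        if SENSITIVE_KEY.search(key) and value:
            findings.append("plaintext %s stored under key %r" % (entry.tag, key))
    return findings


def run_demo(world_readable=True):
    """Write the sample file into a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_prefs_file(write_sample_prefs(tmp, world_readable))


if __name__ == "__main__":
    for finding in run_demo():
        print("-", finding)
```

On a real device the fix is not to rename the keys but to keep secrets out of SharedPreferences altogether, or to store them through a keystore-backed encrypted store, so that a copy of the file yields nothing usable.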

M3: Insecure Communication

Mobile apps transmit and receive data in a client-server architecture. Data travels over the mobile carrier's network or Wi-Fi. Attackers can eavesdrop on the transmitted data to steal sensitive information coming from the device or the network. Most developers configure SSL/TLS for authentication only, which leaves access tokens, session IDs, and other sensitive data exposed over the remaining traffic.

M4: Insecure Authentication

Authentication is the process of verifying whether the person claiming an identity is genuine. This can be verified by what they know (a password), what they have (a security code or backup code), and what they are (biometrics). An attacker identifies a potential vulnerability in the authentication system and tries to fake or bypass it. The impact can be low if a normal user account gets compromised and high if a high-privilege user account gets compromised.

M5: Insufficient Cryptography

Weak cryptography, an unencrypted channel over the network, physical access to the device, and malware acting on the attacker's behalf all enable unauthorized retrieval of sensitive information.
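A common form of weak cryptography in mobile apps is protecting a locally stored password or PIN with a single fast, unsalted hash. The example below, added for this article and not taken from the original post, places that weak scheme beside a salted PBKDF2-HMAC-SHA256 record and a constant-time comparison. The record format, function names and iteration count are the example's own choices.

```python
# Added example (not from the original post): insufficient versus adequate
# protection of a stored password. Function names and the record format
# are this example's own choices.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # example choice; tune to the device's budget


def weak_store(password):
    """Insufficient: one unsalted SHA-1 digest, identical for every user with that password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def weak_verify(stored, password):
    """Also not constant-time: the comparison stops at the first differing byte."""
    return stored == weak_store(password)


def strong_store(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random per-user salt, stored in a self-describing record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # The record carries its own parameters so iterations can be raised later
    # without invalidating existing records.
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def strong_verify(record, password):
    """Recompute the digest from the record's own salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users with the same password: the weak scheme reveals that fact,
    # and one precomputed table cracks both.
    print(weak_store("hunter2") == weak_store("hunter2"))      # True
    r1, r2 = strong_store("hunter2"), strong_store("hunter2")
    print(r1 == r2, strong_verify(r1, "hunter2"), strong_verify(r1, "wrong"))
```

The slow derivation is what makes offline guessing against a stolen record expensive; the salt is what stops one precomputed table from working against every user at once.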

M6: Insecure Authorization

Authorization refers to which privileges a user holds. A pentester studies the authorization scheme and performs role-based test cases to try to bypass it. The goal is to obtain administrative privileges by enumerating requests and modifying server responses. To enumerate requests by brute force, attackers use botnets or malware.
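The role-based test cases mentioned above usually come down to one question: does the server derive the caller's identity and role from the session, or does it trust an identifier the client sends? The handler pair below is an added example written for this article, not code from the original post; the users, roles, sessions and request shape are constructed so the check can be exercised without a server.

```python
# Added example (not from the original post): a server-side handler that
# trusts a client-supplied user id, beside one that authorizes from the session.
# Users, roles, sessions and the request dictionary are constructed.

# Constructed user directory and session table.
USERS = {
    "alice": {"role": "user", "balance": 120},
    "bob":   {"role": "user", "balance": 75},
    "admin": {"role": "admin", "balance": 0},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob", "sess-admin": "admin"}


class Forbidden(Exception):
    """Raised when a request is authenticated but not authorized."""


def vulnerable_get_balance(request):
    """Checks that *some* session exists, then trusts the user id in the query.

    Any logged-in user can read any account by changing the 'user' parameter
    (the insecure direct object reference a role-based test case catches)."""
    if request["session"] not in SESSIONS:
        raise Forbidden("not authenticated")
    return USERS[request["params"]["user"]]["balance"]


def secure_get_balance(request):
    """Derives the caller from the session and checks the role before honouring the id."""
    caller = SESSIONS.get(request["session"])
    if caller is None:
        raise Forbidden("not authenticated")
    target = request["params"].get("user", caller)
    if target not in USERS:
        raise KeyError("no such account")
    if target != caller and USERS[caller]["role"] != "admin":
        raise Forbidden("%s may not read %s's account" % (caller, target))
    return USERS[target]["balance"]


def run_role_tests(handler):
    """Run the same role-based cases against a handler; return outcome per case."""
    cases = {
        "own_account":   {"session": "sess-alice", "params": {"user": "alice"}},
        "other_account": {"session": "sess-bob",   "params": {"user": "alice"}},
        "admin_any":     {"session": "sess-admin", "params": {"user": "alice"}},
        "no_session":    {"session": "sess-nobody", "params": {"user": "alice"}},
    }
    results = {}
    for name, req in cases.items():
        try:
            results[name] = handler(req)
        except Forbidden as exc:
            results[name] = "forbidden: %s" % exc
    return results


if __name__ == "__main__":
    print("vulnerable:", run_role_tests(vulnerable_get_balance))
    print("secure:   ", run_role_tests(secure_get_balance))
```

Running the same cases against both handlers is the shape of a role-based test: the vulnerable handler returns Alice's balance to Bob's session, while the secure one refuses and only the admin role crosses account boundaries.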

M7: Client Code Quality

Development teams work together, but every developer follows different coding practices, which creates inconsistency in the code. Because of poor coding practices, an Android application can be vulnerable to information disclosure, unauthorized access, and slowdowns in processing clients' requests. An attacker can pass malicious input to code that runs on the mobile device and overflow a buffer or leak memory contents.

M8: Code Tampering

Bad actors can download the APK file, make binary changes to the application package's core binary, and redirect or replace APIs to execute malicious code remotely. After modifying the APK's files, the attacker can recompile it and upload it elsewhere for free.

M9: Reverse Engineering

Reverse engineering means decompiling the APK and analysing its files in a local environment with a suite of tools, in order to identify information about back-end servers, sensitive information, tokens or cryptographic constants, and the ciphers in use.

M10: Extraneous Functionality

An attacker identifies functions of the application beyond those it is meant to provide and exploits this hidden functionality from their own system, without any interaction from the end user. Developers leave behind logs, configuration files, comments containing sensitive information, or even binaries with hidden switches and untested code, all of which increase the attack surface and help gather information for further attacks.

Hacking Playground

To test the vulnerabilities discussed above, we can use the Damn Insecure and Vulnerable App (DIVA). It contains the most common mobile application vulnerabilities. The application also includes a few vulnerabilities in native code, access control issues, and insecure storage, which makes it more interesting.

To run an Android application, we need an emulator such as Genymotion or BlueStacks, or we can install Santoku Linux, an Android app security testing distribution.

Genymotion is an emulator that simulates Android devices on your computer, so you can test a variety of devices, applications, and Android API levels without a physical device.

Santoku Linux is one of the Android security testing distributions that comes with the tools required for testing an Android application. It supports security assessment, and ships with decompilation and disassembly tools, scripts to detect common issues in mobile applications, scripts to automate decrypting binaries, deploying apps, enumerating app details, and more.


Written by Detox Technologies

Detox is a cybersecurity firm focused on high-quality security testing for enterprises specialized in black box, grey box, and white box penetration testing.
