Mobile Application Security Testing: Major Threats and the Tools Needed to Overcome Them
Billions of people share their personal information with mobile apps, making apps a prime target for hackers. Attacks on poorly protected applications can result in the leakage of personal data, including financial details. Fraudulent transactions, malware injections, and other manipulative actions are terrifyingly common. In fact, more than three million malicious apps were identified in 2018 alone.
You need to make sure that your application is sufficiently secure and that your users’ data won’t be compromised. Security testing helps identify all the possible threats, which in turn boosts confidence in the integrity of the product. Sounds good, right? With that in mind, in this article we’ll go over how to test mobile app security effectively.
Security testing is the process of checking and assessing mobile and web applications and APIs for their level of protection against potential attacks. Since technologies are rapidly improving, new security risks appear often. Each year, priorities in mobile application security testing change, which is reflected in the top-risks list published by OWASP. Being aware of the major current vulnerabilities tells us which parts of an application require specific attention.
Before developing an application, we must set security requirements — both basic and project-specific ones — then clearly articulate and prioritise them.
Security Requirements
First of all, we must determine which type of information in an application is confidential. It’s best to document the parameters of any sensitive data in the project before testing. The following user information is generally considered sensitive:
- User authentication information: credentials, PINs, passwords
- Personally identifiable information: social security numbers, credit card and bank account details, health information
- Device identifiers
- Any data under legal protection as set out in a privacy policy or terms of usage
- Technical information generated by an application and used to protect other data or the system itself – for example, encryption keys
According to MASVS (OWASP Mobile Application Security Verification Standard), it is also vital to establish a basic level of mobile application security (MASVS-L1). Plus, if necessary, you can include defense-in-depth measures (MASVS-L2) and client-side threat protection (MASVS-R).
MASVS defines two strict verification levels, L1 and L2, as well as a set of reverse engineering requirements (MASVS-R) that are adaptable to the threat model for a particular application.
MASVS-L1 and MASVS-L2 contain general security requirements. L1 is recommended for all mobile applications, while L2 is designed for applications that process highly sensitive data. MASVS-R adds security controls against reverse engineering.
Our MadAppGang team developed a project for secure messaging called StrongBox. Popular programs such as Slack suffer from numerous threats, which puts sensitive data at risk. The encryption and certificate pinning used in StrongBox satisfy MASVS requirements, which makes for heightened protection.
Following the MASVS process gives you guidance on how to develop and test an application and how to set its security level. Once all the security requirements have been compiled, development and testing can begin.
Static and Dynamic Code Analysis
To identify security problems, we need to perform both dynamic and static code analysis.
Static code analysis is performed without actually executing the program. A tool checks the application for malicious files and libraries and tests permissions, the validity of certificates, and so on. For example, automated static analysis frameworks let you quickly check an app build for a great number of vulnerability classes. At the moment, there are many tools to help you do that, both paid and free.
Dynamic code analysis is usually performed directly on a device or emulator during program execution. At this point, a tool can check network requests, cryptography, system memory, query execution time, and so on.
We select specific tools depending on the type of product and its needs. But as a general rule of thumb, opting for tools with cross-platform support and the ability to perform both static and dynamic analysis is a reasonable start.
It is also vital to apply both static and dynamic analysis to a single application, because together the two methods cover both attacks on data in transit and local attacks on the device, where attackers use injections and malicious code.
Tools for Mobile App Security Testing
Here are some of the tools we use for testing mobile applications for security vulnerabilities:
- Kiuwan. It integrates with a wide range of IDEs and supports many programming languages.
- Synopsys. Used for both static and dynamic code analysis. This solution combines multiple security testing tools to find vulnerabilities in an application.
- CodifiedSecurity. It identifies security vulnerabilities and suggests fixes. This automated mobile app security testing tool tests the client side of an application from its compiled APK or IPA.
- QARK. This is a static code analysis tool created by LinkedIn. It generates Android Debug Bridge commands which help detect vulnerabilities in an app. After scanning all the components of a mobile application, QARK generates a report detailing vulnerabilities and including recommendations on how to fix them.
- Veracode. This multitasking solution provides static, dynamic, and behaviour analysis.
- Mobile Security Framework. An open source tool which supports both iOS and Android, creates reports, and explains the vulnerabilities it finds. It runs in a local environment, so data from an application never reaches a cloud server.
- Drozer. Used for mobile application security and penetration testing on Android.
The Most Common Security Test Cases for Mobile Applications
There are a number of tools for analysing code and performing penetration tests to check whether an application complies with security requirements. Let’s take a closer look at the most common threats and how to protect mobile apps from them.
SQL injections
SQL injections are among the most popular attacks, as they give access to sensitive user information. To determine which elements of an app are vulnerable to SQL injection, we can use Drozer, a leading framework for security assessment on Android, and Sieve, a deliberately vulnerable password manager app (available for download here). More details on how to set up your environment can be found here.
To test Sieve for SQL injection, you need to start a new session in Drozer. Go to the directory where Drozer is installed and run virtualenv:
Then start the Drozer Agent on the device and run its Embedded Server. The server listens on port 31415 by default. Use adb to forward this port to the host’s loopback interface, then launch the Drozer console on the host to connect to the agent.
A successful start to the session looks like this:
To see the list of available packages, run the following command:
You will see the Sieve package. If the program is not installed on the device, this package will not appear in the list.
Database-backed content providers can leak data if they are exposed to other apps. To retrieve sensitive data from an application, we first need the content URIs it makes accessible.
After that, we can finally run our SQL injection and retrieve user account data from the database:
With these few steps, we can check any package in the list, including your own application, for openly accessible user databases.
Jailbreak and Root Detection
Another way to protect confidential information is to check the device for the most popular tools and libraries used to tamper with apps. For iOS mobile application security testing this means detecting a jailbreak; for Android mobile application security testing it means detecting root access. Indicators to look for include:
Android:
Substrate for Android
Xposed
Frida
Introspy-Android
Drozer
RootCloak
Android SSL Trust Killer
iOS:
/private/var/stash
/private/var/lib/apt
/private/var/tmp/cydia.log
/private/var/lib/cydia
/private/var/mobile/Library/SBSettings/Themes
/Library/MobileSubstrate/MobileSubstrate.dylib
/Library/MobileSubstrate/DynamicLibraries/Veency.plist
/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/var/cache/apt
/var/lib/apt
/var/lib/cydia
/var/log/syslog
/var/tmp/cydia.log
/bin/bash
/bin/sh
/usr/sbin/sshd
/usr/libexec/ssh-keysign
/usr/bin/sshd
/usr/libexec/sftp-server
/etc/ssh/sshd_config
/etc/apt
/Applications/Cydia.app
/Applications/RockApp.app
/Applications/Icy.app
/Applications/WinterBoard.app
/Applications/SBSettings.app
/Applications/MxTube.app
/Applications/IntelliScreen.app
/Applications/FakeCarrier.app
/Applications/blackra1n.app
Of course, absolute protection can never be guaranteed, but a high level of security makes attacking an app pointless. Checking for the files listed above serves as an excellent barrier against intruders.
Intercepting Data in Transit
Another common weakness is the interception of data in transit in a man-in-the-middle attack. Sensitive information must travel over a connection secured with TLS (Transport Layer Security).
TLS encrypts the user’s data in transit using symmetric cryptography, making the connection between a client and a server secure and limiting the chances of third parties accessing the information. On top of that we use certificate pinning: during the handshake that establishes the TLS connection, the client authenticates the server and verifies not only that the server certificate is trusted but that it is the one the app expects. In some cases, it’s reasonable to use hard certificate pinning.
An application that pins usually ships with exact information about the expected server certificate. It verifies that the certificate received during the handshake matches the pre-configured one. If there is no match, the application refuses the connection and informs the user of the error.
If the application doesn’t validate the certificate, a third party can substitute its own certificate and intercept data in transit.
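The pinning behaviour described above, implemented as an added example in Go (not code from the article or from StrongBox): the client keeps normal chain validation and additionally refuses any server whose public-key hash is not in its pin set. The local httptest server stands in for the API backend, and the wrong pin is a constructed value that belongs to no real key.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the usual "sha256/..." pin form.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedConfig keeps normal chain validation (RootCAs) and adds the pin check on top;
// Go calls VerifyPeerCertificate only after the chain verified, and chains[0][0] is the leaf.
func pinnedConfig(roots *x509.CertPool, pins map[string]bool) *tls.Config {
	return &tls.Config{
		RootCAs: roots,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if !pins[spkiPin(chains[0][0])] {
				return fmt.Errorf("pinning failure: server key does not match the configured pin")
			}
			return nil
		},
	}
}

// connect performs a TLS handshake against addr; a pin mismatch surfaces as the returned error.
func connect(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// demo starts a local TLS server (stand-in for the API backend) and connects twice:
// with the server's real pin, then with a constructed pin that belongs to no real key.
func demo() (goodErr, badErr error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	addr := srv.Listener.Addr().String()
	return connect(addr, pinnedConfig(roots, map[string]bool{spkiPin(srv.Certificate()): true})),
		connect(addr, pinnedConfig(roots, map[string]bool{"constructed-pin-of-some-other-key": true}))
}
```

The first connection succeeds because the leaf's SPKI hash is in the pin set; the second is aborted during the handshake even though the certificate chain itself validates.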
Vote for Better Mobile App Security
Any user wants to feel safe, while any product owner wants to develop their projects and avoid financial losses. To achieve this, there’s no denying that application security is an integral part of success. While making an app, you must be aware of what mobile application security testing is and how it is implemented during the development process.
Luckily, there are numerous established practices in development and testing that help to eliminate vulnerabilities and increase the level of protection through security assessments. To implement these, follow specific mobile app security testing checklists: define which types of tests are needed, what areas of coverage matter, and what requirements you need for your project. It’s essential to set the right priorities, select the right tools, and consider all of the possible risks.
At MadAppGang, we provide a full range of security audits and check the level of an app’s protection against all major types of attack. If you’re looking for a comprehensive risk assessment or a full security strategy for your next project, get in touch with us and we’d be happy to help out!
20 May 2019