Mobile App Security Testing – Static Analysis Overview

Introduction

The mobile industry is booming like never before. This has created a number of types of mobile devices, mobile OS.

The mobile boom is not without its risks. Developer generally creates application from a “functionality first” perspective, but with security as a low priority. This is an unfortunate reality.

In fact, using mobile devices is getting to be tricky, as mobile security is getting to be a constant concern.

Owasp – Mobile Top 10 2016

Some of the mentioned risks above can be discovered using static analysis tools.

What is Static Analysis ?

Static testing tools look at the application while at rest — either the source code or the application binary. Some commercial static security analysis tools and services have the capability to test mobile application code.

Static Analysis Tools Examples :

  • MobSF (Mobile Security Framework)
  • MARA (Reverse Engineering & Analysis Framework)
  • Jadx (Java Code Decompiler)
  • Ghidra ( Reverse Engineering Tool or iOS)

Vulnerabilities discovered by static analysis :

Below are some examples for what Static Analysis tools can discover , We used MobSF against a vulnerable Android Application (links will be listed at the end of this article).

App in use : InsecureShop.apk

MobSF – Application Analysis Dashboard

Certificate Analysis

Application Permissions

*Permissions status is relative
Example :
Application which need camera or location permission to function is not vulnerable in this case.

Manifest Analysis

The generated report has more analysis not only the sections that was mentioned here.

Links :

MobSF
https://github.com/MobSF/Mobile-Security-Framework-MobSF

Insecure Shop (Android app)
https://github.com/optiv/InsecureShop/releases/download/v1.0/InsecureShop.apk

A Mobile Application Penetration Testing Virtual Machine
https://mobexler.com

That’s for today 🙂 , hope you find it useful.

Please share your tips, experience, comments, and questions for further enriching this topic of discussion.

One response to “Mobile App Security Testing – Static Analysis Overview”

  1. [[..PingBack..]]
    This article is curated as a part of #58th Issue of Software Testing Notes Newsletter.
    https://softwaretestingnotes.substack.com/p/issue-58-software-testing-notes

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: