The mobile industry is booming like never before, producing a wide range of mobile devices and mobile operating systems.
The mobile boom is not without its risks. Developers generally build applications from a “functionality first” perspective, with security as a low priority. This is an unfortunate reality.
In fact, using mobile devices is getting tricky, as mobile security is a constant concern.
OWASP – Mobile Top 10 2016
- M1: Improper Platform Usage
- M2: Insecure Data Storage
- M3: Insecure Communication
- M4: Insecure Authentication
- M5: Insufficient Cryptography
- M6: Insecure Authorization
- M7: Client Code Quality
- M8: Code Tampering
- M9: Reverse Engineering
- M10: Extraneous Functionality
Some of the risks listed above can be discovered using static analysis tools.
What is Static Analysis?
Static testing tools look at the application while at rest, that is, either the source code or the application binary. Some commercial static security analysis tools and services are able to test mobile application code.
Static Analysis Tools Examples:
- MobSF (Mobile Security Framework)
- MARA (Reverse Engineering & Analysis Framework)
- Jadx (Java Code Decompiler)
- Ghidra (Reverse Engineering Tool for iOS)
Vulnerabilities discovered by static analysis:
Below are some examples of what static analysis tools can discover. We used MobSF against a vulnerable Android application (links are listed at the end of this article).
App in use : InsecureShop.apk
*Permission findings are relative: an application that needs the camera or location permission to function is not vulnerable in this case.
The generated report contains more analysis than the sections mentioned here.
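To make the two points above concrete (static analysis works on the artifact at rest, and a permission finding only matters in the context of what the app does), here is a small added example, not code from the original article and not MobSF's own rule set: it reads an AndroidManifest.xml such as the one unpacked from an APK, raises findings for a few manifest-level weaknesses, and reports dangerous permissions only when they are not in the app's documented needs. The manifest is constructed for illustration, and the mapping of each check to an OWASP Mobile Top 10 2016 category is an assumption of this example.

```python
"""Minimal static check of an AndroidManifest.xml (added example, not MobSF).

The sample manifest below is constructed for illustration; the OWASP category
attached to each check is this example's own mapping, not an official one.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest with several manifest-level weaknesses and one
# exported receiver that is correctly protected by a permission.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:debuggable="true"
                 android:allowBackup="true"
                 android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".WebViewActivity" android:exported="true"/>
        <receiver android:name=".SafeReceiver" android:exported="true"
                  android:permission="com.example.constructed.PRIVATE"/>
    </application>
</manifest>
"""

# Android "dangerous" (runtime-prompted) permissions. Requesting one is a
# review item, not a vulnerability: it depends on what the app legitimately does.
DANGEROUS_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def attr(elem, name):
    """Read an android:-namespaced attribute, or None when absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_launcher(comp):
    """True for the app's launcher component, which is exported by design."""
    for f in comp.iter("intent-filter"):
        for action in f.iter("action"):
            if attr(action, "name") == "android.intent.action.MAIN":
                return True
    return False


def analyze_manifest(xml_text, needed_permissions=frozenset()):
    """Return a list of (category, severity, detail) findings for a manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings

    if attr(app, "debuggable") == "true":
        findings.append(("M1 Improper Platform Usage", "high",
                         "android:debuggable=true ships a debuggable build"))
    # allowBackup defaults to true, so only an explicit "false" is safe.
    if attr(app, "allowBackup") != "false":
        findings.append(("M2 Insecure Data Storage", "medium",
                         "android:allowBackup not false; app data can be exported with adb backup"))
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append(("M3 Insecure Communication", "high",
                         "android:usesCleartextTraffic=true permits plain HTTP"))

    for tag in COMPONENT_TAGS:
        for comp in app.iter(tag):
            # Before Android 12 a component with an intent-filter is exported
            # by default when android:exported is not set.
            exported = attr(comp, "exported") == "true" or (
                attr(comp, "exported") is None and comp.find("intent-filter") is not None)
            if exported and attr(comp, "permission") is None and not is_launcher(comp):
                findings.append(("M1 Improper Platform Usage", "medium",
                                 f"{tag} {attr(comp, 'name')} is exported without a permission"))

    # Permission findings are context-dependent: report only what the app
    # has not documented as needed.
    for perm in root.iter("uses-permission"):
        name = attr(perm, "name")
        if name in DANGEROUS_PERMISSIONS and name not in needed_permissions:
            findings.append(("Permissions (context-dependent)", "info",
                             f"{name} requested but not in the app's documented needs"))
    return findings


if __name__ == "__main__":
    # The constructed app is documented as needing the camera, so CAMERA is
    # not reported while READ_SMS is.
    for cat, sev, detail in analyze_manifest(SAMPLE_MANIFEST, {"android.permission.CAMERA"}):
        print(f"[{sev:<6}] {cat}: {detail}")
```

Run it against a real manifest by passing the decoded XML (for example the AndroidManifest.xml that MobSF or apktool extracts) instead of the constructed string; the `needed_permissions` argument is where the "permission status is relative" judgement goes, so the same manifest yields different findings for a camera app than for a calculator.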
Links:
- Insecure Shop (Android app)
- A Mobile Application Penetration Testing Virtual Machine
That’s all for today 🙂, hope you find it useful.
Please share your tips, experience, comments, and questions for further enriching this topic of discussion.