There are two basic approaches to analyzing mobile apps to identify security flaws: static and dynamic. In a static analysis approach, the development team must provide the source code or compiled binaries of the application for programmatic analysis. The code is analyzed to ensure security controls are in place in areas like authentication, authorization, session management, data storage and information disclosure. The app (even native apps) should also be tested for web application vulnerabilities because many mobile apps are vulnerable to these.
Dynamic security analysis is the testing and evaluation of a program by executing data in real-time. The main objective of this analysis is to find the security weak spots in a program while it is running. Dynamic analysis is conducted against the app’s backend services and APIs. The types of tests run vary depending on the type of mobile app being tested (native or browser-based).
Dynamic pen test tools communicate with browser-based mobile apps through their web front-end, in order to identify potential security vulnerabilities and architectural weaknesses in the app, without the need for access to source code.
In general, dynamic analysis is performed to check whether the following controls are in place:
Most mobile apps are architected such that client software is installed locally on the mobile device. Users can download these apps from places like the App Store or the Android Market. To penetration-test these apps, you need a rooted Android device or jailbroken iOS device, or an emulator. It’s always better to conduct penetration testing using the original (rooted or jailbroken) mobile device, if available. Examples of emulators for popular mobile client systems include Google Android Emulator, MobiOne, iPhoney and Blackberry Simulator.
Besides an emulator or root-accessible mobile device, mobile app pen testing also requires a decompiler so you can decompile the binary application files. During black-box engagements, decompilation is essential in order to gain a complete understanding of the app’s internals. Decompilers for mobile apps include .NET Reflector for Windows Mobile, class-dump-x for iPhone, dex2jar and JD-Gui for Android and Coddec for Blackberry.
Once you’ve successfully decompiled the application, consider using a code analysis tool to identify vulnerabilities in the source code. Tools for this purpose include Klocwork Solo, Flawfinder and Clang. When performing penetration testing in these environments, you check for the presence of controls to mitigate vulnerabilities related to:
Eliminating security vulnerabilities in iOS apps is especially critical, not only because iOS usage is so widespread, but also because many users—and maybe even some IT decision-makers—think the platform is invulnerable to hackers.
Every iOS device has a Unique Device Identifier (UDID). It functions somewhat like a serial number. Mobile apps can collect these identifiers through an API, or hackers can sniff them out from the network traffic. With this data it has also become possible to observe a user’s browsing patterns. It’s also feasible to observe users’ geolocation data with their UDID. Apple and others make use of this data; fortunately, it’s not linked to users’ identities. Applications installed on mobile devices use device memory to store their data. About 75% of apps do this. Usually, on-device data storage is used to help improve performance or support offline usage. Although, according to one source, 10% of apps store passwords in clear text on the device.
On iOS, apps run in a “sandbox” with “mobile” privileges. Each app gets a private area of the file system. iOS app data is mainly stored in these locations: property list (plist) files, the keychain, logs, screenshots, and the app’s home directory. Few key names are …
Appname.app - Contains the application code and static data
Documents - Contains data that may be shared with a desktop application through iTunes
Library - Contains application support files
Library/Preferences/ - Contains app-specific preferences
Library/Caches/ - Contains data that should persist across successive launches of the application but doesn’t need to be backed up Tmp - Temporary files that do not need to persist across successive launches of the application
Besides this there are other important files that exhibit some responsibility to the security of mobile app.
Plist files - Plist files are primarily used to store users’ application properties; /var/mobile/Applications/[appid]/Documents/Preferences. Apps store key/value pairs in binary format. These can be easily extracted and modified with a property list editor (plutil). It is recommended to not store clear text data in plist files. During a pen test, look for usernames, passwords, cookies, etc. within plist files. (Some apps may take authentication/authorization decisions; e.g., admin=1, timeout=10.)
Keychain - iOS apps use an SQLite database for storing sensitive data. This database has four tables (genp, inet, cert and keys) located at: /var/Keychains/Keychain-2.db. For encryption of keychain data, iOS uses a hardware encryption key, along with the user’s passcode, which depends on continuous access to the keychain entry. Developers are meant to leverage keychains for secure data storage. Keychains are accessible to all apps. Normally an app can only access its own keychain items, but on a jailbroken device that safeguard can be bypassed. A Keychain Dumper tool is available to check which keychain items are accessible to an attacker if an iOS device is jailbroken. The best way to keep data stored in a keychain secure is to use a data protection API.
Error logs - Apps may write sensitive data in logs, such as for debugging, troubleshooting or requests/responses. Logs can be found at /private/var/log/syslog. To view iOS logs you can download a Console app from the App Store. File cache - iOS apps can store files in various formats, such as PDF, XLS and TXT, when viewed from the app. When a user opens a file from an email, it gets cached. For optimal security, apps that are storing temporary files on the device should clear those files upon logout/close.
Valency Networks is a very agile, friendly and fun loving atmosphere and yet we maintain a cutting edge technical vibrant work environment.