When penetration testers choose mobile app security testing tools there are a number of decisions to make, each of which shapes the threat models the developer can work through. In addition, when working with other companies there needs to be a shared understanding of the aims of mobile app security testing, the standards to test against, and how the tools you choose serve those aims. One of the problems penetration testers face is choosing the right suite of tools and building some level of automation, both for ease of use and for accuracy in repeated testing. We take a look at some of the tools available for static, dynamic, forensic, and open source testing.
Static mobile app security testing tools
Static tools test a mobile application’s code at rest, either analysing the app’s source code or compiled binary file. We recommend tools that use the app binary file if possible, since these reflect the environment and configuration of the end user.
Static tools help with the identification of potential vulnerabilities that can be exploited when the code runs on a device, in particular dataflow and buffer handling issues. Unfortunately there are few commercial static analysers suitable for mobile app security testing.
Two free static analysis tools we think are worth looking into are the Clang Static Analyzer (for C, C++ and Objective-C) and FindBugs (for Android). Both are relatively straightforward to run from the standard development tools, and we recommend that you include them as part of your development workflow.
FindBugs on Android
The FindBugs Gradle plugin is a great way to add FindBugs to your Android development with minimal effort. To include the plugin add the following code to your app module build.gradle file:
apply plugin: 'findbugs'

task findbugs(type: FindBugs) {
    ignoreFailures = false      // fail the build when FindBugs reports a problem
    effort = "default"
    reportLevel = "medium"      // report medium- and high-priority findings
    // Analyse the compiled classes, and point FindBugs at the matching sources.
    // Double quotes are required: Groovy does not expand ${...} in single-quoted strings.
    classes = files("${project.rootDir}/app/build/intermediates/classes")
    source = fileTree("${project.rootDir}/app/src/main/java/")
    classpath = files()
    reports {
        html.enabled = true
        xml.enabled = false
    }
}
To perform the analysis you just need to run the findbugs Gradle task, either from the command line or within Android Studio. You can also run the standard Android linter using the check task, which may also highlight some common errors. Both tools output HTML reports to the app/build/reports folder within your Android project.
Clang on iOS
Static analysis on iOS is very easy and involves simply running the Analyse task from the Build menu. To integrate the Clang static analyser more deeply into your development workflow you can also run the analysis during every build. To set this up, navigate to your project's build settings and search for ‘analysis’; you should see the following settings somewhere near the bottom:
Dynamic mobile app security testing tools
Dynamic testing tools show how the mobile app's code behaves when it is executed, and often pick up flaws that static analysis misses. Many dynamic tools rely on proxies to observe the exchange of data between the app's client code and external web services. Proxies let testers tamper with communication protocols, send forged messages, and launch attacks against the server side. The downside of dynamic mobile app security testing is the high rate of false positives it raises; verifying each one is time consuming and counter-productive, especially for inexperienced users.
A well-known proxy tool is OWASP Zed Attack Proxy, which can be configured to work with mobile applications with a little bit of effort. Firstly, you’ll need to ensure that your mobile device is on the same network as your laptop and that the proxy is reachable. If you’re connecting to your server over SSL/TLS (and you should be) then you’ll also need to generate a root certificate and install this on your mobile device.
Charles Proxy is a commercial proxy tool that automates a lot of the setup process described above. Though it is more of an analysis tool than an attack proxy like ZAP, it can be very useful for debugging and is a good option if you're struggling with the Zed setup process.
If you did manage to connect your secure mobile application to Charles or Zed using the generated root certificate, this indicates that your application may be susceptible to Man in the Middle (MitM) attacks. To avoid attacks of this nature you should implement certificate (public key) pinning within your mobile application.
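To make the pinning advice concrete, here is an added example (not code from the original post, nor from ZAP, Charles or any Android library) that computes the SubjectPublicKeyInfo pin for a certificate and checks a presented chain against a pin set. The pin string it produces, base64 of the SHA-256 of the SPKI DER, is the same value that OkHttp's CertificatePinner and Android's Network Security Config consume after the sha256/ prefix. The SPKI structures, key names and moduli below are constructed for illustration and are not real keys.

```python
"""Compute SPKI pins and check a presented certificate chain against a pin set.

Added example for this post, not code from Codified Security, ZAP or OkHttp.
Uses constructed (non-functional) SubjectPublicKeyInfo structures so it runs
offline; in practice the SPKI bytes come from the server's real certificates.
"""
import base64
import hashlib

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def der(tag, body):
    """Minimal DER TLV encoder (definite lengths only)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(length_bytes)]) + length_bytes
    return bytes([tag]) + length + body


def rsa_spki(modulus):
    """Build an RSA SubjectPublicKeyInfo around a (constructed) modulus."""
    algorithm = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    public_key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    # BIT STRING with zero unused bits wrapping the RSAPublicKey sequence.
    return der(0x30, algorithm + der(0x03, b"\x00" + public_key))


def compute_pin(spki_der):
    """Pin = base64(SHA-256(SPKI DER)), written with the sha256/ prefix used by
    OkHttp's CertificatePinner and Android's Network Security Config."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def chain_passes(chain_spkis, pinset):
    """Accept the connection if any certificate in the chain matches a pin.

    Pinning an intermediate as well as the leaf, and keeping a backup pin for a
    key that is not yet deployed, lets the server rotate keys without
    locking out installed apps.
    """
    return any(compute_pin(spki) in pinset for spki in chain_spkis)


# Constructed moduli standing in for real keys (leaf, intermediate, backup, proxy).
LEAF_SPKI = rsa_spki(b"\x00\xb1" + b"\x11" * 62)
INTERMEDIATE_SPKI = rsa_spki(b"\x00\xc2" + b"\x22" * 62)
BACKUP_SPKI = rsa_spki(b"\x00\xd3" + b"\x33" * 62)
PROXY_SPKI = rsa_spki(b"\x00\xe4" + b"\x44" * 62)  # an intercepting proxy's CA key

# The app ships the current leaf pin plus a backup pin for a not-yet-deployed key.
PINSET = {compute_pin(LEAF_SPKI), compute_pin(BACKUP_SPKI)}


def check_connections():
    """Return verdicts for the genuine chain and for a chain re-signed by a proxy."""
    genuine = chain_passes([LEAF_SPKI, INTERMEDIATE_SPKI], PINSET)
    # A proxy-issued leaf signed by the proxy CA carries neither pinned key.
    intercepted = chain_passes([PROXY_SPKI, PROXY_SPKI], PINSET)
    return genuine, intercepted


if __name__ == "__main__":
    print(compute_pin(LEAF_SPKI))
    print(check_connections())  # (True, False)
```

Once pinning is in place, a chain issued by the ZAP or Charles root certificate no longer matches any pin, so the app refuses the connection even though the device trusts that root; that refusal is the behaviour the paragraph above is asking for. For proxy-based testing you therefore need a debug build in which pinning is relaxed, and you should confirm that the release build does not carry that relaxation.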
Forensic mobile app security testing tools
Forensic mobile app security testing involves analysing the data that is left over after a mobile application has run. This can include credentials in configuration files, sensitive data in app databases and caching. Forensic tools help to determine whether proper access controls have been implemented.
The Android Debug Bridge and the iPad File Explorer (works on all iOS devices) are good tools for exploring mobile device file systems. If you’re on macOS you can also use the Android File Explorer from Google, which provides a nicer interface than the command line tool.
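The following is an added example (not a tool from the original post or from Codified Security) of the kind of check a tester runs once an app's private data directory has been copied off a device: it walks the copy, flags credential-looking content in configuration files, flags sensitive-looking columns in app databases, and reports any file that is readable or writable by other users. The directory layout, file names and values are constructed in the script itself so that it runs offline; the pattern list is illustrative, not exhaustive.

```python
"""Scan a pulled Android app data directory for leftover secrets and weak file
permissions. Added example for this post, not a Codified Security tool.

Assumes the app's private data directory has already been copied to the host
(for example with `adb pull` from a rooted device); a constructed sample
directory stands in for that copy so the script runs offline.
"""
import os
import re
import sqlite3
import stat
import tempfile

# Text patterns that usually mean a credential or token was written to disk.
SECRET_PATTERNS = {
    "password": re.compile(r"(?i)(password|passwd|pwd)\s*[\"']?\s*[=:>]"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
}
# Column names in app databases that deserve a manual look.
SENSITIVE_COLUMN = re.compile(r"(?i)pass|secret|token|api_?key")


def sensitive_columns(db_path):
    """Return 'table.column' names in a SQLite database that look sensitive."""
    conn = sqlite3.connect(db_path)
    try:
        hits = []
        for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
            for row in conn.execute(f'PRAGMA table_info("{table}")'):
                if SENSITIVE_COLUMN.search(row[1]):
                    hits.append(f"{table}.{row[1]}")
        return hits
    finally:
        conn.close()


def scan_app_dir(root):
    """Walk the copied app directory; return sorted (kind, path, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode
            # App-private files should be owner-only; anything other users can
            # read or write is an access control failure regardless of content.
            if mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append(("world-accessible", rel, oct(stat.S_IMODE(mode))))
            if name.endswith(".db"):
                for col in sensitive_columns(path):
                    findings.append(("sensitive-column", rel, col))
            else:
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read()
                for kind, pattern in SECRET_PATTERNS.items():
                    match = pattern.search(text)
                    if match:
                        findings.append((kind, rel, match.group(0)))
    return sorted(findings)


def build_sample_app_dir():
    """Create a constructed app sandbox containing the residue the post describes."""
    root = tempfile.mkdtemp(prefix="appdata_")
    prefs, dbs, cache = (os.path.join(root, d) for d in ("shared_prefs", "databases", "cache"))
    for d in (prefs, dbs, cache):
        os.makedirs(d)
    # A credential in a configuration file, and the file is world-readable.
    settings = os.path.join(prefs, "settings.xml")
    with open(settings, "w") as fh:
        fh.write('<map>\n  <string name="password">hunter2</string>\n</map>\n')
    os.chmod(settings, 0o644)
    # Sensitive data in an app database (constructed value), owner-only.
    db = os.path.join(dbs, "session.db")
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE session (id INTEGER, api_key TEXT)")
    conn.execute("INSERT INTO session VALUES (1, 'constructed-key-value')")
    conn.commit()
    conn.close()
    os.chmod(db, 0o600)
    # Harmless cache content that should raise no finding.
    thumb = os.path.join(cache, "thumb.tmp")
    with open(thumb, "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")
    os.chmod(thumb, 0o600)
    return root


def demo():
    """Build the sample directory, scan it and return the findings."""
    findings = scan_app_dir(build_sample_app_dir())
    for kind, path, detail in findings:
        print(f"[{kind}] {path}: {detail}")
    return findings


if __name__ == "__main__":
    demo()
```

Note that a copy made with adb pull does not necessarily preserve the on-device mode bits, so the permission check is only meaningful on a copy that does (or run the equivalent listing on the device itself); the content checks work on any copy.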
Open source mobile app security testing tools
There are various open source security testing tools available. These can be quite complicated to use, however, and with minimal updates or technical support they can be a source of frustration.
A popular tool is Drozer from MWR Infosecurity. Drozer helps identify issues in Android apps as well as in the devices themselves, allowing you to assess threats to your organisation.
Anyone using these open source tools will need to set up a testing environment, know how to jailbreak or root a device for testing, be able to perform reverse engineering, and have enough networking experience to set up Wi-Fi networks. As a result these tools can be quite daunting to use.
There is a choice here for anyone who wants to security test mobile apps: either find, understand, and build a suite of tools that needs continued maintenance, updates, and tweaking, or go for a solution that gives you the benefit of all these tools while letting you focus on the heavy lifting. Another problem to consider is the high false positive rate of most of these tools; this leads to time lost verifying each potential problem and is a good reason to look for products that use some level of manual analysis to lower the false positive rate.
Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing in under a minute try out Codified Security.