How To: (Continuously) Hacking Your App
Yep. Today post is a practical guide: how you can hack a mobile application (that you wrote, otherwise it might be illegal) continuously — meaning, each time a new code is pushed.
For the same reason we’re running tests continuously — so we can know that (a) our app behaves like expected and (b) it continues to behave like that even when the code change. Security should not be different — we’re expecting that our app is secure and that it is keeping to stay secure even when the code change. This is why we need security testing.
How can we write security tests? There are many ways to do that, but the simplest way is to take a real hacking tool that is used by real hackers (or penetration testers), and run them on our app, continuously. The tool will inspect our app and report about any vulnerability that exists in our code. Today I will focus on one tool — MobSF, explain what it does — and also show how simple it is to run it continuously. In case you’re not interested in the details, check out this repo, which contains a step by step guide.
MobSF (Mobile Security Framework) is:
an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing.
MobSF is a web application (which also has RESTful API), and it can be used to scan mobile application. You upload the executable of your application (for example, the
apk for Android applications) to MobSF, and then you have a detailed report of all the various security issues in your application.
To get a feeling of how valuable it can be, let’s take it to a test drive. For the test drive, I’ll use InsecureBankV2, which is (like the name implies) an insecure Android application. This is a great use case for intentionally broken application — it can be used to evaluate and compare various security tools. By running the security tool on a vulnerable application, you can assess how many issues the tool detected. This could give you a good indication of the tool’s quality.
MobSF: Scanning InsecureBankV2 Manually
To run MobSF, we can use the official Docker image:
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
And now open
http://localhost:8000 in your browser. You should see MobSF welcome page. The next step is uploading InsecureBankV2 apk to MobSF, and pressing scan. The scan can take some time, but when it is finally over, we can go over the report to see all the juicy finding. For the purpose of this post, I’m going to focus only on one thing— security issues related to Android manifest.
The manifest is where you can define all the activities, services and broadcast receivers of your application. Those components can introduce security issues when misconfigured — malicious applications can exploit them to trigger a custom functionality of your app. To find out more about this issue, and how to fix it, you can read this section from the Mobile Security Testing Guide by OWASP. Now that we understood what it is, let’s take a look on the manifest analysis:
MobSF reported various issues related to the manifest, rank them and provide actionable information — that we can use to fix those issues. This is valuable information — now let’s see how we can get the same information in an automated manner.
MobSF: Scanning InsecureBankV2 Automatically
MobSF has an API, and we can use this API to perform all the operation we did in the previous step: Upload an APK, start a scan and get a report. The API is documented here, in case you want to take a look. To create an automated scan, all that is required is:
- Writing a script that interacts with MobSF (perform all the API requests)
- Running it on docker-compose (one container running MobSF, and one running our scan script from the previous step)
- Integrate it with the CI.
What about CI integration? As all the scan is running on Docker containers, it is really simple to run it on a CI server. This is good, but not enough. We need to fail the build if any security issues found. The developers also need a mechanism to ignore false positives. All this can be solved with OWASP Glue — a tool that eases the integration of security tools into the CI. Glue can parse MobSF’s report and fail the build on any reported issues. Use Docker to run Glue, using the following command (assuming the report file is
report.json and it is located in the current directory):
docker run -it -v $(pwd):/app owasp/glue:raw-latest ruby bin/glue -t Dynamic -T /app/report.json --mapping-file mobsf --finding-file-path /app/android.json -z 2
The command will pass the report produced by MobSF to Glue. Glue will produce nice text output and fail the build if any issue that is medium or higher found. Glue can do a lot more than that — check the documentation to find all the different options.
Now, after integrating MobSF into the CI, you can rest assured. Each time someone will push a new code, MobSF will scan the code, and Glue will fail the build on new issues. This will allows you guarantee that your app is secure, and is staying secure over the time — by continuously hacking it.
And one last note. This post focused on testing Android applications, but MobSF is capable to scan also iOS applications. That mean you can use the same approach, maybe with some customization. If you gave it a try — please share! I’m looking forward hearing about your experience.