Android Security Testing

Packt_Pub · Published in AndroidPub · Mar 14, 2019

Learn about Android security testing in this article by Tony Hsiang-Chih Hsu, a senior security architect, software development manager, and project manager with more than 20 years of experience in security services technology.

It is common practice to perform security checks before every Android application release, but doing so becomes a challenge as releases grow more frequent and more numerous. An automated security testing process for an Android mobile application takes the submitted APK (Android Application Package) binary, reverses the APK for secure source code inspection, checks the manifest configuration, and generates a testing result.

Let’s get started with Android security review best practices.

Android security review best practices

Android application development is primarily based on Java, so the MITRE Java secure coding rules still apply to an Android security review. In addition, an Android application includes some unique building blocks that may introduce new security issues, such as Android manifest configurations, intents, activities, broadcasts, content providers, and services. The following references cover them:

· Android application secure design / secure coding guidebook by JSSEC

· Android developers documentation — app security best practices

· OWASP mobile security testing guide

For common security issues in APKs, the App Security Improvement program run by Google for Android developers publishes the most recent issue classes and their remediation advice, such as path traversal, insecure hostname verification, and fragment injection. It is also a good reference when the APK is submitted to Google Play.

Secure source code review patterns for Android

Java secure code review techniques and tools apply to Android applications as well; secure Java coding is fundamental to an Android security review. There are also secure code review techniques specific to Android applications.

Some keywords and patterns that point to potential security issues, grouped by issue class, are listed below; search the reversed Java source for them:

· SQL injection: rawQuery | execSQL | database | .sqlite | SQLiteDatabase

· Insecure SSL handling: ALLOW_ALL_HOSTNAME_VERIFIER | NullHostnameVerifier | SSLCertificateSocketFactory | SSLSocketFactory | setDefaultHostnameVerifier | WebViewClient.onReceivedSslError

· Command injection: getRuntime | ClassLoader

· WebView for XSS: android.webkit | setJavaScriptEnabled | addJavascriptInterface | setWebContentsDebuggingEnabled(true) | loadData | postUrl

· Insecure file I/O access: MODE_WORLD_READABLE | MODE_WORLD_WRITEABLE | openFileOutput | openOrCreateDatabase | file:// | getSharedPreferences | getExternal

· Insecure communication: .netURL | openStream | netJarURL | HttpURL | HttpRequest | HttpsURL

Privacy and sensitive information review

A mobile app is installed on a personal phone, so it is especially sensitive if the application can access personal information on the phone or abuse the phone's services. Whenever privacy information is handled, we have to review the purpose and the need for it. Some techniques for identifying privacy information access behaviors are as follows:

· Telephony identifiers: Uses of APIs under TelephonyManager allow the application to read telephony services and state, which may leak sensitive information such as the IMEI, SIM serial number, and cell ID. Examples of APIs (methods) under TelephonyManager are getCellLocation(), getDeviceId(), getLine1Number(), getNetworkOperator(), and getSimSerialNumber().

· Audio/video interception: There are two primary APIs used for audio and video recording, both under the MediaRecorder class. setAudioSource defines the audio source for recording, and setVideoSource configures the source for video recording.

· Suspicious backdoor connection: The ConnectivityManager class can be used to query the state of network connectivity. In addition, uses of WifiConfiguration.toString can be an indicator of reading WiFi credentials. Use of sockets, such as ServerSocket, connect, and DatagramSocket, can be a potential backdoor connection to a remote IP address and port.

· Abuses of phone calls and SMS: android.provider.Telephony.SMS_RECEIVED (defined in AndroidManifest.xml), SmsManager.sendTextMessage, android.intent.action.CALL, and android.intent.action.DIAL may be indicators of placing phone calls or sending SMS.

· Data leakage: Privacy data on the phone includes contacts and SMS. The ContactsContract.CommonDataKinds and “content://sms/inbox” APIs are indicators of reading that data.

· Root behaviors: The application detects a rooted device or superuser privileges, using strings and calls such as superuser, supersu, noshufou; isDeviceRooted; /system/bin/su, /system/xbin/su; and RootTools.isAccessGiven.
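As an added example that is not part of the article, the two keyword lists above (the secure code review patterns and the privacy indicators) can be turned into one grep-style scanner that runs over the Java source JADX produces and reports hits per category. The category names and the two constructed Java files are mine; the identifiers inside the patterns are the real Android API names from the lists.

```python
"""Keyword/pattern scan of decompiled Java sources, one category per review item.

Added example, not from the article. The category names and sample sources are
constructed; the identifiers are the Android API names from the review lists.
"""
import re
from collections import defaultdict
from pathlib import Path

# Regex alternatives built from the secure code review keyword list.
SECURITY_PATTERNS = {
    "sql_injection": r"\brawQuery\b|\bexecSQL\b|\bSQLiteDatabase\b",
    "insecure_ssl": r"ALLOW_ALL_HOSTNAME_VERIFIER|NullHostnameVerifier|setDefaultHostnameVerifier|onReceivedSslError",
    "command_injection": r"getRuntime\(\)|ClassLoader",
    "webview_xss": r"setJavaScriptEnabled\(\s*true\s*\)|addJavascriptInterface|setWebContentsDebuggingEnabled\(\s*true\s*\)|\bloadData\b|\bpostUrl\b",
    "insecure_file_io": r"MODE_WORLD_READABLE|MODE_WORLD_WRITEABLE|openFileOutput|openOrCreateDatabase|file://|getExternal",
    "insecure_comm": r"\bopenStream\b|HttpURLConnection|http://",
}
# Regex alternatives built from the privacy and sensitive information indicators.
PRIVACY_PATTERNS = {
    "telephony_identifiers": r"getDeviceId|getLine1Number|getSimSerialNumber|getNetworkOperator|getCellLocation",
    "audio_video_capture": r"setAudioSource|setVideoSource",
    "network_backdoor": r"ServerSocket|DatagramSocket|WifiConfiguration",
    "calls_and_sms": r"sendTextMessage|SMS_RECEIVED|action\.CALL\b|action\.DIAL\b",
    "data_leakage": r"ContactsContract|content://sms",
    "root_detection": r"/system/x?bin/su|isDeviceRooted|RootTools\.isAccessGiven|supersu",
}


def scan_source(path, text, patterns):
    """Yield (category, path, line_no, line) for every non-comment line matching a category."""
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "/*", "*")):
            continue  # comment lines are not executable; review them separately
        for category, rx in patterns.items():
            if re.search(rx, line):
                yield category, path, no, stripped


def scan_tree(sources, patterns=None):
    """sources: {relative path: Java text}. Returns {category: [(path, line_no, line), ...]}."""
    patterns = patterns or {**SECURITY_PATTERNS, **PRIVACY_PATTERNS}
    report = defaultdict(list)
    for path in sorted(sources):
        for category, _, no, line in scan_source(path, sources[path], patterns):
            report[category].append((path, no, line))
    return dict(report)


def load_java_tree(root):
    """Read every .java file under a decompiled-source directory (for example JADX output)."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(errors="replace") for p in root.rglob("*.java")}


# Constructed sources standing in for JADX output of a vulnerable app.
SAMPLE_SOURCES = {
    "com/example/LoginActivity.java": """
package com.example;
public class LoginActivity {
    void login(String user) {
        SQLiteDatabase db = openOrCreateDatabase("users.db", MODE_WORLD_READABLE, null);
        // TODO: use selectionArgs instead of string concatenation
        db.rawQuery("SELECT * FROM users WHERE name = '" + user + "'", null);
    }
}
""",
    "com/example/Tracker.java": """
package com.example;
public class Tracker {
    String id(TelephonyManager tm) { return tm.getDeviceId() + tm.getSimSerialNumber(); }
    void report(String id) throws Exception {
        new URL("http://tracker.example/collect?id=" + id).openStream();
    }
}
""",
}

if __name__ == "__main__":
    for category, hits in sorted(scan_tree(SAMPLE_SOURCES).items()):
        for path, no, line in hits:
            print("%-22s %s:%d  %s" % (category, path, no, line))
```

Point `load_java_tree` at the JADX output directory to scan a real reversed APK. A hit is a starting point for manual review, not a finding in itself: `rawQuery` with bound `selectionArgs` is safe, while the concatenated query in the sample is the pattern the SQL injection category exists to surface.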

Security Scanning

To automate the security and privacy reviews, we apply different tools depending on the scenario. Based on the secure implementation and testing practices above, here are some automated scanning tools.

Secure code scanning with Fireline

Fireline is used to scan Java source code for security issues. It is a lightweight secure code scanning tool, but it requires the Java source, so an APK has to be reversed first.

Privacy scanning with Androwarn

Androwarn is specific to privacy and sensitive information scanning of APK files. It is a Python script, and its execution takes parameters such as the APK, the report format, the level of verbosity, and whether to look the application up on Google Play.

APK security analysis

The security analysis of an Android application normally requires a certain amount of reverse engineering. An APK is a compressed file. The first step is to uncompress the APK and reverse it into DEX bytecode or Smali resource files, which can be seen as Android intermediate files. The DEX can then be further reversed into Java classes to obtain the Java source code. The following diagram shows the process and the related tools we will demonstrate in the coming section:

Reverse engineering of an APK

This is a list of the tools for the reverse engineering of an APK and its security analysis:

· apktool_2.1.0.jar: APKTool is used to reverse the APK file into Smali and resource files, and it also extracts AndroidManifest.xml

· JADX: It is used to reverse the APK file into Java source code

· fireline_1.5.6.jar: It is used to do static secure code scanning based on the resource files and Java source code

· goatdroid.apk: It is the vulnerable sample APK
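Before apktool or JADX run, it helps to confirm what the package actually contains. As an added example (not from the article), the following inspects an APK purely as the ZIP archive it is, listing the manifest, the DEX files with their header version, native libraries, and JAR-style signature files. The APK it builds is a constructed stand-in, not a real app.

```python
"""Inspect an APK as a ZIP archive: the step before apktool/JADX take over.

Added example, not from the article. build_sample_apk() constructs a fake APK.
"""
import io
import zipfile

DEX_MAGIC = b"dex\n"  # a DEX header starts with "dex\n" + 3-digit version + NUL


def inspect_apk(apk_bytes):
    """Return a summary of the manifest, DEX files, native libraries and v1 signature."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        summary = {
            "has_manifest": "AndroidManifest.xml" in names,
            # Only the JAR (v1) signature lives in META-INF; the v2/v3 signing block
            # sits outside the ZIP entries and is not visible this way.
            "has_v1_signature": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                                    for n in names),
            "native_libs": [n for n in names if n.startswith("lib/") and n.endswith(".so")],
            "dex": [],
        }
        for n in names:
            if not n.endswith(".dex"):
                continue
            data = zf.read(n)
            header = data[:8]
            valid = header.startswith(DEX_MAGIC) and header[7:8] == b"\x00"
            summary["dex"].append({
                "name": n,
                "size": len(data),
                "valid": valid,
                "version": header[4:7].decode("ascii", "replace") if valid else None,
            })
    return summary


def build_sample_apk():
    """Construct a minimal fake APK (ZIP) for the demonstration; it is not installable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 100)
        zf.writestr("classes2.dex", b"not a dex file")  # corrupt secondary DEX
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        zf.writestr("META-INF/CERT.RSA", b"signature placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in inspect_apk(build_sample_apk()).items():
        print("%-17s %s" % (key, value))
```

Pass the bytes of a real APK to `inspect_apk` to see the same summary; multiple `classesN.dex` entries are normal for multidex apps, and a DEX entry whose magic does not check out is worth a closer look before any decompiler is trusted with it.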

Automated security scanning with MobSF

The Mobile Security Framework (MobSF) is an integrated Android security scanning framework that can reverse an APK and perform secure code scanning. MobSF provides security analysis for iOS, Windows, and Android applications. It can also do dynamic analysis based on the runtime behavior of the application. MobSF provides an easy-to-use UI where users drag and drop mobile applications for analysis, and it also includes a REST API interface for further CI/CD integration with your automation framework.
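The REST API is what makes the CI/CD integration practical. The following is an added example, not MobSF's own client code: it uploads an APK, triggers the static scan, fetches the JSON report, and turns the report into a pass/fail gate for a pipeline. The endpoint paths (/api/v1/upload, /api/v1/scan, /api/v1/report_json) and the Authorization header follow the MobSF REST API documentation at the time of writing and should be verified against your MobSF version; the report layout is assumed only to consist of nested entries that carry a "severity" field, and the sample report is constructed.

```python
"""Drive a MobSF scan from CI and gate the build on the JSON report.

Added example, not MobSF's own client. Endpoint paths and response fields are
taken from the MobSF REST API docs (assumed; verify against your version).
The report walker only assumes nested entries with a "severity" key.
"""
import json
import os
import urllib.parse
import urllib.request
import uuid


def _post(base_url, api_key, path, body, content_type):
    """POST to MobSF; the API key is sent in the Authorization header."""
    req = urllib.request.Request(base_url.rstrip("/") + path, data=body, method="POST")
    req.add_header("Authorization", api_key)
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=300) as resp:
        return json.loads(resp.read().decode("utf-8"))


def _multipart_file(filename, data):
    """Build a multipart/form-data body with a single 'file' field (standard library only)."""
    boundary = uuid.uuid4().hex
    head = ('--%s\r\nContent-Disposition: form-data; name="file"; filename="%s"\r\n'
            'Content-Type: application/octet-stream\r\n\r\n' % (boundary, filename)).encode()
    tail = ("\r\n--%s--\r\n" % boundary).encode()
    return head + data + tail, "multipart/form-data; boundary=" + boundary


def scan_apk(base_url, api_key, apk_path):
    """Upload, scan and fetch the JSON report (assumed MobSF upload/scan/report_json flow)."""
    with open(apk_path, "rb") as f:
        body, ctype = _multipart_file(os.path.basename(apk_path), f.read())
    up = _post(base_url, api_key, "/api/v1/upload", body, ctype)
    form = urllib.parse.urlencode({"scan_type": up["scan_type"], "file_name": up["file_name"],
                                   "hash": up["hash"]}).encode()
    _post(base_url, api_key, "/api/v1/scan", form, "application/x-www-form-urlencoded")
    form = urllib.parse.urlencode({"hash": up["hash"]}).encode()
    return _post(base_url, api_key, "/api/v1/report_json", form, "application/x-www-form-urlencoded")


SEVERITY_RANK = {"high": 3, "warning": 2, "medium": 2, "info": 1, "secure": 0, "good": 0}


def collect_severities(node, out=None):
    """Walk the report recursively and collect every (severity, title) pair it contains."""
    if out is None:
        out = []
    if isinstance(node, dict):
        sev = node.get("severity")
        if isinstance(sev, str):
            out.append((sev.lower(), node.get("title") or node.get("description") or ""))
        for value in node.values():
            collect_severities(value, out)
    elif isinstance(node, list):
        for value in node:
            collect_severities(value, out)
    return out


def evaluate_report(report, fail_on="high", max_allowed=0):
    """Return (passed, counts): passed is False when findings at or above fail_on exceed max_allowed."""
    threshold = SEVERITY_RANK[fail_on]
    counts, blocking = {}, 0
    for sev, _ in collect_severities(report):
        counts[sev] = counts.get(sev, 0) + 1
        if SEVERITY_RANK.get(sev, 0) >= threshold:
            blocking += 1
    return blocking <= max_allowed, counts


# Constructed report excerpt in the nested shape the walker expects.
SAMPLE_REPORT = {
    "app_name": "constructed-app",
    "manifest_analysis": [
        {"title": "Debug enabled", "severity": "high", "description": "android:debuggable=true"},
        {"title": "Backup enabled", "severity": "warning", "description": "android:allowBackup=true"},
    ],
    "code_analysis": {
        "insecure_random": {"metadata": {"severity": "warning"}, "files": {"Util.java": "12"}},
        "sqlite_rawquery": {"metadata": {"severity": "high"}, "files": {"LoginActivity.java": "7"}},
    },
    "network_security": [{"severity": "info", "description": "no network security config"}],
}

if __name__ == "__main__":
    passed, counts = evaluate_report(SAMPLE_REPORT)
    print("passed=%s counts=%s" % (passed, counts))
```

In a pipeline, `scan_apk` would be called with the MobSF base URL and the API key from the job's secrets, and the process exits non-zero when `evaluate_report` fails; `max_allowed` and `fail_on` let a team ratchet the threshold down over time instead of blocking every build on day one.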

If you found this article interesting, you can explore Practical Security Automation and Testing as your one-stop guide to automating infrastructure security using DevOps and DevSecOps. Practical Security Automation and Testing will teach you to adopt security automation techniques to continuously improve your entire software development and security testing.
