A secure application is an application that operates seamlessly with a good user experience and also protects your user's information, this alone makes security non-negotiable when you are writing code, irrespective of the platform. You have to put security at the forefront of every design and code that you make.
This will go a long way to ensure the app is strong and secure because you'll plunge yourself into a situation whereby you assume that your users are bad, and they are out to compromise your application security in any way possible. Therefore, every coding decision will be geared towards plugging every hole that you can think of, but still, there is a limit to where this can get you.
Here comes Mobile Security Framework (MobSF), a security framework that allows you to put your application to the test and gain considerable insight into the internal workings of your application, including its vulnerabilities. With the knowledge gained from MobSF, you can plug these vulnerabilities.
MobSF is a tool designed to perform automated penetration testing, malware analysis, and security assessment of your mobile applications irrespective of the application's operating system environment, whether it's Microsoft Windows, iOS, or Google Android. Moreover, MobSF is baked with the capability to perform dynamic analysis and static analysis.
Thanks to its thorough analysis and detailed report of an application, MobSF can reveal vulnerabilities in your application. Therefore, you can fix these vulnerabilities before the application is released, but if the application is already out there, you can offer the fix as an update.
Asides from its attractive User Interface, here are the key pointers that helped me to pick MobSF over its counterparts:
Source Code Decompilation: Decompilation is the process of transforming a low-level language into a high-level language.
Manifest File Analysis: includes the process of analyzing the application manifest file which will reveal a general overview of the application like its Config information, components, and permissions.
Malware Detection: An innocent-looking app can perform all its required functions, but scanning the application might reveal malware operating behind the scenes
Detection Of Sensitive Information: Putting an application through MobSF can reveal sensitive information within the application, notably, hard-coded encryption and decryption keys.
Application Component Detection: Analysis can reveal the components of an application; therefore, you can know which particular component is using any particular system resource.
Permission Analysis: A supposed camera application requesting access to the phone contacts and SMS is an obvious red flag.
Vulnerabilities are software design decisions that can potentially lead to a defect in your application, which, in turn, can compromise the security of your application and its users. A quick Google search will reveal an array of mobile application vulnerabilities, but the list below details some well-known and popular ones:
As stated in MobSF official documentation, before you can install MobSF, you need some requirements installed on your system. These requirements are listed below.
After the installation of these tools, I'll suggest you install Git Bash because it provides color highlighting on the command line compared to Windows native Command Prompt. With that out of the way, you can install MobSF.
Open your terminal/command prompt (you can also use Git Bash that I recommended earlier), navigate to your desired folder, enter the command in the next code block to install MobSF.
Please note, initially, it'll require about 1.5 GB of disk space
# This will download MobSF into a folder # called Mobile-Security-Framework-MobSF git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
Depending on your internet connection, the download might take a while to complete. Once the download completes, switch to the MobSF download folder, and you are good to set up MobSF using the next command. Please, ensure you are still connected to the internet because the setup will download additional packages.
# If you are on Linux, replace setup.bat # with setup.sh ./setup.bat
This setup process will take a while to complete, and you'll notice some output on your terminal similar to the image below:
If everything goes alright and the setup completes, the last piece of output on your command line should be similar to the image below:
If that's the case, all is good.
Clear your terminal, and run MobSF by executing the following command:
# If you are on Linux, replace run.bat # with run.sh ./run.bat 127.0.0.1:8000
This will display “MobSF is now running”. Switch to your desired browser, and navigate to
http://localhost:8000. You'll land on MobSF User Interface.
When you observe your terminal, you'll observe some details about what has been going on since you launched MobSF in your Web browser.
With this interface, you can upload the application file that you want to analyze, and you can leave MobSF to perform the analysis. Also, depending on the file size, it might take a while for this process to complete. When MobSF is through with the analysis, it redirects the browser to a page containing detailed results about the application.
On the sidebar of the interface, click on Scan Options, under Decompiled Code. Then, tap on View Source to view the application's source code.
Click on Security Analysis, and select Manifest Analysis. Here you'll find information about some issues with the application, its severity, and a detailed description.
You'll find the Malware Analysis option just below Security Analysis. At the time of writing, I can see these options. Choose the desired option with data beforehand:
- APKiD Analysis
- Quark Analysis
- Server Locations
- Domain Server Check
The image below shows the APKiD Analysis for the tested application:
These are potential confidential information found in the application. You can view such information by clicking on Reconnaissance then Hardcoded Secrets on the sidebar.
You can view the application's components by clicking on Components. Underneath, are details of the application's Services, Receivers, Providers, Libraries, and Files. Below are some files associated with the tested application:
Is the application using the internet? Does it have access to external storage? You'll find the answers to these questions under Permissions.
We've touched some analysis reports mentioned previously, but, keep an eye on two particular sections in the report, namely:
- Code Analysis
- Binary Analysis
This section will detail some actions performed by some specific code snippets of the application, including their severity and CVSS score. For example, the tested application shows that the application is logging sensitive information. Such information should not be logged.
The result in this section can be scary because it details some information that you as a developer should look into when compiling your code.
The manifest analysis of the tested application revealed some alarming results, most notably, the app is set up to use "Clear text traffic" using protocols like HTTP.
This means there is a lack of confidentiality, authenticity, and tampering of the application transmitted data. Other results also show that some Services and Activities are not protected. Therefore, they are accessible by other apps on the device.
A quick look at the code analysis section revealed that some components of the application are using insecure SHA-1 and MD5 hashing algorithms. Both algorithms are known to be vulnerable to hash collision.
Further inspection of the report reveals that the app uses an Insecure Random Number Generator (RNG).
Insecure RNG is known to produce predictable values, and should not be used in a security context.
Among other things, there is also an IP Address disclosure.
This may leak the IP addressing scheme of a company's/organizational network. Finally, the app executes raw SQL, making it vulnerable to SQL injections from untrusted user inputs.
The vulnerabilities discussed in the tested application can also find their way into your application. When that happens, you are better off prepared, therefore, we'll discuss them and their possible fix. As a recap, the vulnerabilities are:
- Insecure Communication
- Insecure Hash functions
- IP Address Disclosure
- SQL Injection
- Insecure Random Number Generator
This happens when your application or some of its components use cleartext HTTP to perform operations, this can lead to interception of sensitive data. Use SSL/TLS for data transmission to overcome the vulnerability.
The SHAttered attack is a collision attack on the Secure Hash Function (SHA) which demonstrates that a "good" file and a bad file can generate the same hash. In addition, MD5 is also vulnerable to a collision attack. The fix:
This can expose the internal IP address used by an organization's infrastructure.
The fix: The addresses should be rewritten with innocuous identifiers.
This happens when malicious SQL is executed on a database. Usually, it occurs as a result of unsanitized user inputs. The fix: Sanitise all user inputs.
When a generator is meant to be random, it should not generate predictable values, if it does, it's considered not secure from a security perspective. The fix: Use cryptographically secure Pseudo-Random Number Generator.
Security is not a one-way street, and it takes dedication and awareness to know the vulnerabilities that might slip into your application without your knowledge. You can deploy MobSF on your system for potential insights into the security of your application. And if the need arises, fix the identified issues or just go back to the drawing board and plan the fix for future updates.