What sort of security testing tools will we need as we build mobile versions of our Web apps?
Mobile applications can have complicated threat models, so security testing needs to examine a number of different aspects of these systems. There are three major types of security testing tools to look into for mobile app security testing: static, dynamic and forensic. Comprehensive testing programs should use a combination of these vendor-provided and third-party tools.
Static testing tools look at the application while at rest -- either the source code or the application binary. These can be good for identifying certain types of vulnerabilities in how the code will run on the device, usually associated with dataflow and buffer handling. Some commercial static security analysis tools and services have the capability to test mobile application code. It is important to work with the vendor to get a clear understanding of exactly what types of vulnerabilities can and cannot be identified, because most security static analysis tools were originally optimized for testing Web-based applications.
Freely available tools for static analysis of mobile applications include the Clang Static Analyzer, which is a static analysis tool for C, C++ and Objective-C programs. You can use the Objective-C support to test for certain quality and security errors in iOS-based applications, and they can be run both from the command line and from inside Apple's XCode development environment. In addition, the XCode-provided "otool" command can be used to extract information from iOS application binaries that can be used in support of security analysis.
In Android environments, tools exist that extract both DEX assembly code as well as recover Java source code from Android applications. Examples of these tools include DeDexer, which generates DEX assembly code from an Android DEX application binary, and dex2jar, which converts DEX application binaries to standard Java JAR files. Standard Java analysis tools such as FindBugs can then be used to analyze these JARs. In addition, the Java bytecode can be converted back into Java source code with Java decompilers such as JD-GUI. This sets the stage for manual security analysis of an Android app.
Dynamic testing tools allow security analysts to observe the behavior of running systems in order to identify potential issues. The most common dynamic analysis tools used in mobile app security testing are proxies that allow security analysts to observe -- and potentially change -- communications between mobile application clients and supporting Web services. One example of such a proxy tool is the OWASP Zed Attack Proxy. With proxy tools, security analysts can reverse engineer communication protocols and craft potentially malicious messages that would never be sent by legitimate mobile clients. This allows the messages to attack the server-side resources that are a critical component of any nontrivial mobile application system.
Forensic tools allow security analysts to examine artifacts that are left behind by an application after it has been run. Common things analysts might look for include hard-coded passwords or other credentials stored in configuration files, sensitive data stored in application databases and unexpected data stored in Web browser component caches. Analysts can also use forensic tools to look at how components of mobile applications are stored on the device to determine if available operating system access control facilities have been properly used.
Exploring mobile device file systems can be done using tools such as the Android Debug Bridge that comes with the Android Development Kit or third-party tools like the iPad File Explorer, which, despite its name, should work for all iOS devices and not just iPads.
The SQLite database engine is available natively on both iOS and Android systems and is a common way for app developers to store data in a familiar relational database-like environment. Utilities such as the SQLite Database Browser can be used to examine SQLite database files once they have been recovered from a target system.
Have a question about mobile app security testing? Let us know and we'll pass your question on to one of our experts.
This was first published in November 2013