Our mobile application penetration testing expert conducted a study on the Google Play market, selecting about 100 mobile applications at random and statically analyzing them with QARK to discover the most common mobile application vulnerabilities.
'Important results are shared with the application owner via email.'
What is static mobile application analysis?
Static mobile application analysis is the process of analyzing an app without running it. This is done by looking at the app's byte code, which is the code that is run on a device when the app is installed.
Static mobile application analysis can be done manually. However, generally, it is done using a tool like QARK. QARK(Quick Android Review Kit) is a static analysis tool that is specifically designed for Android apps.
Which vulnerabilities can be found in static analysis?
There are a number of vulnerabilities that can be found in static analysis. Some of the most common ones include:
- Injection vulnerabilities: These vulnerabilities occur when untrusted data is inserted into an app, such as user input. This can allow an attacker to execute malicious code or access sensitive data.
- Security misconfiguration vulnerabilities: These vulnerabilities occur when an app has been incorrectly configured, such as by leaving ports open that should be closed. This can allow an attacker to gain access to the app or the device it is running on.
- Broken authentication and session management vulnerabilities: These vulnerabilities occur when an app does not properly verify user credentials or sessions. This can allow an attacker to gain access to sensitive data or resources.
- Insufficient logging and monitoring vulnerabilities: These vulnerabilities occur when an app does not log enough information or does not monitor activity closely enough. This can make it difficult to detect and respond to attacks.
- Poor coding practices: These vulnerabilities occur when an app is poorly written, leading to insecure coding practices. This can allow an attacker to take control of the app or steal data.
- Bypassing Certificate Pinning: These vulnerabilities occur when an attacker is able to bypass security measures, such as SSL protection. This can allow the attacker to access sensitive data or execute malicious code.
Static Analysis vs Dynamic Analysis
Dynamic analysis is the process of running an app and observing its behavior. This can be done manually or using a tool like Drozer or Frida.
Dynamic analysis can find vulnerabilities that are not found with static analysis. However, it is more time-consuming and can be more difficult to use.
Which type of mobile application security testing should you use?
The type of mobile application security testing that you should use depends on your needs and resources. Static analysis is a good option for organizations that want to quickly and easily scan apps for common vulnerabilities. However, it does not find all vulnerabilities and cannot detect behavioral issues. Dynamic analysis is better for organizations that want to find all vulnerabilities and also detect behavioral issues. However, it is more time-consuming and can be more difficult to use.
Organizations should use a combination of static and dynamic analysis to get the most comprehensive security testing. This will allow them to find both common and rare vulnerabilities.
Selection of random about 100 mobile app category of these mobile apps are given below:
- Health
- Communication
- Transportation
- Entertainment
- Payment
- Education
Analyzing Process
We used QARK with our scripts to automate all processes. Total analyzing time took 126 minutes with an average laptop (16 GB ram, core i7 7HQ, Ubuntu OS).
All outputs are parsed with simple bash commands.
Output
Conclusion
Static analysis is a good option for organizations that want to quickly and easily scan apps for common vulnerabilities. However, it does not find all vulnerabilities and cannot detect behavioral issues. Dynamic analysis is better for organizations that want to find all vulnerabilities and also detect behavioral issues. However, it is more time-consuming and can be more difficult to use. Organizations should use a combination of static and dynamic analysis to get the most comprehensive security testing. This will allow them to find both common and rare vulnerabilities.
control security posture