Android Application Security Testing Part-9: Android Application Security Testing [VAPT]


Android Application Vulnerability Assessment and Penetration Testing [VAPT]:

Structure of Security Testing

1) Preparation
   - Define the scope of security testing, including the applicable security controls, the organization's testing goals, and the sensitive data involved. More generally, preparation covers all synchronization with the client as well as legally protecting the tester (who is often a third party). Remember, attacking a system without written authorization is illegal in many parts of the world.

2) Intelligence Gathering
   - Analyse the environmental and architectural context of the app to gain a general contextual understanding.
     - Environmental analysis
       - Focus on the company behind the app, its business case and the related stakeholders
       - Analyse internal processes and structures
     - Architectural analysis
       - App (network interfaces, data used, communication with other resources, session management, jailbreak/rooting detection, …)
       - Runtime environment (MDM, jailbreak/rooting, OS version)
       - Backend services (application server, databases, firewall, …)

3) Vulnerability Assessment
   - Vulnerability analysis is the process of looking for vulnerabilities in an app. Although this may be done manually, automated scanners are usually used to identify the main vulnerabilities.
   - Types of vulnerability analysis:
     1. Static Application Security Testing [SAST]
        - During static analysis, the mobile app's source code is analysed to ensure that security controls are implemented appropriately. In most cases a hybrid automatic/manual approach is used.
     2. Dynamic Application Security Testing [DAST]
        - Dynamic analysis focuses on testing and evaluating the app during its real-time execution.
     3. Forensic Analysis
        - Forensic analysis tests how and where the app stores data on the device.
   - Avoiding false positives
     Automated testing tools lack sensitivity to the app's context, which is a challenge: they may flag a potential issue that is irrelevant to the app. Such results are called "false positives".

4) Exploitation
   - In this phase, the security tester tries to penetrate the app by exploiting the vulnerabilities identified during the previous phase. This phase is necessary for determining whether vulnerabilities are real (i.e., true positives).

5) Reporting
   - In this phase, which is essential to the client, the security tester reports the vulnerabilities he or she has been able to exploit and documents the kind of compromise he or she has been able to perform, including its scope (for example, the data he or she has been able to access illegitimately).
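The following is an added example, not code from the original post, showing what a small SAST pass and the false-positive triage described above look like in practice. It scans a constructed AndroidManifest.xml (a made-up sample, not a real app) for a few well-known weak settings (android:debuggable, android:allowBackup, android:usesCleartextTraffic, and components exported without an android:permission guard), then applies a hypothetical context dictionary, of the kind a tester fills in during intelligence gathering, to mark findings that are expected for this app as false positives. The context keys (build_variant, stores_sensitive_data) are assumptions for the example.

```python
"""Added example (not from the original post): minimal manifest SAST checks
plus context-aware triage of the resulting findings."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for the example; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vaptdemo">
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.vaptdemo.data"
              android:exported="true"/>
  </application>
</manifest>
"""


@dataclass
class Finding:
    check: str
    component: str
    detail: str
    false_positive: bool = False
    reason: str = ""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def scan_manifest(xml_text):
    """Return raw (untriaged) findings from application flags and exported components."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    for flag in ("debuggable", "allowBackup", "usesCleartextTraffic"):
        if _attr(app, flag) == "true":
            findings.append(Finding(flag, "application", f'android:{flag}="true"'))
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        if _attr(comp, "exported") != "true":
            continue
        if _attr(comp, "permission"):
            continue  # guarded by a permission; not flagged by this simple check
        is_launcher = any(
            _attr(c, "name") == "android.intent.category.LAUNCHER"
            for c in comp.iter("category"))
        if is_launcher:
            continue  # the launcher activity has to be exported
        findings.append(Finding("exported-unprotected", _attr(comp, "name"),
                                f"{comp.tag} exported without android:permission"))
    return findings


def triage(findings, context):
    """Mark findings that are expected in this app's context as false positives.

    `context` is a hypothetical dict the tester fills in from scoping and
    intelligence gathering (keys are assumptions for this example).
    """
    for f in findings:
        if f.check == "debuggable" and context.get("build_variant") == "debug":
            f.false_positive = True
            f.reason = "debug build under test; re-check the release build"
        if f.check == "allowBackup" and not context.get("stores_sensitive_data", True):
            f.false_positive = True
            f.reason = "app stores no sensitive data per scoping"
    return findings


def true_positives(findings):
    """Findings that survive triage and go on to the exploitation phase."""
    return [f for f in findings if not f.false_positive]


if __name__ == "__main__":
    ctx = {"build_variant": "release", "stores_sensitive_data": True}
    for f in triage(scan_manifest(SAMPLE_MANIFEST), ctx):
        print("FP" if f.false_positive else "TP", f.check, f.component, f.detail, f.reason)
```

With a release-build context every finding stays a true positive; with a debug-build context that stores no sensitive data, the debuggable and allowBackup findings are suppressed and only the cleartext-traffic flag and the two unprotected exported components remain for the exploitation phase.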
Useful Links:


