Android Application Security Testing Part-11: STATIC ANALYSIS

STATIC ANALYSIS
Static analysis involves examining an application's components without executing them; it is comparable to white-box testing. During static analysis the mobile app's code is analysed to check that security controls are implemented correctly. In most cases a hybrid automated/manual approach is used. Using reverse engineering we can recover a readable form of the application's code and examine it for vulnerabilities.
Reverse Engineering: Reverse engineering, also called back engineering, is the process by which a man-made object is deconstructed to reveal its design and architecture, or to extract knowledge from it.
The same concept applies to Android. Let me explain how: an Android application is just an archive file with the .apk extension. We can rename it to .zip [I will explain this clearly in the reverse engineering part], and when we extract the .zip file we can observe the different kinds of files inside: the dex file(s) holding the compiled code, assets, lib (native libraries), the META-INF folder containing the application's signature data, and whatever else the developer has packaged.
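As an added example (not code from the original post), the following Python script does the first triage pass described above without renaming anything: it opens an APK with the standard zipfile module, inventories the dex files, native libraries per ABI, assets and v1 (JAR) signature files under META-INF, and checks that each .dex member really starts with the DEX magic bytes. The APK it inspects is a constructed in-memory archive with placeholder contents, so it runs offline; point `triage_apk()` at the bytes of a real .apk to use it for real.

```python
import io
import zipfile

# A genuine classes.dex starts with the 8-byte magic "dex\n" + 3-digit version + "\0".
DEX_MAGIC = b"dex\n035\0"


def build_sample_apk() -> bytes:
    """Constructed sample: a tiny in-memory archive that mimics the layout of a
    real APK. It is NOT a real app; member contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary AXML, not plain text
        z.writestr("classes.dex", DEX_MAGIC + b"\0" * 100)
        z.writestr("classes2.dex", DEX_MAGIC + b"\0" * 100)     # multidex app
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("assets/config.json", b'{"api": "https://example.invalid"}')
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")
        z.writestr("res/layout/main.xml", b"\x03\x00\x08\x00")
    return buf.getvalue()


def triage_apk(apk_bytes: bytes) -> dict:
    """Inventory an APK the way a first manual pass would: which code, native
    libraries, assets and signature files are present, and whether every
    .dex member really is a DEX file (magic check)."""
    report = {
        "has_manifest": False,
        "dex_files": [],
        "bad_dex_magic": [],
        "native_abis": set(),
        "assets": [],
        "v1_signature_files": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name == "AndroidManifest.xml":
                report["has_manifest"] = True
            elif name.endswith(".dex") and "/" not in name:
                report["dex_files"].append(name)
                if not z.read(name).startswith(b"dex\n"):
                    report["bad_dex_magic"].append(name)
            elif name.startswith("lib/") and name.endswith(".so"):
                report["native_abis"].add(name.split("/")[1])
            elif name.startswith("assets/"):
                report["assets"].append(name)
            elif name.startswith("META-INF/") and name.rsplit(".", 1)[-1] in ("SF", "RSA", "DSA", "EC"):
                report["v1_signature_files"].append(name)
    report["native_abis"] = sorted(report["native_abis"])
    report["multidex"] = len(report["dex_files"]) > 1
    return report


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

Note that AndroidManifest.xml inside the archive is binary (AXML), so it cannot be read as text straight out of the zip; apktool decodes it to plain XML, which is the form the manifest analysis below works on. A .dex member that fails the magic check, or signature files that are missing entirely, is a reason to look more closely before trusting anything else in the package.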
For security testing we need to analyse the following files carefully:
  • AndroidManifest.xml file analysis
  • Source Code Analysis
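To show what "AndroidManifest.xml file analysis" looks for in practice, here is an added Python example (not from the original post). It assumes the manifest has already been decoded to plain XML with apktool and checks the usual first-pass items: android:debuggable, android:allowBackup, android:usesCleartextTraffic, and components that are exported (explicitly, or implicitly through an intent-filter) without a protecting permission. The two manifests are constructed samples for a hypothetical package `com.example.demo`; the second is the same manifest with the weak settings corrected.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr: str) -> str:
    """Fully qualified name of an android: attribute, as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed sample (not a real app): the plaintext manifest that `apktool d` produces.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.provider"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# The same manifest with the weak settings corrected (constructed as well).
HARDENED_MANIFEST = (
    WEAK_MANIFEST
    .replace('android:debuggable="true"', 'android:debuggable="false"')
    .replace('android:allowBackup="true"', 'android:allowBackup="false"')
    .replace('android:usesCleartextTraffic="true"', 'android:usesCleartextTraffic="false"')
    .replace('<activity android:name=".AdminActivity" android:exported="true"/>',
             '<activity android:name=".AdminActivity" android:exported="false"/>')
    .replace('android:authorities="com.example.demo.provider"\n              android:exported="true"/>',
             'android:authorities="com.example.demo.provider"\n              android:exported="false"/>')
)

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_exported(elem) -> bool:
    """Platform rule: an explicit android:exported wins; otherwise a component
    that declares an <intent-filter> is exported by default."""
    explicit = elem.get(a("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def is_launcher(elem) -> bool:
    """The MAIN/LAUNCHER activity has to be exported, so it is not reported."""
    return any(c.get(a("name")) == "android.intent.category.LAUNCHER"
               for c in elem.iter("category"))


def analyse_manifest(xml_text: str) -> list:
    """Return (severity, finding) tuples for the weaknesses a manual manifest review checks first."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return [("HIGH", "no <application> element")]
    if app.get(a("debuggable")) == "true":
        findings.append(("HIGH", "android:debuggable=true (a debugger can attach to the app)"))
    if app.get(a("allowBackup"), "true") == "true":   # attribute defaults to true when absent
        findings.append(("MEDIUM", "android:allowBackup not disabled (app data can be extracted via adb backup)"))
    if app.get(a("usesCleartextTraffic")) == "true":
        findings.append(("MEDIUM", "android:usesCleartextTraffic=true (plain HTTP allowed)"))
    for tag in COMPONENT_TAGS:
        for comp in app.iter(tag):
            if is_exported(comp) and comp.get(a("permission")) is None and not is_launcher(comp):
                findings.append(("MEDIUM", "exported %s %s without a permission" % (tag, comp.get(a("name")))))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label)
        for severity, message in analyse_manifest(text):
            print("  [%s] %s" % (severity, message))
```

The hardened manifest still produces one finding, the BootReceiver: it has no explicit android:exported and an intent-filter, so it is exported by default. That is the normal shape of a BOOT_COMPLETED receiver, since the broadcast is protected and only the system can send it, which is exactly the kind of result that needs the manual judgement the post describes rather than a blind automated verdict.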
Tools we use in static analysis:
Automated: AndroBugs_Framework, MobSF
Manual: apktool, dex2jar, JD-GUI, Drozer.
To test with Drozer on Windows we need PentestBox together with the Genymotion emulator or a physical Android device.