How to Test Security and Vulnerability of Your Android and iOS Apps

How to Test Security and
Vulnerability of Your
Android and iOS Apps
4 December 2013

Ville-Veikko Helppi

Antti Häyrynen

Technical Product Manager

Security Specialist

ville-veikko.helppi@bitbar.com

antti.hayrynen@codenomicon.com

webinar

Agenda
• Mobile Apps & Third-Party Components
• Security, Open Source and Licenses on
Different Mobile Subverticals
• Is Your Mobile App Safe?
• Testdroid Update
• Demonstration
• Q&A

© Copyrights by Bitbar Technologies Ltd. 2013
All rights reserved.

2

webinar

Agenda
• Demonstration
• Q&A


3

webinar

Security Testing for Mobile Apps
• How to test something you don’t know it exists?
• Security testing doesn’t replace white/black box
testing but can complement it very well
• e.g. Android protects
• User data
• System resources
• Application isolation

• Security at the OS level


4

webinar

Hot debate about Android security
• Open Platform – All source code available
• Linux security (e.g. users, process isolation, IPC)
• Filesystem permissions
• Cryptography (API)
• Memory management
•

1.5 -> 4.2

• Application security
• Android has defenses to protect itself – not data!

5

webinar
Mobile Apps & Open Source Components

Blurred
Blurred


6

webinar
Mobile Apps & Third-Party Components
• Majority of today’s applications consist largely of
third-party code/libraries and application-specific
glue to hold everything together
• This is a prudent and well-accepted development
practice that offloads the task of developing code for
non-core functions of the application
• Each piece of third-party code has an associated
license whose terms can affect the distribution and
licensing of your application


7

webinar
Mobile Apps & Third-Party Components
• Identifying 3rd party code, its vulnerabilities and its
licenses, is critical in order to understand your
security exposure and your liability:
•
•
•
•

•

Know those 3rd party components/libs used in your app
Identify binding software licenses for 3rd party code
Identify vulnerabilities in 3rd party components that could
be security risks in your application (and its users)
3rd party components evolve and change – it’s important
to know what is new and what makes your app vulnerable
Instant way of checking any app (Android & iOS) will
enable you to focus on your core activities

8

webinar

Agenda
• Demonstration
• Q&A


9

webinar

Apps for Mobile Subverticals
Games
Utilities & Tools
Video Streaming & Multimedia
Banking & Payment
Retail & Travel
Mobile

• Testdroid has helped
thousands of app
developers in these
subverticals!
• What are the critical
elements in each these
verticals?
• How are the security
requirements different in
each subvertical?


10

webinar

•Top Requirements

Games
Utilities & Tools
Banking & Payment
Retail & Travel
Mobile

–User Experience!
–Resource consumption &
validation (CPU, Mem…)
–Fully utilizing hardware –
e.g. Touch screen
–Access to graphics APIs
(e.g. OpenGL ES)

•Open source license

11

webinar

•Top requirements

Games
Utilities & Tools
Banking & Payment
Retail & Travel
Mobile

–Usability!
–Functional and Behavioral
testing
–Metrics analysis for all
captured data (e.g.
logs, screenshots, perf
stats)
–Relation to other apps

•Open source license

12

webinar

•Top requirements

Games
Utilities & Tools
Banking & Payment
Retail & Travel
Mobile

–Performance!
–Connectivity, robustness
and durability
–Screen orientation
(portrait vs. landscape)
–Graphics quality,
streaming capabilities
–User profiles

•Security & Vulnerability

13

webinar

•Top Requirements

Games
Utilities & Tools
Banking & Payment
Retail & Travel
Mobile

–Security!
–Secure connectivity with
back-end systems
–Top Quality – extremely
brand sensitive vertical
–Compliances and
verification between real
devices and infrastructure

•Security is the no. 1 thing

14

webinar

•Top Requirements

Games
Utilities & Tools
Banking & Payment
Retail & Travel
Mobile

–Data!
–Connectivity and data
connection with back-ends
–Configurability of the app
–Bad quality WILL hurt the
brand and make customers
leave your app

•Security, Licenses

15

webinar

Agenda
•Mobile Apps & Third-Party Components
•Security, Open Source and Licenses on Different
Mobile Subverticals
•Is Your Mobile App Safe?
•Testdroid Update
•Demonstration
•Q&A


16

Is your mobile app safe?
Codenomicon AppCheck

Mobile software
•Software development is increasingly
shifting into mobile
•Android and iOS dominant
platforms, followed by WP and Qt
–All different, even on preferred programming
language level

•Volumes larger than traditionally, average
revenue per user much lower

Mobile software paradigm
•Traditionally software opens files and
handles them.
–Only Android supports this properly via
registering as content handler

•The modern way is to have client / server
architecture
–Mobile device is a client. Payload is usually
json, protobuf, xml or media.

Traditional Threats
•Open malicious file / content (via
email, web etc) that contains an exploit ->
target popped.
•In Android, content handlers can have
these issues.
–Platform somewhat limits what the attacker
can do unless privilege escalation is possible.
–For example PDF readers, video players etc.

Modern threats
•In the modern app paradigm, the mobile
client “enriches” content from pre-defined
server
–Usually SSL protected
–Certificate checks?
•Cert pinning?

•Attacks somewhat limited to either
–Man in the middle
–Injecting malice via server

IOS apps
•IOS apps are Mach binaries usually written
in Objective-C
•Packaging follows the common paradigm –
manifest, code and resources inside zip
•Inside the device executable code is usually
encrypted, but in clear before blessed by
Apple.
–Can be decrypted on jailbroken devices.

•Allows mixing of C into apps -> common
OSS libs can be used.

Anatomy of an Android app
•The simplest form: simple java application.
–Manifest, .dex, resource files

•Manifest has meta data (app name,
permissions, content handler registrations
etc)
•DEX contains java byte code
–With or without proguard obfuscation.

•Resource files contain images etc.
•Optionally native code (usually just ARM) in
lib/

Native code
•Sometimes java is not enough.
–~15% of android apps contain native code
•.so’s in lib/

–Among popular apps, the amount is much
higher

•If the native code processes untrusted data,
it’s out of dalvik supervision.
–Can corrupt memory and contain exploitable
bugs.

Third party code
•Modern world contains plenty of ready
components either as open source or licensable.
•People use them to
–Avoid re-inventing the wheel
–Save time and costs
–Create better software – many of those components
are actually great at what they do.

•Apps that use them inherit the bugs they have.
•Since there’s no “package management” in
Android like in Linux distros, apps bundle third
party code with them.
–Fixing 3rd party bugs require actions from app vendor

Third party code in Android apps
•There are different types of 3rd party libs
popular in Android, for example
–Ad networks
–Protocol clients
–Content decoders/encoders
–Shiny UI widgets
–Cross-platform app frameworks
–Most of the Java 3rd party libs usable in
Android

•Either Java or native

Introducing Appcheck
•Codenomicon Appcheck makes it easy and
fast to increase your application security
•Integrated into Testdroid
•Works on binaries, no source code
necessary.
•Main idea is to look for third party code from
apps and categorize them.

Vulnerabilities
•Third party libraries may contain vulnerabilities that
endanger application security
•Common pitfalls in android libraries include for
example missing certificate checks, missing
crypto, privacy issues
•In native libraries common native code problems
persist.
•Vulnerability feeds provide vulnerability information
on common components
–http://nvd.nist.gov/
–Appcheck performs matching against vulnerability feeds

Ad networks
•Ad networks vary from benign to outright
evil
–Some replace dial tone
–Some have critical vulnerabilities
–Some may send more information than user is
willing to accept

•Appcheck detects all the common ad
networks.

Licenses
•Third party code sometimes comes with some
strings attached in form of licenses
–Eg. GPL requires you to distribute source code of
derivative works
–Apache license requires some attribution
–GPLv3 forbids DRM

•Common pitfall in Android would be to bundle for
example LGPL lib in on .so with rest of the native
code
•Appcheck makes all the used licenses visible

Improving security
•By being aware of security issues of
reusable third party components in their
apps, developers can take action to fix
issues
•If you source software, you can use
Appcheck to check what supplier has
actually bundled inside the app.

Conclusions
•Mobile applications face threats and risks
stemming from bundled 3rd party code.
•Third party code scanning gives you
actionable results to
–Remove or mitigate known vulnerabilities
–Eliminate license risk
–Remove overlapping and unwanted
functionality such as privacy leaks

webinar

Agenda
Mobile Subverticals
•Testdroid Update
•Demonstration
•Q&A


33

webinar

Testdroid Products
Complete Solution for Mobile Apps/Games Testing


34

webinar

Testdroid & Appcheck
– Get Your App an Insurance for Security & Vulnerability!


35

webinar

Testdroid Blog and Webinars
– Because it is important to how to automate your testing!


36

webinar

Codenomicon Website and Events


37

webinar

Agenda
Mobile Subverticals
•Testdroid Update
•Demonstration
•Q&A


38

webinar

Agenda
Mobile Subverticals
•Testdroid Update
•Demonstration
•Q&A


39

webinar


40

How to Test Security and Vulnerability of Your Android and iOS Apps

More Related Content

What's hot (20)

Similar to How to Test Security and Vulnerability of Your Android and iOS Apps (20)

More from Bitbar (7)

Recently uploaded (20)

How to Test Security and Vulnerability of Your Android and iOS Apps