Android… It is no longer just a mobile phone.
Nowadays Android applications run anywhere and everywhere: home appliances, watches, TVs, car applications, and with the Internet of Things kicking in quickly, Android applications will probably become even more prevalent in our lives.
Android is based on a customized Linux OS version. The main difference from classic PC Linux is that the Android OS was adapted to treat every application on the device as a separate user or entity.
Each application runs in its own virtual environment within the OS, called the Dalvik Virtual Machine (DVM)*. Application code written in Java is compiled to Java bytecode and then converted to DEX (Dalvik bytecode). The DVM generates, on the fly, machine-specific instructions for the ARM CPU (or whichever CPU is in use). All Android applications are packaged as an APK (Android Application Package). The APK is an archive file containing everything the Android device needs in order to execute the application, whether it was downloaded from the Google Play store or from an alternative source.
*Dalvik is being phased out (Android L). Newer Android OS versions use ART (Android Runtime); however, the general idea stays the same.
As Android runs on Linux, it is only natural that it uses the Linux security mechanisms, which have earned a good reputation over the years.
Security-wise, logically and physically separating each app allows processes and files to be protected from tampering and modification. Each app runs in its own virtual environment and does not (or rather should not) look into other apps' data or processes unless specifically allowed. This method of separation provides good basic protection even when developers are careless.
An additional security measure taken by Android is to ensure that APKs are signed. This does not let the ordinary user identify malicious behavior; however, it does allow app integrity validation.
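As an added example (it is not code from the original post, nor from Checkmarx or AppSec Labs), the Python below shows the integrity-validation idea from this paragraph together with the "APK is an archive" description above: it treats an APK as a zip, reads META-INF/MANIFEST.MF, recomputes the SHA-256 digest of every entry and reports files that were modified, removed or added after the manifest was written. The APK is a constructed in-memory sample, not a real app. The code checks only the manifest-digest layer of the JAR-style (v1) signature; it does not verify the signature over the manifest in CERT.SF/CERT.RSA, which is what makes the real check tamper-proof, so for a genuine APK use `apksigner verify` from the Android build tools.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"


def build_sample_apk(tamper: bool = False) -> bytes:
    """Construct a toy APK-like zip in memory (constructed sample, not a real app).

    A real APK has the same layout: AndroidManifest.xml, classes.dex, resources,
    and a META-INF/MANIFEST.MF that lists a digest for every entry.
    """
    entries = {
        "AndroidManifest.xml": b"<manifest package='com.example.demo'/>",
        "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
        "res/layout/main.xml": b"<LinearLayout/>",
    }
    lines = ["Manifest-Version: 1.0", "Created-By: constructed-sample", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    manifest = "\r\n".join(lines).encode()

    if tamper:
        # Simulate a repackaged app: code altered and a file added after the
        # manifest was produced, while the manifest itself is left untouched.
        entries["classes.dex"] = entries["classes.dex"] + b"\x90\x90"
        entries["assets/payload.bin"] = b"unlisted extra file"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST_PATH, manifest)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Parse MANIFEST.MF into {entry name: base64 SHA-256 digest}."""
    digests = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and current is not None:
            digests[current] = line[len("SHA-256-Digest: "):]
        elif line == "":
            current = None  # blank line ends the per-entry section
    return digests


def check_apk_integrity(apk_bytes: bytes) -> dict:
    """Recompute each entry's SHA-256 and compare it with MANIFEST.MF.

    Returns {"ok": bool, "modified": [...], "unlisted": [...], "missing": [...]}.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        if MANIFEST_PATH not in names:
            return {"ok": False, "modified": [], "unlisted": [],
                    "missing": [MANIFEST_PATH]}
        expected = parse_manifest(zf.read(MANIFEST_PATH).decode())
        modified, unlisted = [], []
        for name in names:
            if name.startswith("META-INF/"):
                continue  # the signature block itself is not digested in MANIFEST.MF
            actual = base64.b64encode(hashlib.sha256(zf.read(name)).digest()).decode()
            if name not in expected:
                unlisted.append(name)
            elif actual != expected[name]:
                modified.append(name)
        missing = [n for n in expected if n not in names]
    ok = not (modified or unlisted or missing)
    return {"ok": ok, "modified": modified, "unlisted": unlisted, "missing": missing}


if __name__ == "__main__":
    print("clean:", check_apk_integrity(build_sample_apk()))
    print("tampered:", check_apk_integrity(build_sample_apk(tamper=True)))
```

Running the module reports the clean sample as intact and flags `classes.dex` as modified and `assets/payload.bin` as unlisted in the tampered one. Note that an attacker who repackages an app can simply regenerate the manifest, which is why the digest layer alone is not an integrity guarantee: only the signature over the manifest, checked against the developer's certificate, is.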
Most applications are installed from the official Google Play application store. Google does take a few basic measures to validate app integrity and security (see: the Bouncer service); however, there have been, and will be, malicious developers who upload a malicious app to the store. These are usually detected by Google after a few, or more than a few, infections have been reported. At that point Google will remove the app from the store, but by then the app has already found its way onto devices and onto alternative stores. Note: Android phones do have a setting that blocks installation from sources other than Google Play; however, this can easily be disabled.
So it seems that Google has taken significant steps to ensure the user's security.
Where is the problem? What are we worried about?
The threat model for mobile apps is different and cannot be compared to that of other apps such as web apps. Although the server-side functionality might be very similar between web and Android apps, when analyzing the threat model for Android applications there is an extra major piece to consider: client-side security concerns.
The attack surface of Android devices, or of any mobile device, combines server-side and client-side security concerns. There are therefore more problems to worry about than for an equivalent web app.
When performing penetration tests on regular (non-mobile) applications, testers issue requests to the server side in an attempt to manipulate them. This does not suffice for mobile applications. There are additional considerations on the client side, such as reverse engineering, which is a key requirement when testing mobile apps. The pen tester's skill set requirements are different.
Tools to analyze Android application security are becoming more available; however, they are not yet as mature as the ones available for web apps.
Once a malicious user or hacker wants to analyze an application in order to identify vulnerabilities and plan an attack, they will start by downloading the application onto their own device. On a rooted device, the hacker can analyze the app very thoroughly and identify vulnerabilities within the code. In most cases, a vulnerability detected in a specific app will be exploitable on any other device running that same application.
Application data theft can be performed using standard server-side attacks which have been used for years on web applications. These include request manipulation, DoS, SQL injection and others.
Most of us have probably experienced losing a mobile device or having one stolen. If the wrong person gets their hands on your device, all data stored on the device itself, and probably additional data stored on the application server side or in the cloud, is accessible. GAME OVER!
There have been multiple occasions of application phishing. The technique is actually quite simple: an app masquerading as a different app is published for download. Once it is downloaded to users' devices it can perform a variety of attack techniques:
This section discusses the most common vulnerabilities found in Android mobile applications; however, there are many more to be covered when developing or analyzing an application.
Check out AppUse, developed by our partners AppSec Labs, who specialize in application security testing and education and are at the forefront of the industry. AppUse is a full-blown solution for pen testers working with Android apps.
The blog content is also available as a presentation delivered by our partner AppSec Labs at the following link: https://www.brighttalk.com/webcast/288/116551?autoclick=true1