Solved

Android Security Testing

Posted on 2015-01-18
321 Views
Last Modified: 2015-01-27
Hello,
I am initiating Android mobile testing and have acquired some basic information on the process and checklist. I have even zeroed in on some tools. I am not sure how the tools work, but I am exploring. I have one basic question on best practice: should we do performance testing directly on the device or through an emulator? I have not categorised the tools according to whether they should be run on a device or an emulator. Please provide some insight.

Some tools which I will be considering:

App-Ray analyzes apps and highlights vulnerabilities, data leaks, and privacy breaches.

DidFail (Droid Intent Data Flow Analysis for Information Leakage) uses static analysis to detect potential leaks of sensitive information within a set of Android apps.

DroidBench is a set of open source real-life Android applications to be used as a testing ground for static and dynamic security tools.

FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications.

Thanks
Question by: PERF_ETC79
9 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 40558947
It seems you have already done good research on the tools to be used for performance testing but just got stuck on the difference between running on a physical device and the SDK simulator.

IMPO, you need BOTH, in terms of result comparison, hardware compatibility and limits, and test cost or convenience.

1. Hardware-based testing is always required for the final test before each release, whether it is an alpha or beta release.

2. Hardware-based testing is also required if hardware-specific or hardware-dependent features are to be tested, such as graphics acceleration for games, low-level hardware access for network or Bluetooth communication, user experience on customised touch gestures, etc. These are things that can't be done properly in a simulator environment.

3. Simulator-based testing is highly recommended or even required for algorithm verification and performance comparison, especially for unit tests, as you may easily determine the speed differences.

4. Simulator-based testing may also help developers observe more details of the UI design and implementation, as the screen can be easily zoomed and captured.

5. Obviously, testing with a simulator is more convenient for developers, especially for code debugging.

Basically you need BOTH, according to the test requirements and scenarios.

Does it make sense?
 
LVL 62

Accepted Solution

by: btan (earned 500 total points)
ID: 40558957
Know the threat to address with threat modelling, but that is a separate topic; it typically charts your testing direction...

Regardless, I will look at it from the dynamic and static verification and validation angle as the overall scope to chart the testing.

- Dynamic: in terms of code execution, treating the target Android platform and the apps concerned as a black box. This can include passive network monitoring and analysis, active network capturing and manipulation, and also methods for runtime analysis, manipulation and file manipulation. Tools can include Wireshark, BurpSuite, Intent Sniffer, Intent Fuzzer, androidAuditTools, etc.

- Static: in terms of code validation, treating the Android app code as a white box, with a run-through of secure coding practice. This can include methods such as reverse engineering and automatic/manual source code analysis. Tools include dex2jar, JD-GUI, Androwarn, Andrubis, ApkAnalyser.

I suggest looking at SEI and OWASP for good practices - they suggest tools and a defined testing methodology. In fact, I see that you also listed SEI-developed tools, which I see as a good inclusion too. However, they may require a very deep technical skillset (most listed are static-analysis based) even to read the output (see the blog on DidFail); the second link touches on how it can help to sieve out potential (hidden) vulnerabilities:
http://blog.sei.cmu.edu/post.cfm/secure-coding-tools-analyzing-android-apps-118
http://blog.sei.cmu.edu/post.cfm/android-heartbleed-testing-devops-sei-midyear-review-181

So do not overwhelm yourself with a large tool collection, as the clear objective is to achieve coverage within your check scope first and to avoid running tools that are duplicative in each test domain (you can go for 1-2 but not more). On top of that list, you may consider others (not necessarily tools):
- Androick: a tool to analyze an Android application, e.g. retrieve from the apk all the data and the database in sqlite3 and csv format. However, it is only for pentesters or researchers.
- Mobile SCALe: Rules and Analysis for Secure Java and Android Coding

OWASP has a Mobile Top 10 of security risks (and controls), which most scanners would be based on, and I would say that can be a baseline or practice you can kick-start with to sieve out the low-hanging fruit. See the main page and the relevant tabs for Mobile security testing, Mobile tools and Secure mobile code development:
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client Side Injection
M8: Security Decisions Via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

In terms of simulator or real platform, there are a few points mentioned already in the same link stated above. I see the simulator as a firing range for testing out tools and possible exploitation, and the real platform to finalise the tool output and also to test criteria for which the simulator can be inaccurate, like the use of interactive interfaces for wifi, usb, etc. Note the simulator also may not have the latest OS version and can be specific to OEM and model.

Real test findings should be derived from the platform, and the simulator is just diligence as a prior check and training ground in preparation. E.g. OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security.
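The "automatic/manual source code analysis" step in the static branch above is easy to start on without any of the heavier frameworks listed: once dex2jar and JD-GUI have produced readable Java, a handful of line-oriented checks already surface the kind of low-hanging fruit the OWASP Mobile Top 10 list describes. The script below is an added example (my own code, not from this thread or from any tool named in it). The regex rules, the constructed Java sample, the file name `LoginActivity.java` and the mapping of each pattern to an OWASP M-number are all my assumptions; a real review would tune the rules to the app under test.

```python
"""Line-oriented static checks over decompiled Android source.

Added example, not from the post or from any tool it names. The regexes,
the constructed Java sample and the mapping of each pattern to an OWASP
Mobile Top 10 (2014) bucket are my own assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    source: str     # file the line came from
    line_no: int    # 1-based line number
    rule_id: str
    category: str   # OWASP Mobile Top 10 bucket, e.g. "M2"
    detail: str
    text: str       # offending line, whitespace-stripped


# (rule id, OWASP bucket, pattern, description). The bucket assignment is my
# reading of which risk each pattern most often indicates, not OWASP's.
RULES = [
    ("world-accessible-file", "M2",
     re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"),
     "file or shared preferences created world-accessible"),
    ("sensitive-log", "M4",
     re.compile(r"Log\.[dviwe]\(.*(password|passwd|token|secret|pin)", re.IGNORECASE),
     "sensitive-looking value written to logcat"),
    ("cleartext-url", "M3",
     re.compile(r"[\"']http://"),
     "hard-coded cleartext HTTP URL"),
    ("allow-all-hostnames", "M3",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
     "TLS hostname verification disabled"),
    ("weak-cipher", "M6",
     re.compile(r"Cipher\.getInstance\(\s*\"(DES|RC4|AES/ECB)[^\"]*\""),
     "weak cipher or ECB mode requested"),
    ("sql-concat", "M7",
     re.compile(r"rawQuery\(\s*\"[^\"]*\"\s*\+"),
     "SQL statement built by string concatenation"),
]


def scan_source(name: str, text: str) -> list[Finding]:
    """Run every rule over every line; one Finding per (line, rule) hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_id, category, pattern, detail in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line_no, rule_id, category, detail, line.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per OWASP bucket, for the report's severity table."""
    return dict(Counter(f.category for f in findings))


# Constructed sample standing in for dex2jar/JD-GUI output; not from any real app.
SAMPLE_JAVA = """\
SharedPreferences prefs = getSharedPreferences("creds", MODE_WORLD_READABLE);
Log.d(TAG, "user password=" + password);
String api = "http://api.example.invalid/login";
HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
Cursor cur = db.rawQuery("select * from notes where id=" + id, null);
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");  // clean line, no finding
"""


def scan_sample() -> list[Finding]:
    return scan_source("LoginActivity.java", SAMPLE_JAVA)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.source}:{f.line_no} [{f.category}] {f.rule_id}: {f.detail}")
        print(f"    {f.text}")
    print("findings per bucket:", summarize(scan_sample()))
```

Each hit carries the OWASP bucket so the report can be organised the way the thread suggests, by risk category with a severity and a remediation, rather than as a flat list of tool output. Pattern matching of this kind is deliberately noisy (the `pin` keyword, for instance, will need whitelisting in many code bases), so treat the output as a worklist for manual review in JD-GUI, not as a verdict.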
 

Author Comment

by:PERF_ETC79
ID: 40561319
Both the answers have made things very clear and will help me hit the bull's eye. I don't know if I should continue to ask a related question here, but anyhow I am quoting it below.

Are rooted or jailbroken devices a must for security or penetration testing? I have started using the Android Security Testing framework provided by AppUse and I am not able to connect to the device as it is not rooted.

Let me know if I should ask this as a new question.
 
LVL 62

Assisted Solution

by: btan (earned 500 total points)
ID: 40561326
In fact, the moment a device is inspected and found in a rooted or jailbroken state, it is already a "loosely" controlled device, and it is definitely a must, as it may just not be practical to scan or check further when the very first rule of security, being in a trusted state, is already not attainable or assured. You have to review the objective of the scanning. Most enterprise policies do not even allow that, and even in BYOD, a rooted device simply lets the wild come in; even securely coded apps cannot be guaranteed to install on those devices, and some apps do not even run on those devices.

Author Comment

by:PERF_ETC79
ID: 40561334
So can I presume that a rooted or jailbroken device is not a must for security assessment?
 
LVL 62

Expert Comment

by:btan
ID: 40561340
In fact, it is what needs to be detected, but you can put in the assessment scope an assumption of a clean slate, depending on requirements. However, we will never only trust without verification. I will still take it as part of the assessment if possible.
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 40568779
IMPO, jailbroken or not actually has no direct relation to the security test you are doing, as one is at the OS level and the other (your tests) is at the application level only.

Of course, a jailbroken device may expose more security issues, as the OS-based application protection has been disabled or bypassed; therefore some not-well-behaved apps may take advantage of this to access system resources excessively and improperly, which may accordingly cause data leakage, slow performance and system crashes.

Anyway, for well-behaved apps, technically, jailbroken or not does not make any difference to the apps or to their behaviour and performance.
LVL 62

Assisted Solution

by: btan (earned 500 total points)
ID: 40568786
Jailbroken is normally what a vulnerability scanner can surface, but that is tool-wise; your overall security testing needs to go beyond that, besides identifying it, as the intent and key objective of testing is to apprise whoever is reading that report, or receiving the service rendered, of how to make a better-informed decision on the available measures to mitigate and remediate the surfaced findings. Note that typically there should be a severity level and measures to remove the risk and exposure.

Security testing is not the typical doctor's health check per se; you surface known and potential points of failure and, importantly, actionable findings to close gaps, which mean a lot to the device owner and service provider. Of course it depends on your scope of testing, which you should define in your methodology too...