Solved

Android Security Testing

Posted on 2015-01-18
Last Modified: 2015-01-27
Hello
I am initiating Android mobile testing and have acquired some basic information on the process and checklist. I have even zeroed in on some tools. I am not sure how the tools work, but I am exploring. I have one basic question on best practice. Should we do performance testing directly on the device or through some emulator? I have not categorised the tools according to whether they execute on a device or an emulator. Please provide some insight.

Some tools which I will be considering --

App-Ray analyzes apps and highlights vulnerabilities, data leaks, and privacy breaches.

DidFail (Droid Intent Data Flow Analysis for Information Leakage) uses static analysis to detect potential leaks of sensitive information within a set of Android apps

DroidBench is a set of open source real-life Android applications to be used as a testing ground for static and dynamic security tools

FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications.  

Thanks
Question by:PERF_ETC79
9 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 40558947
it seems you have already had a good research on tools to be used for performance test but just got stuck on the difference between running on physical device and SDK simulator.

IMPO, you need BOTH in terms of result comparison, hardware compatibility and limit, test cost or convenience.

1. hardware based test is always required for final test before each release whatever it is alpha or beta release.

2. hardware based test is also required if hardware specific or dependent features are to be tested, such as graphics acceleration for games, low-level hardware access for network or bluetooth communication, user experience on customised touching gestures etc. these are something that can't be done properly in a simulator environment.

3. simulator based test is highly recommended or even required for algorithm verification and performance comparison especially for unit tests as you may easily determine the speed differences.

4. simulator based test may also help developer observe more details on UI design and implementation as the screen can be easily zoomed and captured.

5. Obviously, testing with a simulator is more convenient for developers especially for code debugging.

basically you need BOTH according to the test requirement and scenarios.

does it make sense?
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40558957
Know the threat to address with threat modelling but that is separate topic, that chart your testing direction typically...

Regardless, I will look at it from the dynamic and static verification and validation as the overall scope to chart the testing.

- Dynamic : in terms of code execution, treating the target Android platform and apps concerned as blackbox. This can include passive network monitoring and analyzing, active network capturing and manipulating and also methods for runtime analysis, manipulation and file manipulation. Tools can include Wireshark, BurpSuite, Intent Sniffer, Intent Fuzzer, androidAuditTools etc

- Static : in terms of code validation, treating the Android apps code as whitebox, with run through on secure coding practice. This can include methods such as reverse engineering and automatic/manual source code analysis. Tools include dex2jar, JD-GUI, Androwarn, Andrubis, ApkAnalyser

I suggest looking at SEI and OWASP for good practices - they suggested tools and testing defined methodology. In fact, I see that you listed also SEI developed tools as well which I see it as good inclusion too. However, they may require very deep tech skillset (most listed are static based) to even read the output (see blog on DidFail) ... second link touches how it can help to sieve out potential (hidden) vulnerability ...
http://blog.sei.cmu.edu/post.cfm/secure-coding-tools-analyzing-android-apps-118
http://blog.sei.cmu.edu/post.cfm/android-heartbleed-testing-devops-sei-midyear-review-181

So do not overwhelm yourself by having many tool collection as the clear objective is to achieve within your check scope first and avoid running tools that are duplicative in each test domain (you can go for 1-2 but not more). On top of those list, may consider others (not necessary tools)
- Androick: Tool to analyze an Android application e.g. retrieve from the apk, all the data and the database in sqlite3 and csv format. However, it is only for Pentesters or Researchers.
- Mobile SCALe: Rules and Analysis for Secure Java and Android Coding

OWASP has top 10 Mobile security risk (and controls) which most of the scanner would be based on and I will say that can be a baseline or practice you can kickstart with to sieve out the low hanging fruit. See the main page and the relevant tab to Mobile security testing, Mobile tools and Secure mobile code development:
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client Side Injection
M8: Security Decisions Via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

In terms of simulator or real platform, there are a few mentioned already in the same link stated above. I see the simulator as firing range for test out on tools and possible exploitation and the real platform to finalise the tool output and also to test criteria which simulator can be inaccurate like the use of interactive interfaces for wifi, usb, etc. Note the simulator also may not have the latest OS version and can be specific to OEM and model.

Real test findings should be derived from platform and simulator is just diligence as prior check as training ground in preparation. E.g. OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security.
 

Author Comment

by:PERF_ETC79
ID: 40561319
Both the answers have made things very clear and will help me to hit the bull's eye. I don't know if I should continue to ask a related question here, but anyhow I am quoting the same.

Are rooted or jailbroken devices a must for security or penetration testing? I have started using the Android security testing framework provided by AppUse and I am not able to connect to the device as it is not rooted.

Let me know if I should ask this as a new question.
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 40561326
in fact the moment it is rooted or jailbroken state as inspected, it is already a "loosely" controlled device and it is definitely as must as it may just not be practical to scan or check further as the very first rule of security of being in trusted state is already not attainable and assured. you have to review the objective of the scanning. most enterprise policies do not even allow that and even in BYOD, that rooted device simply lets the wild come in and even securely coded apps cannot be guaranteed installed in those devices, some apps do not even run in those devices too.

 

Author Comment

by:PERF_ETC79
ID: 40561334
So can I presume that a rooted or jailbroken device is not a must for security assessment?
 
LVL 61

Expert Comment

by:btan
ID: 40561340
in fact, it is what needs to be detected but you can put in the assessment scope as to assume clean slate depending on req. However, we always will not only trust without verification. I will still take it as part of assessment if poss.
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 40568779
IMPO, jail broken or not actually does not have direct relation to the security test you are doing as one is for OS level and the other (your tests) is for application level only.

of course, a jail broken device may expose more security issues as the OS based application protection has been disabled or passed around, therefore some not-well-behaved apps may take the advantage to access system resources excessively and improperly, which may accordingly cause data leakage, slow performance and system crash.

anyway, for well-behaved apps, technically, jail broken or not does not make any difference to the apps as well as their behaviour and performance.
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 40568786
jailbroken is normally what vulnerability scanner can surface but that is tool wise, for your overall security testing it needs to go beyond that besides identifying that as the intent and key objective for testing is to apprise whoever is reading that report or service rendered to how to make better informed decision on the available measures to mitigate and remediate the surfaced finding. Note typically there should be severity level and measures to remove risk and exposure.

Security testing is not the typical doctor health check per se, you surface known and potential points of failure and importantly, actionable findings to close gaps meant a lot to the device owner and service provider. of course it depends on your scope of testing which you should define in your methodology too...
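
The thread keeps returning to two facts a report should state about the test target: emulator or physical device, and whether the platform shows signs of being rooted. The following added example (not from any poster in this thread) derives both from `adb shell getprop` output; the sample property dumps are constructed, and the checks are heuristics rather than proof.

```python
import re

# Constructed `adb shell getprop` excerpts (not captured from real devices).
EMULATOR_PROPS = """\
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.kernel.qemu]: [1]
[ro.product.model]: [sdk]
[ro.secure]: [0]
"""
STOCK_DEVICE_PROPS = """\
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
[ro.product.model]: [ExamplePhone]
[ro.secure]: [1]
"""
CUSTOM_ROM_PROPS = """\
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.product.model]: [ExamplePhone]
[ro.secure]: [1]
"""

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>.*)\]\s*$")

def parse_getprop(text):
    """Parse '[key]: [value]' lines into a dict, skipping malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props

def classify_target(text):
    """Return (platform, trust_indicators) to record in the report header.

    Heuristics only: properties can be spoofed, and a device rooted on a
    stock build may show none of these indicators.
    """
    props = parse_getprop(text)
    is_emu = "1" in (props.get("ro.kernel.qemu"), props.get("ro.boot.qemu"))
    indicators = []
    if "test-keys" in props.get("ro.build.tags", ""):
        indicators.append("build signed with test-keys")
    if props.get("ro.debuggable") == "1":
        indicators.append("ro.debuggable=1")
    if props.get("ro.secure") == "0":
        indicators.append("ro.secure=0 (adbd runs as root)")
    return ("emulator" if is_emu else "physical"), indicators
```

An empty indicator list means only that these three properties look stock; it does not establish that the device is in a trusted state.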