Recently I had the opportunity to discuss automated security testing of mobile applications at OWASP’s AppSec Europe 16 conference. My presentation centered on the top challenges facing mobile app pentesters, mobile malware analysts, developers, and web pentesters today, and the best strategies for addressing them. I also gave an overview and demo of MobSF (Mobile Security Framework), a free, open source tool for mobile app security testing.
Mobile App Security: Not as Evolved as Web Security
One of the biggest issues facing organizations developing mobile apps is that security testing technologies haven’t kept pace with the volume of new vulnerabilities cropping up in these apps. In my research into mobile banking applications widely used in India and Europe, I’ve found several critical issues. Vulnerabilities such as SSL bypass in both native code and WebView and weak crypto are commonplace.
At AppSec Europe 16, I discussed how easily a mobile app pentesting environment can be set up with MobSF, as compared to a pentesting environment with multiple tools, which can be cumbersome to set up and maintain. I also went into detail about how developers can easily integrate MobSF for effective security during the software development lifecycle. Finally, I gave details about how to easily fuzz web APIs used by mobile apps, using the context and data awareness capabilities of MobSF.
A Better Security Testing Framework for Mobile Apps
With MobSF, developers can identify vulnerabilities in mobile apps at all stages of development. MobSF is an intelligent, automated pentesting framework capable of performing static and dynamic analysis. It can be used for security analysis of Android and iOS applications and supports both binaries (APK and IPA) and zipped source code. MobSF can also perform web API security testing with its API Fuzzer, which performs information gathering, analyzes security headers, and identifies mobile API-specific vulnerabilities such as XXE, SSRF, path traversal, and IDOR, as well as logical issues related to session handling and API rate limiting. MobSF is hosted in your own environment, so your applications and data are never sent to the cloud.
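As an added illustration of the kind of static check that finds the WebView SSL bypass and weak crypto issues mentioned above, here is a small rule-based scanner run over a constructed Java fragment. It is example code written for this page, not MobSF's own rule set; the rule names, the regexes and the sample source are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of Android Java source containing the finding classes the
# post mentions (WebView SSL bypass, weak crypto). It is not code from any real app.
SAMPLE_JAVA = """\
public class LoginWebClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // accepts any certificate, including a MITM one
    }
}
class Crypto {
    Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
    MessageDigest md = MessageDigest.getInstance("MD5");
    Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
}
"""

@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    evidence: str

# Hypothetical single-line rules (name, regex), not MobSF's actual rule set.
LINE_RULES = [
    ("weak-cipher", re.compile(r'Cipher\.getInstance\("(DES|RC4|RC2|Blowfish)[^"]*"\)')),
    ("ecb-mode", re.compile(r'Cipher\.getInstance\("[^"]*/ECB/[^"]*"\)')),
    ("weak-hash", re.compile(r'MessageDigest\.getInstance\("(MD5|SHA-?1)"\)')),
]
# The SSL check spans lines: only a proceed() inside onReceivedSslError is a bypass,
# so the method name alone must not be flagged.
SSL_BYPASS = re.compile(
    r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*?\bproceed\s*\(\s*\)", re.S)

def scan_source(src: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for name, rx in LINE_RULES:
            if rx.search(line):
                findings.append(Finding(name, lineno, line.strip()))
    for m in SSL_BYPASS.finditer(src):
        # Report the line of the proceed() call rather than the method signature.
        lineno = src.count("\n", 0, m.end()) + 1
        findings.append(Finding("webview-ssl-bypass", lineno,
                                "handler.proceed() inside onReceivedSslError"))
    return sorted(findings, key=lambda f: f.line)
```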
Challenges of Dynamic Analysis
Some Android apps are built with security in mind, with features such as VM detection, root detection, and certificate pinning. These are good from a security perspective, but they can make a pentester’s life difficult. Mobile Security Framework ships with built-in evasion modules, including Android Blue Pill, RootCloak, and JustTrustMe, to get past these protections during testing. These are Xposed modules: Xposed is an instrumentation framework that lets users hook API calls and override their behaviour, similar to how RASP solutions work with web frameworks.
Fuzzing Web APIs
Fuzzing web APIs for security vulnerabilities is a pain for security analysts, especially when they’re working in a black box environment. Black box testing is well known to be time-consuming and to yield fewer results than white box testing. With MobSF capturing API calls during the dynamic analysis phase, along with the context and type of the data, this process can be automated. In this scenario, the fuzzer knows the format of the expected data and can fuzz those entry points efficiently to detect vulnerabilities.
MobSF’s API Fuzzer can detect a variety of vulnerabilities, such as SSRF and XXE, which are not covered by most traditional web scanners. The fuzzer is designed with the mobile app ecosystem in mind. It takes into account the login, logout, PIN, and register APIs common to mobile apps, so that it can effectively identify cross-talk (insecure direct object references, IDOR), missing API rate limiting, and session-related vulnerabilities.
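The cross-talk (IDOR) check described above, as an added example that is not MobSF’s code: captured requests from two test accounts are replayed under each other’s session against a vulnerable and a fixed stand-in backend. The capture format, tokens, paths and backend functions are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Capture:
    token: str    # session credential seen in the request
    method: str
    path: str     # the numeric trailing segment is the object id
    status: int
    body: dict

# Constructed capture log, modelled on what a dynamic-analysis proxy records when
# two test accounts each read their own note. Tokens and ids are made up.
CAPTURES = [
    Capture("tok-alice", "GET", "/api/notes/101", 200, {"id": 101, "owner": "alice", "text": "a"}),
    Capture("tok-bob", "GET", "/api/notes/202", 200, {"id": 202, "owner": "bob", "text": "b"}),
]

# Hypothetical in-process stand-ins for the web service so the check runs offline.
NOTES = {c.body["id"]: c.body for c in CAPTURES}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

def vulnerable_backend(token, path):
    """Authenticates the session but never checks who owns the note (the IDOR defect)."""
    note = NOTES.get(int(path.rsplit("/", 1)[1]))
    return (200, note) if token in SESSIONS and note else (404, None)

def fixed_backend(token, path):
    """Same lookup, plus the missing ownership check."""
    status, note = vulnerable_backend(token, path)
    if status == 200 and note["owner"] != SESSIONS[token]:
        return 403, None
    return status, note

def detect_cross_talk(backend, captures):
    """Replay each captured object request under every other captured session.
    If another user's session receives the original owner's object, the endpoint
    leaks across accounts. Knowing which header carries the session and which
    path segment is an object id is the 'context' the post refers to; here it
    comes directly from the capture records."""
    findings = []
    tokens = {c.token for c in captures}
    for c in captures:
        for other in sorted(tokens - {c.token}):
            status, body = backend(other, c.path)
            if status == 200 and body == c.body:
                findings.append((other, c.method, c.path))
    return findings
```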
The framework will soon see the addition of SQLMap and Commix for SQLi and RCE detection. Tools like SQLMap and Commix are the benchmark of their category, but they’re limited in that they need someone to tell them what to fuzz and where to fuzz, since they lack crawling capabilities. When we combine the context-aware API Fuzzer of MobSF with these tools, the results are expected to be promising.
Meanwhile, active open source volunteers are contributing to the MobSF project, with new developments in Windows phone app static analysis, web API fuzzer improvements, and iOS app dynamic analysis with jailbroken devices all in progress now. To learn more about MobSF, check out my full presentation and slides from AppSec Europe 16.
To Protect the App, Protect the Web Service
When it comes to mobile app security, it’s important to understand the big picture. In most cases a mobile app is backed by a web service, so security protections must extend to that web service. When we use apps like Evernote or Uber, the app is really just talking to a service. The web service infrastructure behind the mobile app is exposed to the same common web application issues, such as SQL injection and remote command execution, so those must be addressed as well. Runtime Application Self-Protection (RASP) solutions protect the APIs in web services.