This series of posts in no way showcases a full penetration test, which does a much deeper dive into an application’s risks and utilizes many more tools and manual techniques.
Continuing from our previous “Gone In 60 Mobile Apps” post – today we will be reviewing 60 different Android mobile applications within the Automotive industry. These applications will be chosen at random and evaluated using Mobile Security Framework (MobSF).
As with the previous post in this series, we will leverage MobSF, an automated mobile application pentesting platform.
Please see the previous post for how to quickly set up MobSF with Docker.
This time we will also be doing a toolset comparison. For any of the 60 applications that contain some sort of sensitive information (i.e. passwords, API keys, encryption keys), we will also run Quick Android Review Kit (QARK). QARK, developed by LinkedIn, is “a tool to look for several security related Android application vulnerabilities.” More information can be found here.
Application Testing Results:
Leveraging MobSF, and based on professional experience, I have ranked the overall risk of each mobile application based on the issues identified:
Here is an example issue found through MobSF:
MobSF discovered multiple OAuth tokens hard-coded within the source code.
These results are very helpful, however, how does QARK’s detection compare?
Let’s see if QARK can discover the same instances. Here are our results of the same application from QARK:
The HTML result file contained a lot of false positives, with over 1000 entries of potential issues. However, QARK was unable to discover the multiple hard-coded OAuth tokens that MobSF accurately identified.
There is no silver bullet; one tool isn’t going to give us all of the answers. It is important to use multiple toolsets to ensure full coverage of a mobile application from both a static and a dynamic perspective, and to validate each tool’s output.
Referring to the previous blog post, the following options should be implemented to remediate the common issues found in the source code:
- Remove the hardcoded credentials
- Disable debugging
- Turn on root / jailbreak detections
- Deploy anti-tamper technology
- Implement code obfuscation tools
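The first two items in that list can be checked in the APK's manifest before release. The following is an added example, not code from the original post: it parses a constructed AndroidManifest.xml, flags `android:debuggable="true"` and credential-looking `<meta-data>` values, and shows the weak manifest beside a hardened one. The package name, meta-data name and key value are made up.

```python
"""Check an AndroidManifest.xml for debuggable builds and embedded credentials.

Added example for a build or review pipeline; not taken from the original post.
The manifests below are constructed and every value in them is made up.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """Fully qualified attribute key as ElementTree stores it."""
    return f"{{{ANDROID_NS}}}{name}"


# Weak settings: debugging left on and an API key shipped in the manifest.
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.auto">
  <application android:label="AutoApp" android:debuggable="true">
    <meta-data android:name="com.example.auto.API_KEY"
        android:value="AIzaSyFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEF" />
    <activity android:name=".MainActivity" />
  </application>
</manifest>
"""

# Hardened: debuggable omitted (defaults to false) and the key is no longer
# embedded; the app obtains it from its backend after authenticating.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.auto">
  <application android:label="AutoApp">
    <activity android:name=".MainActivity" />
  </application>
</manifest>
"""

GOOGLE_API_KEY = re.compile(r"AIza[0-9A-Za-z_\-]{35}")
SECRET_NAME = re.compile(r"(?i)(key|token|secret|passw)")


def manifest_issues(xml_text: str) -> list[str]:
    """Return human-readable findings; an empty list means the checks passed."""
    # Bytes keep the XML declaration's encoding attribute unambiguous.
    root = ET.fromstring(xml_text.encode("utf-8"))
    app = root.find("application")
    if app is None:
        return ["manifest has no <application> element"]

    issues = []
    if app.get(android_attr("debuggable"), "false").lower() == "true":
        issues.append('android:debuggable="true": release builds must not be debuggable')

    for md in app.iter("meta-data"):
        name = md.get(android_attr("name"), "<unnamed>")
        value = md.get(android_attr("value"), "")
        # Resource references ("@string/...") are resolved elsewhere; literals are the concern.
        is_literal = value and not value.startswith("@")
        if GOOGLE_API_KEY.search(value) or (is_literal and SECRET_NAME.search(name)):
            issues.append(f"meta-data {name} embeds a credential literal; remove it from the APK")
    return issues


def is_release_ready(xml_text: str) -> bool:
    return not manifest_issues(xml_text)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, manifest_issues(text) or "OK")
```

Gradle sets `android:debuggable` per build type, so the manifest check should run on the merged manifest of the release variant, not on the source file. Root detection, anti-tamper and obfuscation are runtime and build-time controls and cannot be verified from the manifest alone.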