
Application of OWASP Mobile TOP 10 Methodology for Testing Android Applications


By Prempal Singh 0 Comment August 17, 2018

According to a survey on the OWASP Mobile TOP 10 vulnerabilities, of the top 30 applications with more than 500,000 installations, 94% contain at least three medium-risk vulnerabilities and 77% contain at least two high-risk vulnerabilities. Out of the 30 applications, 17% were vulnerable to MITM (Man-in-the-Middle) attacks, exposing all transmitted data to interception by an intruder.

OWASP Mobile TOP 10

In addition, 44% of applications contain sensitive data with strict encryption requirements, including passwords or API keys, and 66% use functionality that can compromise the privacy of users.

That’s why mobile devices are the subject of many discussions on security issues. Taking all this into account, we decided to consider the OWASP Mobile TOP 10 methodology in order to demonstrate the process of analyzing mobile applications for vulnerabilities.

OWASP Mobile TOP 10 is one of the main methodologies for testing applications for vulnerabilities. Table 1 describes the 10 vulnerability categories that are used to characterize the security level of an application.

Table 1: OWASP Mobile TOP 10 vulnerabilities and their description

| No. | Vulnerability | Description |
|---|---|---|
| M1 | Bypassing architectural constraints (Improper Platform Usage) | Abuse of platform features, circumvention of platform restrictions, or failure to use the platform's security controls. It is typical for Android, for iOS (bypassing the limitations of Touch ID and the Keychain) and for other mobile operating systems, and it affects the security controls that are part of the mobile OS. |
| M2 | Insecure Data Storage | Combines M2 and M4 of the Mobile Top Ten 2014: insecure storage and unintended data leakage. |
| M3 | Insecure Communication | Insufficient verification of the identity of the communicating peer, outdated SSL versions, weak handshake checks, transfer of confidential data in cleartext, etc. |
| M4 | Insecure Authentication | Applies to end-user authentication and session management, and includes: no requirement to verify the user's identity; missing session control checks; weaknesses in session management. |
| M5 | Weak cryptography (Insufficient Cryptography) | The application applies cryptographic algorithms to sensitive information, but the cryptography may be insufficient in particular cases. This category covers inappropriate use of cryptographic primitives and weak or insufficient cryptographic strength. Everything related to TLS or SSL belongs to M3; if the application does not use cryptography where it is needed, that is classified as M2. |
| M6 | Insecure Authorization | Lack of authorization checks (client-side validation, etc.). Authorization failures differ from authentication problems (for example, device registration or user identification). If the application does not authenticate users where it should (for example, granting anonymous access to some resource or service where authenticated access is required), that is an authentication failure, not an authorization failure. |
| M7 | Monitoring the content of client applications (Client Code Quality) | Covers control of input data and code-level implementation problems in the client-side application, as distinct from problems in server-side code: buffer overflows, format string vulnerabilities and other errors at the code level, where the fix is to rewrite the code that runs on the mobile device. |
| M8 | Data modification (Code Tampering) | Modification of executable files and local resources, interception of calls to third-party processes, substitution of runtime methods and dynamic modification of memory. After installation the application's code resides in the device's memory, so a malicious application can modify that code, the contents of memory, system API methods, and the application's data and resources. This can let an attacker manipulate third-party applications to perform illegitimate actions, steal data or extract other financial benefits. |
| M9 | Source code analysis (Reverse Engineering) | Analysis of binary files to recover the source code, libraries, algorithms, etc. Software such as IDA Pro, Hopper, otool and other reverse engineering tools can give an idea of the internal operation of the application. This can be used to find vulnerabilities in the application and to extract critical information such as back-end server details, encryption keys or intellectual property. |
| M10 | The hidden functionality (Extraneous Functionality) | Developers often leave hidden functionality in the application code: backdoors or other mechanisms not intended for general use. This is the classic case of security through obscurity. For example, a developer may accidentally leave a password in a comment in a hybrid application, or leave two-factor authentication disabled after testing. |
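As an added example that is not part of the original article, the following Python script automates what a tester otherwise does by eye in JD-GUI after dex2jar: it scans decompiled Java source for the M5 (weak cryptography) and M10 (leftover functionality) indicators described in Table 1. The sample source, its secrets and the rule set are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample of decompiled Java (the kind of output JD-GUI shows after
# dex2jar); every secret and value here is made up for illustration.
SAMPLE_JAVA = """
package com.example.app;
// TODO remove before release: admin password is "s3cr3t-2018"
public class Net {
    static final String API_KEY = "AKIA-EXAMPLE-NOT-REAL";
    static boolean SKIP_2FA = true; // set during QA, never reverted
    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
    MessageDigest md = MessageDigest.getInstance("MD5");
    byte[] iv = new byte[16]; // all-zero IV reused for every message
}
"""

# (category, regex, reason): M5 = insufficient cryptography, M10 = extraneous
# functionality, as defined in Table 1. Hypothetical patterns, not a full rule set.
CHECKS = [
    ("M5", r'Cipher\.getInstance\("[^"]*ECB[^"]*"\)', "ECB mode leaks plaintext structure"),
    ("M5", r'Cipher\.getInstance\("(DES|RC4|Blowfish)[^"]*"\)', "legacy or weak cipher"),
    ("M5", r'MessageDigest\.getInstance\("(MD5|SHA-?1)"\)', "weak hash for a security purpose"),
    ("M5", r'new byte\[\d+\]\s*;.*(?i:iv)', "static or zero IV"),
    ("M10", r'(?i)(password|passwd|pwd)\s*(is|=|:)\s*"[^"]+"', "hard-coded password"),
    ("M10", r'(?i)\b\w*(API_KEY|SECRET|TOKEN)\b\s*=\s*"[^"]+"', "hard-coded API key or secret"),
    ("M10", r'(?i)(skip|disable|bypass)[_a-z]*(2fa|otp|auth|ssl)', "test-only bypass left in code"),
]

def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, OWASP Mobile category, reason) for every matching line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, pattern, reason in CHECKS:
            if re.search(pattern, line):
                findings.append((lineno, category, reason))
    return findings

if __name__ == "__main__":
    for lineno, category, reason in scan_source(SAMPLE_JAVA):
        print(f"line {lineno}: {category}: {reason}")
```

Each hit still needs manual confirmation in the decompiled code, since a regex cannot tell a test fixture from production logic.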

Following the OWASP Mobile TOP 10 methodology, we did not use online or file-sharing services, but only a set of locally installed programs, described in Table 2.

Table 2: Used programs

| No. | Name | Description |
|---|---|---|
| 1 | Apktool | Unpacks (decodes) APK files. Used to localize software, analyze the structure of an application, etc. |
| 2 | adb | Installed with the Android SDK; lets you manage devices running Android. Works on a client-server model; the server uses port 5037. |
| 3 | dex2jar | Converts a modified APK file to a jar file. |
| 4 | Drozer | A framework containing tools for finding vulnerabilities in mobile devices and applications. Runs as an application and interacts with the Dalvik virtual machine, other applications and the operating system. |
| 5 | VCG scanner | Static analysis tool for source code; supports C/C++, Java, C#, VB and PL/SQL. |
| 6 | JD-GUI | Used together with dex2jar; opens the jar file and displays the decompiled source code. |
| 7 | Genymotion | Software for creating test virtual machines running Android. |
| 8 | Pidcat | Displays the logs of the application and of the operating system. |
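An added example, not part of the original article: a check over the AndroidManifest.xml that Apktool decodes, flagging the M1, M2 and M3 conditions (debuggable build, backup enabled, cleartext traffic, exported components without a permission) that a tester would otherwise verify by hand with adb and Drozer. The manifest, package and component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def a(attr: str) -> str:
    """Qualify an attribute with the android: namespace, as ElementTree expects."""
    return "{%s}%s" % (ANDROID_NS, attr)

# Constructed sample of a decoded AndroidManifest.xml; package and component
# names are made up for illustration.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <application android:debuggable="true" android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <provider android:name=".CardProvider" android:authorities="com.example.bank.cards" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.bank.SYNC"/>
  </application>
</manifest>"""

def audit_manifest(xml_text: str) -> List[Tuple[str, str]]:
    """Return (OWASP Mobile category, finding) pairs for the manifest."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if app.get(a("debuggable")) == "true":
        findings.append(("M1", "android:debuggable=true: a debugger can be attached to the release build"))
    if app.get(a("allowBackup"), "true") == "true":   # the attribute defaults to true when omitted
        findings.append(("M2", "allowBackup not disabled: app data can be copied off the device"))
    if app.get(a("usesCleartextTraffic")) == "true":
        findings.append(("M3", "cleartext HTTP permitted: traffic is exposed to on-path interception"))
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported_attr = comp.get(a("exported"))
        # Before Android 12 a component with an intent-filter is exported by default.
        exported = exported_attr == "true" or (exported_attr is None and comp.find("intent-filter") is not None)
        protected = comp.get(a("permission")) is not None
        is_launcher = any(act.get(a("name")) == "android.intent.action.MAIN" for act in comp.iter("action"))
        if exported and not protected and not is_launcher:
            findings.append(("M1", "%s %s is exported without a permission" % (comp.tag, comp.get(a("name")))))
    return findings

if __name__ == "__main__":
    for category, finding in audit_manifest(SAMPLE_MANIFEST):
        print(category, finding)
```

Run it against the AndroidManifest.xml in the directory Apktool produces; each exported component it lists is a candidate for closer inspection with Drozer.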
