Strengthen your Android or iOS Application Security using MobSF - Learn by example (2021)

Habdul Hazeez - Dec 3 '21 - - Dev Community

A secure application is an application that operates seamlessly with a good user experience and also protects your user's information, this alone makes security non-negotiable when you are writing code, irrespective of the platform. You have to put security at the forefront of every design and code that you make.

This will go a long way to ensure the app is strong and secure because you'll plunge yourself into a situation whereby you assume that your users are bad, and they are out to compromise your application security in any way possible. Therefore, every coding decision will be geared towards plugging every hole that you can think of, but still, there is a limit to where this can get you.

Here comes Mobile Security Framework (MobSF), a security framework that allows you to put your application to the test and gain considerable insight into the internal workings of your application, including its vulnerabilities. With the knowledge gained from MobSF, you can plug these vulnerabilities.

What is MobSF, and Why Should You Use It?

MobSF is a tool designed to perform automated penetration testing, malware analysis, and security assessment of your mobile applications irrespective of the application's operating system environment, whether it's Microsoft Windows, iOS, or Google Android. Moreover, MobSF is baked with the capability to perform dynamic analysis and static analysis.

Thanks to its thorough analysis and detailed report of an application, MobSF can reveal vulnerabilities in your application. Therefore, you can fix these vulnerabilities before the application is released, but if the application is already out there, you can offer the fix as an update.

Asides from its attractive User Interface, here are the key pointers that helped me to pick MobSF over its counterparts:

  • Source Code Decompilation: Decompilation is the process of transforming a low-level language into a high-level language.

  • Manifest File Analysis: includes the process of analyzing the application manifest file which will reveal a general overview of the application like its Config information, components, and permissions.

  • Malware Detection: An innocent-looking app can perform all its required functions, but scanning the application might reveal malware operating behind the scenes

  • Detection Of Sensitive Information: Putting an application through MobSF can reveal sensitive information within the application, notably, hard-coded encryption and decryption keys.

  • Application Component Detection: Analysis can reveal the components of an application; therefore, you can know which particular component is using any particular system resource.

  • Permission Analysis: A supposed camera application requesting access to the phone contacts and SMS is an obvious red flag.

Vulnerabilities Plaguing Your Mobile Application

Vulnerabilities are software design decisions that can potentially lead to a defect in your application, which, in turn, can compromise the security of your application and its users. A quick Google search will reveal an array of mobile application vulnerabilities, but the list below details some well-known and popular ones:

Installing MobSF

As stated in MobSF official documentation, before you can install MobSF, you need some requirements installed on your system. These requirements are listed below.

After the installation of these tools, I'll suggest you install Git Bash because it provides color highlighting on the command line compared to Windows native Command Prompt. With that out of the way, you can install MobSF.

Open your terminal/command prompt (you can also use Git Bash that I recommended earlier), navigate to your desired folder, enter the command in the next code block to install MobSF.

Please note, initially, it'll require about 1.5 GB of disk space

# This will download MobSF into a folder
# called Mobile-Security-Framework-MobSF
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
Enter fullscreen mode Exit fullscreen mode

Depending on your internet connection, the download might take a while to complete. Once the download completes, switch to the MobSF download folder, and you are good to set up MobSF using the next command. Please, ensure you are still connected to the internet because the setup will download additional packages.

# If you are on Linux, replace setup.bat
# with setup.sh
./setup.bat
Enter fullscreen mode Exit fullscreen mode

This setup process will take a while to complete, and you'll notice some output on your terminal similar to the image below:

MobSF setup out

Set up process

If everything goes alright and the setup completes, the last piece of output on your command line should be similar to the image below:

MobSF setup completion

MobSF GUI

If that's the case, all is good.

Running MobSF on Your Local System

Clear your terminal, and run MobSF by executing the following command:

# If you are on Linux, replace run.bat
# with run.sh
./run.bat 127.0.0.1:8000
Enter fullscreen mode Exit fullscreen mode

This will display “MobSF is now running”. Switch to your desired browser, and navigate to http://localhost:8000. You'll land on MobSF User Interface.

MobSF User Interface on Firefox

When you observe your terminal, you'll observe some details about what has been going on since you launched MobSF in your Web browser.

MobSF running on Git Bash Terminal on Windows 10

With this interface, you can upload the application file that you want to analyze, and you can leave MobSF to perform the analysis. Also, depending on the file size, it might take a while for this process to complete. When MobSF is through with the analysis, it redirects the browser to a page containing detailed results about the application.

MobSF Scan result

Navigating Through MobSF

MobSF Scan Options

On the sidebar of the interface, click on Scan Options, under Decompiled Code. Then, tap on View Source to view the application's source code.

MobSF View Decompiled Source

Manifest Analysis

Click on Security Analysis, and select Manifest Analysis. Here you'll find information about some issues with the application, its severity, and a detailed description.

Manifest Analysis in MobSF scan results

Malware Analysis

You'll find the Malware Analysis option just below Security Analysis. At the time of writing, I can see these options. Choose the desired option with data beforehand:

  • APKiD Analysis
  • Quark Analysis
  • Server Locations
  • Domain Server Check

The image below shows the APKiD Analysis for the tested application:

Malware Analysis in MobSF scan results

Hardcoded Secrets

These are potential confidential information found in the application. You can view such information by clicking on Reconnaissance then Hardcoded Secrets on the sidebar.

Hardcoded Secrets in MobSF scan results

Components

You can view the application's components by clicking on Components. Underneath, are details of the application's Services, Receivers, Providers, Libraries, and Files. Below are some files associated with the tested application:

File component results in MobSF scan results

Permissions

Is the application using the internet? Does it have access to external storage? You'll find the answers to these questions under Permissions.

Permission Result in MobSF

Other Notable Analysis Report

We've touched some analysis reports mentioned previously, but, keep an eye on two particular sections in the report, namely:

  • Code Analysis
  • Binary Analysis

Code Analysis

This section will detail some actions performed by some specific code snippets of the application, including their severity and CVSS score. For example, the tested application shows that the application is logging sensitive information. Such information should not be logged.

Code Analysis in MobSf

Binary Analysis

The result in this section can be scary because it details some information that you as a developer should look into when compiling your code.

Binary Analysis Result in MobSF scan result

Test Application Vulnerability Report

The manifest analysis of the tested application revealed some alarming results, most notably, the app is set up to use "Clear text traffic" using protocols like HTTP.

Manifest Analysis in MobSF

This means there is a lack of confidentiality, authenticity, and tampering of the application transmitted data. Other results also show that some Services and Activities are not protected. Therefore, they are accessible by other apps on the device.

Service and Activity analysis in MobSF

A quick look at the code analysis section revealed that some components of the application are using insecure SHA-1 and MD5 hashing algorithms. Both algorithms are known to be vulnerable to hash collision.

Code Analysis in MobSF Scan Results

Further inspection of the report reveals that the app uses an Insecure Random Number Generator (RNG).

Insecure RNG result in MobSF scan results

Insecure RNG is known to produce predictable values, and should not be used in a security context.

Among other things, there is also an IP Address disclosure.

IP Address Disclosure Result in MobSF

This may leak the IP addressing scheme of a company's/organizational network. Finally, the app executes raw SQL, making it vulnerable to SQL injections from untrusted user inputs.

Possible SQL injection vulnerability in MobSF Scan Result

Plugging Security Holes In Your Application

The vulnerabilities discussed in the tested application can also find their way into your application. When that happens, you are better off prepared, therefore, we'll discuss them and their possible fix. As a recap, the vulnerabilities are:

  • Insecure Communication
  • Insecure Hash functions
  • IP Address Disclosure
  • SQL Injection
  • Insecure Random Number Generator

Insecure Communication

This happens when your application or some of its components use cleartext HTTP to perform operations, this can lead to interception of sensitive data. Use SSL/TLS for data transmission to overcome the vulnerability.

Insecure Hash Functions

The SHAttered attack is a collision attack on the Secure Hash Function (SHA) which demonstrates that a "good" file and a bad file can generate the same hash. In addition, MD5 is also vulnerable to a collision attack. The fix: Use SHA-256.

IP Address Disclosure

This can expose the internal IP address used by an organization's infrastructure.

The fix: The addresses should be rewritten with innocuous identifiers.

SQL Injection

This happens when malicious SQL is executed on a database. Usually, it occurs as a result of unsanitized user inputs. The fix: Sanitise all user inputs.

Insecure Random Number Generator

When a generator is meant to be random, it should not generate predictable values, if it does, it's considered not secure from a security perspective. The fix: Use cryptographically secure Pseudo-Random Number Generator.

Conclusion

Security is not a one-way street, and it takes dedication and awareness to know the vulnerabilities that might slip into your application without your knowledge. You can deploy MobSF on your system for potential insights into the security of your application. And if the need arises, fix the identified issues or just go back to the drawing board and plan the fix for future updates.

References

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .