Ways of testing vulnerabilities in mobile applications

Authors

DOI:

https://doi.org/10.18372/2073-4751.72.17455

Keywords:

mobile application, vulnerability testing, OWASP MSTG, OWASP MASVS, static vulnerability testing, dynamic vulnerability testing

Abstract

The applicability of vulnerability testing methods for mobile software applications has been analyzed, and their orientation towards meeting the guidelines of the open-source web application security project OWASP has been demonstrated. This has led to the identification of static and dynamic vulnerability testing methods. However, the practical application of these methods is limited by the ambiguous classification of scenarios as either static or dynamic testing, such as exported components, MSTG-STORAGE-6, non-standard certificates, SSL certificate pinning, and MSTG-NETWORK-4. This highlights the relevance of analyzing the applicability of vulnerability testing methods for mobile software applications. Existing research has confirmed the generalized orientation towards meeting OWASP guidelines and ensured the completeness of testing scenarios, resulting in recommendations for reducing the leakage of confidential information. Attention has been focused on preventing attacks on critical software applications, and efforts have been made to extend the capabilities of vulnerability testing tools using appropriate frameworks. The limitations of static and dynamic testing methods have been demonstrated through examples of the use of the corresponding tools Drozer, MobSF, Xposed, and Frida. Additionally, the bypassing of security mechanisms for intercepting and decrypting HTTP traffic, including SSL pinning, has been tested. We have identified the complexity of determining and establishing dependencies between vulnerability testing scenarios for mobile software applications as the primary challenge in applying them separately. Furthermore, it has been established that using only dynamic testing is incorrect, because a comprehensive set of actions is necessary, including static scanning of the mobile software application and manual analysis of the source code by an expert. Additionally, the use of additional frameworks and the development of separate vulnerability testing modules have been explored.


Published

2022-12-15

Section

Articles