SlideShare a Scribd company logo

IRJET- Secure Android Application Development and Security Assessment

IRJET Journal
IRJET Journal

This document discusses secure Android application development and security assessment. It provides a step-by-step procedure for assessing the security of an Android application, including static and dynamic analysis. Static analysis involves tools like apktool to decompile the APK, while dynamic analysis uses tools like Drozer and BurpSuite. Common vulnerabilities found during assessment are then discussed, such as improper permission settings, debuggable flags enabled, unrestricted component exposure, CORS misconfigurations, verbose server banners, insecure cookie settings, and lack of root detection. Solutions to address each vulnerability are also provided. The goal is to help developers improve security during the application development process.

Engineering
1 of 5
Download to read offline
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 05 | May 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.211 | ISO 9001:2008 Certified Journal | Page 323 Secure Android Application Development and Security Assessment Vandana.H.K1, Dr. H.D. Phaneendra2 1Student, MTech- Information Technology, The National Institute of Engineering, Mysuru-09 2Professor & Head, Dept. of CS&E, The National Institute of Engineering, Mysuru-09 ---------------------------------------------------------------------***---------------------------------------------------------------------- Abstract - Nowadays mobile has taken a main part in everyday life of an individual, all important information are stored in mobile database and accessible by mobile applications. Even online transactions are through mobile applications; hence, mobilesecurityrequiresthemainpriority. Android applications undergo static and dynamic analysis during security testing. These analysis requires tools like apktool, adb, BurpSuite, Drozer, dex2jar, JDGui and jadX. This paper consists of step-wise procedure for an android application security assessment through whichvulnerabilities can be found and solutions to overcome vulnerabilities. Key Words: BurpSuite, apktool, Drozer, CORS, Verbose Server Banner, Root Detection, AndroidManifest.xml. 1. INTRODUCTION Mobile plays an important part in recent yearsand replaced personal computer to more extent. Applications are builtfor every need including e-commerce, online transactions, health care, etc. These applications consists of sensitivedata of an individual and needs to be secured. Only securing android device is not enough one should also look into that each application is secured or not. Android application undergo static and dynamic analysis during security assessment. Generally, static analysis of an android application consists of source code review, side channel leakage, reverse engineering etc. Dynamic analysis consists of review of interception of api betweenapplication and server. Static analysis requires apktool, dex2jar, jadx, JDGUI tools. Dynamic analysis requires adb, Drozer, BurpSuite tools. 2. METHODS 2.1 Method-I Once an android application is givenforsecurityassessment, it will be in .apk form. Apktool is the tool utilized for reverse engineering of an android application where we can decompile full source code into .smali form. Even modifying and recompiling .apk is easy using this tool. Download the apktool for free from google as it is an open source. Once installed, using following command in terminal you can reverse engineer the .apk file. Fig -1: Result of >apktool; command Fig-2: Result of >java –jar apktool.jar d –s application_name.apk; command 2.1.1 Problem A Consider an example for Dangerous permissions used vulnerability, as “write_external_storage” permission set as shown in figure 3. This permission allows the application to store the application data onto the external storage like memory card, which is accessible to all other applications. Anything stored in the external storage is accessible to all the application irrespective the device is rooted or not. Confidentiality of the sensitive data is compromised, as the data is openly accessible. Fig -3: AndroidManifest.xml where write_external_storage permission is set. Solution A It is recommended to remove this permissionandallowonly those permissions, which are needed or required for the
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 05 | May 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.211 | ISO 9001:2008 Certified Journal | Page 324 application to work properly. [6] Provide knowledge about all uses-permission in android. 2.1.2 Problem B Consider debuggable flag enabled vulnerability as shown in fig- 4,the debug tag in AndroidManifest.xml defineswhether the application can be debugged or not.Iftheapplication can be debugged then it can provide plenty of information to an attacker since the local storage of the application is accessible to attacker and it will also make easy in gaining intercepted API between application and server. Attacker needs to have physical access to rooted devices or there should be a malware app running in background, which can read through unencrypted sensitive data saved within sandbox of the app. Proxy can be adjusted and interception can be done using Burp Suite, this will explained in next method. Fig -4: AndroidManifest.xml where debuggable and allowBackup flags are set to true Consider allowBackup flagenabledvulnerabilityasshownin figure 4, this flag allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of thedevice. Android backups rely on the Android Debug Bridge (ADB) command to perform backup and restore. ADB, however, has been a soft target for attacker and is still not trusted by respected developers. The idea that someone can inject maliciouscode into your backup data is unsettling. Attackers can read its internal sensitive data like password, tokens etc.and modify these sensitive data or configurations. Even though the flag is set to false or flag is only removed, attacker can modify them and recompile .apk file ,as shown in following steps Step 1: Open AndroidManifest.xml file in text editorandadd android:debuggable=”true” inside <application> tag as shown in fig- 4. Step 2: Recompile the above modified files using following command. >java –jar apktool b modified_folder –o modified_app_name.apk Step 3: The new .apk formed should be signed by apk signer application before installing into mobile. Solution B It is recommended that Android applications that are not in the production state are expected to have this attribute set to true to assist the testers and developers however before the actual release of the application this tag should be set to false. It is also recommended to Set android:allowBackup=false in Androidmanifes.xml or even better is to remove that tag. Fig -5: AndroidManifest.xml where debuggable and allowBackup flags are set to false 2.1.3 Problem C Consider Improper export of android application components vulnerability as shown in figure 5, The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. Intents can be used to launch an activity, to send it to any interested broadcast receiver components, and to communicate with a background service. Intents messages should be reviewed to ensure that they does not contain any sensitive information that could be intercepted. If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting withthe maliciousapplication.Ifaccessto an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application. Fig -6: Drozer utility used to list activities exported in the target application. MWR Labs developed a framework called Drozer, which is one of the best Android security assessment tools available for security assessments. To perform a security assessment using Drozer, the users will run the commands on console of their workstation and it is sent to an agent who execute the task.
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 05 | May 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.211 | ISO 9001:2008 Certified Journal | Page 325 com.isi.testapp.MainActivity is the home screen which in order to be launched, it should be exported. Here, com.isi.testapp.Welcome is the name of the activity which is triggered after the login screen. Using Drozer, launch that activity. Fig -7: Drozer utility used to exploit vulnerabilities This command provides an appropriate intent in the background in order to launch the activity, which is to bypass authentication during logging in to an application. Solution C It is recommended to make android:exported=false for unwanted functionalities in AndroidManifest.xml. Fig -8: AndroidManifest.xml where exported flag set to false 2.2 Method-II After all static analysis, let’s see how BurpSuite will be used for security assessment. Download the BurpSuite- Community Edition for free from google as it is an open source. Set every settings required to intercept the traffic, exchanged between application and server. Proxysettings is similar to what we set during web application pentesting , but the change is instead of localhost we choose all interface option. In mobile device, we have to set proxy according to machine IP address, which has burpsuite running on it. Here we discuss some basic vulnerabilities, which are found during this assessment. 2.2.1 Problem D Consider,CrossOriginResourceSharing(CORS)vulnerability where CORS defines whether resources on other domains can interact with this server. An attackercanplacemalicious JavaScript on his domain that can exploit the unrestrictive CORS policy to access sensitive data on this server or perform sensitive operations without the user’s knowledge. Additionally, an attacker could exploit security vulnerabilities on other domains to compromise serviceson this server. The CORS policy relaxes the Same Origin Policy, an important security control that isolates potentially malicious resources to its respective domain name. If a script attempts to violate the Same Origin Policy by interacting with another domain, modern browsers will check a server’s CORS policybyissuinga “pre-flightrequest”. The browser allows the interaction only if the server responds with an Access-Control-Allow-Origin header that lists the script’s domain or a wildcard match (*). A wildcard match allows interaction from any other domain, which allows any malicious content to retrieve content from this server or perform user actions. An unrestricted CORS policy allows an attacker to access sensitive data or perform unauthorizeduseractionswithout user knowledge. Malicious JavaScript can perform these actions even if the server uses Cross Site Request Forgery tokens. Hence, an attackercanaccesssensitivedata ofvictim. This vulnerability comes under category M3-Insecure Communication. Fig -9: Access-Control-Allow-Origin header in response reflecting injected Origin in request Solution D The Access-Control-Allow-Originheadershouldnot besetto a wildcard match. In most cases, this header can be safely removed. However, if the applicationrequiresa relaxationof the Same Origin Policy, the Access-Control-Allow-Origin header should whitelist onlydomainsthataretrustedbythis server. Fig -10: Whitelisting trusted domains for server Fig -11: Access-Control-Allow-Origin header in response reflecting only trusted domains. 2.2.2 Problem E Consider, Verbose Server Banner vulnerability where the server information is sent in the HTTP responses from the server. The information is commonly included in the server response headers and can disclose information like server name, type, and version number.Byknowingversion,typeof webserver, how each type of web serverrespondstospecific commands and keeping this information in a web server fingerprint database, an attacker can send these commands
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 05 | May 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.211 | ISO 9001:2008 Certified Journal | Page 326 to the web server, analyze the response, and compare it to the database of known signatures. By knowing the information about the server, an attacker can plan attacksin future, with the information obtained. There may be publically knownexploitsandvulnerabilitiesassociatedwith the server hosted, whose information gets disclosed in the banner. Verbose server banners provide additional information that allows an attacker to perform targeted attacks to the specific technology stack in use by the application and underlying infrastructure.Thisvulnerability comes under category W6 – Security Misconfiguration. Fig -12: Server banner disclosure (not secured) Fig -13: Server Apache has above configurations in it’s httpd.conf file Fig -14: PHP has above configurations in its php.ini file Solution E Verbose server information should be removed from all HTTP responses. This can be performed by modifying the server's configuration files.Itisrecommendedtousegeneric error message response from server,sothatserverbanneris not disclosed in the error message responsefromtheserver. Fig -15: Changing configurations of Server Apache in its httpd.conf file Fig -16: Changing configurations of PHP in its php.ini file Fig -17: Server banner after changing configurations of servers. 2.2.3 Problem F Consider, Improper Cookie Configuration vulnerability where the session cookie is set without including the HttpOnly and Secure flags. The HttpOnly flag helps mitigate (but doesn't completely prevent) the risk of client side scripting accessing the cookie value (assuming the browser supports the flag setting). This helps prevent cross-site scripting from accessing the cookie fromtheDOM,leadingto potential session hijacking. The secure flag ensures that the cookie is not transmitted in an http request, forcing the cookie to be transmitted only when using HTTPS. Thishelps prevent disclosure of the session cookie if a request is submitted using HTTP insteadofHTTPS.Cookievaluewill be transmitted unencrypted over http which leadsmaliciousor unintentional disclosureofthesessioncookievalue.Attacker can use this vulnerability to perform cross site scripting and session hijacking.
International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 05 | May 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.211 | ISO 9001:2008 Certified Journal | Page 327 Fig -18: Cookie with no httponly or secure flags Solution F The secure flag and Http only flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. Fig -19: Updating setcookie with httponly or secure flags in code Fig -20: Cookie with httponly or secure flags. 2.2.4 Problem G Consider, lack of root detection vulnerability where the application will not detect rooted android device. Android implements containerization so thateachappisrestricted to its own sandbox. A regular app cannot accessfilesoutsideits dedicated data directories, and access to system APIs is restricted via app privileges. As a result, an app’s sensitive data as well as the integrity of the OS is guaranteed under normal conditions. However, when an adversary gains root access to the mobile operating system, the default protections can be bypassed completely. Attacker should have physical access on the device, however rooted device remotely accessible in case user root SSH not protected. Applications on a rooted device run as root outside of the android sandbox. This can allow applications to access sensitive data contained in other apps or install malicious software negating sandboxing functionality. The risk of malicious code running as root is higher on rooted devices, as many of the default integrity checks are disabled. Solution G Developers of apps that handle highly sensitive data should therefore consider implementing checks that either prevent the app from running under these conditions, or at least warn the user about the increased risks. 3. CONCLUSIONS This paper provides basic vulnerabilities found during security assessment and solutions for developers to overcome them. The main aim of this paper is to provide basic improvements that can be done during an android application development so that during security assessments, tester can concentrateonmajorvulnerabilities rather than spending time on testing these basic vulnerabilities. ACKNOWLEDGEMENT I would like to thank Dr. H.D. Phaneendra, Professor &Head, Dept. of CS&E at NIE, Mysore for his guidance and support in doing case study of the above paper. REFERENCES Karthick S, Dr. Sumitra Binu- “Android Security Issues and Solutions”- International Conference on Innovative Mechanisms for Industry Applications (ICIMIA 2017). [1] Igor Khokhlov, Leon Reznik -“Android System Security Evaluation”- 2018 15th IEEE Annual Consumer Communications & Networking Conference (CCNC). [2] Sebastian Lekies, Martin Johns and Walter Tighzert – “The State of the Cross-domain Nation”- 2011 IEEE Security. [3] https://www.medianova.com/en-blog/2019/02/20/a- technical-introduction-to-cors-cross-origin-resource- sharing. [Online] [4] https://technumero.com/disable-server-signature-by- editing-htaccess-apache/. [Online]. [5] Cheng-Liang Kuo , Chung-Huang Yang-“Security Design for Configuration Management of Android Devices”- 2015 IEEE 39th Annual Computer Software and Applications Conference.

Recommended

IRJET- Android Malware Detection using Deep Learning
IRJET- Android Malware Detection using Deep LearningIRJET- Android Malware Detection using Deep Learning
IRJET- Android Malware Detection using Deep Learning
IRJET Journal
 
DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...
DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...
DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...
csandit
 
Androinspector a system for
Androinspector a system forAndroinspector a system for
Androinspector a system for
IJNSA Journal
 
SECTZG629T_FR_2012HZ78512
SECTZG629T_FR_2012HZ78512SECTZG629T_FR_2012HZ78512
SECTZG629T_FR_2012HZ78512Najeem M Illyas
 
Malware Bytes – Advanced Fault Analysis
Malware Bytes – Advanced Fault AnalysisMalware Bytes – Advanced Fault Analysis
Malware Bytes – Advanced Fault Analysis
IRJET Journal
 
IRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing SuiteIRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing Suite
IRJET Journal
 
IRJET- Usage-Based Automotive Insurance System
IRJET- Usage-Based Automotive Insurance SystemIRJET- Usage-Based Automotive Insurance System
IRJET- Usage-Based Automotive Insurance System
IRJET Journal
 
A Framework for Providing Selective Permissions to Android Applications
A Framework for Providing Selective Permissions to Android ApplicationsA Framework for Providing Selective Permissions to Android Applications
A Framework for Providing Selective Permissions to Android Applications
IOSR Journals
 

Recommended

IRJET- Android Malware Detection using Deep Learning
IRJET- Android Malware Detection using Deep LearningIRJET- Android Malware Detection using Deep Learning
IRJET- Android Malware Detection using Deep Learning
IRJET Journal
 
DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...
DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...
DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...
csandit
 
Androinspector a system for
Androinspector a system forAndroinspector a system for
Androinspector a system for
IJNSA Journal
 
SECTZG629T_FR_2012HZ78512
SECTZG629T_FR_2012HZ78512SECTZG629T_FR_2012HZ78512
SECTZG629T_FR_2012HZ78512Najeem M Illyas
 
Malware Bytes – Advanced Fault Analysis
Malware Bytes – Advanced Fault AnalysisMalware Bytes – Advanced Fault Analysis
Malware Bytes – Advanced Fault Analysis
IRJET Journal
 
IRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing SuiteIRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing Suite
IRJET Journal
 
IRJET- Usage-Based Automotive Insurance System
IRJET- Usage-Based Automotive Insurance SystemIRJET- Usage-Based Automotive Insurance System
IRJET- Usage-Based Automotive Insurance System
IRJET Journal
 
A Framework for Providing Selective Permissions to Android Applications
A Framework for Providing Selective Permissions to Android ApplicationsA Framework for Providing Selective Permissions to Android Applications
A Framework for Providing Selective Permissions to Android Applications
IOSR Journals
 
Pinpointing Vulnerabilities in Android Applications like Finding a Needle in ...
Pinpointing Vulnerabilities in Android Applications like Finding a Needle in ...Pinpointing Vulnerabilities in Android Applications like Finding a Needle in ...
Pinpointing Vulnerabilities in Android Applications like Finding a Needle in ...
IBM Security
 
I03402059063
I03402059063I03402059063
I03402059063
theijes
 
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Sonatype
 
Bug Tracking System (BTS)
Bug Tracking System (BTS)Bug Tracking System (BTS)
Bug Tracking System (BTS)
IRJET Journal
 
IRJET- Implementation of Handling Android Application using SMS(Short Mes...
IRJET- Implementation of Handling Android Application using SMS(Short Mes...IRJET- Implementation of Handling Android Application using SMS(Short Mes...
IRJET- Implementation of Handling Android Application using SMS(Short Mes...
IRJET Journal
 
Vulnerable Hunter
Vulnerable HunterVulnerable Hunter
Vulnerable Hunter
IJERA Editor
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Sonatype
 
Google Android Security 2014 Report
Google Android Security 2014 ReportGoogle Android Security 2014 Report
Google Android Security 2014 Report
Ronen Mendezitsky
 
Permission Driven Malware Detection using Machine Learning
Permission Driven Malware Detection using Machine LearningPermission Driven Malware Detection using Machine Learning
Permission Driven Malware Detection using Machine Learning
IRJET Journal
 
APPLICATION WHITELISTING: APPROACHES AND CHALLENGES
APPLICATION WHITELISTING: APPROACHES AND CHALLENGESAPPLICATION WHITELISTING: APPROACHES AND CHALLENGES
APPLICATION WHITELISTING: APPROACHES AND CHALLENGES
IJCSEIT Journal
 
Android Based Smart Department
Android Based Smart DepartmentAndroid Based Smart Department
Android Based Smart Department
IRJET Journal
 
Mediating Applications on the Android System
Mediating Applications on the Android SystemMediating Applications on the Android System
Mediating Applications on the Android SystemNizar Maan
 
IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...
IRJET Journal
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devices
IOSR Journals
 
License Generator using MAC Address for Industrial Application
License Generator using MAC Address for Industrial ApplicationLicense Generator using MAC Address for Industrial Application
License Generator using MAC Address for Industrial Application
IRJET Journal
 
43 automatic
43 automatic43 automatic
43 automatic
aissmsblogs
 
Android Security: A Survey of Security Issues and Defenses
Android Security: A Survey of Security Issues and DefensesAndroid Security: A Survey of Security Issues and Defenses
Android Security: A Survey of Security Issues and Defenses
IRJET Journal
 
IRJET- A Review on Several Vulnerabilities Detection Techniques in Androi...
IRJET- A Review on Several Vulnerabilities Detection Techniques in Androi...IRJET- A Review on Several Vulnerabilities Detection Techniques in Androi...
IRJET- A Review on Several Vulnerabilities Detection Techniques in Androi...
IRJET Journal
 
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedStephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
NoNameCon
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on Android
Fraunhofer AISEC
 
Android Application For Decentralized Family Locator
Android Application For Decentralized Family LocatorAndroid Application For Decentralized Family Locator
Android Application For Decentralized Family Locator
IRJET Journal
 
Pentestflashkeybpardpaper
PentestflashkeybpardpaperPentestflashkeybpardpaper
Pentestflashkeybpardpaper
Andrey Apuhtin
 

More Related Content

What's hot

Pinpointing Vulnerabilities in Android Applications like Finding a Needle in ...
Pinpointing Vulnerabilities in Android Applications like Finding a Needle in ...Pinpointing Vulnerabilities in Android Applications like Finding a Needle in ...
Pinpointing Vulnerabilities in Android Applications like Finding a Needle in ...
IBM Security
 
I03402059063
I03402059063I03402059063
I03402059063
theijes
 
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Sonatype
 
Bug Tracking System (BTS)
Bug Tracking System (BTS)Bug Tracking System (BTS)
Bug Tracking System (BTS)
IRJET Journal
 
IRJET- Implementation of Handling Android Application using SMS(Short Mes...
IRJET- Implementation of Handling Android Application using SMS(Short Mes...IRJET- Implementation of Handling Android Application using SMS(Short Mes...
IRJET- Implementation of Handling Android Application using SMS(Short Mes...
IRJET Journal
 
Vulnerable Hunter
Vulnerable HunterVulnerable Hunter
Vulnerable Hunter
IJERA Editor
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Sonatype
 
Google Android Security 2014 Report
Google Android Security 2014 ReportGoogle Android Security 2014 Report
Google Android Security 2014 Report
Ronen Mendezitsky
 
Permission Driven Malware Detection using Machine Learning
Permission Driven Malware Detection using Machine LearningPermission Driven Malware Detection using Machine Learning
Permission Driven Malware Detection using Machine Learning
IRJET Journal
 
APPLICATION WHITELISTING: APPROACHES AND CHALLENGES
APPLICATION WHITELISTING: APPROACHES AND CHALLENGESAPPLICATION WHITELISTING: APPROACHES AND CHALLENGES
APPLICATION WHITELISTING: APPROACHES AND CHALLENGES
IJCSEIT Journal
 
Android Based Smart Department
Android Based Smart DepartmentAndroid Based Smart Department
Android Based Smart Department
IRJET Journal
 
Mediating Applications on the Android System
Mediating Applications on the Android SystemMediating Applications on the Android System
Mediating Applications on the Android SystemNizar Maan
 
IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...
IRJET Journal
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devices
IOSR Journals
 
License Generator using MAC Address for Industrial Application
License Generator using MAC Address for Industrial ApplicationLicense Generator using MAC Address for Industrial Application
License Generator using MAC Address for Industrial Application
IRJET Journal
 
43 automatic
43 automatic43 automatic
43 automatic
aissmsblogs
 
Android Security: A Survey of Security Issues and Defenses
Android Security: A Survey of Security Issues and DefensesAndroid Security: A Survey of Security Issues and Defenses
Android Security: A Survey of Security Issues and Defenses
IRJET Journal
 
IRJET- A Review on Several Vulnerabilities Detection Techniques in Androi...
IRJET- A Review on Several Vulnerabilities Detection Techniques in Androi...IRJET- A Review on Several Vulnerabilities Detection Techniques in Androi...
IRJET- A Review on Several Vulnerabilities Detection Techniques in Androi...
IRJET Journal
 
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedStephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
NoNameCon
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on Android
Fraunhofer AISEC
 

What's hot (20)

Pinpointing Vulnerabilities in Android Applications like Finding a Needle in ...
Pinpointing Vulnerabilities in Android Applications like Finding a Needle in ...Pinpointing Vulnerabilities in Android Applications like Finding a Needle in ...
Pinpointing Vulnerabilities in Android Applications like Finding a Needle in ...
 
I03402059063
I03402059063I03402059063
I03402059063
 
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
Snippets, Scans and Snap Decisions: How Component Identification Methods Impa...
 
Bug Tracking System (BTS)
Bug Tracking System (BTS)Bug Tracking System (BTS)
Bug Tracking System (BTS)
 
IRJET- Implementation of Handling Android Application using SMS(Short Mes...
IRJET- Implementation of Handling Android Application using SMS(Short Mes...IRJET- Implementation of Handling Android Application using SMS(Short Mes...
IRJET- Implementation of Handling Android Application using SMS(Short Mes...
 
Vulnerable Hunter
Vulnerable HunterVulnerable Hunter
Vulnerable Hunter
 
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
Lawyers and Licenses in Open Source-based Development: How to Protect Your So...
 
Google Android Security 2014 Report
Google Android Security 2014 ReportGoogle Android Security 2014 Report
Google Android Security 2014 Report
 
Permission Driven Malware Detection using Machine Learning
Permission Driven Malware Detection using Machine LearningPermission Driven Malware Detection using Machine Learning
Permission Driven Malware Detection using Machine Learning
 
APPLICATION WHITELISTING: APPROACHES AND CHALLENGES
APPLICATION WHITELISTING: APPROACHES AND CHALLENGESAPPLICATION WHITELISTING: APPROACHES AND CHALLENGES
APPLICATION WHITELISTING: APPROACHES AND CHALLENGES
 
Android Based Smart Department
Android Based Smart DepartmentAndroid Based Smart Department
Android Based Smart Department
 
Mediating Applications on the Android System
Mediating Applications on the Android SystemMediating Applications on the Android System
Mediating Applications on the Android System
 
IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...IRJET - System to Identify and Define Security Threats to the users About The...
IRJET - System to Identify and Define Security Threats to the users About The...
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devices
 
License Generator using MAC Address for Industrial Application
License Generator using MAC Address for Industrial ApplicationLicense Generator using MAC Address for Industrial Application
License Generator using MAC Address for Industrial Application
 
43 automatic
43 automatic43 automatic
43 automatic
 
Android Security: A Survey of Security Issues and Defenses
Android Security: A Survey of Security Issues and DefensesAndroid Security: A Survey of Security Issues and Defenses
Android Security: A Survey of Security Issues and Defenses
 
IRJET- A Review on Several Vulnerabilities Detection Techniques in Androi...
IRJET- A Review on Several Vulnerabilities Detection Techniques in Androi...IRJET- A Review on Several Vulnerabilities Detection Techniques in Androi...
IRJET- A Review on Several Vulnerabilities Detection Techniques in Androi...
 
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposedStephanie Vanroelen - Mobile Anti-Virus apps exposed
Stephanie Vanroelen - Mobile Anti-Virus apps exposed
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on Android
 

Similar to IRJET- Secure Android Application Development and Security Assessment

Android Application For Decentralized Family Locator
Android Application For Decentralized Family LocatorAndroid Application For Decentralized Family Locator
Android Application For Decentralized Family Locator
IRJET Journal
 
Pentestflashkeybpardpaper
PentestflashkeybpardpaperPentestflashkeybpardpaper
Pentestflashkeybpardpaper
Andrey Apuhtin
 
IRJET- Android Malware Detection System
IRJET- Android Malware Detection SystemIRJET- Android Malware Detection System
IRJET- Android Malware Detection System
IRJET Journal
 
IRJET- Root Security Firewall
IRJET- Root Security FirewallIRJET- Root Security Firewall
IRJET- Root Security Firewall
IRJET Journal
 
IRJET- Root Security Firewall
IRJET- Root Security FirewallIRJET- Root Security Firewall
IRJET- Root Security Firewall
IRJET Journal
 
Self-Protecting Technology for Web Applications
Self-Protecting Technology for Web ApplicationsSelf-Protecting Technology for Web Applications
Self-Protecting Technology for Web Applications
IRJET Journal
 
IRJET- TRACKITUP-An Android Application to Track Multiple Users
IRJET- TRACKITUP-An Android Application to Track Multiple UsersIRJET- TRACKITUP-An Android Application to Track Multiple Users
IRJET- TRACKITUP-An Android Application to Track Multiple Users
IRJET Journal
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, Solutions
Cognizant
 
Irjet v7 i3811
Irjet v7 i3811Irjet v7 i3811
Irjet v7 i3811
aissmsblogs
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
Sandeep Joshi
 
IRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of Code
IRJET Journal
 
IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...
IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...
IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...
IRJET Journal
 
IRJET- DocLock Application for Secure Document Sharing
IRJET- DocLock Application for Secure Document SharingIRJET- DocLock Application for Secure Document Sharing
IRJET- DocLock Application for Secure Document Sharing
IRJET Journal
 
IRJET- Displaying Data of Smart Phone using Firebase
IRJET- Displaying Data of Smart Phone using FirebaseIRJET- Displaying Data of Smart Phone using Firebase
IRJET- Displaying Data of Smart Phone using Firebase
IRJET Journal
 
Android_Nougats_security_issues_and_solutions.pdf
Android_Nougats_security_issues_and_solutions.pdfAndroid_Nougats_security_issues_and_solutions.pdf
Android_Nougats_security_issues_and_solutions.pdf
Talha Naqash
 
IRJET- Displaying Smart Phone Data in the Desktop using Firebase
IRJET- Displaying Smart Phone Data in the Desktop using FirebaseIRJET- Displaying Smart Phone Data in the Desktop using Firebase
IRJET- Displaying Smart Phone Data in the Desktop using Firebase
IRJET Journal
 
Cw comp1661 211574_mo233_20131122_234918_1314
Cw comp1661 211574_mo233_20131122_234918_1314Cw comp1661 211574_mo233_20131122_234918_1314
Cw comp1661 211574_mo233_20131122_234918_1314
Owen Muzi
 
AN ANDROID APP FOR BUILDING STUDENT PROFILES
AN ANDROID APP FOR BUILDING STUDENT PROFILESAN ANDROID APP FOR BUILDING STUDENT PROFILES
AN ANDROID APP FOR BUILDING STUDENT PROFILES
IRJET Journal
 
Forensic Tool for Android Mobile Device
Forensic Tool for Android Mobile DeviceForensic Tool for Android Mobile Device
Forensic Tool for Android Mobile Device
IRJET Journal
 
Application Security framework for Mobile App Development in Enterprise Setup
Application Security framework for Mobile App Development in Enterprise SetupApplication Security framework for Mobile App Development in Enterprise Setup
Application Security framework for Mobile App Development in Enterprise Setup
Eswar Publications
 

Similar to IRJET- Secure Android Application Development and Security Assessment (20)

Android Application For Decentralized Family Locator
Android Application For Decentralized Family LocatorAndroid Application For Decentralized Family Locator
Android Application For Decentralized Family Locator
 
Pentestflashkeybpardpaper
PentestflashkeybpardpaperPentestflashkeybpardpaper
Pentestflashkeybpardpaper
 
IRJET- Android Malware Detection System
IRJET- Android Malware Detection SystemIRJET- Android Malware Detection System
IRJET- Android Malware Detection System
 
IRJET- Root Security Firewall
IRJET- Root Security FirewallIRJET- Root Security Firewall
IRJET- Root Security Firewall
 
IRJET- Root Security Firewall
IRJET- Root Security FirewallIRJET- Root Security Firewall
IRJET- Root Security Firewall
 
Self-Protecting Technology for Web Applications
Self-Protecting Technology for Web ApplicationsSelf-Protecting Technology for Web Applications
Self-Protecting Technology for Web Applications
 
IRJET- TRACKITUP-An Android Application to Track Multiple Users
IRJET- TRACKITUP-An Android Application to Track Multiple UsersIRJET- TRACKITUP-An Android Application to Track Multiple Users
IRJET- TRACKITUP-An Android Application to Track Multiple Users
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, Solutions
 
Irjet v7 i3811
Irjet v7 i3811Irjet v7 i3811
Irjet v7 i3811
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
 
IRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of Code
 
IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...
IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...
IRJET- Enabling Identity-Based Integrity Auditing and Data Sharing with Sensi...
 
IRJET- DocLock Application for Secure Document Sharing
IRJET- DocLock Application for Secure Document SharingIRJET- DocLock Application for Secure Document Sharing
IRJET- DocLock Application for Secure Document Sharing
 
IRJET- Displaying Data of Smart Phone using Firebase
IRJET- Displaying Data of Smart Phone using FirebaseIRJET- Displaying Data of Smart Phone using Firebase
IRJET- Displaying Data of Smart Phone using Firebase
 
Android_Nougats_security_issues_and_solutions.pdf
Android_Nougats_security_issues_and_solutions.pdfAndroid_Nougats_security_issues_and_solutions.pdf
Android_Nougats_security_issues_and_solutions.pdf
 
IRJET- Displaying Smart Phone Data in the Desktop using Firebase
IRJET- Displaying Smart Phone Data in the Desktop using FirebaseIRJET- Displaying Smart Phone Data in the Desktop using Firebase
IRJET- Displaying Smart Phone Data in the Desktop using Firebase
 
Cw comp1661 211574_mo233_20131122_234918_1314
Cw comp1661 211574_mo233_20131122_234918_1314Cw comp1661 211574_mo233_20131122_234918_1314
Cw comp1661 211574_mo233_20131122_234918_1314
 
AN ANDROID APP FOR BUILDING STUDENT PROFILES
AN ANDROID APP FOR BUILDING STUDENT PROFILESAN ANDROID APP FOR BUILDING STUDENT PROFILES
AN ANDROID APP FOR BUILDING STUDENT PROFILES
 
Forensic Tool for Android Mobile Device
Forensic Tool for Android Mobile DeviceForensic Tool for Android Mobile Device
Forensic Tool for Android Mobile Device
 
Application Security framework for Mobile App Development in Enterprise Setup
Application Security framework for Mobile App Development in Enterprise SetupApplication Security framework for Mobile App Development in Enterprise Setup
Application Security framework for Mobile App Development in Enterprise Setup
 

More from IRJET Journal

TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
IRJET Journal
 
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURESTUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
IRJET Journal
 
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
IRJET Journal
 
Effect of Camber and Angles of Attack on Airfoil Characteristics
Effect of Camber and Angles of Attack on Airfoil CharacteristicsEffect of Camber and Angles of Attack on Airfoil Characteristics
Effect of Camber and Angles of Attack on Airfoil Characteristics
IRJET Journal
 
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
IRJET Journal
 
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
IRJET Journal
 
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
IRJET Journal
 
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
IRJET Journal
 
A REVIEW ON MACHINE LEARNING IN ADAS
A REVIEW ON MACHINE LEARNING IN ADASA REVIEW ON MACHINE LEARNING IN ADAS
A REVIEW ON MACHINE LEARNING IN ADAS
IRJET Journal
 
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
IRJET Journal
 
P.E.B. Framed Structure Design and Analysis Using STAAD Pro
P.E.B. Framed Structure Design and Analysis Using STAAD ProP.E.B. Framed Structure Design and Analysis Using STAAD Pro
P.E.B. Framed Structure Design and Analysis Using STAAD Pro
IRJET Journal
 
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
IRJET Journal
 
Survey Paper on Cloud-Based Secured Healthcare System
Survey Paper on Cloud-Based Secured Healthcare SystemSurvey Paper on Cloud-Based Secured Healthcare System
Survey Paper on Cloud-Based Secured Healthcare System
IRJET Journal
 
Review on studies and research on widening of existing concrete bridges
Review on studies and research on widening of existing concrete bridgesReview on studies and research on widening of existing concrete bridges
Review on studies and research on widening of existing concrete bridges
IRJET Journal
 
React based fullstack edtech web application
React based fullstack edtech web applicationReact based fullstack edtech web application
React based fullstack edtech web application
IRJET Journal
 
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
IRJET Journal
 
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
IRJET Journal
 
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
IRJET Journal
 
Multistoried and Multi Bay Steel Building Frame by using Seismic Design
Multistoried and Multi Bay Steel Building Frame by using Seismic DesignMultistoried and Multi Bay Steel Building Frame by using Seismic Design
Multistoried and Multi Bay Steel Building Frame by using Seismic Design
IRJET Journal
 
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
IRJET Journal
 

More from IRJET Journal (20)

TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
TUNNELING IN HIMALAYAS WITH NATM METHOD: A SPECIAL REFERENCES TO SUNGAL TUNNE...
 
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURESTUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
STUDY THE EFFECT OF RESPONSE REDUCTION FACTOR ON RC FRAMED STRUCTURE
 
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
A COMPARATIVE ANALYSIS OF RCC ELEMENT OF SLAB WITH STARK STEEL (HYSD STEEL) A...
 
Effect of Camber and Angles of Attack on Airfoil Characteristics
Effect of Camber and Angles of Attack on Airfoil CharacteristicsEffect of Camber and Angles of Attack on Airfoil Characteristics
Effect of Camber and Angles of Attack on Airfoil Characteristics
 
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
A Review on the Progress and Challenges of Aluminum-Based Metal Matrix Compos...
 
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
Dynamic Urban Transit Optimization: A Graph Neural Network Approach for Real-...
 
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
Structural Analysis and Design of Multi-Storey Symmetric and Asymmetric Shape...
 
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
A Review of “Seismic Response of RC Structures Having Plan and Vertical Irreg...
 
A REVIEW ON MACHINE LEARNING IN ADAS
A REVIEW ON MACHINE LEARNING IN ADASA REVIEW ON MACHINE LEARNING IN ADAS
A REVIEW ON MACHINE LEARNING IN ADAS
 
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
Long Term Trend Analysis of Precipitation and Temperature for Asosa district,...
 
P.E.B. Framed Structure Design and Analysis Using STAAD Pro
P.E.B. Framed Structure Design and Analysis Using STAAD ProP.E.B. Framed Structure Design and Analysis Using STAAD Pro
P.E.B. Framed Structure Design and Analysis Using STAAD Pro
 
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
A Review on Innovative Fiber Integration for Enhanced Reinforcement of Concre...
 
Survey Paper on Cloud-Based Secured Healthcare System
Survey Paper on Cloud-Based Secured Healthcare SystemSurvey Paper on Cloud-Based Secured Healthcare System
Survey Paper on Cloud-Based Secured Healthcare System
 
Review on studies and research on widening of existing concrete bridges
Review on studies and research on widening of existing concrete bridgesReview on studies and research on widening of existing concrete bridges
Review on studies and research on widening of existing concrete bridges
 
React based fullstack edtech web application
React based fullstack edtech web applicationReact based fullstack edtech web application
React based fullstack edtech web application
 
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
A Comprehensive Review of Integrating IoT and Blockchain Technologies in the ...
 
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
A REVIEW ON THE PERFORMANCE OF COCONUT FIBRE REINFORCED CONCRETE.
 
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
Optimizing Business Management Process Workflows: The Dynamic Influence of Mi...
 
Multistoried and Multi Bay Steel Building Frame by using Seismic Design
Multistoried and Multi Bay Steel Building Frame by using Seismic DesignMultistoried and Multi Bay Steel Building Frame by using Seismic Design
Multistoried and Multi Bay Steel Building Frame by using Seismic Design
 
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
Cost Optimization of Construction Using Plastic Waste as a Sustainable Constr...
 

Recently uploaded

Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
Kerry Sado
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
Neometrix_Engineering_Pvt_Ltd
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
MdTanvirMahtab2
 
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdfH.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
MLILAB
 
ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
Jayaprasanna4
 
Architectural Portfolio Sean Lockwood
Architectural Portfolio Sean LockwoodArchitectural Portfolio Sean Lockwood
Architectural Portfolio Sean Lockwood
seandesed
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
TeeVichai
 
The Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdfThe Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdf
Pipe Restoration Solutions
 
Immunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary AttacksImmunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary Attacks
gerogepatton
 
block diagram and signal flow graph representation
block diagram and signal flow graph representationblock diagram and signal flow graph representation
block diagram and signal flow graph representation
Divya Somashekar
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdfASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdf
AhmedHussein950959
 
DESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docxDESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docx
FluxPrime1
 
Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
Kamal Acharya
 
CME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional ElectiveCME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional Elective
karthi keyan
 
Runway Orientation Based on the Wind Rose Diagram.pptx
Runway Orientation Based on the Wind Rose Diagram.pptxRunway Orientation Based on the Wind Rose Diagram.pptx
Runway Orientation Based on the Wind Rose Diagram.pptx
SupreethSP4
 
English lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdfEnglish lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdf
BrazilAccount1
 
Gen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdfGen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdf
gdsczhcet
 
Investor-Presentation-Q1FY2024 investor presentation document.pptx
Investor-Presentation-Q1FY2024 investor presentation document.pptxInvestor-Presentation-Q1FY2024 investor presentation document.pptx
Investor-Presentation-Q1FY2024 investor presentation document.pptx
AmarGB2
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Dr.Costas Sachpazis
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
AJAYKUMARPUND1
 

Recently uploaded (20)

Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
 
Standard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - NeometrixStandard Reomte Control Interface - Neometrix
Standard Reomte Control Interface - Neometrix
 
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)
 
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdfH.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
 
ethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.pptethical hacking in wireless-hacking1.ppt
ethical hacking in wireless-hacking1.ppt
 
Architectural Portfolio Sean Lockwood
Architectural Portfolio Sean LockwoodArchitectural Portfolio Sean Lockwood
Architectural Portfolio Sean Lockwood
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
 
The Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdfThe Benefits and Techniques of Trenchless Pipe Repair.pdf
The Benefits and Techniques of Trenchless Pipe Repair.pdf
 
Immunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary AttacksImmunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary Attacks
 
block diagram and signal flow graph representation
block diagram and signal flow graph representationblock diagram and signal flow graph representation
block diagram and signal flow graph representation
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdfASME IX(9) 2007 Full Version .pdf
ASME IX(9) 2007 Full Version .pdf
 
DESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docxDESIGN A COTTON SEED SEPARATION MACHINE.docx
DESIGN A COTTON SEED SEPARATION MACHINE.docx
 
Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
 
CME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional ElectiveCME397 Surface Engineering- Professional Elective
CME397 Surface Engineering- Professional Elective
 
Runway Orientation Based on the Wind Rose Diagram.pptx
Runway Orientation Based on the Wind Rose Diagram.pptxRunway Orientation Based on the Wind Rose Diagram.pptx
Runway Orientation Based on the Wind Rose Diagram.pptx
 
English lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdfEnglish lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdf
 
Gen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdfGen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdf
 
Investor-Presentation-Q1FY2024 investor presentation document.pptx
Investor-Presentation-Q1FY2024 investor presentation document.pptxInvestor-Presentation-Q1FY2024 investor presentation document.pptx
Investor-Presentation-Q1FY2024 investor presentation document.pptx
 
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
Sachpazis:Terzaghi Bearing Capacity Estimation in simple terms with Calculati...
 
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
 

IRJET- Secure Android Application Development and Security Assessment

  • 1. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 05 | May 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.211 | ISO 9001:2008 Certified Journal | Page 323 Secure Android Application Development and Security Assessment Vandana.H.K1, Dr. H.D. Phaneendra2 1Student, MTech- Information Technology, The National Institute of Engineering, Mysuru-09 2Professor & Head, Dept. of CS&E, The National Institute of Engineering, Mysuru-09 ---------------------------------------------------------------------***---------------------------------------------------------------------- Abstract - Nowadays mobile has taken a main part in everyday life of an individual, all important information are stored in mobile database and accessible by mobile applications. Even online transactions are through mobile applications; hence, mobilesecurityrequiresthemainpriority. Android applications undergo static and dynamic analysis during security testing. These analysis requires tools like apktool, adb, BurpSuite, Drozer, dex2jar, JDGui and jadX. This paper consists of step-wise procedure for an android application security assessment through whichvulnerabilities can be found and solutions to overcome vulnerabilities. Key Words: BurpSuite, apktool, Drozer, CORS, Verbose Server Banner, Root Detection, AndroidManifest.xml. 1. INTRODUCTION Mobile plays an important part in recent yearsand replaced personal computer to more extent. Applications are builtfor every need including e-commerce, online transactions, health care, etc. These applications consists of sensitivedata of an individual and needs to be secured. Only securing android device is not enough one should also look into that each application is secured or not. Android application undergo static and dynamic analysis during security assessment. Generally, static analysis of an android application consists of source code review, side channel leakage, reverse engineering etc. Dynamic analysis consists of review of interception of api betweenapplication and server. Static analysis requires apktool, dex2jar, jadx, JDGUI tools. Dynamic analysis requires adb, Drozer, BurpSuite tools. 2. METHODS 2.1 Method-I Once an android application is givenforsecurityassessment, it will be in .apk form. Apktool is the tool utilized for reverse engineering of an android application where we can decompile full source code into .smali form. Even modifying and recompiling .apk is easy using this tool. Download the apktool for free from google as it is an open source. Once installed, using following command in terminal you can reverse engineer the .apk file. Fig -1: Result of >apktool; command Fig-2: Result of >java –jar apktool.jar d –s application_name.apk; command 2.1.1 Problem A Consider an example for Dangerous permissions used vulnerability, as “write_external_storage” permission set as shown in figure 3. This permission allows the application to store the application data onto the external storage like memory card, which is accessible to all other applications. Anything stored in the external storage is accessible to all the application irrespective the device is rooted or not. Confidentiality of the sensitive data is compromised, as the data is openly accessible. Fig -3: AndroidManifest.xml where write_external_storage permission is set. Solution A It is recommended to remove this permissionandallowonly those permissions, which are needed or required for the
  • 2. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 05 | May 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.211 | ISO 9001:2008 Certified Journal | Page 324 application to work properly. [6] Provide knowledge about all uses-permission in android. 2.1.2 Problem B Consider debuggable flag enabled vulnerability as shown in fig- 4,the debug tag in AndroidManifest.xml defineswhether the application can be debugged or not.Iftheapplication can be debugged then it can provide plenty of information to an attacker since the local storage of the application is accessible to attacker and it will also make easy in gaining intercepted API between application and server. Attacker needs to have physical access to rooted devices or there should be a malware app running in background, which can read through unencrypted sensitive data saved within sandbox of the app. Proxy can be adjusted and interception can be done using Burp Suite, this will explained in next method. Fig -4: AndroidManifest.xml where debuggable and allowBackup flags are set to true Consider allowBackup flagenabledvulnerabilityasshownin figure 4, this flag allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of thedevice. Android backups rely on the Android Debug Bridge (ADB) command to perform backup and restore. ADB, however, has been a soft target for attacker and is still not trusted by respected developers. The idea that someone can inject maliciouscode into your backup data is unsettling. Attackers can read its internal sensitive data like password, tokens etc.and modify these sensitive data or configurations. Even though the flag is set to false or flag is only removed, attacker can modify them and recompile .apk file ,as shown in following steps Step 1: Open AndroidManifest.xml file in text editorandadd android:debuggable=”true” inside <application> tag as shown in fig- 4. Step 2: Recompile the above modified files using following command. >java –jar apktool b modified_folder –o modified_app_name.apk Step 3: The new .apk formed should be signed by apk signer application before installing into mobile. Solution B It is recommended that Android applications that are not in the production state are expected to have this attribute set to true to assist the testers and developers however before the actual release of the application this tag should be set to false. It is also recommended to Set android:allowBackup=false in Androidmanifes.xml or even better is to remove that tag. Fig -5: AndroidManifest.xml where debuggable and allowBackup flags are set to false 2.1.3 Problem C Consider Improper export of android application components vulnerability as shown in figure 5, The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains. Intents can be used to launch an activity, to send it to any interested broadcast receiver components, and to communicate with a background service. Intents messages should be reviewed to ensure that they does not contain any sensitive information that could be intercepted. If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting withthe maliciousapplication.Ifaccessto an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application. Fig -6: Drozer utility used to list activities exported in the target application. MWR Labs developed a framework called Drozer, which is one of the best Android security assessment tools available for security assessments. To perform a security assessment using Drozer, the users will run the commands on console of their workstation and it is sent to an agent who execute the task.
  • 3. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 05 | May 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.211 | ISO 9001:2008 Certified Journal | Page 325 com.isi.testapp.MainActivity is the home screen which in order to be launched, it should be exported. Here, com.isi.testapp.Welcome is the name of the activity which is triggered after the login screen. Using Drozer, launch that activity. Fig -7: Drozer utility used to exploit vulnerabilities This command provides an appropriate intent in the background in order to launch the activity, which is to bypass authentication during logging in to an application. Solution C It is recommended to make android:exported=false for unwanted functionalities in AndroidManifest.xml. Fig -8: AndroidManifest.xml where exported flag set to false 2.2 Method-II After all static analysis, let’s see how BurpSuite will be used for security assessment. Download the BurpSuite- Community Edition for free from google as it is an open source. Set every settings required to intercept the traffic, exchanged between application and server. Proxysettings is similar to what we set during web application pentesting , but the change is instead of localhost we choose all interface option. In mobile device, we have to set proxy according to machine IP address, which has burpsuite running on it. Here we discuss some basic vulnerabilities, which are found during this assessment. 2.2.1 Problem D Consider,CrossOriginResourceSharing(CORS)vulnerability where CORS defines whether resources on other domains can interact with this server. An attackercanplacemalicious JavaScript on his domain that can exploit the unrestrictive CORS policy to access sensitive data on this server or perform sensitive operations without the user’s knowledge. Additionally, an attacker could exploit security vulnerabilities on other domains to compromise serviceson this server. The CORS policy relaxes the Same Origin Policy, an important security control that isolates potentially malicious resources to its respective domain name. If a script attempts to violate the Same Origin Policy by interacting with another domain, modern browsers will check a server’s CORS policybyissuinga “pre-flightrequest”. The browser allows the interaction only if the server responds with an Access-Control-Allow-Origin header that lists the script’s domain or a wildcard match (*). A wildcard match allows interaction from any other domain, which allows any malicious content to retrieve content from this server or perform user actions. An unrestricted CORS policy allows an attacker to access sensitive data or perform unauthorizeduseractionswithout user knowledge. Malicious JavaScript can perform these actions even if the server uses Cross Site Request Forgery tokens. Hence, an attackercanaccesssensitivedata ofvictim. This vulnerability comes under category M3-Insecure Communication. Fig -9: Access-Control-Allow-Origin header in response reflecting injected Origin in request Solution D The Access-Control-Allow-Originheadershouldnot besetto a wildcard match. In most cases, this header can be safely removed. However, if the applicationrequiresa relaxationof the Same Origin Policy, the Access-Control-Allow-Origin header should whitelist onlydomainsthataretrustedbythis server. Fig -10: Whitelisting trusted domains for server Fig -11: Access-Control-Allow-Origin header in response reflecting only trusted domains. 2.2.2 Problem E Consider, Verbose Server Banner vulnerability where the server information is sent in the HTTP responses from the server. The information is commonly included in the server response headers and can disclose information like server name, type, and version number.Byknowingversion,typeof webserver, how each type of web serverrespondstospecific commands and keeping this information in a web server fingerprint database, an attacker can send these commands
  • 4. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 05 | May 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.211 | ISO 9001:2008 Certified Journal | Page 326 to the web server, analyze the response, and compare it to the database of known signatures. By knowing the information about the server, an attacker can plan attacksin future, with the information obtained. There may be publically knownexploitsandvulnerabilitiesassociatedwith the server hosted, whose information gets disclosed in the banner. Verbose server banners provide additional information that allows an attacker to perform targeted attacks to the specific technology stack in use by the application and underlying infrastructure.Thisvulnerability comes under category W6 – Security Misconfiguration. Fig -12: Server banner disclosure (not secured) Fig -13: Server Apache has above configurations in it’s httpd.conf file Fig -14: PHP has above configurations in its php.ini file Solution E Verbose server information should be removed from all HTTP responses. This can be performed by modifying the server's configuration files.Itisrecommendedtousegeneric error message response from server,sothatserverbanneris not disclosed in the error message responsefromtheserver. Fig -15: Changing configurations of Server Apache in its httpd.conf file Fig -16: Changing configurations of PHP in its php.ini file Fig -17: Server banner after changing configurations of servers. 2.2.3 Problem F Consider, Improper Cookie Configuration vulnerability where the session cookie is set without including the HttpOnly and Secure flags. The HttpOnly flag helps mitigate (but doesn't completely prevent) the risk of client side scripting accessing the cookie value (assuming the browser supports the flag setting). This helps prevent cross-site scripting from accessing the cookie fromtheDOM,leadingto potential session hijacking. The secure flag ensures that the cookie is not transmitted in an http request, forcing the cookie to be transmitted only when using HTTPS. Thishelps prevent disclosure of the session cookie if a request is submitted using HTTP insteadofHTTPS.Cookievaluewill be transmitted unencrypted over http which leadsmaliciousor unintentional disclosureofthesessioncookievalue.Attacker can use this vulnerability to perform cross site scripting and session hijacking.
  • 5. International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056 Volume: 06 Issue: 05 | May 2019 www.irjet.net p-ISSN: 2395-0072 © 2019, IRJET | Impact Factor value: 7.211 | ISO 9001:2008 Certified Journal | Page 327 Fig -18: Cookie with no httponly or secure flags Solution F The secure flag and Http only flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. Fig -19: Updating setcookie with httponly or secure flags in code Fig -20: Cookie with httponly or secure flags. 2.2.4 Problem G Consider, lack of root detection vulnerability where the application will not detect rooted android device. Android implements containerization so thateachappisrestricted to its own sandbox. A regular app cannot accessfilesoutsideits dedicated data directories, and access to system APIs is restricted via app privileges. As a result, an app’s sensitive data as well as the integrity of the OS is guaranteed under normal conditions. However, when an adversary gains root access to the mobile operating system, the default protections can be bypassed completely. Attacker should have physical access on the device, however rooted device remotely accessible in case user root SSH not protected. Applications on a rooted device run as root outside of the android sandbox. This can allow applications to access sensitive data contained in other apps or install malicious software negating sandboxing functionality. The risk of malicious code running as root is higher on rooted devices, as many of the default integrity checks are disabled. Solution G Developers of apps that handle highly sensitive data should therefore consider implementing checks that either prevent the app from running under these conditions, or at least warn the user about the increased risks. 3. CONCLUSIONS This paper provides basic vulnerabilities found during security assessment and solutions for developers to overcome them. The main aim of this paper is to provide basic improvements that can be done during an android application development so that during security assessments, tester can concentrateonmajorvulnerabilities rather than spending time on testing these basic vulnerabilities. ACKNOWLEDGEMENT I would like to thank Dr. H.D. Phaneendra, Professor &Head, Dept. of CS&E at NIE, Mysore for his guidance and support in doing case study of the above paper. REFERENCES Karthick S, Dr. Sumitra Binu- “Android Security Issues and Solutions”- International Conference on Innovative Mechanisms for Industry Applications (ICIMIA 2017). [1] Igor Khokhlov, Leon Reznik -“Android System Security Evaluation”- 2018 15th IEEE Annual Consumer Communications & Networking Conference (CCNC). [2] Sebastian Lekies, Martin Johns and Walter Tighzert – “The State of the Cross-domain Nation”- 2011 IEEE Security. [3] https://www.medianova.com/en-blog/2019/02/20/a- technical-introduction-to-cors-cross-origin-resource- sharing. [Online] [4] https://technumero.com/disable-server-signature-by- editing-htaccess-apache/. [Online]. [5] Cheng-Liang Kuo , Chung-Huang Yang-“Security Design for Configuration Management of Android Devices”- 2015 IEEE 39th Annual Computer Software and Applications Conference.