This document discusses three angles for performing mobile application security testing: client side checks, dynamic/runtime checks of local storage, databases and more, and static code analysis. It focuses on static code analysis, explaining that it covers over 50% of the OWASP Mobile Top 10 risks. It provides details on fetching APKs, converting them to source code, manual and automated static code analysis tools like MobSF and QARK, and common issues like improper use of Android intents that can be discovered through static analysis.

1. Mobile Application Security Testing
3 Angles to perform a successful security
testing
1. Client Side Checks;
2. Dynamic / Runtime / Local Storage / DB /
SD Checks &
3. Static Code Analysis (a.k.a Reverse Engg.)
By : Abhilash @ IBM

2. Static Code Analysis
Why Static Code Analysis is required ?
In Lay-man terms  Code analysis
of ApK file….

3. M1, M4, M5,
 M1 : Improper Platform Usage : Android Intents,
permissions
 M4 : Insecure Authorization : Identifying Session keys,
session mgmt. logic
 M5 – Insufficient Cryptography : covering cryptographic
keys (like Md5, SHA keys) and encryption logic

4. M7, M8, M9,M10
 M7 – Client Code Quality : like buffer overflows, format string
vulnerabilities, and various other code-level mistakes
 M8 – Code Tampering : covers binary patching, local resource
modification, method hooking and dynamic memory
modification.
 M9 – Reverse Engineering : analysis of libraries, algorithms,
and other assets.
 M10 – Extraneous Functionality : Hidden backdoor
functionalities , commented code (accidently left by
developer)

5. 7/10 M’s are covered in Static Code
Analysis
Which is >50%

6. Fetching APK
 For enterprise / intranet Applications  Product Team
 Via Online
 https://apkpure.com/
 http://apps.evozi.com/apk-
downloader/?id=com.vng.g6.a.zombie
https://play.google.com/store/apps/details?id=com
.vng.g6.a.zombie&hl=en

7. Conversion of APK to Source Code
 Manual via dex2jar/Apktool
 http://stackoverflow.com/questions/12732882/reverse-engineering-from-an-apk-
file-to-a-project
 Via Online
 http://www.javadecompilers.com/apk
 Apk files are nothing but zip files.
 Zip files contains resources and assembled java code
 But unzip will miss classes.dex and resources.arsc files

8. ANDROID APP STRUCTURE

9. Methods to perform Code Analysis
 Manual
 Automated

10. Manual Code Analysis

11. Installing and Configuring Text Editors
 Android Studio (or)
 Sublime Text
Why Sublime Text ?
Goto Anything functionality
Search of Key strokes
Quick File Switching
 Demo

13. What needs to be looked :

14. Samples - hardcoded passwords

16. Samples - Encryption

20. Automated Code Analysis

21.  MobSF (Mobile Security Framework)
 QARK (Quick Android Review Kit)
 ApkTool
 & Many more…… both commercial and open source tools
available…
*These are open source tools

22. Installing and Configuring MobSF
 Demo

25. Installing and Configuring QARK
 Demo

28. Installing and Configuring ApkTool
 Demo

31. Android Intents
 An intent is a Messaging
Object
 which can be used to
request an Action from
an another App
Component.
 App Components can be
 Activities ; Services ;
 Broadcast Receivers ;
 Content Providers
 2 types of Intents
 Explicit
 Implicit

32. Some of the uses of Intents are
 Start a Service
 Launch an Activity
 Display a web page
 Display List of Contacts
 Broadcast a Message and
 Many More …………………………….

33. Doubt !!!
Y intents are used Y not APIs ?
API Intent
API calls are Synchronous Intent based calls are
Asynchronous
API calls are compile-time
binding
Intent based calls are run-
time binding
BUT …. Intents can similarly be
used as APIs  Explicit

34. Implicit Intents
 Implicit intents
are often used
to activate
components in
other
applications.
 Doesn’t Specify
the
Component…

35. Common Flaws
 Dangerous to send/broadcast sensitive information / data
across implicit intents
 Since unprivileged implicit intent can use the same
data
 Intercept your data
 Malicious Injection at
 Broadcast Level
 Activity Level
 Service Launch

36. Explicit Intents
 An explicit intent is most
commonly used when
launching an activity (from
another one) within the
same application.
 Specifies the component

37. Example

38. Next Time 
 Playing around Intents
 Deep-drive in Intent Filters
 Malicious Intents
 Intent Spoofing and intent traffic analysis
 Prevention techniques
 Self signing of Android app for reverse engg.

39. Thankyou….