Update: Dynamic analysis results are now available in the 2016 NowSecure Mobile Security Report, click here to download the report.
This past year, the NowSecure Research Team built a dynamic analysis system that performs security testing of mobile applications (both iOS and Android). This system, which also powers the NowSecure Lab (API), provides automatic, scalable analysis using real devices to test mobile applications for common security problems such as sending sensitive data without proper encryption.
We define dynamic analysis as the process of testing mobile applications during runtime and checking their live behavior. The devices used to perform dynamic analysis are instrumented to capture an application's interaction with the user, operating system, and network. The dynamic analysis system runs the following services:
- An intelligent UI automator that provides fake data and interacts with the application to execute its functionalities as a real user would
- A service that captures, records, and analyzes important system interactions made by the application
- A network proxy that captures and analyzes application network traffic for interesting patterns and tainted values
- A service that brings test devices to a clean state on each application run
How Our System is Different
Our system evaluates applications on actual devices, instead of emulators. Applications may exhibit many idiosyncrasies that cause them to run improperly on emulators. Thus, the need for a new solution was born.
As you can see in the illustration above, the dynamic analysis system uses several mobile devices, a controller that interacts with the applications, a wireless router, and a computer (the "host"). As applications run on the system, instrumentation data is recorded. At the end of the run, a high-level report summary is compiled.
The system is scalable and production ready. The APIs will be available shortly for developers and enterprises for continuous and automated testing of their apps as a part of our NowSecure Lab API product.
Issues We Identify
The dynamic analysis system currently checks for the following issues:
- Filesystem Tests: Checks for multiple issue types, including world-writable and world-readable files and the possibility of arbitrary code execution
- Network Tests: Checks network transmissions for leaks of sensitive data (IMEI, username, password, and others) in various encoding formats, as well as the possibility of arbitrary file writes
- IPC Tests: Checks the mechanisms by which different types of Android components communicate and identifies common vulnerabilities
- Improper use of system frameworks: Improper use of cryptographic APIs, insecure use of dynamic code, etc.
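The network test above has to recognize seeded values even when the app transmits them encoded or hashed. The following is an added example (not NowSecure's own code) of that matching logic: it takes the fake data the UI automator fed the app, derives the encoded forms a leak scanner should look for, and flags which captured requests carry them and whether they went over cleartext HTTP. All seed values, hostnames and request bodies are constructed for the example.

```python
import base64
import hashlib
from urllib.parse import quote

# Constructed seed values: the fake data the UI automator feeds the app
# (made-up identifiers, not real ones).
SEED_VALUES = {
    "imei": "356938035643809",
    "username": "testuser42",
    "password": "S3cretPass!",
}

def encodings(value: str) -> dict:
    """Encoded forms of a seed value that a leak scanner should match on."""
    raw = value.encode()
    return {
        "plain": value,
        "urlencoded": quote(value, safe=""),
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def find_leaks(requests: list, seeds: dict = SEED_VALUES) -> list:
    """Scan captured requests (dicts with 'url' and 'body') for seed values in
    any supported encoding. Returns (seed, encoding, url, cleartext) tuples;
    only the first matching encoding per seed and request is reported."""
    findings = []
    for req in requests:
        haystack = req["url"] + "\n" + req["body"]
        cleartext = req["url"].lower().startswith("http://")  # no TLS
        for name, value in seeds.items():
            for enc, needle in encodings(value).items():
                if needle in haystack:
                    findings.append((name, enc, req["url"], cleartext))
                    break
    return findings

# Constructed sample capture, in the shape a recording proxy might emit.
SAMPLE_REQUESTS = [
    {"url": "http://api.example.test/login",
     "body": "user=testuser42&pw=" + quote("S3cretPass!", safe="")},
    {"url": "https://telemetry.example.test/ping",
     "body": "device=" + hashlib.md5(b"356938035643809").hexdigest()},
    {"url": "https://cdn.example.test/logo.png", "body": ""},
]

if __name__ == "__main__":
    for name, enc, url, cleartext in find_leaks(SAMPLE_REQUESTS):
        print(f"{'CLEARTEXT' if cleartext else 'TLS'} leak of {name} ({enc}) -> {url}")
```

A hashed identifier still counts as a leak here: an MD5 of the IMEI is trivially reversed, which is why the scanner matches digests and not just the raw value.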
Along with user-submitted applications, the dynamic analysis system also allows us to test applications available on official app stores. For example, we found that 25% of the most popular 400,000 mobile applications on Google Play have at least one of the above-mentioned security issues. In the coming weeks, we will be releasing our 2016 Mobile Application Security Study, which goes into the details of our findings. Sit tight!