Static analysis of mobile applications

 
 
One of the stages of testing a mobile application is static analysis. Static application analysis is an application analysis without performing any application functions. The most convenient for me from open source frameworks is MobSF. Who cares, welcome under cat. link .
 
 
After installing MobSF - run the following batnichek to start the server (I wrote for myself, therefore, drive D).
 
d:
cd .MobSF
python .manage.py runserver

 
 
Next you need to go to the address http[:]//???.1:8000 and the main page opens (Fig. 1). There is not much functionality here:
 
3r366.  
file upload;
 
view reports on past scans;
 
go to API documentation;
 
transition to GitHub project.
 
 
 
Fig. 1. Homepage.
 
 
After the file has been downloaded and analyzed, a page appears with the result of the analysis (Fig. 2). On the left is a menu that allows you to navigate quickly across the entire page (the result is simply volume). What useful information is on this screenshot:
 
3r366.  
application hash sum;
 
supported OS versions of Android;
 
the number and types of components (exported or not) is important, as exported components can lead to critical vulnerabilities;
 
the ability to view and download java- and smali-files that can be analyzed by other tools or manually;
 
view the manifest file for analysis.
 
 
 
3r388.
 
Fig. 2. The result of the analysis.
 
 
We go further. In fig. 3 shows information on the certificate that signed the application.
 
 
3r399.
 
Fig. 3. Certificate Information.
 
 
The following is a description of the permissions analysis, which are described in the AndroidManifest.xml file (Fig. 4). MobSF analyzes the permissions of the application, determines its status, for criticality and the description of permissions. Here you need to understand the architecture of the Android OS for the actual criticality of the application.
 
 
3r31-10.
 
Fig. 4. Analysis of Android Permissions /
 
 
The Security Analysis -> Code Analysis tab (Figure 5) shows the result of the analysis of java-code by a static analyzer, which identifies potential vulnerabilities, determines their criticality and the files in which this type of vulnerability was found. In many ways, these results are false positive, but you need to recheck it all.
 
 
 
Fig. 5. Code analysis.
 
 
The next tab (Fig. 6) is the analysis of files on the virustotal.com service. In this case, the file was not detected as infected.
 
 
3r33132.
 
Fig. 6. File analysis.
 
 
The URLs tab (Figure 7) displays the list of URLs, IP addresses and the files in which they are stored or called. This section analyzes where the application sends the data or where it stores the information.
 
 
3r3143.
 
Fig. 7. Tabs URLs.
 
 
The “Strings” tab (Fig. 8) analyzes the text files that are in the res directory. When analyzing an application, these files may contain hard-to-find accounts and other sensitive data. Although in my memory this was not.
 
 
3r3154.
 
Fig. 8. Analysis of text files.
 
 
The “Components” tab (Fig. 9) displays a complete list of components (activity, service, content provider and receives), imported libraries and files without defining an extension.
 
 
3r3165.
 
Fig. 9. List of components.
 
 
Additionally, the source code can be analyzed using the VCG scanner static analyzer. VCG needs source code. The source code can be downloaded via the Download Java Code button (Figure 10). The file is downloaded in a zip archive. Next you need to extract the folder with the files from the archive (Fig. 11).
 
 
3r3176.
 
Fig. 10. Downloading source code.
 
 
3r3183.
 
Fig. 11. Extract the source code.
 
 
Scanning the source code is done as follows:
 
3r3192.  
In the “Settings” tab, select the “Java” item - Figure 12. 3-333201.  
In the “File” tab, select “New Target Directory” - Figure 13. 3r3-33201.  
In the “Scan” tab, select “Full scan” - figure 14.
 
 
 
3r3208.
 
Fig. 12. The choice of source code.
 
 
 
Fig. 13. Uploading the file directory.
 
 
 
Fig. 14. Start scanning.
 
 
After the scan is completed, the scanner issues the names of the vulnerability, its criticality, a brief description and place in the source code (Fig. 15). You can get a complete list of vulnerabilities and sort them by their criticality (Fig. 16).
 
 
Fig. 15. Description of vulnerabilities.
 
 
 
Fig. 16. Full list of vulnerabilities.
 
 
Conclusion
 
 
Static analysis of the application and source code provides basic concepts about the architecture of the application and the potential attack vectors. According to the methodology used in the company 3r33232. Hacken
the analysis of any applications from the client that came to Pentest begins with it.