Mobile usage is growing, and so are Mobile Apps. There are around 2 million apps on Apple App Store and 2.5 on Google Play. The latest research shows that 38% of iOS and 43% of Android apps had high-risk vulnerabilities. There are multiple types of vulnerabilities, and some of the dangers are:
Leaking personal user-sensitive data (email, credential, IMEI, GPS, MAC address) over the networkCommunication over the network with little or no encryptionHaving a world-readable/writable fileArbitrary code executionMalware
If you are the owner, the developer, then you should do all it takes to secure your mobile app. There is plenty of security vulnerability scanner for the website, and the following should help you to find the security flaws in Mobile apps. Some of the abbreviations used in this post.
APK – Android Package KitIPA – iPhone application archiveIMEI – International mobile equipment identityGPS – Global positioning systemMAC – Media access controlAPI – Application Programming InterfaceOWASP – Open web application security project
App-Ray
Keep vulnerabilities at bay by using the security scanner by App-Ray. It can check your mobile applications from unknown sources and provides a reputation by integration with EMM-MDM/MAM. The scanner can detect threats before they harm your data and prevents you from installing malicious apps. Integrate your applications with vulnerability analysis while building them. Their REST API lets you perform analysis automatically and elegantly. You can also trigger actions in case you detect any issue to prevent possible risks. It leverages advanced and military-grade technologies to map data and analyze network traffic which includes encrypted communication as well. App-Ray employs multiple analysis techniques – static as well as dynamic and behavior-based analysis. Static code analysis is employed for coding problems, encryption-related issues, data leaks, and anti-debugging techniques. Similarly, dynamic and behavior-based analysis is done for instrumental and unmodified testing, accessing communication files, etc. App-Ray supports iOS and Android platforms. Once the scan is done, you can see all the technical details and let you download the necessary files, including the PCAP file.
Astra Pentest
Scan and fix security weaknesses in your Android and iOS applications with Astra Pentest and secure them against any kind of vulnerability exploit hacking attempt or data breach. Astra’s comprehensive vulnerability scanner and automated and manual pen testing solution, while performing tests, consider every aspect of mobile application parameters including its:
Architecture and designNetwork communication and data processingData storage and privacyAuthentication and session managementMisconfiguration errors in code or build settings
Key Features of Astra Pentest:
Over 3000+ security tests for scanning and pen testing a mobile appAutomated and manual pen testing using multiple tools and techniquesAutomated vulnerability scanning with Astra’s Login Recorder.OWASP Top 10 and SANS25 standard testingVulnerability management dashboard to collaborate and fix vulnerabilities on timeIntegration with CI/CD and other AppsCXO and developer-friendly dashboardPentest test cases for GDPR, HIPAA, PCI-DSS, ISO, and SOC2 compliancePublicly verifiable penetration testing certification
Astra Pentest is a one-stop solution for securing Android and iOS applications from cyberattacks, sensitive data breaches, and other hacking attempts.
Codified Security
Detect and quickly fix security issues using Codified. Just upload your app code and use the scanner to test it. It gives a detailed report highlighting security risks. Codified is a self-serve security scanner. It means you are required to upload your app files into its platform. It is capable of integrating with delivery cycles seamlessly. You can create your rules for static analysis engines and set compliance levels as well. Their security reports are professional and highlight clear details on all the risks associated with your mobile apps. It also shows a list of applicable actions that you can execute to prevent security breaches. Codified supports IPA and APK uploads. It facilitates static, dynamic, and 3rd-party library tests. Additionally, Codified integrates with Phonegap, Xamarin, and Hockey app and also supports Java, Swift, and Objective-C applications.
Mobile Security Framework
The automated and all-in-one mobile app – Mobile Security Framework (MobSF) can be used on Windows, iOS, and Android devices. You can use the app for malware analysis, pen testing, security assessment, etc. It can perform both types of analysis – static and dynamic. MobSF provides REST APIs so you can integrate your DevSecOps pipeline or CI/CD seamlessly. It supports mobile application binaries such as IPA, APK, and APPX in addition to zipped source codes. Using its dynamic analyzer, you can execute assessments for runtime security as well as instrumented testing.
Dexcalibur
Dexcalibur is a reverse engineering Android scanner that focuses on instrumentation automation. The aim of Dexcalibur is to automate all those boring tasks associated with dynamic instrumentation including:
Searching for some interesting things or patterns to hookProcess the data a hook gathers such as a dex file, class loader, invoked method, etc.Decompile intercepted bytecodesWrite hook codesManage hook messages
Dexcalibur’s static analysis engine is capable of executing partial small pieces as well. Its purpose is to render the executed function. It can also render what function can be executed based on call stack depth or configuration value. It helps you to read cleaner bytecode versions by removing opaque and goto predicates that are useless.
StaCoAn
StaCoAn is a great tool that helps developers, ethical hackers, and bug-bounty hunters to perform static code analysis for mobile applications. This cross-platform tool analyzes lines written on a code containing API keys, API URLs, hardcoded credentials, decryption keys, coding errors, and so on. The aim behind the creation of this tool was to provide better graphical guidance and usability in the user interface. At present, StaCoAn supports APK files only, and IPA files would be available soon. As you can guess, it is open-source. StaCoAn includes a drag-and-drop feature for your mobile app file so you can generate a portable and visual report. You can even customize wordlists and settings for a better experience. These reports are easy to browse through a decompiled application. Using the “loot function”, you can bookmark valuable findings. You can also view all your findings on the provided page. StaCoAn supports different file types such as Java, js, XML, and HTML files. Its database comes with a table viewer where you can search the database files for keywords.
Runtime Mobile Security
The powerful interface of Runtime Mobile Security (RMS) helps you in manipulating iOS and Android applications at runtime. Here, you can hook everything in no time, dump loaded classes, trace method arguments, and return a value, including custom scripts, etc. Using its API monitor, you can monitor multiple Android APIs that are categorized into 20 types. You can extend the support by adding extra methods or classes to the JSON file and even check native functions like open, close, write, read, remove, unlink, and so on. A file manager is included so you can explore the private files of the application, and if needed, you can download them.
Ostorlab
Ostorlab lets you scan your Android or iOS app and give you detailed information on the finding. You can upload the APK or IPA application file, and within a few minutes, you will have the security scan report.
Quixxi
Quixxi is focused on providing mobile analytics, mobile app protection & recovery of revenue loss. If you are just looking to do a vulnerability test, then you can upload your Android or iOS application file here. The scan may take a few minutes, and once done, you will get a vulnerability report overview. However, if you are looking for a comprehensive report, then you got to do a FREE registration on their website.
SandDroid
SandDroid performs static and dynamic analysis and gives you a comprehensive report. You can upload APK or zip files with a maximum of 50 MB. SandDroid is developed by the Botnet research team & Xi’an Jiaotong University. It currently performs checks on the following.
File size/hash, SDK versionNetwork data, component, code feature, sensitive API, IP distribution analysisData leakage, SMS, phone call monitorRisk behavior and score
QARK
QARK (Quick Android Review Kit) by LinkedIn helps you to find several Android vulnerabilities in source code and packaged files. QARK is free to use and to install it requires Python 2.7+, JRE 1.6/1.7+ and tested on OSX/RHEL 6.6 Some of the following vulnerabilities are detectable by QARK.
TapjackingImproper x.509 certificate validationEavesdroppingThe private key in the source codeExploitable WebView configurationsOutdated API versionsPotential data leakageand much more…
ImmuniWeb
An online Android and iOS app scanner by ImmuniWeb test application against OWASP mobile top 10 vulnerabilities. It performs static and dynamic security tests and provides an actionable report. You can download the report in PDF format, which contains the detailed analysis results.
Conclusion
I hope the above vulnerability scanners help you to check your mobile application security so you can fix any findings. If you are a security professional, you may be interested in learning Mobile penetration testing. Here are 8 tips for better mobile security.
