Author at Infinum

Secure Your App – OWASP Top 10 Mobile Risks Explained

Renato Turić — Wed, 06 Mar 2024 14:44:47 +0000

The OWASP Top 10 Mobile provides an overview of the critical security risks mobile app providers should keep an eye on.

Nowadays, nobody needs to explain how important mobile apps are for any business. What’s more, with the number of connected devices in the world growing practically by the minute, mobile IoT apps have an important role to play.

With such widespread use, mobile apps are very susceptible to security breaches, and ignoring the security aspect of a digital product and hoping for the best is no longer a viable strategy. In the evolving digital world, safeguarding one’s business interests and maintaining customer trust is crucial for staying competitive.

Our experiment demonstrated that even OWASP-guided prompts leave exploitable gaps when the underlying code is AI-generated — the standard was applied, but system-level assumptions weren’t.

To concentrate their cybersecurity efforts, companies should first be aware of the challenges and the risks that lurk in the digital space, and the OWASP Top 10 Mobile list is the first step in the right direction.

How OWASP Top 10 mobile risks help companies secure their digital assets

Mobile app security is not just about protecting technical assets. Fundamentally, it is about safeguarding a company’s reputation and customer data and possibly avoiding legal repercussions. Data breaches exposing sensitive user information or a company’s intellectual property not only result in financial losses, but severely damage customer trust.

With that in mind, it is very important that we have and nurture communities of security experts who will look into the common issues one might run into in the digital world. The OWASP Foundation is one of those communities. Through freely available resources like articles, methodologies, community-led projects, and conferences, the foundation actively works on enhancing digital security.

To help you digest the biggest mobile dangers of today, we provide a simplified overview of OWASP’s risks and their implications for businesses.

Securing your business from cyberattacks requires a holistic approach. While understanding risks like those in the OWASP Top 10 is essential, penetration testing uncovers vulnerabilities specific to your digital product. Explore our pentesting services to fortify your defenses.

OWASP Top 10 Mobile ranking overview

The OWASP Top 10 mobile risks list presents a refined perspective on the evolving landscape of mobile security threats. Each entry on the list is focused on a specific area of concern, emphasizing the importance of a proactive security mindset.

However, security breaches in real life typically don’t happen on account of a company’s susceptibility to a single risk from OWASP’s list. Often, attackers will exploit multiple weaknesses and leverage social engineering attacks to reach their malicious goals. The examples we provide indicate that a specific risk was acted upon, but we should note that interpretations may vary and that often, only the affected company knows the true cause of a breach.

M1: Improper credential usage

A new entry on the OWASP list, improper credential usage is such a critical issue that it immediately earned the status of the number one security risk for this year. Hardcoded or poorly managed credentials that are not encrypted are very common and very easy to take advantage of.

A famous example of this type of exploit happened to Uber in 2017 when the company reported that the personal information of 57 million users and 600,000 drivers was exposed because hackers discovered a hardcoded Amazon S3 Datastore key in a private GitHub repository used by Uber developers.

Dangers

By gaining unauthorized access to a person’s credentials (i.e. mobile banking PINs, Token OTPs, email passwords, etc.), malicious actors can employ automated attacks or other methods that result in data breaches, privacy loss, and various fraudulent activities. Businesses face severe repercussions, such as reputation damage, fraud, information theft, and unauthorized access to data.

Mitigation strategies

Avoiding hardcoded credentials in the app source or any configuration file, encrypting data transmission, and handling storage securely, together with regular updates of API keys and tokens. There are plenty of static and dynamic code analysis tools for mobile platforms that can help you detect some of the issues.

It is also very important to employ strong authentication protocols to protect against unauthorized access and ensure data integrity. If you want to look into this further, OWASP has a cheat sheet on how to implement proper authentication, including different protocols.

M2: Inadequate supply chain security

Another new entry on the list and also a very common issue is inadequate supply chain security. According to OWASP, supply chain security refers to the entire ecosystem used for developing and distributing mobile apps. This includes third-party libraries, SDKs, vendors, and processes like coding, testing, and distributing.

Failing to implement security measures throughout the process and in some of the mentioned components, we can easily risk serious vulnerabilities in mobile applications, allowing attackers to insert malicious code or exploit third-party libraries. For example, this happened with the EventBot malware discovered in 2020. The malware bypassed security measures by exploiting third-party libraries and SDKs within Android apps to steal user data and financial information.

Dangers

These kinds of attacks can potentially lead to data breaches, malware infections, and in some cases, complete control of the device. Businesses may face financial losses, reputational damage, legal consequences, and interruptions in the delivery of goods or services.

Mitigation strategies

To prevent such scenarios, it’s crucial to implement secure coding practices and conduct thorough testing and code reviews. Also, when picking third-party libraries and components, focus on the community around it, the proactiveness of the maintainers, and the quality of the support. Employing all of this will form a certain level of protection that is crucial in battling this risk.

Keeping your dependencies up to date is also a must, or even better, automating the update process with the available tools. Last but not least, establish robust and secure app signing processes that protect your app signing keys and certificates.

M3: Insecure authentication/authorization

What used to be two separate entries on the list is now one merged entry that is higher on the security risk ranking. Insecure authentication and authorization expose mobile applications to unauthorized access and data breaches.

Dangers

Attackers can exploit these vulnerabilities to perform actions posing as legitimate users or access sensitive data. This can seriously impact a business’s reputation, leading to information theft and financial losses. From a technical perspective, in worst-case scenarios, this can also lead to destroying an entire system.

This is one of the most consistent findings in AI-generated code. Our vibe-coded application security experiment found role-assignment vulnerabilities in every app tested, with no explicit security guidance.

Mitigation strategies

Prevention includes avoiding weak authentication patterns, avoiding offline authentication, and relying on server-side security. Integrating robust authentication mechanisms like multi-factor authentication to ensure data integrity and protect sensitive user information is also a must. In some cases, improper usage of features like biometric authentication can also make for insecure authentication.

M4: Insufficient Input/Output Validation

Another new entry on the list, insufficient input/output validation occurs when an app fails to properly validate data from untrusted sources, leading to the execution of malicious input. This common risk in mobile apps can lead to severe security issues, such as data breaches, SQL and command injection attacks, and unauthorized data manipulation.

Dangers

Exploiting these risks can severely impact an organization’s reputation through data breaches and system failures, eating away at customer trust. It can also lead to legal issues and financial penalties for not adhering to data protection laws.

Mitigation strategies

The necessary thing to do is implement the required validation on both the client and the server side, employing whitelisting approaches and sanitizing data to prevent the execution of harmful input. Also, it’s important to conduct regular security assessments like code reviews and penetration tests.

M5: Insecure Communication

This is one of the rare entries ranked lower than in the last year’s release. This is a good sign because it means that the risk is being addressed to some capacity. Nonetheless, insecure communication remains a serious issue. It poses a risk by allowing attackers to intercept or alter data transmitted by mobile applications.

Dangers

Exploiting insecure communication and leaking sensitive data can result in a privacy violation, which compromises the user’s confidentiality and has legal repercussions for businesses.

Mitigation strategies

Implementing end-to-end encryption, using secure protocols like TLS, and regularly updating security certificates are effective strategies. The OWASP web page provides a short list of very concrete best practices for iOS and Android that you can follow to make your app more secure.

If you are interested in a more technical approach, you can check out our article on preparing your Android app networking for a penetration test or the one about SSL pinning on iOS.

M6: Inadequate Privacy Controls

Inadequate privacy controls are another new addition to OWASP’s list of mobile risks to keep an eye on. Privacy controls protect Personally Identifiable Information (PII) such as names, addresses, financial data, and sensitive personal details from unauthorized access.

Dangers

Attackers target this information to commit fraud, steal funds, blackmail, or damage critical data. All of this can have a negative impact on user trust and potentially result in regulatory fines, which depend on the number of affected users. The technical impact of this risk is low but not ignorable.

Mitigation strategies

Businesses can mitigate this risk by implementing robust data access controls, conducting regular privacy assessments, and ensuring compliance with privacy laws and regulations.

M7: Insufficient Binary Protection

Previous entries known as M8: Code Tampering and M9: Reverse Engineering are now one combined entry. We can see that the risk itself moved up in the ranking, which makes it even more important to be aware of.

Insufficient binary protection makes mobile applications vulnerable to reverse engineering and tampering. While somewhat similar, there are important differences between the two. Reverse engineering involves analyzing a system to understand its operation without accessing its documentation or designs. Tampering, on the other hand, refers to unauthorized alterations or manipulations of a system or software to change its behavior or outcomes. Both can lead to intellectual property theft and compromise app integrity.

Dangers

What makes these kinds of exploits dangerous is the fact that attackers may alter app binaries to unlock paid features or simply evade security layers in specific parts of the application. Businesses face significant risk if intellectual property, such as algorithms or AI models, is leaked or stolen by competitors. It is also important to note that all apps are vulnerable to binary attacks.

Mitigation strategies

Protection involves using code obfuscation techniques, implementing tamper-detection mechanisms and root detection, and securing application code against unauthorized modifications. Some useful libraries and tools that can help with this are Google Play Integrity API for Android and the detailed OWASP documentation for iOS.

M8: Security Misconfiguration

Previously known as M10: Extraneous Functionality, this entry has jumped from number ten to number eight in the risks list. While perhaps it is not so easy to exploit, it is a risk we should nonetheless be aware of, especially considering the move in its ranking.

To illustrate, in 2022 Microsoft discovered a high-severity vulnerability in the TikTok Android application, which could have allowed attackers to compromise user accounts with a single click. Luckily, TikTok responded promptly to Microsoft’s notification by releasing a fix. This example shows how improper security configuration (M8) (in this case, of Android’s WebView) and DeepLink validation (M4) can cause significant harm in the authentication/authorization flow (M3).

Dangers

Security misconfiguration can expose mobile apps to various attacks, leading to unauthorized access and data breaches. This can also cause some application downtime and disrupt a business, which can have a negative effect on the finances and cause brand damage.

Mitigation strategies

Regular security audits, adherence to secure coding practices, and ensuring proper configuration of security settings can help mitigate these risks. A common pitfall is failing to review default configurations of tools and frameworks.

M9: Insecure Data Storage

This entry demonstrates some general improvement in app development, as it dropped from number two to number nine. However, insecure data storage practices can still bring forth significant security risks. For example, this happened to UnderArmour’s MyFitnessPal app in 2018. The breach involved unauthorized access due to insecure data storage and affected 150 million users, exposing their usernames, email addresses, and hashed passwords.

Dangers

Unauthorized access to the device’s file system and interception of data transmission can compromise user privacy and data integrity.

Mitigation strategies

Encrypting stored data, ensuring secure data handling practices, and conducting thorough security testing are key ways of handling these risks. These tactics will also give a boost to your business because organizations that have experienced data breaches or have become known for practicing insecure data storage have a competitive disadvantage in today’s market. Customers will always prioritize and favor competitors with stronger data security records. This is another instance where penetration tests can be a valuable asset.

M10: Insufficient Cryptography

The last entry on the list and another one that fell in the rankings. Insufficient cryptography in mobile applications involves exploitations by various threat agents who take advantage of the fact that many mobile application developers don’t have the proper know-how on how to implement and use cryptography and hash functions the way they are intended. Or, even worse, try to implement it from scratch.

Dangers

These agents target weak encryption, lack of HTTPS, key management flaws, and cryptographic vulnerabilities to decrypt data, manipulate cryptographic processes, or gain unauthorized access.

Mitigation strategies

To address these risks, it’s essential to use strong encryption algorithms and implement secure cryptographic practices. Regular updates and security audits can also help mitigate vulnerabilities and strengthen the overall security layer around your business. On the OWASP web page, you can find best practices about industry-standard processes of handling keys, hash functions, validation and authentication, and more.

A security mindset changes everything

The OWASP Top 10 mobile risk ranking is just one of many open-source tools that businesses can use to improve their digital security. However, no tool or framework can be a cure-all without embracing a proper security mindset.

When we foster a culture of security, it impacts every aspect of a business. We build this culture by recognizing that security is a continuous journey that requires ongoing vigilance, adaptation, and commitment to best practices. The OWASP list and other tools and best practices serve as a vital compass here, guiding us through the complexities of the digital world toward a future where security and business objectives are tightly linked.

Each of these vulnerabilities presents unique challenges but also opportunities for businesses to enhance their security measures, protect sensitive data, and reinforce their commitment to being a trusted service provider for their user base.

If you need help boosting your security posture, check out our cybersecurity services.

The post Secure Your App – OWASP Top 10 Mobile Risks Explained appeared first on Infinum.

How to Prepare Your Android App for a Pentest: The Bits and Pieces

Renato Turić — Wed, 22 Sep 2021 15:40:00 +0000

Android app pentesting is an invaluable tactic for identifying the weaknesses and possible penetration points in your apps. In the age of constantly evolving sophisticated cyber-attacks and data breaches penetration testing is mandatory.

We’ve spoken about networking and data storage issues in our previous blog posts, so this final installment in the series can wrap up the story by covering the “miscellaneous” category, the remaining common cases in a pentest.

You’ll find the previous posts here:

Let’s jump right into the cases in no specific order.

Root detection

The Android operating system on our phones is a commercial version of the OS provided by the manufacturer. This means that the end-user doesn’t have full control over their device due to system-level restrictions and safeguards.

To bypass these, it’s possible to perform rooting, which grants the user root access. With a rooted device, the access control imposed by the operating system is compromised and we can’t guarantee the application sandbox features will securely protect our app’s private data.

In the worst-case scenario, the data can become exposed to malicious software that manages to elevate its privileges to root access.

Preparation phase – What you’ll need to know

To protect apps on rooted devices, we first need to detect whether a device is rooted. We do this by performing root detection.

It is important to know that no solution will give you a 100% accurate result. If the result indicates that the device is in fact rooted, we should follow the best practice recommended by OWASP in their Mobile Security Testing Guide book (page 84). We should notify the user that the app runs on a rooted device and that certain high-risk actions will carry additional risk due to its status, or just completely block our app’s usage.

For detecting rooted devices we recommend using an existing implementation rather than doing it from scratch. Google provides SafetyNet which has a set of API-s that help protect your app against security threats altogether.

SafetyNet has no specific API that can tell us if a device is rooted, it’s not a part of its design. However, we can use it to check the flags that we receive from the SafetyNet backend. The flags that we are looking for are ctsProfileMatch and basicIntegrity. If these two flags turn out false, it implies that the system integrity has been compromised, and rooting is a potential cause.

There is no need to get into implementation details because the official documentation site offers good descriptions. You can also find some code examples in this repo.

However, you might have noticed that SafetyNet has a limit of 10,000 requests per day across your user base. This is a problem for most apps that are actually interested in that kind of a service but fortunately, there are ways to handle this limitation. The official way to handle it is described in the official documentation.

If this option doesn’t work for you, you can implement a workaround that could cover most of your cases. It includes using the RECEIVE_BOOT_COMPLETED permission and running the SafetyNet request only when your application receives the mentioned system reboot event. This will keep your API quota limit under control, but it’s not a future-proof solution. The official way is always the preferred one.

A good alternative to SafetyNet is RootBeer written by Scott Alexander-Bown who also wrote the Android Security Cookbook. You can also use it in combination with safetyNet to control your API quota limit.

Penetration testing is the first step you should take to keep your business safe. Explore our pentesting services and discover any vulnerabilities in your system before malicious actors do.

Logs

Logging is very common in every application. We usually use it to pinpoint an undesired behavior, but we can also use it to track fatal and non-fatal crashes on our crashlytics tools.

Logs can be valuable during the development process. In most cases, we treat them as harmless pieces of characters. Unfortunately, that approach can sometimes put us in an undesirable situation where we can leak sensitive data through our logs.

As Android developers, we use Logcat for inspecting our application’s logs. We only need a couple of command lines and we get a live dump of all the logs, not just from an individual app, but the entire system. A potential attacker could easily do the same and if they found some useful info, they could use it to exploit our application or the entire system.

Preparation phase – What you’ll need to know

To prevent data leakage through logs, it’s best to remove logs from production builds. Luckily, there are some handy tools to handle this task for us.

For example, we can use Timber for logging information and use the Tree feature to separate logging implementations for different application variants. We can use the default DebugTree from Timber to log information through Logcat in debug builds. For release builds we can create our own implementation that we will use to send information to our analytics or crashlytics tools. To implement your own tree, you can extend the Timber.Tree class and add your logic inside the log method:

class ReleaseTree() : Timber.Tree() {

    override fun log(priority: Int, tag: String?, message: String, t: Throwable?) {
    // handle received logs
    }
}

After you have your custom tree implementation you can set it inside the application class depending on the desired buildconfig, something like this:

Timber.plant(if (BuildConfig.DEBUG) Timber.DebugTree else ReleaseTree())

In case you don’t use Timber you might stumble upon a ProGuard option to remove all log messages using this proguard rule:


-assumenosideeffects class android.util.Log {
public static boolean isLoggable(java.lang.String, int);
public static int v(...);
public static int i(...);
public static int w(...);
public static int d(...);
public static int e(...);
public static int wtf(...);
}

Keep in mind that the rule above will not help you with dynamically constructed strings used to log the data using the Log methods later on. This is due to the fact that dynamically constructed strings (i.e using StringBuilder) can still be seen in the bytecode. For more details about this particular issue, you can check the MSTG source.

Also, be careful about the above proguard rule because you can find a lot of similar rules on the Internet that can break your application. Check this article for more information. Always double-check your source when it comes to security!

Tapjack

Tapjacking is an old security issue that was well known on devices running Android versions 4.0.3. However, it can still be dangerous today if a user is unaware of it.

The exploit is based on the Android permission SYSTEM_ALERT_WINDOW which allows an app to draw an overlay over other apps. Attackers can use this option to create an overlay that would essentially hijack user taps and use it to obtain sensitive user information, hence the name tapjack.

The Android runtime permission introduced in Android API level 23 is a good measure of protection against tapjacking attacks because the users have to manually grant the permission to draw over other apps. Before API level 23 any developer could just add the permission in the manifest file and they would be able to use the feature immediately when the app is installed.

On some devices that run Android API level 23, there is a system-level security issue with the SYSTEM_ALERT_WINDOW. An app could use the exploit to draw an overlay over the system permission dialog. That would make it possible for the attacker to change the text of the permission dialog to make the user think the permission they are about to grant is not dangerous, while in reality, it could be the opposite.

In the worst-case scenario, this would allow the attacker to obtain user information from the device. Here you can find more information about that specific case.

Another very popular attack class involving the SYSTEM_ALERT_WINDOW permission is the cloak-and-dagger which also enables some advanced tapjacking attacks.

Preparation phase – What you’ll need to know

Let’s imagine a situation where your app has a login screen and the user has to enter their login credentials. Let’s say that the user also has an app on their device that they trust, but is unaware that the app has malicious intent. That kind of an app can use the SYSTEM_ALERT_WINDOW to draw a transparent overlay over any other app and is specifically designed to track keyboard inputs.

With some additional effort, the attacker could obtain our user’s login credentials for our app. To take it another step further, the attacker could literally obtain anything that the user enters on the keyboard.

To protect your app from these kinds of attacks, Android offers a built-in solution to detect overlays over specific UI elements that we think are exploitable. You can do this by using the following XML tag:

android:filterTouchesWhenObscured=”[true|false]”

Keep in mind that by setting this flag to true, the view will not receive touches whenever a toast, dialog, or other window appears above the view’s window. This will get the job done, but it is not recommended to leave it that way because the users will have a terrible time using your app. Imagine you want to press a button and nothing happens, that’s just bad user experience.

Luckily, we have a way of detecting when exactly this happens. We can override the onFilterTouchEventForSecurity method in a compound view used to place it above other views. That way it can intercept obscured touch events and react to them.

override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        if (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED == MotionEvent.FLAG_WINDOW_IS_OBSCURED) {
        // React to obscured events
        return false
    }
    return super.onFilterTouchEventForSecurity(event)
}

Fortunately, tapjacking, even though potentially very dangerous, is easy to handle. You should make sure your users are aware of the problem because the lack of awareness itself might be the biggest problem with this exploit.

There are signs that Google might deprecate the permission entirely. Android Go versions are already not allowed to use that feature. Also, features like Facebook Chat bubbles, which rely on the SYSTEM_ALERT_WINDOW permission , are receiving alternate API solutions to cover their use cases. It could be taken as an indication that the long-term plan is permission removal. We will have to wait and see.

Clipboard manager

Clipboard is one of Android’s system components. It is exposed to developers through a class called ClipboardManager which grants copying, monitoring, and paste operations for specified data.

One of the clipboard component’s main characteristics is globally accessible to any app running on the device and no additional permission is needed. This leaves users vulnerable in case there is a malicious app on their device that could sniff out its clipboard and obtain passwords, credit card details, and other sensitive user information. This article shows how Android’s clipboard could be exploited in a password manager app.

Preparation phase – What you’ll need to know

Sadly, there is no good way to mitigate attacks on data contained in the clipboard from within our app, so it should be handled on a system level. There are some mitigation tactics but they strongly depend on the use case you want to achieve. One of the most common and safest approaches is to disable the copying of sensitive data altogether. This better-safe-than-sorry scenario can leave your users with a bad UX, but it protects those less technically savvy.

Screenshots

When you think about it, taking screenshots is very similar to copying plain text. The vulnerability area is very similar to the one from the previous chapter. The only difference, except the data type, is the location of the saved data. Screenshots are usually saved in the device’s internal storage in a folder named Screenshots, but this may slightly vary depending on the manufacturer.

Preparation phase – What you’ll need to know

The mitigation process is also very similar to the one for Clipboard manager. Luckily, we can use the Android built-in API to determine which screens can be screenshotted and which are prohibited. We do this by using the window flag FLAG_SECURED. The snippet below shows how to set the flag in a fragment.

requireActivity().window.setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE)

This will also protect your app from screen-recording apps.

Inter-process communication (IPC)

When we install our apps on the Android OS they run in their own secure sandbox. However, like any other system, Android also gives us IPC capabilities to communicate with the rest of the system or with other apps.

We can use more traditional ways like using shared files to communicate, but this is not recommended since we have more evolved solutions provided by the Android OS. One of those solutions is Services. They are components used for long-running operations in the background, but they can also be used for IPC with bound services where other components can bind to a service and interact with it.

Further, there is ContentProviders or a more advanced mechanism like AIDL.

Probably the most common way we use for communication between different Android components is Intents. An Intent is an abstract description of an operation that we can use to communicate with Activities, BroadcastReceivers, and Services. This is a broad subject so we will try to focus on the main techniques for protecting your application components from unwanted interactions.

Preparation phase – What you’ll need to know

There are several tools at your disposal for making your app safe for IPC. If your app does not handle IPC, make sure that your main components don’t have the exported flag set to true in the manifest. It is false by default, but sometimes we set it to true in case we want to start a specific activity from Android Studio for faster development. Just ensure you don’t forget to check that flag before release or create a custom lint rule if you already don’t have it.

Suppose your components need to be exported for IPC. In that case, you should make it restrictive because sniffing broadcasted Intents is as simple as writing a terminal command using tools like Drozer.

What you want to do is set the corresponding permissions for your components so that you indicate to targets that want to communicate with your application that they need to follow the rules you set. Together with that tag and the protection level you can control the restriction level for your components.

For example, suppose your company has multiple applications in production and you want to make sure that only your applications can communicate with each other in order to avoid impersonated intents from potential attackers. In that case, we can define a custom permission inside our manifest like this:

<manifest  package="com.example.myapp" >

    <permission
      android:name="com.example.myapp.permission.READ_USER_DATA"
      android:label="Read user data"
      android:description="Can access user data like email, username, password, ..."
      android:protectionLevel="signature" />

manifest>

You’ll notice that protectionLevel is set to signature mode, which gives us the desired effect described above. In other words, this is automatically granted to a requesting app if that application is signed by the same certificate. For more information about other protection levels, check the protectionLevel documentation. With our custom permission defined, we can use it in our components. For example, if we want to protect our service with this permission, we would write the following code in our manifest:

<service 
android:name=".data.session.SessionService"
android:permission="com.example.myapp.permission.READ_USER_DATA"/>

We can add this to the application tag in our manifest to protect our entire application with this permission.

Alongside the exported flag and custom permissions we also have intent filters in our arsenal to protect our applications from malicious and undesired IPC.

Intent filters can be used to specify the types of intents that an activity, service, or broadcast receiver can respond to. That way we can anticipate the input in our components. Whatever you decide to use, it is always good practice to check the data you receive programmatically to see if it is something that you expect.

Conclusion

Pentesting is an ever-evolving subject, so this is by no means an exhaustive guide. Some important topics were left out due to their complexity, such as WebView vulnerabilities, reverse engineering, and dependency control.

Protecting your applications from attacks is challenging and sometimes even impossible because more sophisticated attacks are constantly evolving and these won’t be easily withstood using standard tweaks and tricks. Protection against them requires tedious manual analysis, coding, and probably lots of frustration.

One thing is certain though, to prepare your applications in the best possible way it is important to stay in the loop. Keep in touch with the community and experiment with attacks on your own. If you know how malicious code works, it is easier to get the know-how to mitigate it.

Testing tools

As a final note, here is a list of useful tools that can help you analyze your applications and hopefully make them a bit more secure:

If you want to look into more ways to improve the security of your digital product, explore our cybersecurity services.

The post How to Prepare Your Android App for a Pentest: The Bits and Pieces appeared first on Infinum.

Securing Data Storage in Preparation for Pentesting

Renato Turić — Fri, 13 Mar 2020 11:15:00 +0000

Securing the data stored within an app is just as important as it is often ignored.

Because data is commonly not dealt with properly, it ends up being exploited and exposed to unintended leakage a lot more than it should.

Data storage security among top concerns

According to this 2016 research by The Open Web Application Security Project, insecure data storage is among top security concerns in mobile apps, second only to improper platform usage.

Luckily, Android provides us with various ways to keep data safe.

The first post from our Pentesting Series covered some key concepts of a TLS connection and showed how to achieve a secure network layer in an app which would pass a pentest.

This edition will focus on securing user data in the app storage.

Penetration testing is the first step you should take to keep your business safe. Explore our pentesting services and discover any vulnerabilities in your system before malicious actors do.

Shared preferences – a security risk

Shared preferences are probably the most used Android API for storing small amounts of data. It is based on a key-value pair model, and there’s a very simple process evolving in the background.

It saves the key-value pairs into an .xml file, which is located in the app data directory in a directory called shared_prefs. Since the data is saved in a plain .xml file, the sensitive data we save in there is a security risk – especially if our AndroidManifest.xml configuration states that app backups are allowed:

<application android:allowBackup="true" />

The allowBackup attribute is set to true by default when a new project is created, as confirmed in Android Studio 3.5.2. Taking that into account, let’s see how easy it is to extract shared preferences data from an app.

To exploit the allowBackup flag we need adb connection to the device that is running our app. Afterwards, it is enough to run the following command:

$ adb backup com.example.app

This command will result in the entire application backup file, backup.ab. This file contains all the information needed to restore the application in case we want to migrate our system settings and app settings to another device.

To see the contents of the .ab file, use any file-unpacking tool. This example uses Android Backup Extractor. This tool allows us to create a .tar file with the following command:

$ abe unpack backup.ab backup.tar

After acquiring the .tar file and unpacking it, all the contents from the original backup.ab file become available. One of those files is the shared preferences .xml file. By opening the file, we can see all the key-value pairs used in the app.

For example, let’s say the extracted .xml file looked like this:

xml version="1.0" encoding="utf-8"? standalone=”yes” ?>
<map>
    <string name=”AUTH_TOKEN”>89239d28328dj2398do1320942ng>
    <string name=”USER_ID”>qwr3131cng>
map>

Even when using the shared preferences in private mode, it is simple to extract and read sensitive data from the app, as these are in plain text.

What can we do to improve it?

Preparation phase – What you’ll need to know

The first thing that comes to mind is to simply set the allowBackup to false. This is a good first step, but we need to go one step further to really complicate things for attackers.

The above exploit is very simple and can be done by any attacker, so we should expect that extracting this file is always possible to a more experienced attacker, even with backup disabled.

As we don’t have control over the entire Android framework, we have to rely on Google to make it difficult for attackers to access the file. What we can and should do is to focus on the issue of plain text data inside that file.

One way of solving this issue is by using an encryption algorithm. Assuming you already know the basics of cryptography, we will not delve into specifics.

This example will show using a symmetric-key algorithm called AES. This essentially means that there will be one secret key for encryption and decryption.

The general idea is to use that secret key to encrypt the values we store in shared preferences and end up with an .xml file that has only encrypted data.

A cleaner approach is having a separate shared preference file just for sensitive data we want to encrypt and not mixing everything with other data.

Since we use a secret key, we have to secure it doesn’t get in the hands of the attacker – otherwise our efforts would be wasted.

There are several ways to tackle this problem. The first approach is to create a secret key every time we need it. The second is to create it only once and store it somewhere safe.

Recreate a key when needed

Recreating a secret key every time could be based on something only the user knows, like a password. After we acquire the password, we can use a key derivation function, like PBKDF2 to create the secret key.

Keeping in mind that user passwords are usually of low entropy, we should make sure that we have a large number of iterations when deriving the key in order to avoid easy brute-force attacks.

Iteration count is just one of the parameters for PBKDF2. To see other parameters for a more secure key, check out this amazing article.

One of the main cons in this approach is from the app’s UX side.

It is often very hard to incorporate this in the app without annoying the user, especially if we talk about saving and retrieving data from shared preferences, which occurs very often. Also, it could have a negative impact on the app’s performance.

These cons are definitely fixable problems, but the correct solution depends on the particular use cases of the app which we will not go into.

Creating a permanent key

The second approach is creating the key once and securely saving it somewhere for later use. This approach is is easier to integrate seamlessly in our application flow.

But where to store the secret key? The preferred way is using the Android keystore system, available since Android 4.3, API level 18.

Unfortunately, due to some issues, it is advised to use it only from Android 6, API level 23 and up, meaning succeeding gets a bit complicated when supporting lower API levels.

One option is to have the key saved on a server and fetch it when needed.

An alternative is to save the created secret key in shared preferences. In that case, it’s important to use some sort of obfuscation when storing the secret key.

When developing for API level 23+ and not wanting to create custom secure shared preferences, it is highly recommended to use the Security dependency from Jetpack for a complete secure shared preferences solution, called EncryptedSharedPreferences.

Under the hood, it uses the Android keystore system in combination with tink. The Android security team is working together with the tink team to provide support for API level 19 and above, which would be awesome!

That’s a lot of information to take in, so let’s recap it in a table to help you get a better feel of which solution is more suitable for the app in regards of implementation effort and maintenance, security and API level.

Choosing the most suitable app solution

File storage – two main locations to save files

Before we go into the specifics of file storage, it’s important to know what kind of encryption method is used on the device level in the context of user data.

Ever since Android 7, users have been given the benefit of file-based encryption. This means that encryption is run on file level instead of the block level. It isolates and protects files for individual users on their device.

For older OS versions, specifically versions Android 4 through 9, a full-disk encryption is used. Recent changes in the OS makes file-based encryption mandatory for devices that run Android 10. To read more about this classification, check out the official documentation.

Regarding file storage on the application level, Android offers two main locations to save files – the external and internal storages. In case of sensitive data in files, avoid using external storage because every app can gain access to it with the appropriate permission.

In addition, external storage can be removed. For example, when using a removable SD card it is highly advised to encrypt the files. Also, when working with files from external storage, make sure to perform input validation to be sure you are working with the expected file.

Internal storage, on the other hand, is a private sandbox area accessible only to your app. This makes it a more suitable place to save files that contain sensitive data and app’s cache data.

Furthermore, when it comes to internal storage, all data related to the app will be deleted when a user deletes the app, and no permissions will be needed to read/write files in the app’s dedicated directory.

Preparation phase – What you’ll need to know

When saving a file containing sensitive data in the external storage, the file should definitely be encrypted. Depending on the API level supported in the app, there will be different options.

In the case when the minSdk is API level 23, it is highly recommended to use the already mentioned security dependency. From there, you will be able to find a class named EncryptedFile which will allow easy creation and reading of encrypted files.

The creation of an encrypted file is very simple:

val encryptedFile = EncryptedFile.Builder(
    File(*directory*, "my_file.txt"),
    context,
    MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC),
    EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build()

After obtaining the EncryptedFile instance, we can either read or write to it.

At the time of writing this post, the above masterKeyAlias parameter is the configuration recommended by the Android security team. Under the hood, the file encryption uses tink to encrypt the contents of the file as segments.

Before API level 23, there is really no out-of-the-box solution provided by the Android framework. One alternative is to use the CipherOutputStream available in javax.crypto.

One of the parameters to create an instance of CipherOutputStream is Cipher, which provides the functionality of a cryptographic cipher for encryption and decryption. The configuration of the cipher depends on the algorithms that are available on the API level your app supports and the app’s use cases.

Both methods for external storage described above can also be applied to saving files in the internal storage. To avoid double encryption of the files, keep in mind that all files in the internal storage are encrypted by default starting from Android 10.

If you want to delete the files, note that the method delete from the File class only removes the file’s reference from the file system table, whereas the file will still exist on the disk until other data overwrites it, leaving it vulnerable to recovery.

In most cases, we won’t need to handle this, but it’s advised to overwrite the data with other random data before deleting the file but as an extra security measure.

Databases – stored in a private directory

Time to focus on SQLite databases on Android.

The SQLite database uses .db files to store data. The .db are stored in the private directory of your application, but the file can easily be extracted using the adb backup command.

Make sure to disable backups, in case there’s sensitive information stored in your SQLite database, similar to the case described in the shared preferences section above.

In addition, note that these databases are not encrypted and that it’s generally not advised to store sensitive data inside an unencrypted SQLlite database.

When doing operations on SQLite databases which contain sensitive information, it’s important to have proper input validation. Otherwise, SQL injection is a viable attack vector.

In other words, an attacker can manipulate an SQL query that will be interpreted as a part of the command or query, and as a result might retrieve arbitrary database records or manipulate database content.

Those kinds of attacks are much more common in the server-side web services, but exploitable instances also exist within mobile apps.

Preparation phase – What you’ll need to know

As mentioned earlier, SQLite does not provide an out-of-the-box solution for encrypting the database. Therefore, it is not recommended to save sensitive information, especially if that data is not encrypted beforehand.

One way to solve this problem is by using SQLCipher, a popular SQLite extension that offers a password-encrypted database.

Other than a small performance hit, the most noticeable negative side of using SQLCipher is its relatively big footprint on the APK size of around 7MB, unless you are using app bundles.

To use SQLCipher with Room, a persistence library that provides an abstraction layer over SQLite, follow the official instructions on the Github page. Another alternative is to use cwac-saferoom and reap the benefits from SQLCipher.

Regarding SQL injection attacks, it is advised to use parameterized query methods (query, delete, and update). To understand the exploit, check this very common example of a custom SQL query prone to an SQL injection attack:

String sql = "SELECT * FROM users WHERE username = ’" + username + "’ AND password = ’" + password +"’";
Cursor c = db.rawQuery( sql, null );

Now imagine that the user enters this in the input fields:


username = 1’ or ’1’ = ’1
password = 1’ or ’1’ = ’1

This would result in the following query:

SELECT * FROM users WHERE username=’1’ OR ’1’ = ’1’ AND Password=’1’ OR ’1’ = ’1’

The above query will return all records in the users table due to the condition ‘1’ = ‘1’ being evaluated as true. This can have some negative impact on the apps logic but could be easily avoided by using input validation.

For more information on this topic and how to avoid these exploits, check this OWASP resource or consult this cheat sheet as guidance on preventing SQL Injection flaws.

No excuse to keep data unprotected

Dealing with sensitive information can be tricky.

Luckily, Android offers many data protection tools. In most cases, a standard encryption algorithm will be enough to secure your data but researching alternative options is advisable.

Finally, remember to always check the proven and stable methods when working with encryption algorithms. And unless you are an expert, don’t try to invent an encryption algorithm (at home).

If you want to look into more ways to improve the security of your digital product, explore our cybersecurity services.

The post Securing Data Storage in Preparation for Pentesting appeared first on Infinum.

How to Prepare Your Android App for a Pentest – Networking Edition

Renato Turić — Mon, 13 Jan 2020 09:54:00 +0000

Android app penetration testing is a must when developing an application, especially if you deal with sensitive user information. To identify the weak spots in your application’s security, it is good practice to have it tested by mobile security experts. The testing method they use for this is called penetration testing.

Penetration tests, aka pentests, are simulated cyber attacks on your application designed to find exploitable vulnerabilities. Android developers can then use the penetration test results to improve the app’s security.

Penetration testing is the first step you should take to keep your business safe. Explore our pentesting services and discover any vulnerabilities in your system before malicious actors do.

The comprehensive guide to Android app penetration testing

In this blog post, we will concentrate on the networking part of Android app penetration testing – specifically on the TLS protocol, and tips on making your app as secure as possible when connecting to a specific web service.

Furthermore, this post is the first in a series of articles about pentesting, which will present an overview of what you can expect when having your app pentested. The pentesting articles will also provide recommendations on the necessary preparations ahead of it.

Disclaimer: In our examples, we will use OkHttp for the integration part, because it is a well established library and probably the most popular one in the Android community.

TLS connection

Most applications today communicate with a web service of some kind. Therefore, it’s very important to have a secure connection.

The worst case scenario is having an app that uses HTTP connection without the Transport Layer Security (TLS) protocol. It will inevitably fail because your data will be transferred in plain text – and therefore, very easy to track. TLS is a core part of encrypted communication, which makes HTTPS calls secure and authenticated.

Even though it is based on SSL 3.0, you will often hear people using SSL as a synonym for TLS- That’s not 100% correct as SSL, a predecessor for TLS, was deprecated in 2015 by the IETF.

In fact, most of the big companies are switching to TLS 1.2 as the Internet’s new minimum standard, starting from early 2020. (Mozzila, Google, Microsoft, Apple).

What does Android OS offer, with regard to TLS?

According to the documentation, Android supports TLS 1.2 since API level 16, and is enabled by default since level 21. Unfortunately, this is not 100% correct either.

Yes, you can rely on TLS 1.2 from API level 21/22 and above. However, you cannot count on that for API levels 16 to 19. There is an excellent article written by Ankush Gupta that describes this problem in more detail, so feel free to check it out if you want to know more about the how and why.

With the knowledge of what Android OS offers and the goal of achieving a secure connection using at least TLS 1.2, we’re moving on to the implementation guide.

Preparation phase in Android app penetration testing – What you’ll need to know

We will cover two specific cases in this section of the Android app penetration testing guide. The first case is when your minSdk is between API levels 16 and 19. In the other case, your minSdk is API level 21 or higher.

MinSdk between API levels 16 and 19

If you want TLS 1.2 enabled on versions before Android 5, you will have to extend the SSLSocketFactory and create your own implementation. The implementation is quite straightforward, and would look something like this:

class TlsSocketFactory constructor(private val socketFactory: SSLSocketFactory) : SSLSocketFactory() {

    override fun getDefaultCipherSuites(): Array<String> {
        return socketFactory.defaultCipherSuites
    }

    override fun getSupportedCipherSuites(): Array<String> {    
        return socketFactory.supportedCipherSuites
    }

    override fun createSocket(socket: Socket?, host: String?, port: Int, autoClose: Boolean): Socket {
        return socketFactory.createSocket(socket, host, port, autoClose).enableTls()
    }

    override fun createSocket(host: String?, port: Int): Socket {
        return socketFactory.createSocket(host, port).enableTls()
    }

    override fun createSocket(host: String?, port: Int, localHost: InetAddress?, localPort: Int): Socket {
        return socketFactory.createSocket(host, port, localHost, localPort).enableTls()
    }

    override fun createSocket(host: InetAddress?, port: Int): Socket {
        return socketFactory.createSocket(host, port).enableTls()
    }

    override fun createSocket(address: InetAddress?, port: Int, localAddress: InetAddress?, localPort: Int): Socket {
        return socketFactory.createSocket(address, port, localAddress, localPort).enableTls()
    }

    private fun Socket.enableTls(): Socket {
        if (this is SSLSocket) enabledProtocols += TlsVersion.TLS_1_2.javaName()
        return this
    }
}

This implementation contains our own socketFactory object, which we use as a delegate and simply update the enabled protocols.

Now that we have a custom SSLSocketFactory implementation, we have to tell OkHttp to use it via the sslSocketFactory builder parameter:

 if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP_MR1) {
    val sslContext = SSLContext.getInstance(TlsVersion.TLS_1_2.javaName())
    sslContext.init(null, *yourTrustManagers*, null)

    sslSocketFactory(TlsSocketFactory(sslContext.socketFactory), *yourTrustManager*)
 }

The yourTrustManagers represent an array of TrustManager instances. If you don’t know how to create your own trust manager – or if you don’t need custom implementation, you can always load the default one. You will learn how to load the default trust manager in the next section, discussing certificates.

Note that the above-stated TlsSocketFactory implementation only sets the specified protocol as the default. It does not cover the case in which the protocol is not installed on the device. To cover that instance, you will have to use the ProviderInstaller from Google Play services.

Also, keep in mind that you can either call installIfNeeded(context) or installIfNeededAsync(context), and that it has to be done before creating the TlsSocketFactory.

For a more specific implementation, you can check the sample implementation on these gists: installIfNeeded, installIfNeededAsync. These implementations are provided by the OWASP team and can be found in the OWASP-MSTG book 1.1.3 on pages 206, 207 and 208.

MinSdk API level 21+

If this is the case, you should use at least OkHttp 3.13.x – and it works only on Android 5+. If you’re already using that version of Android, you’re good to go, as this library version already uses TLS 1.2 as a default for all HTTPS calls.

If you are using an older version of the OkHttp library and cannot update it for whatever reason, you must follow the steps described in the section MinSdk between API levels 16 and 19 above.

By the way, if you are interested in the history of TLS configuration in OkHttp, this is a superb read.

Returning to the topic – now that your app uses a more secure version of the TLS protocol, it’s important to know how to successfully verify a TLS connection.

Verifying a TLS connection

Two parts are essential in the process of verifying a TLS connection:

Certificate verification (Certificate pinning)
Hostname verification

In the following paragraphs, we’ll go over the specifics of each one.

Certificate verification (Certificate pinning)

This section of the Android app penetration testing guide will focus on certificate pinning and how to implement it. In addition, we’ll briefly examine how certificate verification is done.

For a TLS connection to work as expected, the Client must have a way of verifying that a certificate used on the server is trusted and valid. In our case, the Client is the Android app. This is where Certificate Authorities (CA) enter the stage.

A CA is an entity that is eligible to issue a trusted, time-limited certificate. The certificate issued by a CA is a verifiable small data file that contains identity credentials to help websites, people, and devices represent their authentic online identity.

But how does our Android device differentiate between the certificates issued by a CA and those so-called self-signed certificates? With the help of a set of CAs, which the device has stored on the Android system level. As of 4.2, Android contains over 100 CAs, which are updated in each release.

To view all certificates in an Android device programmatically, you can load the default TrustManager. That way, you will see all the file paths that correspond to system-level certificates and the user-installed certificates. These certificates are also known as root certificates. To retrieve the default TrustManager you can use this code:

private fun getDefaultTrustManager(): Array<TrustManager>? {
    val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    trustManagerFactory.init(null as KeyStore?)
    val trustManagers = trustManagerFactory.trustManagers
    if (trustManagers.size != 1 || trustManagers[0] !is X509TrustManager) {
        throw IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers))
    }
    return trustManagers
}

When an Android device tries to establish a secure connection with a service, it goes through the TLS handshake process. During connection setup, the server can send an entire chain of certificates which the device has to verify with its set of trusted CAs.

The certificate chain is also known as the chain of trust, which is a linked path of verification and validation from the end user (in our case the Android device) to a root certificate.

The certificates in the chain consist of a root certificate, zero or more intermediate certificates and a leaf certificate.

Check out the image below to clarify this confusion a bit:

Certificates in the chain are co-dependent

As you can see, the chain certificates depend on each other. This means that attackers can exploit the chain of trust even if just one of the certificates’ CA is compromised. Developers can use the compromised CA to issue a certificate that will be automatically trusted by your Android device due to the default TrustManager.

To further protect your app from fraudulently issued certificates, you can use a technique known as certificate pinning. Certificate pinning is an extra defense mechanism against MITM (ie. man-in-the-middle) attacks, in which the developer implements a custom trust manager that contains only the certificates which can validate the web server that the app is communicating with. Your app will neither trust any other system-trusted CA nor the user-installed certificates.

Certificate pinning is one of the most common test cases in a penetration test, so the following paragraph will elaborate on how to prepare an app for it.

Preparation phase in Android app penetration testing – What you’ll need to know

This section will show you how to successfully implement certificate pinning for both self-signed certificates and those issued by a CA. To pin a certificate, the first step is to decide which certificate from the certificate chain to pin.

We recommend pining the leaf certificate as the attack surface is very small, thanks to the app interacting with that certificate first. The app will not be usable if that certificate can’t be verified.

Self-signed certificates

Pinning self-signed certificates is something you should only do for testing environments. To pin a certificate in an Android app, the first thing to do is to acquire the certificate, which can quickly be done with OpenSSL via the terminal:

$ openssl s_client -connect example.com:443 -showcerts

The command above will return a list of the entire certificate chain for the specified website. If you want to save the certificates in a local file or download one via a browser, find out how to do that here.

After acquiring the needed certificate, the next step is creating your custom TrustManager containing the certificate. This can be done as follows:

private fun createCustomTrustManager(context: Context): Array<TrustManager>? {
    val keyStore = KeyStore.getInstance("BKS").apply { load(null, null) }
    val certificateFactory = CertificateFactory.getInstance(CERT_TYPE)
    val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())

    context.resources.openRawResource(R.raw.leaf_cert_expires_1_1_2077).use {
        keyStore.setCertificateEntry("MyLeafCert", certificateFactory.generateCertificate(it))
    }

    trustManagerFactory.init(keyStore)
    return trustManagerFactory.trustManagers
}

This code loads a leaf_cert_expires_1_1_2077.pem file from the raw resource folder and sets it as a certificate entry inside our empty keystore, under MyLeafCert alias. After setting the required certificate in the keystore, use the same keystore to initialize the trustManagers.

With everything ready, it’s time to pass the instance of our TrustManager to OkHttp via the sslSocketFactory builder function, as described in the TLS connection section above. We sometimes call this method hard certificate pinning because we bundle the pinned certificate in our app, and we have to upload a new version of the app that contains the new certificate every time the certificate changes or gets renewed.

Certificates signed by a trusted CA

Developers can similarly use the previous code sample for certificates signed by a trusted CA. This is a good approach if you want just one implementation for all cases. However, OkHttp does provide a different mechanism for pinning non self-signed certificates, using the CertificatePinner class. Find more information about this class here.

CertificatePinner employs a different kind of pinning, using the certificate’s subject cryptographic public key for verification. Unlike the previously described approach, in which you need to bundle the pinned certificate with your app, public key pinning only needs the base64 SHA-256 hash value of the certificate public – considering that the hash can be safely stored as a plain string in your app without causing security issues.

The implementation is much more straightforward:

const val MY_LEAF_CERT_EXPIRES_1_1_2077 = "sha256/A23dA8l41A46gjAcAiAA32AAA8juvAnvvlk85kub6A5="

private fun buildCertificatePinner(): CertificatePinner {
    return CertificatePinner.Builder()
        .add("yourHostname.com", MY_LEAF_CERT_EXPIRES_1_1_2077)
        .build()
}

// Setting up OkHttp with the CertificatePinner object
OkHttpClient.Builder()
    .certificatePinner(buildCertificatePinner())
    .build()

So there you have it – a straightforward and intuitive approach. In addition to easier implementation, this approach has another noticeable benefit. If the certificate expires, the server can renew the certificate, without changing the cryptographic public key of the certificate.

You won’t need to update the app if the certificate gets renewed. One of the downsides of this method is that it does not support self-signed certificates.

Also, in the implementation above, you probably noticed the yourHostname.com string. This value is used for hostname verification and we will discuss this in the next section.

Finally, keep in mind that this is only a brief introduction to certificate pinning, just enough to understand the basics and to be able to prepare your app for penetration tests. For more straightforward implementation and maintenance, certificate pinning should be agreed upon with the administrators of the web service the app is communicating with, to see whether it is a good fit.

If you decide on certificate pinning, ensure a better understanding of the entire process.

Hostname verification

Finally, we’ve reached the second key part in verifying a TLS connection: hostname verification.

A common mistake developers make is setting a permissive hostname verifier, or even worse – accepting all hostnames. This means that the attacker can issue a valid certificate with a compromised CA, choose any domain name for it, and execute a MITM attack.

If you use OkHttp, the default implementation of the HostnameVerifier will be enough to verify your connection to the host. Nevertheless, we will show you a couple of examples of how to implement HostnameVerifier to gain a better understanding of how it works.

Preparation phase in Android app penetration testing – What you’ll need to know

If you aren’t using CertificatePinner for hostname verification, you can use the Java’s HostnameVerifier, as it is the base interface for hostname verification. OkHttp supports this interface, you just have to pass it to the hostnameVerifier builder function.

During the TLS handshake, the verification mechanism can call back to implementers of this interface to determine whether this connection should be allowed. The specific verification can be done using the OkHostnameVerifier, although you will stumble upon some implementations where HttpsURLConnection.getDefaultHostnameVerifier() is used.

Under the hood, this is still using the OkHostnameVerifier but from an internal Android version of the same class.

We’re ready to check a sample implementation using OkHostnameVerifier.INSTANCE.verify:

hostnameVerifier { _, session ->
    OkHostnameVerifier.INSTANCE.verify("yourHostname.com", session)
}

The code above will check whether the entered hostname yourHostname.com is contained inside the certificate of the current SSLSession. Only if it is, the verification will succeed. In case you want to trust an entire subdomain, you can use the wildcard pattern notation, but you will have to use the verifyHostname method like this:

hostnameVerifier { hostname, _ ->
    OkHostnameVerifier.INSTANCE.verifyHostname(hostname, "*.yourHostname.com")
}

Your chosen implementation will depend on your environment and all the services your app connects to.

Conclusion and notes

Hopefully, you will better understand the TLS connection and how to prepare your Android app penetration testing by this point. Look for the two critical parts of a TLS connection: certificate and hostname verification. If one of these two verifications is broken, the entire TLS connection is nullified and the app becomes an easy target for MITTM attacks.

To deepen your knowledge on handling a proper TLS connection in a WebView and more, check out the OWASP Mobile Security Testing Guide.

Also, if you (have) encounter(ed) any problems during the setup of a proper TLS connection, please check ssl-debugging for answers and solutions.

One last thing – in this post we did not cover the Android Network security configuration. This powerful tool lets apps customize their network security settings without modifying the app code.

Unfortunately, it is available only since Android 7. Still, if you are lucky enough to work on minSdk API level 24 or you are okay with having two separate pinning implementations, depending on the SDK level, then this approach should be the preferred way for handling your network configurations.

If you want to look into more ways to improve the security of your digital product, explore our cybersecurity services.

The post How to Prepare Your Android App for a Pentest – Networking Edition appeared first on Infinum.