Introduction
The Mobix platform performs dynamic security analysis of mobile apps. The main task of dynamic analysis is to track an application's behavior while it runs: which system calls it makes, how it interacts with other apps, what it sends to the server, what it stores locally and how, and so on. Note that Mobix also uses static analysis, application resource analysis, and many other techniques.
In this article, we will talk about dynamic analysis of mobile apps and specifics of its implementation for Android and iOS.
Dynamic Analysis of Mobile Apps
Dynamic analysis practices include DAST, IAST and API ST.
Dynamic analysis allows you to address the following tasks:
- Analysis of application security without access to its source code. Dynamic analysis examines the behavior of a running application on a mobile device or emulator, so the source code is not required.
- Finding unique types of vulnerabilities. Dynamic analysis detects vulnerabilities that cannot be identified by other practices.
- Confirmation of vulnerabilities. With dynamic analysis, you can confirm vulnerabilities identified by other practices and determine which ones can actually be exploited.
In addition, after running dynamic analysis, an IS engineer gets all the information about how the application works. This information can be used to search further for more complex vulnerabilities.
Challenges of Implementing Dynamic Analysis
Implementation of dynamic analysis involves a number of challenges that need to be addressed. From our point of view, the most significant of them are the following:
- Creating a test environment. For dynamic analysis, an application needs to run somewhere. This can be on virtual devices (emulators or simulators) or on real mobile devices. They need to be kept up to date and operational.
- Need to work with the application during analysis. In order to perform full-fledged dynamic analysis, you need to interact with the application and go through certain scenarios (authentication, navigation through screens, conducting key business operations, etc.).
- Integration into the CI/CD process. New versions of the applications under test have to be delivered to the devices somehow, and this has to happen automatically.
The last two problems can be solved with test automation. We will talk about this in one of our next articles. Today we will look in more detail at the organization of test environments for Android and iOS.
Test Environments for iOS and Android. Devices and Emulators
Dynamic testing of mobile apps requires either real mobile devices for both iOS and Android, or device emulators for Android. There are also iOS simulators, but they require a Mac anyway. Moreover, iOS simulators have a number of limitations that do not allow for full-fledged security testing.
Using Emulators for Dynamic Analysis of Android Apps
Mobix tests the security of Android apps using Android emulators. They fully emulate an Android device and can be run on any operating system. This approach has several advantages:
- It allows you to run tests on multiple emulators in parallel, i.e. to scale security testing using the same hardware.
- Using emulators allows you to test security on a pure Android operating system without additional modules from mobile device manufacturers.
- Real mobile devices become hot and overloaded, lose network, and malfunction during testing. This makes testing difficult and means the devices have to be monitored and supported. Emulators allow you to avoid these problems.
- Ultimately, this approach allows for stable, scalable, fully automated security testing.
The main drawback when using emulators is that there are some peculiarities and limitations compared to mobile devices from different manufacturers. However, in testing the security of mobile applications, this approach gives quick and reliable results.
Using Devices for Dynamic Analysis of iOS Apps
iOS is a more closed system compared to Android. In security testing of iOS applications, there are a number of rather strict limitations from the operating system side. As a result, Mobix chose and implemented an approach using real mobile devices. This allows you to get the most accurate results. However, working with real devices introduces a number of additional challenges when organizing a test environment:
- It is necessary to create and maintain a fleet of devices in order to launch and test applications in full. As already mentioned, devices get hot and overloaded, lose network, and fail. This means that it is necessary to arrange a suitable place for the devices to work and to think about their placement, power supply, stable communication channel, cooling and other nuances. Preparing devices is a challenge in itself: you have to deal with a large number of devices, install all the necessary packages on them, and check that they operate correctly without missing anything. To avoid doing this manually, we have created special scripts.
- Another challenge is device updates. With every new release we change something in the product configuration. To avoid having to do this manually, a mechanism for automatically updating device configurations was implemented. When a new release comes out, the system automatically updates everything.
- It is absolutely necessary to organize monitoring of the entire infrastructure. You need to monitor the status of devices and automatically fix problems that arise, as well as notify administrators if something cannot be done remotely (for example, if a device has simply stopped charging). This ensures that the devices can take on a new task at any time, and that they are always up to date and in working order. This mechanism is also triggered before each scan.
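The pre-scan check described in the last item can be sketched as follows. This is an added example, not Mobix code; the status fields, thresholds, action names and device serials are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed values: the article gives no thresholds or release names.
MAX_TEMP_C = 40.0
MAX_RECONNECTS = 3
CURRENT_CONFIG = "release-2"

@dataclass
class DeviceStatus:
    serial: str
    reachable: bool         # device answers the host
    charging: bool
    temperature_c: float
    config_version: str
    reconnect_attempts: int = 0

def triage(dev):
    """Classify one device as 'ready', 'auto_fix' or 'notify_admin'."""
    if not dev.reachable:
        if dev.reconnect_attempts >= MAX_RECONNECTS:
            return "notify_admin", ["check_connection"]
        return "auto_fix", ["reconnect"]
    if not dev.charging:
        # Not fixable remotely: someone has to check the cable or power.
        return "notify_admin", ["check_power"]
    actions = []
    if dev.temperature_c > MAX_TEMP_C:
        actions.append("cool_down")      # keep it out of rotation for now
    if dev.config_version != CURRENT_CONFIG:
        actions.append("update_config")  # automatic configuration update
    return ("auto_fix", actions) if actions else ("ready", [])

def pre_scan_gate(fleet):
    """Run before each scan; only devices under 'ready' receive a task."""
    report = {"ready": [], "auto_fix": {}, "notify_admin": {}}
    for dev in fleet:
        state, actions = triage(dev)
        if state == "ready":
            report["ready"].append(dev.serial)
        else:
            report[state][dev.serial] = actions
    return report

# Constructed sample fleet; serials are placeholders, not real devices.
SAMPLE_FLEET = [
    DeviceStatus("ios-01", True, True, 31.0, "release-2"),
    DeviceStatus("ios-02", True, False, 30.0, "release-2"),
    DeviceStatus("ios-03", False, True, 29.0, "release-2", 1),
    DeviceStatus("ios-04", True, True, 44.5, "release-1"),
    DeviceStatus("ios-05", False, True, 29.0, "release-2", 3),
]
```

Calling `pre_scan_gate(SAMPLE_FLEET)` leaves only `ios-01` eligible for a scan; an unreachable device is escalated to an administrator once the assumed reconnect limit is reached.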
Summary
Dynamic analysis of mobile apps can both complement the results of other scans and identify new types of vulnerabilities, which significantly improves app security. The most interesting vulnerabilities can be found just by dynamic testing. Vulnerabilities found using only public methods for unprivileged apps are the most valuable because they can be exploited immediately after installing a mobile app from Play Market or App Store.
Using proper dynamic analysis tools helps greatly reduce the time it takes to identify vulnerabilities, prevent them from appearing in releases, and significantly reduce the time spent on regression security analysis.
For dynamic analysis, the Mobix platform uses mobile devices for iOS and emulators for Android. This is due to the specifics of iOS and Android operating systems and capabilities of existing emulators and simulators. Intelligent organization of the test environment for dynamic analysis of applications allows you to quickly get accurate and reliable results of application security scans.