Advanced Facility for Evaluating and Testing Security of Mobile Applications and its Threat

Past one decade has witnessed a multi-fold increase in the volume of malicious apps which seem to have outnumbered the benign apps. The major target of these apps is to misuse the critical resources of the mobile devices, get remote access to the devices & try to get un-authorized access to critical user data (such as age, gender to location details, financial details such as information about credit cards, usernames/passwords of bank accounts) by violating the privacy policy. Also they can get information about other applications running on the mobile device. There is a huge risk of misusing the personal data collected by these applications which can be shared to third-parties with a business intension. Also, this personal data being collected can be communicated out of the country and misused for performing targeted attacks by state sponsored actors.

Hence, there is a need to analyze these apps in order to assess the threats posed by them. However, with the latest development technologies and improvements in the mobile operating systems/platforms, there are many challenges involved in the security testing and assessment of the mobile applications.

The main objective of the project is to overcome above mentioned challenges by providing a framework consisting of hardware kits, software tools, techniques, and automated scripts for performing security testing and threat assessment of mobile applications both in android and iOS with the compliance of OWASP Mobile Security Testing Guidelines(MSTG), NIST and other relevant standards. Also evolving mobile application security testing methodologies and best practices.

Inline to the objective of the project the following tools has been developed

• Custom Android Platform (Vishleshak) - Vishleshak is an Android based platform to evade & bypass strong anti-reversing defenses and to get insights of Android applications.

• Security Testing Framework development which consists of

  • Mobile Penetrating Testing Tool Kit (of hardware kits, software tools, techniques, and automated scripts) for performing Security and Threat Assessment of Mobile Applications both in android and iOS.

  • Threat Assessment checklist which is used to measure the threat factor posed by any Mobile Application.

  • Privacy Policy Analyzer which summarizes the privacy policy with key terms which identify different data collection.

Use Cases

• Vishleshak aids in overcoming the challenges posed by anti-reversing defenses during Android app analysis and also eliminates the manual effort involved in the configuring testbed setup which is normally a time-consuming process.

• Security & Threat analysts who are looking for fast paced Android mobile application analysis.

• Threat Assessment checklist which is used to measure the threat factor posed by any Mobile Application.

• Privacy Policy Analyzer which summarizes the privacy policy with key terms which identify different data collection.

Salient Features

• Customized Android Platform (Vishleshak)

  • Evasion of root detection.

  • Evasion of debuggable properties.

  • Integrated Google Play Services for optimal usage of platform.

  • Integrated Frida to custom Android platform and starting as service on boot.

  • Resource access monitoring - Camera/Location/Microphone.

  • Monitoring of App-specific network endpoint communications (i.e IP addresses of endpoints communicated by the app).

  • Evasion of App installation source verification.

  • Monitoring the SMS access by applications.

• Framework consisting of Hardware and Software Infrastructure consisting of tools and methodology for Mobile Security Testing and Threat Evaluation. (Android & iOS)

• Threat Assessment Checklist - to measure the threat factor posed by any Mobile Application.

• Privacy Policy Analyzer which summarizes the privacy policy with key terms which identify different data collection.