[Proposal] DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing) for android applicaftions

[AYAN-AMBESH]

Type

Talk

Location

Campus: Noida

About

Android Testing

Static and Dynamic testing on android Apk with hands on demonstration via test application will also go through SMALI but not in depth as its a topic big in itself

Will go from Beginner to Advance

Pre-requisites

Basic knowledge of linux , programming (any langauge)

Duration

2 hours

Level

Beginner

Resources

Currently working on the presentation will share it as soon as possible

Speakers

Ayan Ambesh Linkedin Github

[bloodyvoid13]

Hey, looks good does mid march work for you? (7 or 14)

[AYAN-AMBESH]

yes it works for me

[AYAN-AMBESH]

7 march will be nice

[chanu4321]

Hey, what's the update on presentation?

[AYAN-AMBESH]

Hey i have crafted the presentation in markdown format and im sending that below down i will be presenting it through slides (a program written in go to showcase presentation in terminal)

What is Static Analysis? Examining code without execution

• Identifies potential vulnerabilities like insecure coding practices (e.g., SQL injection), resource leaks (e.g., memory leaks), and unused resources.
• Detects hardcoded credentials (e.g., passwords embedded in the code) and insecure storage of sensitive data.
• Efficient and fast, ideal for large codebases. Limitations:
• Can be limited by obfuscation techniques and dynamic code loading.
• May not detect vulnerabilities that only manifest at runtime.

#

• Identify coding practices that can lead to vulnerabilities specific to the Android platform, such as SQL injection attacks.
• Detect resource-related issues that can impact app performance and stability.

• Uncover instances of hardcoded credentials or insecure data storage, which are major security concerns in Android apps.

  Static Analysis in context of Android

  Scenario: A developer accidentally leaves their API key hardcoded within the Android application's code. Static analysis: Identifies the presence of the hardcoded API key and flags it as a potential security vulnerability. Benefit: This early detection allows the developer to address the issue before the app is released, preventing potential misuse of the API key.

---

What is Dynamic Analysis? Analyzing code while it's running

Benefits in Android Development: Detects vulnerabilities that only manifest at runtime, such as unauthorized network access, attempts to tamper with device settings, and malware injection. Provides a more comprehensive security assessment compared to static analysis. Limitations: Can be time-consuming and resource-intensive. May require additional setup and configuration.

---

Exploits we are gonna cover

• REST API VULNERABILITIES
• SENSITIVE INFORMATION Disclosure
• EXPORTED ACTIVITIES

• WEBVIEW VIA DEEPLINK

  LIST OF API VULNERABILITIES ACCORDING TO OWASP

• Broken Object Level Authorization
• Broken Authentication
• Broken Object Property Level Authorization
• Unrestricted Resource Consumption
• Broken Function Level Authorization
• Unrestricted Access to Sensitive Business Flows
• Server Side Request Forgery
• Security Misconfiguration
• Improper Inventory Management

• Unsafe Consumption of APIs

Avoiding Sensitive Information Leaks in Android Apps

1. Introduction

Problem: Mobile apps are increasingly vulnerable to leaks of sensitive information like passwords, API keys, and user data. Impact: These leaks can compromise user privacy, financial information, and internal systems.

2. Common Vulnerabilities

Hardcoded Secrets: Embedding sensitive data directly in the app's code. Example: A hardcoded secret key allowed decryption of encrypted data. Insecure Logging: Inadvertently logging sensitive information through debugging tools like "adb logcat." Example: Debuggers can reveal sensitive data logged during development or testing.

3. Demonstration

Finding the Process ID (PID): Use adb shell ps -ef | grep to identify the target app's PID. Filtering Logs with PID: Use adb logcat | grep to filter logs specific to the target app.

4. Prevention Strategies

Secure Coding Practices: Avoid Hardcoding: Use environment variables or secure key storage mechanisms for sensitive data. Log Management: Filter Logs: Capture only essential information. Centralized Logging: Use a system with access controls for sensitive logs.

5. Conclusion

Secure coding, responsible log management, and regular security assessments are crucial to protect user data. By adopting these practices, we can build a more secure mobile app ecosystem.