Testin, the global leader in QA for its one-stop testing services, released its Mobile Security Monitoring Report Q1 2017, which highlighted five high-risk mobile security categories among the overall 18 categories.
The five high-risk categories are:
- Code security: decompilation
- Code security: code obfuscation
- Open vulnerability: WebView remote code execution
- Open vulnerability: HTTPS weak check
- Data transfer: man-in-the-middle hijacking
Among the app categories affected by high-risk issues, financial management tops the list, accounting for 17.32% of the overall data. The other four categories that round out the top five are travel, life services, shopping, and social.
High-risk categories and their most frequent sub-categories, ranked from highest frequency to lowest:
- Code decompilation – common tools
- Open vulnerability webview remote code execution – financial management
- Obfuscated code – financial management
- Open vulnerability Https weak check – financial management
- Data transfer middleman hijacking – financial management
Testin's mobile security experts have set out explanations of the five high-risk categories, their potential risks, and recommendations for fixing them. The following recommendations are for reference only:
High-risk – Code Security: Decompilation
Decompilation refers to "reverse analysis and research" carried out on target software (such as executable programs) in order to derive the ideas, principles, structures, algorithms, processes, methods of operation and other design elements used in it. For Android APKs written in Java, the source code can in some cases be recovered almost directly.
Potential risks:
- The leaked core code and business logic may be stolen directly by competitors.
- Attackers can insert malicious code and repackage the app, so that the repackaged version impersonates the original program and performs malicious actions.
- With the source exposed, software vulnerabilities are easier to find and exploit, making the application more vulnerable to attack.
Recommendations:
- Encrypt or compress the target DEX file into another file, store it in the assets folder or elsewhere, and at run time decrypt it in memory and load it through a class loader.
- Extract the bytecode instructions of the DexCode and replace them with zeros, or modify the method attributes, then restore and repair them in memory at run time.
- Harden the app with a third-party hardening (reinforcement) product.
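The first recommendation above, the encrypted DEX loaded through a class loader, as an added Java example that is not from Testin's report. It assumes a build step encrypted the DEX with AES-256-GCM and wrote it to assets/core.bin as 12-byte IV followed by ciphertext and tag, that the caller supplies the key (for example from the Android Keystore or a server response), and API 26+ so that InMemoryDexClassLoader can take the decrypted bytes without ever writing a plaintext DEX to disk:

```java
import android.content.Context;
import dalvik.system.InMemoryDexClassLoader;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Loads application logic from a DEX that ships encrypted in the APK's assets.
 * Assumed layout of assets/core.bin (not from the report): 12-byte IV || ciphertext || 16-byte GCM tag.
 */
public final class ProtectedDexLoader {
    private static final String ENCRYPTED_ASSET = "core.bin"; // assumed asset name
    private static final int IV_LEN = 12;
    private static final int TAG_BITS = 128;

    private ProtectedDexLoader() { }

    /** Decrypts the payload in memory; the GCM tag check rejects a tampered or truncated payload. */
    static byte[] decrypt(byte[] blob, byte[] key) throws GeneralSecurityException {
        if (blob.length < IV_LEN + TAG_BITS / 8) {
            throw new GeneralSecurityException("payload too short");
        }
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_LEN);
        byte[] ciphertext = Arrays.copyOfRange(blob, IV_LEN, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        return cipher.doFinal(ciphertext);
    }

    /** Returns a class loader for the protected code; the clear DEX exists only in process memory. */
    public static ClassLoader load(Context ctx, byte[] key) throws IOException, GeneralSecurityException {
        byte[] blob;
        try (InputStream in = ctx.getAssets().open(ENCRYPTED_ASSET)) {
            blob = readAll(in);
        }
        byte[] dex = decrypt(blob, key);
        // InMemoryDexClassLoader (API 26+) avoids the DexClassLoader pattern of writing the
        // decrypted file into app storage first, which leaves a plaintext copy on the device.
        return new InMemoryDexClassLoader(ByteBuffer.wrap(dex), ctx.getClassLoader());
    }

    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n;
        while ((n = in.read(chunk)) != -1) {
            out.write(chunk, 0, n);
        }
        return out.toByteArray();
    }
}

// Usage (hypothetical class name inside the protected DEX):
// ClassLoader cl = ProtectedDexLoader.load(context, key);
// Class<?> engine = cl.loadClass("com.example.core.PaymentEngine");
```

Two caveats worth keeping in mind: if the key is stored inside the APK, the scheme only raises the cost of reversing rather than preventing it, and the decrypted DEX is still present in the process memory of a running app, so this belongs alongside obfuscation rather than in place of it.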
High-risk – Code Security: Code Obfuscation
Code obfuscation rewrites elements of the code such as variable, function and class names into meaningless names: a single letter, a short meaningless combination of letters, or even symbols such as "__", so that nobody can guess their purpose from the name. Parts of the logic are rewritten into functionally equivalent but harder-to-understand forms; for example, a for loop is rewritten as a while loop, and a while loop is rewritten as recursion with the intermediate variables streamlined. Disrupting the code format, such as deleting spaces and pushing multiple lines of code into one line, or breaking one line into several, also makes it harder for hackers to analyze the code directly.
Potential risks:
- Without obfuscation, the program's original code is fully exposed to hackers, which lowers the cost of an intrusion.
- The functional code is easier to analyze, copy and steal.
Recommendations:
- Obfuscate the code with ProGuard.
- Harden the app with a third-party paid hardening (reinforcement) product.
High-risk – Open Vulnerability: WebView Remote Code Execution
Potential risks:
- Attackers can build malicious web pages, lure users into loading them, and then execute arbitrary commands in the context of the application.
- Attackers can use the vulnerability to remotely control the victim's phone and implant Trojans.
Recommendations:
- When a js2java bridge is used, every input parameter must be validated so that attack code is blocked.
- Restrict the related permissions, or avoid the js2java bridge altogether where possible.
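The two recommendations above, a js2java bridge with validated parameters and a minimal exposed surface, as an added Java example that is not from Testin's report. The scenario the report describes corresponds to an object with broad public methods registered through addJavascriptInterface and reachable from whatever page the WebView navigates to; the hardened form below exposes one annotated method with strict input validation and only loads pages from one HTTPS origin. The OrderStore interface, the "OrderApp" bridge name and the trusted host are assumptions for the example:

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.regex.Pattern;

public final class HardenedWebView {

    /** Hypothetical app-side lookup standing in for the real data layer. */
    public interface OrderStore {
        String status(String orderId);
    }

    /** The js2java bridge: one narrow method, nothing generic such as "run" or "openUrl". */
    public static final class OrderBridge {
        // Only this shape of input reaches app code; anything else is rejected up front.
        private static final Pattern ORDER_ID = Pattern.compile("^[A-Za-z0-9]{8,32}$");
        private final OrderStore store;

        public OrderBridge(OrderStore store) {
            this.store = store;
        }

        // With targetSdkVersion 17 or higher only @JavascriptInterface methods are callable
        // from JavaScript, so the object's other public methods and reflection are not exposed.
        @JavascriptInterface
        public String getOrderStatus(String orderId) {
            if (orderId == null || !ORDER_ID.matcher(orderId).matches()) {
                return "invalid";
            }
            return store.status(orderId);
        }
    }

    public static void configure(WebView webView, OrderBridge bridge, final String trustedHost) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);          // required for the bridge, so keep the rest tight
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // Only the trusted HTTPS origin may load, so untrusted pages never get to see the bridge.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isTrusted(Uri.parse(url), trustedHost); // returning true blocks the navigation
            }
        });

        // Remove interfaces the platform itself registered on older devices.
        webView.removeJavascriptInterface("searchBoxJavaBridge_");
        webView.removeJavascriptInterface("accessibility");
        webView.removeJavascriptInterface("accessibilityTraversal");

        webView.addJavascriptInterface(bridge, "OrderApp");
    }

    static boolean isTrusted(Uri url, String trustedHost) {
        return url != null
                && "https".equalsIgnoreCase(url.getScheme())
                && trustedHost.equalsIgnoreCase(url.getHost());
    }
}

// Usage: HardenedWebView.configure(webView, new OrderBridge(store), "orders.example.com");
```

The origin check matters as much as the annotation: a bridge that is safe for the app's own pages becomes an attack surface the moment the WebView follows a link to a page the attacker controls, so a page that cannot be loaded is a page that cannot call the bridge.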
High-risk – Open Vulnerability: HTTPS Weak Check
In customized subclasses of X509TrustManager, failing to authenticate the server certificate and accepting any server certificate by default poses a security risk: malicious programs can use man-in-the-middle attacks to bypass certificate verification.
Potential risks:
- Man-in-the-middle (MitM) attacks, with all traffic read directly by hackers.
- Hackers may tamper with requests or returned data.
Recommendation:
- Use the checkServerTrusted function in the X509TrustManager subclass to check the legitimacy of server-side certificates.
High-risk – Data Transfer: Man-in-the-Middle Hijacking
Because the client fails to verify the server's certificate, an attacker can set up separate connections with each end of the communication and relay the data between them, so that both ends believe they are talking directly over a private connection, while in fact the whole exchange is controlled by the attacker. In a man-in-the-middle attack the attacker can intercept both parties' communications and insert new content.
Through man-in-the-middle hijacking, attackers can steal plain-text account names and passwords, chat content, mailing addresses, phone numbers, credit-card payment details and other sensitive information. They can even replace the original content with a malicious link or malicious code for remote control, fraudulent charges and other offensive purposes.
Recommendation:
- Verify the SSL certificate: whether the signing CA is valid, whether the certificate is self-signed, whether the host name matches, whether the certificate has expired, and so on.
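The HTTPS weak check and the man-in-the-middle section above describe the same defect and the same fix, so one added Java example covers both; it is not from Testin's report. It places the weak trust manager the report warns about next to a hardened one whose checkServerTrusted delegates to the platform trust store (which validates the CA signature and chain, rejects self-signed certificates and checks the validity dates), and keeps the default hostname verifier so the host name check listed in the recommendation is not switched off:

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class ServerTrust {

    private ServerTrust() { }

    /** The weak check: empty checkServerTrusted, so any certificate a MitM presents is accepted. */
    public static X509TrustManager weakTrustAllManager() {
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    /** Hardened: a custom manager that keeps the platform's full validation instead of replacing it. */
    public static X509TrustManager platformBackedManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null means the system's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                final X509TrustManager platform = (X509TrustManager) tm;
                return new X509TrustManager() {
                    @Override
                    public void checkClientTrusted(X509Certificate[] chain, String authType)
                            throws CertificateException {
                        platform.checkClientTrusted(chain, authType);
                    }

                    @Override
                    public void checkServerTrusted(X509Certificate[] chain, String authType)
                            throws CertificateException {
                        if (chain == null || chain.length == 0) {
                            throw new CertificateException("empty certificate chain");
                        }
                        // Chain building, CA signature, self-signed rejection and expiry all happen here.
                        platform.checkServerTrusted(chain, authType);
                    }

                    @Override
                    public X509Certificate[] getAcceptedIssuers() {
                        return platform.getAcceptedIssuers();
                    }
                };
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Opens a connection that performs certificate and host name verification. */
    public static HttpsURLConnection open(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { platformBackedManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Host name check: keep the default verifier; a verifier that always returns true
        // lets a valid certificate for any other domain pass.
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return conn;
    }
}

// Usage: HttpsURLConnection c = ServerTrust.open(new URL("https://api.example.com/"));
```

If the only reason for the custom subclass was to get past a development or self-signed certificate, the simplest fix is to delete the subclass entirely and let HttpsURLConnection use the platform defaults; the code review check is that no checkServerTrusted body is empty and no HostnameVerifier returns true unconditionally.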
Testin is a leading provider of "one-stop mobile application cloud testing services", offering one-stop application testing services and quality assurance for developers of mobile applications, games, VR/AR, wearable devices, Internet of Things, and Artificial Intelligence. Testin's cloud testing covers functional, compatibility, regression, automated security testing, real-device debugging, A/B testing and bug management on real devices deployed in the cloud, driven by deep-learning AI automated scripts. Testin's distributed testing, supported by experts around the world, targets functionality, user experience, scenarios and usability. Testin Pro tests private cloud compatibility, real-device debugging, functionality, performance provisioning, and applications in an easy, automated way and provides dedicated deployment for test management. Testin has served more than 800,000 developers and conducted over 150 million tests for more than 2 million applications. It has undergone three rounds of financing totalling over 80 million US dollars, and has established cooperative relationships with ARM, Intel, Google, IBM, Microsoft, Alibaba, Tencent, 360, Xiaomi, and many other enterprises in the mobile internet ecosystem. It was listed in the TOP50 Investment Enterprises by Zero2IPO in 2014 and 2015, the TOP50 High-tech High-growth Enterprises by Deloitte in 2015 and 2016, and the TOP Asia 100 and TOP Global 100 by Red Herring in 2014 and 2015, respectively. For more security information and services, look out for Testin Security, a security testing and certification service with embedded AI learning technology for developers and QA teams.