Testin, the global leader in QA for its one-stop testing services, released its Mobile Security Monitoring Report Q1 2017, which highlighted five high-risk mobile security categories among the overall 18 categories.
The five high-risk categories are:
- Code security: decompilation
- Code security: code obfuscation
- Open vulnerability webview remote code execution
- Open vulnerability Https weak check
- Data transfer middleman hijacking
By app category, financial management tops the list of high-risk findings, accounting for 17.32% of the overall data. The other four categories that round out the top five are travel, life service, shopping, and social.
High-risk categories and sub-categories ranked from highest frequency to lowest:
- Code decompilation – common tools
- Open vulnerability webview remote code execution – financial management
- Obfuscated code – financial management
- Open vulnerability Https weak check – financial management
- Data transfer middleman hijacking – financial management
Testin mobile security experts have prepared specific explanations of the above five high-risk categories, their potential risks, and recommendations for fixing them. The following recommendations are for reference only:
1. High-risk – Code Security: Decompilation
Decompilation refers to “reverse analysis and research” of the target software (such as executable programs) with the aim of deriving the ideas, principles, structures, algorithms, processes, methods of operation, and other design elements used in the software. In some cases, such as Android APK programs developed in Java, the source code can be derived directly.
- Leaked core code and processing logic may be stolen directly by competitors.
- Hackers can implant malicious code and repackage the program as an imposter of the original for malicious actions.
- Exposed source code makes software vulnerabilities easier to find and exploit, leaving the program more open to attack.
- Encrypt or compress the target DEX file into a separate file, store it in the assets folder or elsewhere, and use a class loader to decrypt it in memory and load it at runtime.
- Extract the bytecode instructions from the DexCode section and replace them with zeros, or modify the method attributes, then restore them in memory at runtime.
- Harden the app with a third-party hardening (reinforcement) product.
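As an added example of the first recommendation (not code from the Testin report), the DEX ships AES-GCM-encrypted under assets/ and is decrypted straight into InMemoryDexClassLoader (API 26+), so the readable DEX never touches the filesystem. The asset name, the IV-then-ciphertext layout and the source of the key are assumptions for this example.

```java
import android.content.Context;
import dalvik.system.InMemoryDexClassLoader;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Loads a DEX that ships encrypted in assets/ and is only ever decrypted in memory. */
public final class ProtectedDexLoader {
    private static final String ASSET_NAME = "payload.dex.enc"; // assumed asset name
    private static final int GCM_IV_LEN = 12;                   // assumed layout: IV || ciphertext+tag
    private static final int GCM_TAG_BITS = 128;

    /**
     * Decrypts the asset with AES-GCM and hands the plain bytes to InMemoryDexClassLoader,
     * so no decrypted copy is written to disk. GCM also authenticates the blob, so a
     * repackaged or patched payload fails with AEADBadTagException instead of loading.
     * The caller supplies the key; obtaining it (for example deriving it at runtime or
     * fetching it after login) is outside this example. Hardcoding it would undo most of
     * the protection, since the same decompiler would recover the key.
     */
    public static ClassLoader load(Context ctx, byte[] key) throws Exception {
        byte[] blob = readAsset(ctx, ASSET_NAME);
        if (blob.length <= GCM_IV_LEN + GCM_TAG_BITS / 8) {
            throw new IllegalStateException("encrypted payload is too short");
        }
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, GCM_IV_LEN, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                    new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] dex = cipher.doFinal(ct);
        // Parent is the app's own loader so the hidden classes can still see the rest of the app.
        return new InMemoryDexClassLoader(ByteBuffer.wrap(dex), ctx.getClassLoader());
    }

    private static byte[] readAsset(Context ctx, String name) throws IOException {
        try (InputStream in = ctx.getAssets().open(name);
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
            return out.toByteArray();
        }
    }
}
```

Usage: `ProtectedDexLoader.load(context, key).loadClass("com.example.HiddenFeature")` (hypothetical class name) returns a class from the decrypted payload.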
2. High-risk – Code Security: Code Obfuscation
Code obfuscation rewrites elements of the code such as variable, function, and class names into meaningless names: a single letter, a short combination of meaningless letters, or even symbols like “__”, so that their purpose cannot be guessed from the name. Rewriting part of the code's logic into a functionally equivalent but harder-to-understand form also helps; for example, a for loop is rewritten as a while loop, and a while loop is rewritten as recursion with the intermediate variables streamlined. Disrupting the code format, such as deleting spaces and pushing multiple lines of code into one line, or breaking one line of code into multiple lines, will also make it harder for hackers to analyze the code directly.
- Without code obfuscation, the program's original code is completely exposed to hackers, reducing the cost of an intrusion.
- The functional code is easier to analyze, copy, and steal.
- Obfuscate code with ProGuard.
- Harden the app with a third-party paid hardening (reinforcement) product.
3. High-risk – Open vulnerability: webview remote code execution
- Attackers can build malicious web pages, induce users to open them, and then execute arbitrary commands in the application's context.
- Attackers can use the vulnerability to remotely control the victim’s mobile phone and implant Trojans.
- When a js2java bridge is used, every input parameter must be validated so as to block attack code.
- Restrict the related permissions, or avoid the js2java bridge as much as possible.
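An added example (not code from the Testin report) of the two recommendations above: a WebView whose js2java bridge exposes one annotated method, validates its only argument against an allow-list, and is kept reachable only from one trusted HTTPS origin. The host name, the `HostCallback` interface and the `AppBridge` name are assumptions; a targetSdk of 17 or higher is assumed too.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.regex.Pattern;

/** Hardened WebView with a minimal, validated js2java bridge (targetSdk 17+ assumed). */
public final class HardenedWebView {
    private static final String TRUSTED_HOST = "app.example.com"; // assumed trusted origin
    // Bridge arguments must match a strict allow-list pattern; no paths, commands or URLs.
    private static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9_-]{1,32}$");
    /** Host-side callback; hypothetical interface for this example. */
    public interface HostCallback { void onOpenItem(String id); }

    /** On API 17+ only @JavascriptInterface methods are callable from JS; below 17 every public method is. */
    public static final class Bridge {
        private final HostCallback cb;
        Bridge(HostCallback cb) { this.cb = cb; }
        @JavascriptInterface
        public String openItem(String id) {
            if (id == null || !SAFE_ID.matcher(id).matches()) return "rejected"; // validate every parameter
            cb.onOpenItem(id); // one fixed, narrow action: no reflection, no Runtime.exec
            return "ok";
        }
    }

    public static void configure(WebView wv, HostCallback cb) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);       // needed for the bridge; leave off if no bridge is used
        s.setAllowFileAccess(false);        // page content must not read local files
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        // Drop bridges injected by older platform components before adding our own.
        wv.removeJavascriptInterface("searchBoxJavaBridge_");
        wv.removeJavascriptInterface("accessibility");
        wv.removeJavascriptInterface("accessibilityTraversal");
        wv.addJavascriptInterface(new Bridge(cb), "AppBridge");
        // Keep navigation on the trusted HTTPS origin so untrusted pages never reach the bridge (API 24+ overload).
        wv.setWebViewClient(new WebViewClient() {
            @Override public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest r) {
                Uri u = r.getUrl();
                boolean trusted = "https".equals(u.getScheme()) && TRUSTED_HOST.equals(u.getHost());
                return !trusted; // true = block the navigation
            }
        });
    }
}
```

The initial `loadUrl` is not filtered by `shouldOverrideUrlLoading`, so the first page loaded must itself come from the trusted origin.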
4. High-risk – Open vulnerability – Https Weak Check
In customized subclasses of X509TrustManager, a lack of verification of the server certificate, with default acceptance of any server certificate, poses security risks, making it likely that malicious programs can use middleman attacks to bypass certificate verification.
- Risk of man-in-the-middle (MitM) attacks, with all traffic read directly by hackers.
- Hackers may tamper with requests or response data.
Use the checkServerTrusted method of the X509TrustManager subclass to check the legitimacy of server-side certificates.
5. High-risk – Data Transfer: Man-in-the-Middle Hijacking
Since the client fails to verify the server’s certificate, attackers can establish separate connections with the two ends of the communication and relay the data they receive, tricking both ends into thinking they are talking directly over a private connection, when in fact the whole exchange is controlled by the attacker. In a middleman attack, attackers can intercept the communications of both parties and insert new content.
Through middleman hijacking, attackers can steal plaintext account names and passwords, chat content, mailing addresses, phone numbers, credit card payment information and other sensitive data. They can even replace the original content with a malicious link or malicious program for remote control, fraudulent charges, and other offensive purposes.
It is recommended to verify the SSL certificate (whether the signing CA is valid, whether the certificate is self-signed, whether the host domain name matches, whether the certificate has expired, etc.).
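An added example serving sections 4 and 5 (not code from the Testin report): the weak X509TrustManager pattern the report flags, beside a subclass whose checkServerTrusted delegates to the platform trust manager (signing CA, self-signed, expiry) while the default HostnameVerifier covers the host name match. Class and method names are this example's own.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TlsTrust {
    /** WEAK: the pattern the report flags. Every server certificate, self-signed or forged, is accepted. */
    public static final X509TrustManager ACCEPT_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] c, String a) {}
        @Override public void checkServerTrusted(X509Certificate[] c, String a) {} // no check at all
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    /** Platform default trust manager: chain to a trusted CA (rejects self-signed) and validity dates. */
    public static X509TrustManager systemTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((java.security.KeyStore) null); // null = the device's CA store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** FIXED: if a custom subclass is needed, checkServerTrusted must delegate, not swallow. */
    public static X509TrustManager verifying(final X509TrustManager system) {
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] c, String a)
                    throws CertificateException { system.checkClientTrusted(c, a); }
            @Override public void checkServerTrusted(X509Certificate[] c, String a)
                    throws CertificateException {
                if (c == null || c.length == 0) throw new CertificateException("empty chain");
                system.checkServerTrusted(c, a); // CA signature, self-signed, expiry
                // Any app-specific check (for example comparing c[0] against a pinned key) goes here.
            }
            @Override public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }
        };
    }

    /** Host name matching is not the trust manager's job: keep the default HostnameVerifier. */
    public static HttpsURLConnection open(java.net.URL url, X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier()); // never (h, s) -> true
        return conn;
    }
}
```

With `open(url, verifying(systemTrustManager()))` a self-signed, expired or mismatched certificate fails the handshake; with `open(url, ACCEPT_ALL)` any certificate is accepted, which is the condition the report counts as a weak check.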
Testin is a leading provider of “one-stop mobile application cloud testing service” in the world, offering one-stop application testing service and quality assurance for developers of mobile applications, games, VR/AR, wearable devices, Internet of Things, and Artificial Intelligence. Testin’s cloud testing is able to check function, compatibility, regression, automated security testing, real machine debugging, A/B testing and bug management on real machines deployed in the cloud through deep machine learning AI automated scripts. Testin’s distributed testing, supported by shared experts around the world, targets functionality, user experience, scenario and usability. Testin Pro tests private cloud compatibility, real machine debugging, functionality, performance provisioning, and applications in an automated way and makes dedicated deployments for test management. After 150+ million iteration tests of 2+ million Apps in the past 5+ years, Testin has grown from a groundbreaking idea to the leader in the #1 Mobile App Quality Assurance platform, secured US$84.9 million in 3 rounds from IDG, Banyan, Haiyin and CEL and succeeded in not only capturing the domestic market in China, but also setting foot in the global arena. Testin has been recognized as 2014 and 2015 Zero2IPO v50 China, 2014 Red Herring 100 Asia and 2015 Red Herring 100 Global, and 2015 and 2016 Deloitte High-Tech & Growth Top 50 China. By addressing mobile and OS fragmentation, App compatibility, functionality, user experience, performance, security and analytics, Testin builds the confidence of thousands of developers, including McDonald’s, Nestle, Starbucks, Benz, Philips, Kabam and JD, to ensure great experiences for their users. For more information on security information and services, please keep an eye on http://www.Testin.net, a security test and authentication service embedded with AI learning technology for developers and QA teams.