Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Proposal] DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing) for android applicaftions #80

Open
AYAN-AMBESH opened this issue Feb 17, 2024 · 5 comments
Open

[Proposal] DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing) for android applicaftions #80

AYAN-AMBESH opened this issue Feb 17, 2024 · 5 comments
Assignees
@chanu4321 @bloodyvoid13 @diyabhandari
Labels
type/proposal

Comments

@AYAN-AMBESH
Copy link

Type

Talk

Location

Campus: Noida

About

Android Testing

Static and Dynamic testing on android Apk with hands on demonstration via test application
will also go through SMALI but not in depth as its a topic big in itself

Will go from Beginner to Advance

Pre-requisites

Basic knowledge of linux , programming (any langauge)

Duration

2 hours

Level

Beginner

Resources

Currently working on the presentation will share it as soon as possible

Speakers

Ayan Ambesh
Linkedin
Github
@bloodyvoid13
Copy link

Hey, looks good
does mid march work for you? (7 or 14)

@AYAN-AMBESH
Copy link
Author

yes it works for me

@AYAN-AMBESH
Copy link
Author

7 march will be nice

@AYAN-AMBESH AYAN-AMBESH mentioned this issue Feb 23, 2024
Open
3 tasks
@chanu4321
Copy link
Member

Hey, what's the update on presentation?

@AYAN-AMBESH
Copy link
Author

Hey i have crafted the presentation in markdown format and im sending that below down i will be presenting it through slides (a program written in go to showcase presentation in terminal)

What is Static Analysis? Examining code without execution

  • Identifies potential vulnerabilities like insecure coding practices (e.g., SQL injection), resource leaks (e.g., memory leaks), and unused resources.
  • Detects hardcoded credentials (e.g., passwords embedded in the code) and insecure storage of sensitive data.
  • Efficient and fast, ideal for large codebases.
    Limitations:
  • Can be limited by obfuscation techniques and dynamic code loading.
  • May not detect vulnerabilities that only manifest at runtime.

  • Identify coding practices that can lead to vulnerabilities specific to the Android platform, such as SQL injection attacks.
  • Detect resource-related issues that can impact app performance and stability.
  • Uncover instances of hardcoded credentials or insecure data storage, which are major security concerns in Android apps.

Static Analysis in context of Android

Scenario: A developer accidentally leaves their API key hardcoded within the Android application's code.
Static analysis: Identifies the presence of the hardcoded API key and flags it as a potential security vulnerability.
Benefit: This early detection allows the developer to address the issue before the app is released, preventing potential misuse of the API key.

What is Dynamic Analysis? Analyzing code while it's running

Benefits in Android Development:
Detects vulnerabilities that only manifest at runtime, such as unauthorized network access, attempts to tamper with device settings, and malware injection.
Provides a more comprehensive security assessment compared to static analysis.
Limitations:
Can be time-consuming and resource-intensive.
May require additional setup and configuration.

Exploits we are gonna cover

  • REST API VULNERABILITIES
  • SENSITIVE INFORMATION Disclosure
  • EXPORTED ACTIVITIES
  • WEBVIEW VIA DEEPLINK

LIST OF API VULNERABILITIES ACCORDING TO OWASP

  • Broken Object Level Authorization
  • Broken Authentication
  • Broken Object Property Level Authorization
  • Unrestricted Resource Consumption
  • Broken Function Level Authorization
  • Unrestricted Access to Sensitive Business Flows
  • Server Side Request Forgery
  • Security Misconfiguration
  • Improper Inventory Management
  • Unsafe Consumption of APIs

Avoiding Sensitive Information Leaks in Android Apps

  1. Introduction

Problem: Mobile apps are increasingly vulnerable to leaks of sensitive information like passwords, API keys, and user data.
Impact: These leaks can compromise user privacy, financial information, and internal systems.
2. Common Vulnerabilities

Hardcoded Secrets: Embedding sensitive data directly in the app's code.
Example: A hardcoded secret key allowed decryption of encrypted data.
Insecure Logging: Inadvertently logging sensitive information through debugging tools like "adb logcat."
Example: Debuggers can reveal sensitive data logged during development or testing.
3. Demonstration

Finding the Process ID (PID):
Use adb shell ps -ef | grep <app_name> to identify the target app's PID.
Filtering Logs with PID:
Use adb logcat | grep to filter logs specific to the target app.
4. Prevention Strategies

Secure Coding Practices:
Avoid Hardcoding: Use environment variables or secure key storage mechanisms for sensitive data.
Log Management:
Filter Logs: Capture only essential information.
Centralized Logging: Use a system with access controls for sensitive logs.
5. Conclusion

Secure coding, responsible log management, and regular security assessments are crucial to protect user data.
By adopting these practices, we can build a more secure mobile app ecosystem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@chanu4321 chanu4321

@bloodyvoid13 bloodyvoid13

@diyabhandari diyabhandari

Labels
type/proposal
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@AYAN-AMBESH @jailbreakerVC @Vyogami @chanu4321 @bloodyvoid13 @diyabhandari