Building a Mobile App Automatic Vulnerability Detection Platform

Posted by lipsius at 2020-03-30

1、 A brief history of Android App vulnerability detection in China

1.1 Stone Age (2007-2011) keywords: decompilation, manual audit

Google officially released the Android operating system in November 2007. In December 2011, Google released Android version 2.3, and the number of apps in the Android application market exceeded 100,000. As the Android system matured and the number of Android devices grew, Android overtook Symbian to become the mainstream smartphone operating system. At the same time, some security researchers sensed that Android client security might become one of the future security hot spots, and many traditional binary security researchers moved into mobile security. During this period, domestic attention to Android security focused mainly on malicious app analysis and detection, app reversing and cracking, and Android system rooting. For Android client security issues, researchers concentrated on information disclosure and the use of sensitive permissions: the usual approach was to decompile the APK with a decompilation tool, analyze the recovered source code, and then audit it manually.

Figure 1: Using jd-gui to analyze the Java code recovered by decompiling an APK

1.2 Agricultural Era (2012-2014) keywords: automated audit, static analysis, dynamic analysis

Figure 2: Main interface of the King Kong audit system

1.3 Industrial Era (2015 to present) keywords: fuzz testing, taint analysis, generic unpacking, automated UI traversal

Since 2015, the emergence of open online Android app vulnerability detection platforms such as 360 Bug Hunters (since renamed 360 Microscope) and Aliju Security has made it easier for developers and security researchers to audit apps for vulnerabilities. The emergence of open-source online detection platforms (such as MobSF) has also lowered the barrier to developing a customized app vulnerability audit system. At the same time, fuzz testing, taint analysis, generic unpacking, automated UI traversal and other techniques from academia and industry have been applied to mobile app vulnerability auditing. The application of several of these techniques to Android app vulnerability detection is outlined briefly below; if readers are interested, they will be covered in detail later.

Figure 3: Combined fuzzing framework proposed by security researchers at KCon 2016

Figure 4: Workflow of FlowDroid

1.3.3 Generic unpacking of Android apps

The proliferation of app repackaging and cracking gave rise to the app hardening (packing) industry, and the two technologies keep evolving against each other. The mainstream hardening schemes in China currently include Bangbang, Aicheng, Baidu Hardening, 360 Hardening, Aliju Security, Tencent Security / Legu, Tongfudun, Naga and others. For an online vulnerability detection platform, lacking a generic automated unpacking scheme means that the code of many apps in the application market cannot be analyzed statically; a hardened app may not even run in the emulator or on the specific test device, which degrades the dynamic analysis results.

Figure 5: Hardening schemes used by some domestic apps, compiled by the author

Figure 6: App test report generated by AppCrawler

2、 Android App vulnerability detection

2.1 Domestic Android app online vulnerability detection platforms

Note: listed in no particular order

2.2 Open-source Android app vulnerability detection tools

Figure 7: Scan report generated by MobSF

2. drozer: drozer is an open-source Android security testing framework developed by MWR Labs that supports writing custom modules. Many articles about drozer already exist, so it is not covered in detail here.

Figure 8: drozer console

Figure 9: Marvin main interface

Figure 10: Inspection main interface

3、 iOS app vulnerability detection

3.1 Common iOS app vulnerability testing tools

Testing iOS app security requires a jailbroken iOS device and a few testing tools. Two iOS app security testing tools are introduced briefly here: 1. IDB

Figure 11: IDB main interface

Figure 12: needle main interface

3.2 iOS app automated vulnerability detection

Figure 13: Part of a TSRC iOS app vulnerability audit report

4、 Building a mobile app vulnerability detection platform

At present, both the 3BAT companies and mobile security companies in China offer mobile app vulnerability detection products, and the author has had some in-depth experience with these platforms. Generally speaking, as the technology has developed, the barrier to building an app vulnerability detection platform has become very low and the technology is very mature.

In the mobile Internet era, different enterprises have different security requirements for their mobile app products. Finance, payment, communication and game apps, for example, place high demands on the security of the app client, the business logic and the back-end servers, so these enterprises need to customize their own mobile app vulnerability detection platform. From a personal point of view, the author offers the following suggestions on how to build one:

(1) At the start of platform construction, refer to the industry's best comparable products and open-source solutions. Most basic back-end functions of current mobile app vulnerability detection platforms are developed in Python / Java, which is convenient for rapid development and iteration.

(2) The threats to mobile apps change constantly, so the vulnerability audit rules must support rapid updates. At the same time, an enterprise mobile app vulnerability detection platform should meet two basic needs: pre-release audits and day-to-day troubleshooting of mobile app products.

(3) Developers and security engineers often understand vulnerabilities differently. The vulnerability detection report therefore needs to be accompanied by a detailed explanation of how each vulnerability could be exploited, together with repair guidance.

(4) Pay attention to new research results from academia and industry; if they can be adopted and optimized, they advance the overall technical capability of the platform.

(5) The main builders of the platform should be proficient in mobile app vulnerability mining and able to provide professional solutions for the enterprise's key product features (such as dynamic loading, hot patching and similar technologies).

At the same time, the author proposes a general mobile app vulnerability detection platform architecture for in-house (Party A) and vendor (Party B) enterprises. On this basis, an enterprise can connect the platform directly to its web vulnerability scanning system to scan the app's back-end for web vulnerabilities, and can also collect the URLs the app uses in order to test for business-logic vulnerabilities.
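As an added illustration of points (2) and (3) above (example code written for this page, not code from the original post or from any of the platforms it names): a minimal rule-driven static audit of an AndroidManifest.xml. Rules are plain functions kept in a list, so new ones can be added without touching the engine, and every finding carries an exploitation scenario and remediation guidance for the report reader. The rule ids A01-A03, the severities and the sample manifest are all constructed for this example.

```python
# Added example, not code from the original post: a minimal rule-driven static
# audit of an AndroidManifest.xml. Rules live in a plain list (quick to update)
# and every finding carries a risk scenario plus fix guidance for the report.
# Rule ids A01-A03 and the sample manifest are constructed for this example.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem: ET.Element, name: str, default=None):
    """Read an attribute from the android: XML namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


@dataclass
class Finding:
    rule_id: str
    severity: str
    location: str
    scenario: str  # how the weakness is abused, written for developers
    fix: str       # concrete remediation guidance


def is_launcher(component: ET.Element) -> bool:
    """MAIN/LAUNCHER activities are exported by design and are not flagged."""
    for flt in component.findall("intent-filter"):
        actions = {android_attr(a, "name") for a in flt.findall("action")}
        categories = {android_attr(c, "name") for c in flt.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def rule_debuggable(root: ET.Element) -> List[Finding]:
    app = root.find("application")
    if app is not None and android_attr(app, "debuggable") == "true":
        return [Finding("A01", "high", "<application>",
                        "A debuggable release lets anyone with adb access attach a debugger "
                        "and read process memory, including credentials and tokens.",
                        "Remove android:debuggable from release builds.")]
    return []


def rule_allow_backup(root: ET.Element) -> List[Finding]:
    app = root.find("application")
    # allowBackup defaults to true when absent, so only an explicit "false" passes.
    if app is not None and android_attr(app, "allowBackup", "true") != "false":
        return [Finding("A02", "medium", "<application>",
                        "With backups allowed, private app data can be extracted with adb backup "
                        "on older Android versions or copied into cloud backups.",
                        "Set android:allowBackup=\"false\" unless backup is required.")]
    return []


def rule_exported_without_permission(root: ET.Element) -> List[Finding]:
    findings: List[Finding] = []
    app = root.find("application")
    if app is None:
        return findings
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            exported = android_attr(comp, "exported")
            # Before targetSdk 31, a component with an <intent-filter> is exported by default.
            implicit = exported is None and comp.find("intent-filter") is not None
            if ((exported == "true" or implicit)
                    and android_attr(comp, "permission") is None
                    and not is_launcher(comp)):
                findings.append(Finding(
                    "A03", "medium", f"<{tag} {android_attr(comp, 'name')}>",
                    "Any app on the device can invoke this component and reach its logic or data.",
                    "Set android:exported=\"false\", or protect it with a signature-level permission."))
    return findings


RULES: List[Callable[[ET.Element], List[Finding]]] = [
    rule_debuggable, rule_allow_backup, rule_exported_without_permission,
]


def audit_manifest(manifest_xml: str) -> List[Finding]:
    """Run every rule over the parsed manifest and collect the findings."""
    root = ET.fromstring(manifest_xml)
    findings: List[Finding] = []
    for rule in RULES:
        findings.extend(rule(root))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings with scenario and fix, as a developer-facing report."""
    lines = []
    for f in findings:
        lines.append(f"[{f.severity.upper()}] {f.rule_id} at {f.location}")
        lines.append(f"  Scenario: {f.scenario}")
        lines.append(f"  Fix:      {f.fix}")
    return "\n".join(lines)


# Constructed sample manifest with several deliberate weaknesses.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".CmdReceiver">
      <intent-filter><action android:name="com.example.demo.CMD"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
        android:exported="true" android:permission="com.example.demo.READ_DATA"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(format_report(audit_manifest(SAMPLE_MANIFEST)))
```

On the sample manifest the engine reports the debuggable flag, the backup setting, the explicitly exported service and the implicitly exported receiver, while the launcher activity and the permission-protected provider are left alone. A real platform would run the same rule list over the manifest extracted from the APK and over the decompiled code, but the shape (rules as data, findings with scenario and fix) is what the two points above ask for.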

Figure 14: Architecture of a mobile app automatic vulnerability detection platform

5、 Future directions for mobile app vulnerability detection platforms

The latest Android 7.0 system released by Google adds new security features. For example, app developers can use an interface provided by the system to configure trusted certificates themselves, and by default the system no longer trusts third-party CA certificates installed by the user, which improves the security of Android app network communication. It can be seen that the security problems of mobile apps will keep changing in the future. At present, the final results of most mobile app vulnerability detection platforms still need professional security researchers to assess the actual risk, and historically many serious mobile vulnerabilities could only be found in combination with the business scenario. The mobile app vulnerability detection platform is therefore only one part of an enterprise's mobile app security program; besides promoting the platform, it is also important to train mobile security personnel, standardize secure mobile app development, harden the application and monitor for piracy. In my opinion, mobile app vulnerability detection platforms have several future development directions:

2. Mining data from mobile apps, analyzing and integrating it, and then using it for vulnerability detection and threat awareness is another future direction. At present, some vulnerability detection platforms have started to collect the source code of all mobile apps in the application market together with the network communication data generated while they run (such as domain names, IPs and URLs), for aggregate analysis and web interface vulnerability detection. At the same time, security companies such as 4D Zhichuang and Bangbang have begun to promote mobile application threat awareness products; these products collect application behavior and network data through an SDK and are used to detect APT attacks, brushing (fake-order fraud) and similar scenarios.
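The Android 7.0 certificate-trust change at the start of this section is exactly the kind of rule a detection platform has to keep up with: an app can opt back out of the safer default through its network security configuration. As an added example (not code from the original post, and not from any platform it names), the check below parses an Android network_security_config.xml and flags the two settings that undo the new defaults: re-enabling trust in user-installed CA certificates, and permitting cleartext traffic. The element and attribute names are Android's own; both sample configurations are constructed for this example.

```python
# Added example, not code from the original post: a detection rule for an
# Android network_security_config.xml. It flags settings that weaken the
# Android 7.0 (API 24) defaults: trusting user-installed CAs and permitting
# cleartext traffic. Both sample configurations are constructed.
import xml.etree.ElementTree as ET
from typing import List, Tuple

Issue = Tuple[str, str, str]  # (severity, scope, message)


def _check_trust_anchors(cfg: ET.Element, scope: str, issues: List[Issue]) -> None:
    anchors = cfg.find("trust-anchors")
    if anchors is None:
        return  # inherits the platform default: system CAs only for API 24+ apps
    for cert in anchors.findall("certificates"):
        if cert.get("src") == "user":
            issues.append(("high", scope,
                           "trusts user-installed CA certificates; anyone who can add a CA "
                           "on the device can intercept the app's TLS traffic"))


def _check_cleartext(cfg: ET.Element, scope: str, issues: List[Issue]) -> None:
    # Only an explicit "true" is flagged; the default depends on targetSdk
    # (permitted below API 28, blocked from API 28 on).
    if cfg.get("cleartextTrafficPermitted") == "true":
        issues.append(("medium", scope,
                       "permits cleartext (HTTP) traffic; data on this path can be read and modified"))


def check_network_security_config(xml_text: str) -> List[Issue]:
    """Return (severity, scope, message) issues found in a network security config."""
    root = ET.fromstring(xml_text)
    issues: List[Issue] = []
    base = root.find("base-config")
    if base is not None:
        _check_trust_anchors(base, "base-config", issues)
        _check_cleartext(base, "base-config", issues)
    # iter() also reaches <domain-config> elements nested inside other domain-configs
    for dc in root.iter("domain-config"):
        domains = ", ".join(d.text.strip() for d in dc.findall("domain") if d.text)
        scope = f"domain-config[{domains}]"
        _check_trust_anchors(dc, scope, issues)
        _check_cleartext(dc, scope, issues)
    return issues


# Constructed weak config: re-enables user CAs globally and HTTP for one host.
WEAK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
</network-security-config>"""

# Constructed hardened config: system CAs only, no cleartext anywhere.
HARDENED_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
</network-security-config>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_network_security_config(cfg))
```

The weak configuration produces one high finding for the base config (user CAs trusted) and one medium finding scoped to legacy.example.com (cleartext permitted); the hardened configuration produces none. In a platform, the same check would run over the XML resource extracted from the APK, and the report would pair each finding with the fix shown in the hardened sample.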