Mobile apps have grown to be one of the most significant parts of our daily life. Smartphones are one of the prime ways of accessing the internet in most of the leading and developing countries. Therefore, enterprises possess a lot of their user’s private data that they owe to keep in private.

Considering how deeply IoT devices are integrated into our daily lives (and lots of these devices run on the Android OS), the danger of losing access to our data is only growing. Take for example this massive mobile app data breach in 2018. As a result of the attack, Air Canada claimed that hackers gained access to their database containing passport numbers, expiration dates, frequent traveler NEXUS numbers, and birth dates of up to 20,000 users. Most of these are sold on the Dark Web, creating a significant risk of identity theft. Cyber-attacks can significantly damage an organization which further affects the entire working process.

Two principles we highlight at ByteSnipers is safety and convenience. Usually, tech companies want to offer the best UI and customer experience, but at ByteSnipers we think it is equally important to build a robust and secure application.

An efficient way to enhance app protection is to identify all the vulnerabilities and fix them regularly. Today, we look at the importance of regular updates and releases. This guide offers a repeatable procedure for organizations to follow that is key to avoid being the victim of a cyberattack.

Android security threats

According to Verizon's 2019 Data Breach Investigations Report, malware consistently ranks as the least common method to attempt a data breach, falling behind even physical assaults. This is due to both the existence of mobile malware and the security built into current mobile operating systems.

Let’s take a look at the easily ignored threats when it comes to security.

Data leakage

As sad as it sounds, data leakage is widely seen as among the most troubling corporate safety threats in 2019. Remember the almost non-existent risks of contamination with malware? According to the latest study by Ponemon, when a data breach occurs, businesses have approximately a 28% probability of experiencing at least one breach over the next two years. In other words, one breach will occur in four chances.

What keeps the problem particularly vexing is that, by default, it is often not on purpose, it’s mostly a matter of users unintentionally making ill-advised choices on which apps can see and move their data.

Wi-Fi interference

Mobile devices that connect to unsecured Wi-Fi can be easily exploited. A wireless access point (WAP) or wireless network connection is not necessarily unsafe. But without any form of encryption or security protection, anyone can see the flow of data and it becomes insecure. Most of us are guilty of using public Wi-Fi without knowing whether it can be trusted. That suggests that our information is sometimes not as secure as we would assume.

How critical is this? Accordingly to Wandera’s research, nearly a quarter of devices have connected to open (and possibly dangerous) Wi-Fi networks, while 4% of these devices have encountered a man-in-the-middle assault over the last month.
 

Out-of-date devices

Smartphones, tablets, and smaller connected devices, often referred to as the Internet of Things (IoT), created a new challenge to corporate security. There are some groups of devices that typically do not come with promises of timely and continuous software updates, unlike conventional work devices. This is especially true on the Android front, where a large percentage of producers are embarrassingly unsuccessful in maintaining their products up-to-date. This applies to both modifications to the operating system (OS) and to the reduced monthly security fixes between them. Even worse are the many IoT devices that are not even built to get updates in the first place.

A powerful strategy goes a long way. There are Android devices that obtain continuous updates that are timely and accurate. It falls in the hands of an organization to build its own security network around them and maintain a safe digital environment.

Mobile ad fraud

Ad fraud may take many shapes, but malware is most widely used to produce clicks on advertisements that typically come from a real app or website user. A consumer could, for instance, download an app that provides a legal service, such as a weather forecast or an online chat. However, the app produces malicious clicks on legitimate advertisements that display on the app in the background. By far, the most popular platform for mobile ad fraud is Android. 

Mobile advertisers and ad-supported publishers are the primary victims, but ad fraud still causes damage to phone users. Usually, publishers are compensated by the number of ad clicks they produce, so mobile ad fraud steals from the marketing budgets of businesses and can deprive publishers of income.

An efficient way to enhance app protection is to reveal all the vulnerabilities and fix them regularly. Today, we look at a penetration testing technique behind Android. The list below includes a repeatable procedure for organizations to implement.

Android App Penetration Testing Methodology

Part 1: Reconnaissance

The early phase sets the stage for the greatest areas of risk that must be checked. The pen-testing team, therefore, needs to define the primary uses of the application in question. It is necessary to identify the data flow for possibly vulnerable areas as well as undefined libraries or functions, in addition to learning the complete spectrum of app functionalities.

Part 2: Static Analysis

In static analysis, the raw source code needs to be pushed down. This is in order for the team to consider whether any static data held in the APK can be used to crack the network security mechanism or extend the attack vector. This is achieved by decompiling the binary and the APK from the raw source code and disassembling them. Static analysis tests for, but is not limited to: Code Obfuscation, Identification and Prevention Mechanism for JailBreak, SSL Pinning Mechanism, Access Levels to Other Applications, System Secrets for Sensitive and Cleartext Application Storage.

Part 3: Dynamic Analysis

This type of analysis allows bugs to be discovered at a particular time when the software is running. This usually entails connection to the functions that intercept the traffic in real-time through proxies. Popular application bugs to monitor are authentication and authorization defects, content spoofing, memory leaks, insufficient transport layer protection, application logic flaws, and cross-site scripting.

Part 4: Findings Report

Treats should be risk-qualified via CVSS v3 and listed in a report as soon as all the flaws are identified, which will come with mitigation recommendations and specific objectives.

Seeing the business consequences and risk level of each vulnerability includes specifying the areas to be tackled first by the internal team.

Part 5: Remediation

Remediation can be done by the internal team or the security provider and will be in line with the results report's suggestions. To guarantee that vulnerabilities are fixed. An effective follow-up on these problems is required.

Not all bugs can be solved for the sake of time. Before making a decision to continue with a significant app upgrade, the company needs to consider the existing risks.

Is Android pen-testing worth the effort?

Supposedly, the safety attitude of an Android app is not focused on the modules within the app, but rather on the APIs and servers. External penetration testing with insecure direct object references and unsafe communications can help to uncover bugs that can and will be exploited by malicious hackers.

Manual penetration tests can be mixed with automated vulnerability scannings, which should take place more frequently. Since they don't take a long time, developers can integrate them into their workflow.

At ByteSnipers, we recommend businesses to follow both types of solutions so that they keep resilient and proactive about their apps' security. Contact our team to access additional info on Android pen-testing.