Mobile Application Analysis: Android

Determines whether the “allowBackup” flag within the Android Manifest is set to “false.” Having this flag enabled allows easier access to the application files stored on the device.

The activities called for by an app are an important part of understanding the application's life cycle from the initial main activity launch to the final activity shutdown. The main activity is the main entry point into the application's user interface.

Checks for arbitrary code execution. When executable code is world-writable, another app could swap the file and gain code execution capabilities in other apps.

Checks for arbitrary code execution. When executable code is world-writable, another app could swap the file and gain code execution capabilities in other apps.

Details of the automated interaction.

Programmatic interactions are logged during dynamic analysis. Results are shown in the forensic data.

Checks to see if the certificate used for this application compilation is valid to determine whether the certificate is expired or is set to expire within 30 days.

Certain versions of OpenSSL do not properly restrict the processing of ChangeCipherSpec messages during the TLS/SSL handshake, which could lead to a man-in-the-middle exploit. This is also referred to as the “CCS Injection” vulnerability. For additional details, refer to CVE-2014-0224.

Analyzes the attributes set within the cookies used by the app to determine if the “httponly” flag is set. When a cookie is set with the “httponly” flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies and can prevent attacks, like cross-site scripting (XSS), as the cookie cannot be accessed via client-side (e.g., using a JavaScript code snippet).

Analyzes the attributes set within the cookies used by the app to determine if the “secure” flag is set. When set to “true,” the “secure” flag tells the browser to only send the cookie if the request is sent using a secure channel. This ensures the cookie is not transmitted over unencrypted requests.

Determines whether the application was compiled with the “debuggable” flag enabled in the Android manifest. If enabled, it’s possible to attach a debugger to the application’s process and execute arbitrary code. The default value is “true” if the “debuggable” flag is not set. Debugging should be disabled before compiling an app for production.

Determines if the application can be decoded and if its resources can be extracted for further analysis.

Determines if the application can be decompiled and if its source code can be extracted for further analysis.

This check looks for code reflection within the application and returns where reflection is used. Reflection grants developers the ability and flexibility to view and determine API characteristics at runtime, as opposed to compilation time. At runtime, reflection techniques can be used to determine if a specific class or method is available before trying to use it. Developers can dynamically construct objects, access fields, and invoke methods. It enables the developer to leverage newer APIs while still supporting older versions, all from within the same app. Reflection APIs are part of the Android SDK and can be beneficial when targeting a variety of versions/devices.

Determines if the application attempts to use escalated privileges through the “su” command. This is commonly used by malware to exploit rooted devices.

Checks to see if the key used to sign the application is larger than 1024 bits. Anything smaller leaves applications vulnerable to forged digital signatures.

Local application files and external storage locations are inspected for Android ID exposure.

Local application files and external storage locations are inspected for Bluetooth MAC address exposure.

Local application files and external storage locations are inspected for build fingerprint exposure.

Using specified custom search terms, local application files and external storage locations are inspected for sensitive user or application data.

Local application files and external storage locations are inspected for Domain Name System (DNS) exposure.

Local application files and external storage locations are inspected for Domain Name System (DNS) exposure.

Local application files and external storage locations are inspected for user email address exposure.

Local application files and external storage locations are inspected for user first name exposure.

Local application files and external storage locations are inspected for exposed GPS latitude coordinates.

Local application files and external storage locations are inspected for exposed GPS longitude coordinates.

Local application files and external storage locations are inspected for International Mobile Equipment Identity (IMEI) exposure.

Local application files and external storage locations are inspected for user last name exposure.

Local application files and external storage locations are inspected for local wi-fi MAC address exposure.

Local application files and external storage locations are inspected for MAC address exposure.

Local application files and external storage locations are inspected for exposure of the user’s full name.

Local application files and external storage locations are inspected for exposed passwords.

Local application files and external storage locations are inspected for exposed phone numbers.

Local application files and external storage locations are inspected for provision revision exposure.

Local application files and external storage locations are inspected for serial exposure.

Local application files and external storage locations are inspected for surrounding wi-fi MAC address exposure.

Local application files and external storage locations are inspected for exposure of the surrounding wi-fi network basic service set identifier (BSSID).

Local application files and external storage locations are inspected for surrounding wi-fi network SSID exposure.

Local application files and external storage locations are inspected for exposed usernames.

Local application files and external storage locations are inspected for exposed wi-fi IP addresses.

Local application files and external storage locations are inspected for exposed wi-fi MAC addresses.

Local application files and external storage locations are inspected for exposed ZIP codes.

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for DNS1 exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for DNS2 exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for International Mobile Equipment Identity (IMEI) exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for exposure of the user’s last name. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for exposure of the local wi-fi MAC address. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for MAC address exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for exposure of the user’s name. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for the existence of sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might allow an attacker to carry out a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for exposure of the user’s phone number. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for provision revision exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for exposure of the device’s serial. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for surrounding wi-fi MAC address exposure. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for exposure of the surrounding wi-fi network basic service set identifier (BSSID). Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for the existence of any sensitive user or application data. Debug logs, which are designed to detect and correct flaws in an application, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for the existence of any sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for the existence of any sensitive user or application data.Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for the existence of any sensitive user or application data. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

System log files are analyzed for exposure of the user’s ZIP code. Debug logs, which are designed to detect and correct application flaws, can leak sensitive information that might help an attacker craft a more powerful attack. Any application on that device with the READ_LOGS permission can interrogate the logs. The log files of more recent Android versions are carefully isolated and do not require system-level permissions to be requested.

Checks if the application is attempting to exploit the Master Key vulnerability. Android OS versions 1.6 through 4.2 do not properly check cryptographic signatures, which could lead to non-approved code being run. For more information see CVE-2013-4787. The purpose of this check is to flag potentially malicious behavior within the application.

Checks if the source code has been obfuscated, either by Proguard or Dexguard, in order to make class identification less obvious. The intellectual property is at risk because the application can be easily reverse-engineered.

Versions before 2.7.4 and 3.x before 3.1.2 of OkHttp allows man-in-the-middle attackers to bypass certificate pinning. During static analysis, the binary is searched for vulnerable versions of this library.

OSLog is a unified logging system that stores messages in memory and in a data store, rather than writing to text-based log files. These logs, which are designed to detect and correct application flaws, can leak sensitive information that might help an attacker craft a more powerful attack. Forensic data provides any detected OSLog messages.

Path traversal (a.k.a. directory traversal) allows attackers to perpetrate a “dot–dot–slash” (../) attack to read/write files in internal storage. Any vulnerable content providers will be listed in the forensic data.

Checks for writable executable file permissions and for in-transit ZIP files sent over the network. The combination of these two instances more than likely indicates a remote code execution vulnerability.

Determines if the application attempts to use escalated privileges through the “su” command. This is commonly used by malware to exploit rooted devices, gaining control of all functionalities of the application.

External storage locations are monitored as the application runs to determine if data is being stored in the application.

Applications that use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices. This is due to improper initialization of the pseudo-random number generator (PRNG). Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected. Please note that for “electronic wallet” applications or applications that process sensitive and/or monetary transactions (including bitcoin transactions), the risk associated with this finding should carefully be considered and should potentially be classified using a finding with severity “High.”

Determines whether the application is performing proper certificate validation or hostname verification. Lack of proper validation could result in sensitive data being intercepted by a man-in-the-middle attack. If the application's traffic can be decrypted, it is searched for sensitive data, including username, password, GPS coordinates, wi-fi MAC address, International Mobile Equipment Identity (IMEI), device serial number, and phone number.

All TLS/SSL communications sent by the application are proxied and traffic is searched for sensitive values, including the user’s username, password, GPS coordinates, wi-fi MAC address, International Mobile Equipment Identity (IMEI), serial number, and phone number.

Using custom search terms, traffic is analyzed to determine if any sensitive data is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the Android ID is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the Bluetooth MAC address is insecurely transmitted over the network without encryption.

Traffic is analyzed to determine if the user’s build fingerprint is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if any DNS data is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if any DNS data is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the user’s email address is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the user’s first name is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the user’s GPS latitude location is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if any sensitive data is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the user’s International Mobile Equipment Identity (IMEI) is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the user’s last name is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the local wi-fi MAC address is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the device’s MAC address is insecurely transmitted over the network without encryption.

Traffic is analyzed to determine if the user’s full name is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the user’s password is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the user’s phone number is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the provision revision is insecurely transmitted over the network without encryption.

Traffic is analyzed to determine if the device’s serial is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the surrounding wi-fi MAC address is insecurely transmitted over the network without encryption.

Traffic is analyzed to determine if the surrounding wi-fi network basic service set identifiers (BSSID) is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the surrounding wi-fi network service set Identifier (SSID) is insecurely transmitted over the network without encryption.

Traffic is analyzed to determine if the user’s username is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the wi-fi IP address is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the w-fi MAC address is exposed from insecure transmission over the network without encryption.

Traffic is analyzed to determine if the user’s ZIP code is exposed from insecure transmission over the network without encryption.

SMS communications are monitored during dynamic analysis. Forensic data provides context on what was found to be sent over SMS.

Network communications are monitored while the application is running to locate the destination of the application’s sent data.

Android applications might use untrusted and exploitable input to construct SQL queries. The most common case is when applications do not sanitize input for a SQL query and do not limit access to content providers. Any vulnerable content providers are available in the forensic data.

Calls within the application are checked for the use of world-writable permissions. Forensic details show any detections.

Checks for writable executable file permissions in shared storage locations. If the application has a “writable_executable” and is combined with another bug, such as a network ZIP download, the app could be vulnerable to remote code execution attacks.

Checks for writable executable file permissions in the application’s data directory. If the application has a “writable_executable” and is combined with another bug, such as a network ZIP download, the app could be vulnerable to remote code execution attacks.

Detects when ZIP files are being sent by the application over HTTPS. ZIP files can contain arbitrary code written in the file, which could allow an attacker to carry out a remote code execution attack.