Dynamic Analysis

Android Dynamic Analysis

Android dynamic analysis is the testing and evaluation of an Android application by executing it and observing its behaviour in real time. The objective is to find errors in the application while it is running, rather than by repeatedly examining the code offline.

Dynamic analysis results are displayed as JSON objects with the following names:

  • "kind": Type of analysis test (static or dynamic)
  • "key": Contains the value of the test title used for testing purposes
  • "title": Title of the specific test
  • "category": Category of the specific test
  • "summary": Summary of the specific test
  • "cvss": Common Vulnerability Scoring System (CVSS) score; the universal, open and standardized method for rating IT vulnerabilities and determining the urgency of response
  • "regulatory": Security and compliance regulations

If a specific dynamic analysis test is found vulnerable, the "regulatory" object contains JSON arrays with the following names:

  • "cwe": The "CWE" or "Common Weakness Enumeration" category is displayed as a JSON array with the id and url of each specific software weakness found by the test.

  • "owasp": The "OWASP" or "Open Web Application Security Project" category is displayed as a JSON array with the id and url of each specific mobile security risk found by the test.

Example:

{
    "kind": "dynamic",
    "key": "ipa_sensitive_data_no_encryption",
    "title": "Sensitive Data in Transit (no Encryption)",
    "category": "network",
    "summary": "\n    Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption (i.e. HTTP).\n    Sensitive data that is searched currently includes Username, Password, GPS Coordinates,\n    Wifi Mac Address, IMEI, Device Serial Number, and Phone number.\n  ",
    "cvss": 8.2,
    "regulatory": {}
}

If an application was not found to be vulnerable or affected by this specific dynamic analysis test, the results will display JSON objects with the following names and values:

  • "affected": Boolean value (true or false) that states whether the application is affected by the specific test
  • "severity": If the application is not vulnerable to a specific test, the severity value will display "pass"
  • "description": Description of the test result

Example:

{
    "affected": false,
    "severity": "pass",
    "description": "\n    None of the sensitive values that were searched were recovered from unencrypted application traffic.\n  "
}

If an application was found to be vulnerable and affected by this specific dynamic analysis test, the results will display JSON objects with the following names and values:

  • "affected": Boolean value (true or false) that states whether the application is affected by the specific test
  • "category": Category of the specific test
  • "severity": If the application is vulnerable to a specific test, the severity value is one of "high", "medium" or "low"
  • "cvss": Common Vulnerability Scoring System (CVSS) score; the universal, open and standardized method for rating IT vulnerabilities and determining the urgency of response
  • "title": Title of the specific test
  • "cwe": The "CWE" or "Common Weakness Enumeration" category is displayed as a JSON array with the id and url of each specific software weakness found by the test.
  • "description": Description of the test result
  • "recommendation": Recommendation on how to fix the issue or vulnerability

Example:

{
    "affected": true,
    "issue": {
      "category": "network",
      "severity": "high",
      "cvss": 8.2,
      "title": "Sensitive data intercepted in transit without encryption",
      "description": "\n    One or more sensitive values were intercepted in transit. This is a high risk vulnerability as it is possible for an attacker on the same network to easily retrieve this information.\n    It is encouraged to review the table below, which displays the type of data that was intercepted, whether it is sent in plain text or a special encoding, the actual value that was recovered, and the URL related to this violation.\n  ",
      "pass": "\n    None of the sensitive values that were searched were recovered from unencrypted application traffic.\n  ",
      "recommendation": "\n    Enforce the use of SSL/TLS for all transport channels in which sensitive information, session tokens, or other sensitive data is going to be communicated to a backend API or web service. \n    Properly validate the SSL/TLS certificate to ensure it is signed by a trusted certificate authority (CA) as well as contains the correct hostname.\n    An even more secure approach is to use Certificate Pinning to mitigate the possibility of SSL/TLS weaknesses. Certificate Pinning is making sure the client checks the server's certificate against a known copy of that certificate. Simply bundle your server's certificate inside your application, and make sure any SSL/TLS request first validates that the server's certificate exactly matches the bundle's certificate.\n    For some apps, Certificate Pinning may be impossible to do. If your app allows users to enter in their own domain names to connect to services, then you have no opportunity to embed that certificate. However, if your app is intended to connect to a known server, or set of servers, you have all the information you need to guarantee that client is indeed talking directly to the server and without a man in the middle eavesdropping.\n  "
    },
    "severity": "high",
    "description": "\n    One or more sensitive values were intercepted in transit. This is a high risk vulnerability as it is possible for an attacker on the same network to easily retrieve this information.\n    It is encouraged to review the table below, which displays the type of data that was intercepted, whether it is sent in plain text or a special encoding, the actual value that was recovered, and the URL related to this violation.\n  ",
    "recommendation": "\n    Enforce the use of SSL/TLS for all transport channels in which sensitive information, session tokens, or other sensitive data is going to be communicated to a backend API or web service. \n    Properly validate the SSL/TLS certificate to ensure it is signed by a trusted certificate authority (CA) as well as contains the correct hostname.\n    An even more secure approach is to use Certificate Pinning to mitigate the possibility of SSL/TLS weaknesses. Certificate Pinning is making sure the client checks the server's certificate against a known copy of that certificate. Simply bundle your server's certificate inside your application, and make sure any SSL/TLS request first validates that the server's certificate exactly matches the bundle's certificate.\n    For some apps, Certificate Pinning may be impossible to do. If your app allows users to enter in their own domain names to connect to services, then you have no opportunity to embed that certificate. However, if your app is intended to connect to a known server, or set of servers, you have all the information you need to guarantee that client is indeed talking directly to the server and without a man in the middle eavesdropping.\n  ",
    "context": {
      "rows": [
        {
          "issue": "sensitive_data_leak",
          "full_url": "http://ad.spcleaner.info/v3/config?pubid=514&android_id=47edfe1b30cd46d7&pkg_name=mobi.supo.cleaner&pkg_ver=28&sdk_version=2&first_time=1483454380&update_time=1483454380&new_user=1&lc=en_US&config=conf&func=import&bid=96",
          "searched_data": "/v3/config?pubid=514&android_id=47edfe1b30cd46d7&pkg_name=mobi.supo.cleaner&pkg_ver=28&sdk_version=2&first_time=1483454380&update_time=1483454380&new_user=1&lc=en_US&config=conf&func=import&bid=96",
          "encoded_format": "original",
          "data_value_type": "android_id",
          "additional_context": [
            "Contained in HTTP URL path"
          ],
          "sensitive_data_value": "47edfe1b30cd46d7"
        }
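As an added example (not part of this documentation and not the product's own code), a small Python triage routine that consumes a result in the layout described above and reduces it to what a reviewer acts on: whether the test failed, its severity and CVSS, the mapped CWE/OWASP ids, and for each context row the leaked data type and the scheme/host it went to. The two sample results, the CWE/OWASP ids and the host are constructed placeholders, not real scan output.

```python
import json
from urllib.parse import urlsplit

# Constructed sample results following the field layout documented above
# (illustrative placeholders, not captured from a real scan).
PASS_RESULT = json.dumps({
    "kind": "dynamic", "key": "ipa_sensitive_data_no_encryption",
    "title": "Sensitive Data in Transit (no Encryption)", "category": "network",
    "cvss": 8.2, "regulatory": {}, "affected": False, "severity": "pass",
    "description": "None of the sensitive values that were searched were recovered.",
})
FAIL_RESULT = json.dumps({
    "kind": "dynamic", "key": "ipa_sensitive_data_no_encryption",
    "title": "Sensitive Data in Transit (no Encryption)", "category": "network",
    "cvss": 8.2, "affected": True, "severity": "high",
    "regulatory": {
        "cwe": [{"id": "CWE-319", "url": "https://cwe.mitre.org/data/definitions/319.html"}],
        "owasp": [{"id": "M3", "url": "https://owasp.invalid/placeholder"}]},
    "issue": {"category": "network", "severity": "high", "cvss": 8.2,
              "title": "Sensitive data intercepted in transit without encryption"},
    "context": {"rows": [{
        "issue": "sensitive_data_leak", "data_value_type": "android_id",
        "encoded_format": "original", "sensitive_data_value": "0123456789abcdef",
        "full_url": "http://example.invalid/v3/config?android_id=0123456789abcdef",
        "additional_context": ["Contained in HTTP URL path"]}]},
})

def triage(raw: str) -> dict:
    """Reduce one dynamic-analysis result object to an actionable summary."""
    r = json.loads(raw)
    if r.get("kind") != "dynamic":
        raise ValueError("not a dynamic analysis result")
    reg = r.get("regulatory") or {}
    out = {"key": r["key"], "affected": bool(r.get("affected")),
           "severity": r.get("severity", "pass"), "cvss": r.get("cvss"),
           "cwe": [c["id"] for c in reg.get("cwe", [])],
           "owasp": [o["id"] for o in reg.get("owasp", [])], "leaks": []}
    if not out["affected"]:
        return out  # a "pass" result carries no context rows worth reporting
    for row in r.get("context", {}).get("rows", []):
        url = urlsplit(row.get("full_url", ""))
        # The recovered secret itself is not copied into the summary; only its
        # type, length, encoding and destination are needed for triage.
        out["leaks"].append({"type": row.get("data_value_type"),
                             "scheme": url.scheme, "host": url.hostname,
                             "encoding": row.get("encoded_format"),
                             "where": row.get("additional_context", []),
                             "value_len": len(row.get("sensitive_data_value", ""))})
    return out
```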