Android dynamic analysis is the testing and evaluation of an Android application by executing it in real time. The objective is to find errors in the application while it is running, rather than by repeatedly examining the code offline.
Dynamic analysis results are displayed as JSON objects with the following names:
If a specific dynamic analysis test is found vulnerable, a JSON array with the following names is displayed under the regulatory category:
"cwe": The "CWE" or "Common Weakness Enumeration" category is displayed as a JSON array with the id and url of each specific software weakness found during static analysis.
"owasp": The "OWASP" or "Open Web Application Security Project" category is displayed as a JSON array with the id and url of each specific mobile security risk found during static analysis.
Example:
{
  "kind": "dynamic",
  "key": "ipa_sensitive_data_no_encryption",
  "title": "Sensitive Data in Transit (no Encryption)",
  "category": "network",
  "summary": "\n Traffic is analyzed to determine if any sensitive data is transmitted insecurely over the network without encryption (i.e. HTTP).\n Sensitive data that is searched currently includes Username, Password, GPS Coordinates,\n Wifi Mac Address, IMEI, Device Serial Number, and Phone number.\n ",
  "cvss": 8.2,
  "regulatory": {}
}
If the application was not found to be vulnerable to, or affected by, this specific dynamic analysis test, the results are displayed as JSON objects with the following names and values:
Example:
{
  "affected": false,
  "severity": "pass",
  "description": "\n None of the sensitive values that were searched were recovered from unencrypted application traffic.\n "
}
If the application was found to be vulnerable to, and affected by, this specific dynamic analysis test, the results are displayed as JSON objects with the following names and values:
Example:
{
  "affected": true,
  "issue": {
    "category": "network",
    "severity": "high",
    "cvss": 8.2,
    "title": "Sensitive data intercepted in transit without encryption",
    "description": "\n One or more sensitive values were intercepted in transit. This is a high risk vulnerability as it is possible for an attacker on the same network to easily retrieve this information.\n It is encouraged to review the table below, which displays the type of data that was intercepted, whether it is sent in plain text or a special encoding, the actual value that was recovered, and the URL related to this violation.\n ",
    "pass": "\n None of the sensitive values that were searched were recovered from unencrypted application traffic.\n ",
    "recommendation": "\n Enforce the use of SSL/TLS for all transport channels in which sensitive information, session tokens, or other sensitive data is going to be communicated to a backend API or web service. \n Properly validate the SSL/TLS certificate to ensure it is signed by a trusted certificate authority (CA) as well as contains the correct hostname.\n An even more secure approach is to use Certificate Pinning to mitigate the possibility of SSL/TLS weaknesses. Certificate Pinning is making sure the client checks the server's certificate against a known copy of that certificate. Simply bundle your server's certificate inside your application, and make sure any SSL/TLS request first validates that the server's certificate exactly matches the bundle's certificate.\n For some apps, Certificate Pinning may be impossible to do. If your app allows users to enter in their own domain names to connect to services, then you have no opportunity to embed that certificate. However, if your app is intended to connect to a known server, or set of servers, you have all the information you need to guarantee that client is indeed talking directly to the server and without a man in the middle eavesdropping.\n "
  },
  "severity": "high",
  "description": "\n One or more sensitive values were intercepted in transit. This is a high risk vulnerability as it is possible for an attacker on the same network to easily retrieve this information.\n It is encouraged to review the table below, which displays the type of data that was intercepted, whether it is sent in plain text or a special encoding, the actual value that was recovered, and the URL related to this violation.\n ",
  "recommendation": "\n Enforce the use of SSL/TLS for all transport channels in which sensitive information, session tokens, or other sensitive data is going to be communicated to a backend API or web service. \n Properly validate the SSL/TLS certificate to ensure it is signed by a trusted certificate authority (CA) as well as contains the correct hostname.\n An even more secure approach is to use Certificate Pinning to mitigate the possibility of SSL/TLS weaknesses. Certificate Pinning is making sure the client checks the server's certificate against a known copy of that certificate. Simply bundle your server's certificate inside your application, and make sure any SSL/TLS request first validates that the server's certificate exactly matches the bundle's certificate.\n For some apps, Certificate Pinning may be impossible to do. If your app allows users to enter in their own domain names to connect to services, then you have no opportunity to embed that certificate. However, if your app is intended to connect to a known server, or set of servers, you have all the information you need to guarantee that client is indeed talking directly to the server and without a man in the middle eavesdropping.\n ",
  "context": {
    "rows": [
      {
        "issue": "sensitive_data_leak",
        "full_url": "http://ad.spcleaner.info/v3/config?pubid=514&android_id=47edfe1b30cd46d7&pkg_name=mobi.supo.cleaner&pkg_ver=28&sdk_version=2&first_time=1483454380&update_time=1483454380&new_user=1&lc=en_US&config=conf&func=import&bid=96",
        "searched_data": "/v3/config?pubid=514&android_id=47edfe1b30cd46d7&pkg_name=mobi.supo.cleaner&pkg_ver=28&sdk_version=2&first_time=1483454380&update_time=1483454380&new_user=1&lc=en_US&config=conf&func=import&bid=96",
        "encoded_format": "original",
        "data_value_type": "android_id",
        "additional_context": [
          "Contained in HTTP URL path"
        ],
        "sensitive_data_value": "47edfe1b30cd46d7"
      }
    ]
  }
}
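As an added example (not part of this documentation or of the tool's own code), the following Python script triages results in the format described above: it picks out the affected dynamic tests by CVSS and summarises each context row as data type, destination host and location, without repeating the recovered value. It assumes a report is a JSON list of such test objects and uses a constructed sample whose host, android_id and second test are made up.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape documented on this page; the host, the
# android_id value and the second (passing) test are made up, and a report is
# assumed to be a JSON list of test objects.
SAMPLE_REPORT = json.loads(r'''[
  {"kind": "dynamic", "key": "ipa_sensitive_data_no_encryption",
   "title": "Sensitive Data in Transit (no Encryption)", "category": "network",
   "cvss": 8.2, "regulatory": {}, "affected": true, "severity": "high",
   "issue": {"category": "network", "severity": "high", "cvss": 8.2,
             "title": "Sensitive data intercepted in transit without encryption"},
   "context": {"rows": [
     {"issue": "sensitive_data_leak",
      "full_url": "http://ads.example.invalid/v3/config?android_id=0123456789abcdef",
      "encoded_format": "original", "data_value_type": "android_id",
      "additional_context": ["Contained in HTTP URL path"],
      "sensitive_data_value": "0123456789abcdef"}]}},
  {"kind": "dynamic", "key": "constructed_passing_test", "title": "Constructed test",
   "category": "network", "cvss": 5.0, "regulatory": {},
   "affected": false, "severity": "pass", "description": "Nothing recovered."}
]''')


def affected_findings(report, min_cvss=0.0):
    """Return the dynamic tests whose 'affected' flag is true, highest CVSS
    first, keeping only those scored at or above min_cvss."""
    hits = [t for t in report
            if t.get("kind") == "dynamic" and t.get("affected") is True
            and float(t.get("cvss", 0)) >= min_cvss]
    return sorted(hits, key=lambda t: t["cvss"], reverse=True)


def leaked_values(test):
    """Summarise each context row of an affected test as
    (data type, destination host, where it appeared). The recovered secret
    itself is deliberately left out so the summary is safe to paste into a ticket.
    Unaffected tests, and tests without a context block, yield an empty list."""
    rows = test.get("context", {}).get("rows", []) if test.get("affected") else []
    out = []
    for row in rows:
        host = urlsplit(row.get("full_url", "")).hostname or "<unknown>"
        where = "; ".join(row.get("additional_context", [])) or row.get("encoded_format", "")
        out.append((row.get("data_value_type", "unknown"), host, where))
    return out


if __name__ == "__main__":
    for t in affected_findings(SAMPLE_REPORT, min_cvss=7.0):
        print(f"[{t['severity']}] {t['key']} (CVSS {t['cvss']}): {t['issue']['title']}")
        for kind, host, where in leaked_values(t):
            print(f"    {kind} sent to {host} ({where})")
```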