One of the most important elements of software quality is security. In the case of mobile applications, we should take special attention in this aspect because they have an impact on many aspects of our lives, especially high-risk areas such as healthcare, banking, personal data, credentials, etc. To ensure a proper level of a product’s security, we need to perform checks and verifications. It is particularly important for Android applications because of the system’s open nature (unlike iOS). To handle testing properly, we need to have tools that can make our work much easier and faster, here is where OWASP (The Open Web Application Security Project) comes to the rescue. As part of the Mobile Project, OWASP prepared guidelines for the security testing methodology. The guidelines, called Mobile Security Testing Guide (MSTG), suggest a few tools that can be useful in testing the security of Android applications. We decided to review four of them in a series of blog posts. This post is the first part in the series.

The problem

Security testing is a very complex and time consuming task because we need to test different aspects and different levels. In mobile applications, we need to test many aspects such as SDK misuse, flow control, communication, UI configuration, local database security, proper cryptography handling, etc. On Android, we also need to remember about all the different API levels and issues related to the fragmentation problem. To provide adequate security in mobile products, security testing should be a continuous process. The best way to enforce continuous testing with an appropriate frequency is to integrate it with existing processes such as Continuous Delivery/Continuous Integration. To make this possible, we need automation. Automation is very important in security testing because it reduces the time required to perform very complex analyses. To automate the process, we need tools that will perform static analysis of our products. To make this more accurate, we need tools that work on ready-to-use applications – not on source code (some issues are valid only for release/production builds). We can use OWASP MSTG as a source of knowledge about the best available tools. The guide suggests tools that can be used for static analysis. We selected some of them:

JAADAS,

AndroBugs,

DROZER

QARK

MobSF

We reviewed the tools to collect all necessary information in one place. This should make the decision about which tool you should choose much easier.

JAADAS

The first of the analysed tools is JAADAS. JAADAS (Joint Advanced Application Defect Assessment for Android Application) is a tool designed for carrying out complex analyses of Android applications. Its API includes several areas of analysis:

SDK misuse analysis,

intent crash,

inter-procedure flow control (from Intent to sensitive Android API).

and more.

JAADAS is a JAVA/SCALA application packed into a single JAR archive, written in 2014. It is based on the Scoot framework used for the analysis of Java byte code.

JAADAS requires three kinds of assets to successfully perform the analysis:

JDK >= 1.8

Scala >= 2.11

Android platform tools

The platform tools version should be equal to the API version defined in the analysed Android application. This is just a recommendation, because you can also manually specify which version of platform tools should be used. The most important thing that you need to remember is that you need to download platform tools manually before the analysis. The starting command requires setting the platform tools directory. Also, if the required API version isn’t in the directory, the analysis will fail.

JAADAS can run in two modes:

Fast analysis

Full analysis

The fast mode is designed for batch analysis. To ensure maximum flexibility and reduce the time consumption in this mode, the inter-procedure analysis is disabled. Nevertheless, this mode should be enough for performing a basic security audit. Below you can see an example of the command you need to execute to run a fast analysis:

java -jar /jaadas/jade-0.1.jar vulnanalysis

-f /example_app.apk -p ./Android/Sdk/platforms

-c /home/santoku/jaadas/config/ --fastanalysis

The Full Analysis is the default mode of JAADAs. As the name suggests, it runs a full analysis of the application including a full data flow and procedure analysis. This mode is very resource-intensive, so you need to be careful when performing a large batch operation to not exceed your processing resources. This may break the process, and the operation will never finish. Here you can find execution command for Full Analysis:

java -jar /jaadas/jade-0.1.jar vulnanalysis -f /example_app.apk

-p ./Android/Sdk/platforms -c /jaadas/config/

Output

JAADAS generates results as an output file with a JSON structure. The structure contains a list of vulnerabilities with a description and the source. The result file also contains some brief info about the app and the app’s overall score. The score can be really useful for defining the internal rules for classification. Below you can see an example of the output JSON structure.

{

"score":30.100000381469727,

"md5hash":"82ab8b2193b3cfb1c737e3a786be363a",

"results":[

{

"desc":"Check webview save password disabled or not",

"sourceStmt":"",

"custom":"",

"vulnKind":0,

"destMethod":"",

"paths":[



],

"destStmt":"",

"sourceMethod":"<jakhar.aseem.diva.InputValidation2URISchemeActivity: void onCreate(android.os.Bundle)>"

},

{

"desc":"application is debuggable",

"sourceStmt":"",

"custom":"",

"vulnKind":3,

"destMethod":"",

"paths":[



],

"destStmt":"",

"sourceMethod":""

},

{

"desc":"application doesn't disable backup",

"sourceStmt":"",

"custom":"",

"vulnKind":3,

"destMethod":"",

"paths":[



],

"destStmt":"",

"sourceMethod":""

},

{

"desc":"implicit intent or receiver",

"sourceStmt":"virtualinvoke $r0.<jakhar.aseem.diva.AccessControl2Activity: void startActivity(android.content.Intent)>($r2)",

"custom":"",

"vulnKind":0,

"destMethod":"",

"paths":[



],

"destStmt":"",

"sourceMethod":"<jakhar.aseem.diva.AccessControl2Activity: void viewAPICredentials(android.view.View)>"

},

{

"desc":"implicit intent or receiver",

"sourceStmt":"virtualinvoke $r0.<jakhar.aseem.diva.AccessControl1Activity: void startActivity(android.content.Intent)>($r2)",

"custom":"",

"vulnKind":0,

"destMethod":"",

"paths":[



],

"destStmt":"",

"sourceMethod":"<jakhar.aseem.diva.AccessControl1Activity: void viewAPICredentials(android.view.View)>"

}

]

}

PROS

The result is saved as JSON

It can be easily integrated into your CI stack or with other tools

It generates a Risk Score for each app

for each app You can define your own thresholds for builds on CI

You can expand the tool’s capabilities

JAADAS has a Groovy file with the configuration, which can be easily extended or modified

CONS

Not maintained

The last commit in the repository was published over 2 years ago



The repo contains the following disclaimer:

"This is just a research prototype, use at your own risk. The results may contain false positives and false negatives due to the nature of static analysis. Feel free to fork and pull it."

"This is just a research prototype, use at your own risk. The results may contain false positives and false negatives due to the nature of static analysis. Feel free to fork and pull it." Obfuscated code makes the analysis more complex

The result shows code that is obfuscated



Problems with analysis – obfuscation may cause JAADAS to crash

JAADAS requires preparing SDK platform tools

If the app is targeting API 21, the platform tools for API 21 need to be manually downloaded to the local drive first

The result of the analysis is too verbose

It is hard to read so much data and extract the most relevant information

The result is not user-friendly

The JSON file is not clear, and it’s hard to visualize the scale of potential problems

Summary

As we can see, JAADAS is a very powerful tool that was built on proven and developed solutions. It is easy to use and flexible, because it offers different modes and works directly on APK files. The tool also can be easily expanded thanks to its JSON-based result files and Groovy-based configuration. This may be particularly useful when it comes to the necessity of adapt this tool for your own needs.

particularly useful when it comes to adapting the tool to your own needs.

Unfortunately, in my opinion, JAADAS won't be very useful in the day-to-day work. The most important drawback I found is that the tool has not been maintained for a while. For two years, no new commits have been added to the repository. Although it is theoretically easy to expand the tool, it seems that nobody took advantage of that possibility. Additionally, despite the fact that the result file is defined in JSON and can be easily adapted, it won’t be very useful in the process. The structure is hard to read for humans. Moreover, the need of the additional parser/interpreter will probably force you to look at other tools that are ready to use.

Continue reading:

Android Security Analysis Tools, part two - DIVA app and AndroBugs

Android Security Analysis Tools, part three - Drozer and QARK

Android Security Analysis Tools, part four - MobSF



Photo by NICK SELIVERSTOV on Unsplash