Security Assessment Methodology for Mobile Applications

Any type of software, from desktop to mobile applications, is prone to contain defects that can lead to vulnerabilities. When exploited, these vulnerabilities may put at risk the integrity, confidentiality and availability of the software. Security auditing methodologies help to reduce these risks to some level of confidence. With the explosion of mobile applications for daily activities such as checking email, reading news, using social networks, or even managing bank accounts, guaranteeing an acceptable level of application security becomes critical for the usage of, and trust in, mobile services. In this paper, we review the OWASP 2014 Top Ten mobile risks and classify them into analysis blocks. Based on this block classification, we propose a methodology for security auditing mobile software applications. We demonstrate the effectiveness of the proposed methodology by auditing the same mobile application on Google’s Android and Apple’s iOS platforms, surfacing multiple vulnerabilities.
