Smartphones have become part of our daily lives, but also more importantly, their storage capabilities and sensors have increased beyond our imagination. This could be due to the constant war between Apple and Android; but, when it comes down to it, Android has the largest OS market share despite Apple’s dominance in the smartphone market as a single software-hardware combination platform.  This gets me thinking about Android application security testing, since any of the apps can potentially access whatever data is on the phone.

Android Application Security Information Leakage Will Increase – Be Cautious

Data potentially accessed includes:

  1. System information, including mobile ID, phone number, personal ID, applications installed
  2. Application-related stored information, including personal information of the user and data used by the application
  3. Other application information, including data stored and information about use by other applications

To test an application for information leakage, we want to examine whether there is any malicious behavior that accesses or obtains these data items. Generally, there are two types of information leakage in which information is sent out:

  1. The application sends information (including all three kinds mentioned above) out on purpose to a third-party service, but it is intercepted by a malicious application between the moment it is sent and the moment the third-party service receives it
  2. The application is hijacked by a malicious application into sending out all of its information

The four basic steps of sending information out from an app, the risks and potential leakage, and how to test for security are shown in the table below.

Step 1: Application is authenticated to access the data
  Risks: The application is authenticated for data which it does not need; the application exploits its authentication on behalf of other applications
  Leakage: Malicious behavior can use the application to access the data
  How to Test: We have to test what data the application has to use and how it uses it:
    1. Review the requirements and scan the code to see what data is used
    2. Monitor the data flow to see how the data is stored and used

Step 2: Application is authorized to use the sending interface
  Risks: The application has more authorizations than it needs
  Leakage: Malicious behavior can use the authorization to send the information in different ways
  How to Test: We have to know why and how the application uses this authorization by reviewing the application configuration file. Also, we need to write test code that uses the application's authorizations to see whether they can be used in other ways

Step 3: Application prepares the data and sends it
  Risks: The data the application sends is not well encrypted
  Leakage: Malicious behavior can intercept the information and apply a man-in-the-middle attack
  How to Test: Try to decrypt the data sent

Step 4: A server receives the data
  Risks: The server and/or its data is not secure
  Leakage: Malicious behavior can request information from the server
  How to Test: Determine whether the third-party server is secure from unauthorized outside access
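The configuration-file review in steps 1 to 3 can be started with a static pass over the app's AndroidManifest.xml: which permissions the app requests (does it need them?), which components are reachable by other apps without a permission guard (can a malicious app hijack it?), and whether it allows unencrypted network traffic (can the data be read in transit?). The script below is an added example written for this article, not code from the original post; the manifest it scans is constructed for the example, and the list of sensitive permissions is a small hand-picked subset chosen here to illustrate the check, not a complete catalogue.

```python
"""Static manifest review for the leakage risks discussed above:
over-broad permissions (step 1), exported components a malicious app
could drive (step 2), and cleartext network traffic (step 3).
Added example; the manifest below is constructed, not from a real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hand-picked subset (assumption for this example) of permissions with
# Android's "dangerous" protection level that touch system information,
# personal data and other apps' data, i.e. the three data classes above.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample manifest with one problem of each kind.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.leaky">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
    <service android:name=".UploadService" android:exported="true"/>
    <provider android:name=".ContactsProvider" android:exported="true"
              android:permission="com.example.leaky.READ"/>
  </application>
</manifest>"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def review_manifest(manifest_xml):
    """Return a dict of findings for the three risk classes."""
    root = ET.fromstring(manifest_xml)
    findings = {
        "permissions": [],            # everything requested (step 1: is each needed?)
        "sensitive_permissions": [],  # the subset touching personal/system data
        "exported_unprotected": [],   # components other apps can call (step 2)
        "cleartext_traffic": False,   # HTTP allowed, data readable in transit (step 3)
    }

    for up in root.iter("uses-permission"):
        name = attr(up, "name")
        findings["permissions"].append(name)
        if name in SENSITIVE_PERMISSIONS:
            findings["sensitive_permissions"].append(name)

    app = root.find("application")
    if app is not None:
        if attr(app, "usesCleartextTraffic") == "true":
            findings["cleartext_traffic"] = True
        for tag in ("activity", "service", "receiver", "provider"):
            for comp in app.iter(tag):
                explicit = attr(comp, "exported")
                # A component that declares an intent-filter and omits
                # android:exported is exported by default (the pre-targetSdk-31
                # behaviour), so treat that case as exported too.
                has_filter = comp.find("intent-filter") is not None
                exported = explicit == "true" or (explicit is None and has_filter)
                # An exported component with no android:permission guard is
                # exactly the hijack surface described in the second leakage type.
                if exported and attr(comp, "permission") is None:
                    findings["exported_unprotected"].append(f"{tag}:{attr(comp, 'name')}")
    return findings


if __name__ == "__main__":
    for key, value in review_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Running it against the constructed manifest flags READ_CONTACTS and READ_PHONE_STATE for justification against the requirements, reports the activity (implicitly exported through its intent-filter) and the upload service (explicitly exported) as callable by any app while the provider, guarded by a permission, is not listed, and reports that cleartext traffic is allowed, which is the cue to move on to the dynamic checks in steps 2 and 3 (monitoring what is actually sent and whether it is encrypted).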
Android application security testing is and will be more and more important as the amount of data collected continues to increase. With smartwatches now added to the list of devices collecting personal health data, safeguarding and protecting data becomes even more important. The next step is to determine which tools to use and which tools are best for different vulnerabilities.