AndroBugs Audit Results so far…
In the previous post yesterday I talked about AndroBugs as a preliminary way of checking apps and then using the results for pen testing and code verification. I have now tested over 50 mainstream apps that most people have on their tablets and phones. These apps range across the well-known categories:
- Banking and Finance Apps
- Critical Infrastructure Apps (Energy, Transport, Defense)
- Defense/DoD (Test Prep, PIM, etc.)
- Social Media (Twitter, Facebook, Instagram, Vine, etc.)
- Anti Virus / Personal Firewall / Mobile Suites
- MDM (Mobile Device Management)
- Password Token Apps
I will be publishing the results by the end of this week for the critical areas that I have found so far. I want to give some folks a chance to plan ahead and protect you all, but I also need to inform everyone about my findings before these are used as the next 0-days (in some cases).
As always, I don’t do this for offensive purposes but to educate and help you protect yourself. I also want to thank the folks that created such an awesome tool as AndroBugs, which you can find on GitHub for free!
One thing is for sure though: these are some of the lessons learned so far:
- If you use SQLite as a DB, remember that there are crypto functions you can use to encrypt data!
- If you use SSL or certificates in general, make sure you have the right types of checks and verification routines, so that the certificate presented is actually the certificate you need and are expecting.
- If you use libraries or functions, limit the exposure to other data outside the app.
- Pay attention to access rights!
- Think 5 times before just “including” a library that you may not need. Sometimes “Xamarin” and other app dev platforms will give you every library you “may” need. This by NO MEANS implies you actually need them all. Every additional resource and library you have needs to be questioned. If you don’t need it, take it out! Every additional service and library is an additional attack surface or potential vulnerability.
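To make the SSL lesson above concrete, here is an added example (my own illustration for this post, not code from AndroBugs or from any of the audited apps) of what “the right types of checks” look like on Android with only the standard `javax.net.ssl` API: the connection trusts one CA bundled with the app, keeps the platform hostname verifier, and additionally pins the server’s public key. The resource name `backend_ca` and the pin value are assumptions; the comment at the top shows, for recognition in code review only, the empty-TrustManager pattern this lesson warns against.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedHttps {

    // What NOT to do. An X509TrustManager whose checkServerTrusted body is empty
    // accepts any certificate, so any interception with a self-signed certificate
    // succeeds. Shown only so the pattern is recognisable in a code review:
    //
    //   public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    //
    // The same goes for a HostnameVerifier whose verify() always returns true.

    // Hypothetical pin (placeholder, not a real value): hex SHA-256 over the
    // DER-encoded SubjectPublicKeyInfo of the backend's leaf certificate.
    // Take the real value from your own server certificate at build time.
    private static final String EXPECTED_SPKI_SHA256_HEX = "<placeholder: hex sha256 of backend SPKI>";

    private PinnedHttps() {}

    /** Builds an SSLContext that trusts only the CA bundled with the app (assumed to be a DER file in res/raw/backend_ca). */
    public static SSLContext contextTrustingOnlyBundledCa(InputStream caDer) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caDer);

        // Empty key store containing only our CA: the device's system CAs are NOT consulted.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("backend-ca", ca);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens a connection, keeps the platform's default hostname verifier, and additionally pins the leaf public key. */
    public static HttpsURLConnection openPinned(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Deliberately no setHostnameVerifier(...): the default verifier checks the
        // certificate's SAN/CN against the URL host, which is exactly what we want.
        conn.connect();

        // Throws SSLPeerUnverifiedException if the handshake did not verify the peer.
        Certificate[] chain = conn.getServerCertificates();
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            conn.disconnect();
            throw new SSLPeerUnverifiedException("no X.509 leaf certificate presented");
        }
        String actual = spkiSha256Hex((X509Certificate) chain[0]);
        if (!EXPECTED_SPKI_SHA256_HEX.equalsIgnoreCase(actual)) {
            conn.disconnect();
            throw new SSLPeerUnverifiedException("public key pin mismatch: " + actual);
        }
        return conn;
    }

    /** Hex SHA-256 over the certificate's DER-encoded public key (SubjectPublicKeyInfo). */
    public static String spkiSha256Hex(X509Certificate cert) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(cert.getPublicKey().getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

From an Activity you would call `contextTrustingOnlyBundledCa(getResources().openRawResource(R.raw.backend_ca))` once and pass the resulting context to `openPinned(new URL("https://..."), ctx)`. Pinning the public key rather than the whole certificate lets the server renew its certificate without an app update as long as it keeps the key; and on Android 7 (API 24) and later the same CA restriction and pins can be declared in a Network Security Config XML instead of code, which is easier for a scanner or a reviewer to audit.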
That’s it for now. Hope you enjoyed the show thus far; if you like it, buy a course on Udemy or book me for your next sec conference.
Your 1D1oT (Security Noob)