GETTING STARTED WITH ANDROID MOBILE APPLICATIONS SECURITY TESTING
Authors: P. Raghu Vamsi, Agrah Jain
Affiliation: Assistant Professor, Department of Computer Science and Engineering, Jaypee Institute of Information Technology, Noida, India., Solution Advisor, Delloitte USI, Gurugram, India.
ABSTRACT. The availability of the Internet, cheaper data tariffs, and easy way of using the mobile phones made the effective use of Android mobile phones for availing Electronic Commerce (e-commerce) mobile Applications (Apps) by the people for purchasing the daily needs and regular household items. The success of the e-commerce platforms is based on their availability to public as web and Android mobile Apps. Further, their success is based on the trust and security that they maintain regarding users personal and payment data. But the poor design and development, unnoticed mistakes in coding of the e-commerce Android mobile Apps lead to many vulnerabilities and thereby becomes the simple target for the hackers. Along with conventional security testing methods, application dependent methods need to be applied on the e-commerce android Apps. To this end, this paper presents various possible practical security methods followed by penetration testers along with countermeasures that can be applicable for avoiding vulnerabilities in e-commerce Android Apps.
1. Mahmood, Riyadh, Naeem Esfahani, Thabet Kacem, Nariman Mirzaei, Sam Malek, and Angelos Stavrou. "A whitebox approach for automated security testing of Android applications on the cloud." In 2012 7th International Workshop on Automation of Software Test (AST), pp. 22-28. IEEE, 2012.
2. Rai, Pragati Ogal. Android Application Security Essentials. Packt Publishing Ltd, 2013.
3. Avancini, Andrea, and Mariano Ceccato. "Security testing of the communication among Android applications." In 2013 8th International Workshop on Automation of Software Test (AST), pp. 57-63. IEEE, 2013.
4. Salva, Sébastien, and Stassia R. Zafimiharisoa. "APSET, an Android aPplication SEcurity Testing tool for detecting intent-based vulnerabilities." International Journal on Software Tools for Technology Transfer 17, no. 2 (2015): 201-221.
5. Mente, Rajivkumar, and Asha Bagadi. "Android application security." Advances in Computational Sciences and Technology 10, no. 5 (2017): 1207-1210.
6. Fischer, Felix, Konstantin Böttinger, Huang Xiao, Christian Stransky, Yasemin Acar, Michael Backes, and Sascha Fahl. "Stack overflow considered harmful? the impact of copy&paste on android application security." In 2017 IEEE Symposium on Security and Privacy (SP), pp. 121-136. IEEE, 2017.
7. Acar, Yasemin, Christian Stransky, Dominik Wermke, Charles Weir, Michelle L. Mazurek, and Sascha Fahl. "Developers need support, too: A survey of security advice for software developers." In 2017 IEEE Cybersecurity Development (SecDev), pp. 22-26. IEEE, 2017.
8. Dashevskyi, Stanislav, Olga Gadyatskaya, Aleksandr Pilgun, and Yury Zhauniarovich. "The influence of code coverage metrics on automated testing efficiency in android." In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 2216-2218. 2018.
9. Sinaga, Arnaldo Marulitua, P. Adi Wibowo, Ariestoni Silalahi, and Nita Yolanda. "Performance of automation testing tools for android applications." In 2018 10th International Conference on Information Technology and Electrical Engineering (ICITEE), pp. 534-539. IEEE, 2018.
10. Kulkarni, Keyur, and Ahmad Y. Javaid. "Open source android vulnerability detection tools: a survey." arXiv preprint arXiv:1807.11840 (2018).
11. Montealegre, C., Njuguna, C.R., Malik, M.I., Hannay, P., & McAteer, I.N. (2018). "Security vulnerabilities in android applications", In proceedings of the 16th Australian Information Security Management Conference (pp. 14-28). Perth, Australia: Edith Cowan University.
12. Pan, Yuanyuan. "Interactive application security testing." In 2019 International Conference on Smart Grid and Electrical Automation (ICSGEA), pp. 558-561. IEEE, 2019.
13. Morgado, Inês Coimbra, and Ana CR Paiva. "The iMPAcT tool for Android testing." Proceedings of the ACM on Human-Computer Interaction 3, no. EICS (2019): 1-23.
14. Alkindi, Zainab R., Sultan Qaboos Unviresity, Oman Muscat, Mohamed Sarrab, and Nasser Alzidi. "Android Application Permission Model." In 4th FREE & OPEN SOURCE SOFTWARE CONFERENCE (FOSSC’2019-OMAN). 2019.
15. Almeida, Diego R., Patrícia DL Machado, and Wilkerson L. Andrade. "Testing tools for Android context-aware applications: a systematic mapping." Journal of the Brazilian Computer Society 25, no. 1 (2019): 1-22.
16. Lai, Duling, and Julia Rubin. "Goal-driven exploration for android applications." In 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 115-127. IEEE, 2019.
17. He, Yongzhong, Xuejun Yang, Binghui Hu, and Wei Wang. "Dynamic privacy leakage analysis of Android third-party libraries." Journal of Information Security and Applications 46 (2019): 259-270.
18. Alanda, Aide, Deni Satria, H. A. Mooduto, and Bobby Kurniawan. "Mobile Application Security Penetration Testing Based on OWASP." In IOP Conference Series: Materials Science and Engineering, vol. 846, no. 1, p. 012036. IOP Publishing, 2020.
19. Li, Jinfeng. "Vulnerabilities mapping based on OWASP-SANS: a survey for static application security testing (SAST)." Annals of Emerging Technologies in Computing (AETiC), Print ISSN (2020): 2516-0281.
20. Xiao, Jianmao, Shizhan Chen, Qiang He, Zhiyong Feng, and Xiao Xue. "An Android application risk evaluation framework based on minimum permission set identification." Journal of Systems and Software 163 (2020): 110533.
21. Savola, Reijo M., Markku Kylänpää, and Habtamu Abie. "Risk-driven security metrics for an Android smartphone application." International Journal of Electronic Business 15, no. 4 (2020): 297-324.
22. Yasin, Husam N., Siti Hafizah Ab Hamid, Raja Jamilah Raja Yusof, and Muzaffar Hamzah. "An empirical analysis of test input generation tools for android apps through a sequence of events." Symmetry 12, no. 11 (2020): 1894.
23. Pecorelli, Fabiano, Gemma Catolino, Filomena Ferrucci, Andrea De Lucia, and Fabio Palomba. "Testing of mobile applications in the wild: A large-scale empirical study on android apps." In Proceedings of the 28th International Conference on Program Comprehension, pp. 296-307. 2020.
24. Rani, Sangeeta, and Kanwalvir Singh Dhindsa. "Android application security: detecting Android malware and evaluating anti-malware software." International Journal of Internet Technology and Secured Transactions 10, no. 4 (2020): 491-506.
25. Dawoud, Abdallah, and Sven Bugiel. "Bringing balance to the force: Dynamic analysis of the android application framework." Bringing Balance to the Force: Dynamic Analysis of the Android Application Framework (2021).
26. Κούκουνας, Άγγελος Παναγιώτης. "Malware analysis, security evaluation for Android application." Master's thesis, Πανεπιστήμιο Πειραιώς, 2021.
27. News Article: https://timesofindia.indiatimes.com/business/india-business/emails-hashed-passwords-of-18m-ixigo-users-stolen/articleshow/68016866.cms (Last accessed 15-08-2021)