Tool boosts iOS, Android app security testing

Security profiling for blackbox tests.

Researchers have developed a tool to help penetration testers better understand iOS and Android application vulnerabilities by analysing how programs act at runtime.

The Introspy open-source security profiler tool helped to simplify and streamline the security assessment of iOS and Android applications, which had previously been a manual and time-consuming process.

It could be installed on jailbroken iOS and rooted Android devices and worked by using a tracer designed for each platform along with an analyser.

The tracers hooked and recorded the security-sensitive application programming interfaces (APIs) that a given application called at run-time.

Function calls related to cryptography, inter-process communication (IPC), data storage or data protection, networking, and user privacy were recorded in a SQLite database on the device.

The database would then be fed into the analyser, which would generate an HTML report listing all recorded calls alongside the potential vulnerabilities affecting the application.
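To make the tracer-then-analyser flow concrete, the following is an added Python sketch of the analyser side; it is not Introspy's own code, and the table layout, the sample rows and the three rules are constructed assumptions. It loads a trace of recorded calls into SQLite, runs simple rules over it, and renders the matches as a minimal HTML report.

```python
import html
import sqlite3

# Constructed sample trace of hooked calls, not Introspy's real schema:
# (api_group, hooked_function, arguments_as_recorded)
SAMPLE_CALLS = [
    ("crypto", "CCCrypt", "alg=kCCAlgorithmDES keylen=8"),
    ("crypto", "CCCrypt", "alg=kCCAlgorithmAES128 keylen=32"),
    ("storage", "-[NSData writeToFile:options:error:]",
     "path=/Documents/token.dat options=NSDataWritingFileProtectionNone"),
    ("networking", "+[NSURLConnection sendSynchronousRequest:returningResponse:error:]",
     "url=http://api.example.com/login"),
    ("networking", "+[NSURLConnection sendSynchronousRequest:returningResponse:error:]",
     "url=https://api.example.com/login"),
]

# Assumed rules: (finding title, API group it applies to, predicate over the argument string)
RULES = [
    ("Weak cipher", "crypto", lambda a: "DES" in a or "RC4" in a),
    ("File written without data protection", "storage", lambda a: "ProtectionNone" in a),
    ("Cleartext HTTP request", "networking", lambda a: "url=http://" in a),
]

def load_trace(rows, path=":memory:"):
    """Create the trace database (in memory by default) and insert the recorded calls."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE calls (id INTEGER PRIMARY KEY, api_group TEXT, "
                 "function TEXT, arguments TEXT)")
    conn.executemany("INSERT INTO calls (api_group, function, arguments) VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn

def analyse(conn):
    """Run every rule over every recorded call; return the calls that match a rule."""
    findings = []
    for call_id, group, func, args in conn.execute(
            "SELECT id, api_group, function, arguments FROM calls ORDER BY id"):
        for title, rule_group, matches in RULES:
            if group == rule_group and matches(args):
                findings.append({"call_id": call_id, "title": title,
                                 "function": func, "arguments": args})
    return findings

def html_report(findings):
    # Recorded values come from the traced app, so escape them before embedding in HTML.
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            f["call_id"], html.escape(f["title"]), html.escape(f["function"]), html.escape(f["arguments"]))
        for f in findings)
    return ("<table><tr><th>#</th><th>Finding</th><th>Function</th><th>Arguments</th></tr>"
            + rows + "</table>")
```

Running `html_report(analyse(load_trace(SAMPLE_CALLS)))` flags the DES call, the unprotected file write and the cleartext request, while the AES and HTTPS calls pass.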

Reviewing applications without access to source code required in-depth knowledge of the platform APIs and the skills to use complex, generic tools such as Cycript and Cydia Substrate.

Speaking at the Ruxcon 2013 conference in Melbourne, iSEC researchers Alban Diquet and Marc Blanchou guided delegates through the concepts and methodologies for mobile black box testing, a cursory review of classic iOS and Android application vulnerabilities and a demonstration of Introspy.


Copyright © SC Magazine, Australia
