Over the last few decades, smartphone use has grown rapidly, because smartphones make everyday life easier and more convenient to manage. With a smartphone one can not only communicate with other people, but also pay utility bills, shop online, perform bank transactions, learn online, attend meetings, and much more. To extend what smartphones can do, millions of Android applications have been developed, each offering its own set of features. One of the largest distribution platforms for Android applications, the Google Play Store, hosts about 3.3 million applications according to Business of Applications.
As users rely more on their smartphones, attackers are increasingly tempted to look for vulnerabilities in Android phones and applications. Successful exploitation of such a vulnerability can give an attacker extensive access to a user's phone, which can then be turned to whatever malicious end is intended: financial fraud, privacy breach, data theft, or something else.
Securing an Android application requires a rigorous vulnerability assessment. Such an assessment is not an easy process; it consumes a lot of time, people, and money. However, a basic analysis of an Android application can surface information that later helps with the in-depth assessment.
This article focuses on an analysis of Android applications that does not require any sophisticated coding. Simple-to-use tools can perform such an analysis with only basic technical knowledge. For this analysis, the following tools are required:
• Progress Telerik Fiddler Web Debugger
• Android Studio
Coming to the analysis itself, the first check is whether the permissions an Android application asks for when it is installed differ from those declared in its .apk file. For that purpose, one should have Android Studio installed and should look for the AndroidManifest.xml file inside the .apk. The manifest is stored in the package in a compiled binary XML form, so it is not readable if the .apk is simply unzipped; Android Studio's APK Analyzer (Build > Analyze APK...) decodes it. Every <uses-permission> element in the decoded manifest is a permission the application is able to hold. Comparing that list with the permissions shown to the user reveals any permission the app declares but does not advertise. Note that on Android 6.0 and later, permissions classed as dangerous (contacts, location, camera, SMS and so on) are granted at run time rather than at install time, so the install-time prompt does not show the full set; the manifest does.
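The comparison described above, as a small script that is an added example and not part of the original article. It reads a decoded AndroidManifest.xml (the text form produced by APK Analyzer or apktool, not the binary form inside the .apk), lists every declared permission, splits the undisclosed ones into dangerous and normal, and also reports two application-level attributes a practitioner would check in the same file. The manifest and the "advertised" permission list below are constructed for illustration; the dangerous-permission set is a subset of Android's, not the full list.

```python
"""Compare permissions declared in a decoded AndroidManifest.xml with those the
user was shown. Added example; the sample manifest and advertised list are
constructed, not taken from any real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Subset of permissions Android classes as "dangerous" (prompted at run time
# on Android 6.0+). Enough for the demo; extend from the platform docs.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed manifest: the kind of thing a bill-payment app might declare.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.billpay">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
    <application android:label="BillPay"
                 android:debuggable="true"
                 android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity" android:exported="true"/>
    </application>
</manifest>
"""

# Constructed: what the store listing / install prompt showed the user.
ADVERTISED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
}


def declared_permissions(manifest_xml):
    """Every permission the apk can hold: <uses-permission> plus the
    <uses-permission-sdk-23> variant (requested only on API 23+)."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if name:
                names.add(name)
    return sorted(names)


def undisclosed(declared, advertised):
    """Permissions declared but never shown to the user, split into
    (dangerous, normal)."""
    hidden = set(declared) - set(advertised)
    return sorted(hidden & DANGEROUS), sorted(hidden - DANGEROUS)


def application_flags(manifest_xml):
    """Application attributes explicitly set to true that weaken the app:
    debuggable allows attaching a debugger on a production build, and
    usesCleartextTraffic allows plain HTTP."""
    app = ET.fromstring(manifest_xml).find("application")
    flags = {}
    for attr in ("debuggable", "usesCleartextTraffic"):
        value = app.get("{%s}%s" % (ANDROID_NS, attr), "false") if app is not None else "false"
        flags[attr] = value.lower() == "true"
    return flags


if __name__ == "__main__":
    declared = declared_permissions(SAMPLE_MANIFEST)
    dangerous, normal = undisclosed(declared, ADVERTISED)
    print("declared:", *declared, sep="\n  ")
    print("undisclosed dangerous:", *dangerous, sep="\n  ")
    print("undisclosed normal:", *normal, sep="\n  ")
    print("application flags:", application_flags(SAMPLE_MANIFEST))
```

To use it on a real app, decode the package first (for example `apktool d app.apk`, or open it in APK Analyzer and save the decoded manifest) and pass the resulting AndroidManifest.xml text to `declared_permissions`; the advertised list comes from the store listing or the install prompt.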
To find the address of the web server an application talks to, install Fiddler and examine the application's communication with its server. The Host column in the left-hand session list shows the hostname (and port) of each request; the resolved server IP address is recorded per session and can be read from the session's properties (the X-HostIP flag). The prerequisites for using Fiddler are that its root certificate is installed on the Android phone, that the phone and the computer running Fiddler are on the same network, and that the phone's Wi-Fi proxy points at the Fiddler machine (port 8888 by default). With this in place, Fiddler can sniff and intercept the traffic between the application and its web server. Plain HTTP is visible directly; HTTPS can be decrypted only if the application trusts the Fiddler certificate, which apps targeting Android 7.0 (API 24) and later do not do by default for user-installed CAs, and which certificate pinning prevents entirely. For such apps one sees only a CONNECT tunnel that the app abandons, with no decrypted requests beneath it. To view the libraries used by an application, one can install the application named "Appchecker" from the Google Play Store. Zenmap, the graphical front end to Nmap, is another useful tool: pointed at the server address found with Fiddler, it lists the ports, services, and protocols that host exposes. Scan only servers you are authorised to test.
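A way to turn a Fiddler capture into a list of hosts, cleartext endpoints, and scan targets for Zenmap, as an added example that is not part of the original article. It works on a capture exported from Fiddler as an HTTP Archive (File > Export Sessions > HTTPArchive), whose entries carry the request URL and, in HAR 1.2, a serverIPAddress field. The HAR below is constructed for illustration; the hostnames and addresses in it are documentation examples, not real servers, and the "tunnel only" rule for spotting hosts that rejected the Fiddler certificate is a heuristic, not a Fiddler feature.

```python
"""Triage the endpoints an Android app contacts from a Fiddler HAR export.
Added example; the HAR text is constructed and the hosts are fictitious."""
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed HAR 1.2 document: a login over plain HTTP, two HTTPS calls, and
# one host that only ever appears as a CONNECT tunnel (the app gave up after
# seeing Fiddler's certificate).
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "POST", "url": "http://api.billpay.example/login"},
     "response": {"status": 200}, "serverIPAddress": "203.0.113.10"},
    {"request": {"method": "GET", "url": "https://api.billpay.example/account"},
     "response": {"status": 200}, "serverIPAddress": "203.0.113.10"},
    {"request": {"method": "GET", "url": "https://cdn.example.net:8443/config.json"},
     "response": {"status": 200}, "serverIPAddress": "198.51.100.7"},
    {"request": {"method": "CONNECT", "url": "https://pinned.example:443"},
     "response": {"status": 200}, "serverIPAddress": "192.0.2.5"},
]}})


def _entries(har_text):
    return json.loads(har_text)["log"]["entries"]


def _endpoint(entry):
    """(scheme, host, port, method, server_ip) for one HAR entry."""
    req = entry["request"]
    parts = urlsplit(req["url"])
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, parts.hostname, port, req["method"].upper(), entry.get("serverIPAddress")


def cleartext_requests(har_text):
    """URLs sent over plain HTTP: readable and modifiable by anyone on the path."""
    return [e["request"]["url"] for e in _entries(har_text)
            if urlsplit(e["request"]["url"]).scheme == "http"]


def likely_pinned_hosts(har_text):
    """Hosts seen only as CONNECT tunnels with no decrypted request underneath.
    Heuristic: this is the pattern when the app refuses Fiddler's certificate
    (user CA not trusted on Android 7+, or certificate pinning)."""
    tunnel_only, decrypted = set(), set()
    for e in _entries(har_text):
        _, host, _, method, _ = _endpoint(e)
        (tunnel_only if method == "CONNECT" else decrypted).add(host)
    return sorted(tunnel_only - decrypted)


def host_summary(har_text):
    """Per host: server IPs, ports, schemes and request count."""
    summary = {}
    for e in _entries(har_text):
        scheme, host, port, _, ip = _endpoint(e)
        s = summary.setdefault(host, {"ips": set(), "ports": set(), "schemes": set(), "requests": 0})
        if ip:
            s["ips"].add(ip)
        s["ports"].add(port)
        s["schemes"].add(scheme)
        s["requests"] += 1
    return {h: {"ips": sorted(s["ips"]), "ports": sorted(s["ports"]),
                "schemes": sorted(s["schemes"]), "requests": s["requests"]}
            for h, s in summary.items()}


def scan_targets(har_text):
    """Unique ip:port pairs the app contacted, as input for a Zenmap/Nmap scan
    of servers you are authorised to test."""
    targets = set()
    for e in _entries(har_text):
        _, _, port, _, ip = _endpoint(e)
        if ip and port:
            targets.add("%s:%d" % (ip, port))
    return sorted(targets)


if __name__ == "__main__":
    print("cleartext:", cleartext_requests(SAMPLE_HAR))
    print("likely pinned:", likely_pinned_hosts(SAMPLE_HAR))
    for host, info in host_summary(SAMPLE_HAR).items():
        print(host, info)
    print("scan targets:", scan_targets(SAMPLE_HAR))
```

On a real export, pass the file contents instead of `SAMPLE_HAR`; a host that shows up in `likely_pinned_hosts` is one whose traffic Fiddler could not read and will need a different approach than a user-installed CA.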
For vulnerability assessment, two free tools, Quixxi and Yaazhini, can be used. Quixxi takes an .apk file as input and generates a report of all vulnerabilities found, together with the severity level of each. Yaazhini's report goes further: in addition to the severity level, it gives for each vulnerability an explanation, the associated risk, a CVSS score, and recommendations for fixing it. Treat the output of both as a starting point to be verified by hand rather than as a final verdict; automated scanners produce false positives and miss logic flaws. By using the tools and applications mentioned above, one can analyze an Android application at an initial level, since this analysis does not require advanced expertise.