Tools that Ensure Web and Smartphone Apps are Safe and Secure

0
3419

Penetration testing is used to determine the vulnerabilities of Web and smartphone apps. It is also called pen testing or ethical hacking, and can be carried out manually or automatically.

With the increasing dependence on online platforms, the issues and concerns of security and privacy merit attention. A number of cases associated with data breaches, hacking, data leakages, server cracking get reported every day in the global news. This creates a sense of distrust among the public towards the use of online platforms, whether via Web applications or smartphone apps. There is a need to create awareness about the diverse aspects of security and privacy, while using online platforms.

These hacking and data breach attempts actually cost organisations a lot of money, as can be seen in Figure 1 from the reports of the global data platform, Statista.

Figure 1: The cost implications of stolen data (US$) (Statista: https://www.statista.com)
Figure 2: Scan alert summary in Vega

 

Free and open source tools for security

There is a need to secure Web and smartphone applications against malicious hackers and data breach attempts. There are a number of tools and frameworks that are widely used for penetration testing and digital forensics. These tools, when used by application developers, prevent data theft.

Vega (https://subgraph.com/vega/) is one of the powerful free and open source tools for penetration testing. It is used as a Web security scanner and is an effective platform for Cross Site Scripting (XSS) implementations. In addition, the test associated with SQL injection and information disclosure can be evaluated. Vega is a GUI based tool written in Java and is cross-platform. It is developed by Subgraph and is available for cyber forensic and Web penetration analytics.

The Vega scanner presents the vulnerabilities, with the associated impact classified as either High, Medium or Low. This predicts the performance of the Web application and indicates possible security breach points.

Penetration testing and auditing Android based smartphone apps

Today, most of the Web services and applications are deployed on smartphone platforms including Android, iPhone, Blackberry, KaiOS, Symbian, Java and many others. The software applications launched for mobile platforms need to be tested rigorously against assorted assaults and vulnerability points.

Nowadays, most of the smartphone apps are available on Android operating systems. They are widely adopted by mobile phone users because of their popularity and availability as open source distributions. Installation of Android apps in the Android Application Package (APK) format  requires specific permissions, which are generally ignored by Android users.

With the increasing number of smartphones and mobile applications, there is a need to check the vulnerabilities of these devices to avoid misuse and exploitation.

There are a number of cloud repositories, from where the Android APK files are downloaded:

https://apkpure.com/

https://www.apkmirror.com/

https://www.androiddrawer.com/

https://apk-dl.com/

https://en.aptoide.com/

https://androidapksfree.com/

https://www.appsapk.com/

https://apk4all.com/

…and many others.

Figure 3: Deep analysis in the Vega scanner

Using the Android Asset Packaging Tool (AAPT), the permissions associated with the APK can be analysed critically so that data breach attempts and the anonymous copying of information can be avoided. In some cases, smartphone users do not download the Android app from the Google Play Store but directly download the APK from different portals. This practice can be quite dangerous; so users are advised to use advanced tools and analyse the inherent permissions before installing the app on the mobile phone.

Figure 4: Official portal of Android Asset Packaging Tool (AAPT)
Figure 5: Fetching APK permissions using AAPT

In addition, research scholars and practitioners can work on this domain of smartphone malware analysis by collecting the permissions from assorted APK files, and then training the data sets using machine learning. This will help to predict the security, privacy and data breach issues of upcoming smartphone apps.

Table 1: Popular tools for Web application testing

Tool URL
Vega https://subgraph.com/vega/
Canoo Web Test http://webtest.canoo.com/
Webrat https://github.com/brynary/webrat
Watir http://watir.com/
SoapUI https://www.soapui.org/
Cucumber https://cucumber.io/z
Selendroid http://selendroid.io/
Selenium https://www.seleniumhq.org/
Pylot https://code.google.com/archive/p/pylt/downloads
OpenSTA http://opensta.org/
Grinder http://grinder.sourceforge.net/
Gatling https://gatling.io/
Multi-Mechanize https://multi-mechanize.readthedocs.io/en/latest/
Tsung http://tsung.erlang-projects.org/
WebLoad https://www.radview.com/webload-download/
TestNG https://testng.org
Locust https://locust.io/
Capybara https://github.com/teamcapybara/capybara
Apache JMeter https://jmeter.apache.org/
Appium http://appium.io/
FitNesse http://fitnesse.org/

Table 2: Penetration testing and audit tools

Tool URL
AAPT https://androidaapt.com/
OWASP Zed Attack Proxy https://www.owasp.org
QARK

(Quick Android Review Kit)

https://github.com/linkedin/qark
Devknox https://devknox.io/
Drozer https://labs.mwrinfosecurity.com/tools/drozer
MobSF

(Mobile Security Framework)

https://github.com/MobSF/Mobile-Security-Framework-MobSF
Mitmproxy https://mitmproxy.org/
iMAS https://github.com/project-imas/about

 

LEAVE A REPLY

Please enter your comment!
Please enter your name here