Chapter 4. Overview of Attacking Android Apps

This chapter gives an overview of the attack surface of Android. We will discuss the possible attacks on Android apps, devices, and other components in the application architecture. Essentially, we will build a simple threat model for a traditional application that communicates with databases over the network. Understanding the threats an application may face is essential to knowing what to test during a penetration test. This chapter is a high-level overview and contains fewer technical details.

This chapter covers the following topics:

  • Introduction to Android apps
  • Threat modeling for mobile apps
  • Overview of OWASP mobile top 10 vulnerabilities
  • Introduction to automated tools for Android app assessments

Attacks on mobile devices fall into various categories, such as exploiting vulnerabilities in the kernel, attacking vulnerable apps, tricking users into downloading and running malware that steals personal data from the device, running misconfigured services on the device, and so on. Though there are multiple categories of attacks on Android, this chapter focuses mainly on attacks at the application level. We will discuss various standards and guidelines to test and secure mobile apps. This chapter acts as a baseline for the upcoming chapters in this book.

Introduction to Android apps

Android apps are broadly divided into three types based on how they are developed:

  • Web-based apps
  • Native apps
  • Hybrid apps

Web-based apps

A mobile web app is exactly what it says it is: an app developed with web technologies like JavaScript or HTML5 to provide interaction, navigation, or customization capabilities. Such apps run within a mobile device's web browser and are rendered by requesting web pages from the backend server. It is not uncommon to see the same application served both as a regular browser-rendered application and as an app, since this avoids duplicating development effort.

Native apps

Unlike web-based apps, native mobile apps provide fast performance and a high degree of reliability. They provide fast response times because the entire application is not fetched from the server, and they can leverage the speed of the native support provided by Android. In addition, users can use some apps without an Internet connection. However, apps developed using native technologies are not platform independent and are tied to one particular mobile platform, so organizations are looking for solutions that avoid duplicating effort across mobile platforms.

Hybrid apps

Hybrid apps try to take the best of both worlds, that is, native apps and web apps: they run on the device like a native app but are written with web technologies (HTML5, CSS, and JavaScript). Hybrid apps run inside a native container and leverage the device's browser engine (but not the browser) to render the HTML and process the JavaScript locally. A web-to-native abstraction layer enables access to device capabilities that are not accessible in mobile web applications, such as the accelerometer, camera, and local storage. Usually, these types of apps are developed using frameworks such as PhoneGap, React Native, and so on; however, it's not uncommon to see organizations creating their own containers as well.
