NHS Covid 19 app analyzed using MobSF

Outline: [Article Title]

Keyword: [Enter Targeted Keyword]

Keyword MSV: [Enter Targeted Keyword’s Monthly Search Volume]

Author: [Enter Author Name]

Due Date: [Enter Due Date]

Publish Date: [Enter Desired Publish Date]

User Persona: [Enter Targeted Reader and/or User Persona]

NHS Covid 19 app analyzed using MobSF

Mobile technology has been more pervasive in every sphere of society over the previous decade. Cell phones and tablets are widely used to access the web, run apps, receive email, post to social media, make financial and banking activities, and so on so forth.The use of mobile devices for both personal and corporate purposes has increased dramatically. Mobility and flexibility have been greatly facilitated by the introduction of mobile devices and the proliferation of mobile applications. As a result, there have been concerns expressed regarding maintaining security when traveling across the digital environment.

Mobile device security is becoming increasingly important as a main source of concern for users’ privacy. Despite the fact that mobile device companies are concerned about a user’s security and data privacy, the use of internet-based applications poses significant challenges in terms of resolving threats and vulnerabilities while maintaining a user’s data privacy. The majority of software programs are designed to do a specific task and are optimized for a specific set of devices, such as smartphones and tablets. Due to many risks, weaknesses, and vulnerabilities, protecting data on mobile devices is a very risky endeavor.

Security Challenges Faced with Mobile Devices

The use of wireless technology and mobile devices is increasing every day, resulting in a exponentially growing mobile market. The rise in the construction and maintenance of secure identities for mobile devices has posed a significant issue for individuals, society, and organizations, especially in mobile added value services such as mobile banking, mobile ticketing, and a variety of other services.Cyber criminals are increasingly targeting mobile devices as a source of threats and vulnerabilities. Many vulnerable programs/applications for mobile devices are available on the internet, making them a prime target for attackers looking to disrupt security systems, create hazards, and spread malwares. The capacity of a hacker and the security of a firm are becoming increasingly disparate. Mobile device security solutions and regulations must be made more flexible and tightly regulated to resist this kind of trend.

Mobile Security Risks

Threats and assaults that were previously successful on desktop computers are now being tested on mobile devices. As the level of defense rises, so does the quantity of simple targets. Hackers and attackers are focusing on the weakest link in the chain, resulting in a slew of successful fradulent activities.

Application-based Threats:

Internet users have access to a vast number of downloadable apps, many of which have multiple security flaws. Malicious programs can be found on websites, with fraud or scams posing as the greatest threat.

Network-based Threats:

Mobile devices offer the best support for cellular networks and wireless LAN, both of which are prone to different types of risks to users.

Web based Threats:

Mobile devices use web-based applications almost all of the time due to the nature of these activities, web-based attacks pose a substantial hazard to mobile devices.

Highlighting the importance of mobile security.

Staying secure these days is extremely challenging, and our significant reliance on mobile technology makes it even more difficult. Personal social media accounts, emails, sensitive texts, and even bank account information are all stored on our cellphones. Despite the fact that these data are often highly sensitive and may include valuable information, we continue to keep them insdie our mobile devices.Furthermore, smartphones are used for the majority of business-to-business transactions. Social media usage is also largely confined to cellphones as a result of which, a business without mobile or smartphone apps is ineffective.

It’s no secret that mobile technology is rapidly evolving. There are literally millions and billions of individuals on the internet, many of whom use their smartphones. This enormous user base raises a slew of new security and risk concerns. It is critical to understand the mobile security framework and defend yourself from potential security threats in order to optimize revenue while avoiding high risks and dangers.

Cybercriminals and hackers are simply following the crowd and exploiting security holes and backdoors to gain an advantage over their rivals. Because there are more Windows PCs than Macs in the globe, hackers choose to target them.Not only that, there are so many Windows-based computers to steal from, cybercriminals and hackers are more likely to devote more time to honing and polishing their skills on making malware/virus and attacking Windows-based devices.

When it comes to Android vs. iOS, the same is true. Android users are more vulnerable to security risks and attacks than their iOS counterparts due to Android’s large user base and open-source nature. Apple’s iOS, on the other hand, is a closed-source software platform. Developers must confirm their credentials and go through a rigorous application procedure in order to publish even a simple app on the iOS platform. As a result, iOS apps are less vulnerable to security issues than those on other mobile platforms. P.S iOS has its own set of security risks and weaknesses. It’s also not completely safe from security risks and flaws.

Mobile Security Frameworks.

The importance of mobile security is growing. As a result, developers have created mobile security frameworks and even published them to the broader public as fully open-source software. Regardless of whether you’re using Android, iOS, or another mobile OS, this software is meant to mark and test the efficiency of the mobile app. Appmon, Runtime Mobile Security (RMS), OWASP MSTG, and MobSF are just a few of the technologies and tools on the market. MobSF is without a doubt one of the most user-friendly options accessible. It’s a completely free and open-source tool for evaluating the security of mobile/smartphone applications.

What’s the deal with MobSF?

MobSF (Mobile Security Framework) is an all-in-one automated security assessment framework. It can do automated static analysis of Android, iOS, and Windows binaries and source codes, however only Java and Objective C source codes are currently supported. MobSF can also be used to record web traffic from an application, which can then be sent to different security tools such as Burp suite and Owasp zap for web-application or API fuzzing. MobSF is a security tool that is fully free and completely open-source. In December of 2014, the project began. MobSF now features developers from a variety of countries working on variety of features and is actively being developed.

MobSF is a very useful tool for developers because it helps them find security flaws in apps while they’re still being developed, and not only that it also can perform static analysis directly on the source code of those applications. It also aids security engineers in performing mobile app security audits by allowing them to conduct security analysis on both the final production-ready binaries and source code. MobSF also offers a REST API that DevSecOps professionals may use to integrate it directly into CI/CD pipelines, and malware researchers can use to quickly and effectively discover harmful behavior and malware signatures in applications. It’s also possible to perform real-time sandbox dynamic runtime analysis to see how malware behaves.MobSF is a web application that is self-hosted. It’s cross-platform, which means it can run on Linux, Mac OS X, and Windows computers. The static analysis component of the MobSF can be executed on a virtual machine or in a Docker container. In order to do dynamic analysis, MobSF must be installed on the host operating system. If it’s installed in a dockerized environment or a virtualized environment, it won’t be able to perform dynamic analysis. To learn more about MobSF in-depth click here: What is MobSF?

Getting started with MobSF

Setting up MobSF

MobSF is an open-source project which is being actively developed. So, the documentation is subject to change.As a result, always go to MobSF’s official documentation page for the most up-to-date information. MobSF can be installed and executed in a variety of ways:

_ The first method (which is highly recommended) is to: _ The first method of installing MobSF is to manually install all of the required and then run the setup script for your Host Operating System.

Prerequisites requirements

Mac

• Install Git
• Install Python 3.8-3.9
• After installing Python 3.8+, go to /Applications/Python 3.8/ and run Update Shell Profile.command first and then Install Certificates.command
• Install JDK 8+
• Install command line tools xcode-select –install
• Download & Install wkhtmltopdf as per the wiki instructions
• Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux. More Info

Ubuntu/Debian based Linux:

• Install Git sudo apt-get install git
• Install Python 3.8-3.9 sudo apt-get install python3.8
• Install JDK 8+ sudo apt-get install openjdk-8-jdk
• Install the following dependencies

sudo apt install python3-dev python3-venv python3-pip build-essential libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev wkhtmltopdf

• Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux.

Windows

• Install Git
• Install Python 3.8-3.9
• Install JDK 8+
• Install Microsoft Visual C++ Build Tools
• Install OpenSSL (non-light)
• Download & Install wkhtmltopdf .
• Add the folder that contains wkhtmltopdf binary to environment variable PATH.

NOTE: Set JAVA_HOME environment variable. iOS IPA Analysis works only on Mac, Linux and Docker containers.

So, once all of the prerequisites have been installed, you can proceed to the installation stage.

Installation Steps

For Linux and mac.

Copy and paste the script below onto the command line .

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh

Windows.

Copy and paste the script below onto the command line .

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
setup.bat

After you’ve finished the setup, you may use the following instructions to execute the tool:

For Linux / mac:

./run.sh 127.0.0.1:8000

For Windows:

run.bat 127.0.0.1:8000

Check that you’ve installed all of the prerequisites before running the setup script. MobSF offers a variety of assistance options if you run into any problems during the setup process. To learn more about MobSF click here: Installation Guide MobSF

Second method of installing MobSF:

You may always use prebuilt MobSF docker images if you simply need to perform static analysis and don’t want to perform dynamic analysis. Copy and paste the following commands into the command line to pull and launch prebuilt MobSF docker images:

Note: Ensure that Docker is running on your computer.

docker pull opensecurity/mobile-security-framework-mobsf

docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Static Analysis using MobSF

What is a static analysis?

Static analysis, often known as static code analysis, is the process of inspecting a computer program without running it in order to find flaws. Static analysis is most typically performed on a program’s source code using tools that transform the code to an abstract syntax tree (AST) in order to fully comprehend the code’s structure and, as a result, find flaws. A tree representation of a computer program’s source code, known as an Abstract Syntax Tree (AST), which depicts the source code’s structure.

Let’s get started and run MobSF static analysis.

• First, make sure your host PC has all of the necessary requirements loaded.
• Clone the repository in the second step.

Note: In this tutorial, we will be using “Windows” as host operating system and NHS covid 19 “Android” apk binaries for performing static/dynamic analysis

• Installing all the dependencies.

For Linux / mac:

./setup.sh

For Windows:

./setup.bat

• Now, Initialize Run command

For Linux / mac:

./run.sh 127.0.0.1:8000

For Windows:

./run.bat 127.0.0.1:8000

MobSF can now be accessed simply from the browser.

Static analysis of NHS Covid 19 apk binary:

Upload the apk file and start the analysis.

After analysis, the report of the NHS covid 19 apk file will be generated.

Note: If the binaries of apk are big, it will take a bit longer to perform analysis.

Features provided by MobSF for static analysis

Information Section:

APP scores

The app’s different scores are displayed, including the average CVSS, security score, and number of trackers recognized.

MobSF scorecard

It shows a detailed visual representation of the scores for various discoveries.

The Average CVSS and Security score is actually calculated from code analysis findings. The average CVSS score is determined by calculating the average score of CVSS ,whereas the Security score is determined by its severity.

To begin, each app receives a perfect 100 score. MobSF deducts 15 points from the score for each finding with a high severity. For each finding with a severity warning, MobSF subtracts ten points and adds five to the score for each finding with a good severity. The app security score is deemed 100 as long as the calculated score is more than 100. If the estimated value is less than 0, the app security score is assigned a value of 10.

File information

The file’s name, size, and basic hashes are displayed in the File information section, which is positioned next to the App score.

App score

The App Information part, which appears next to the File Information section, offers numerous characteristics about the app, such as the package name, main activity, and current version.

Playstore description

This section will just list the application’s description as it appears on the Google Play Store.

Component section

This section section displays the number of fundamental components used in android application such as, Activities (single screen in your app with an interface the user can interact with), Services (part of application which runs in the background), Receivers (allows users to register for system or application events) and Providers (provides its own UI for working with the data).

Scan Option

This features include options such as Rescan and dynamic analysis. Not only that, but it also has a decompiled code section that displays decompiled versions of android manifest files, java source code, and smali source code, as well as the ability to download the java source code, smali code, and even the apk file itself.

Signer Certificate

The Signer Certificate section contains basic information about a code signing certificate, such as the signature version, hash techniques used, fingerprints, and issuer identifications, among other things. If anything, good or bad, is found, it will be displayed alongside a brief description in the certificate status area.

Application permission

All of the permissions used by the application (NHS Covid-19) are listed in the Permissions section, along with their status, information, and descriptions.

Android API

Android API section provides the information about all the api which is being used inside this particular application.

Browsable activities

This “Browsable activities” section will simply lists out all the browsable activities, such as all the activities which can be browsed by a particular scheme.

Security Analysis:

The security analysis section includes manifest, code, binary, NIAP, and file analysis.

Network Security

Manifest Analysis

MobSF performs static analysis on Android Manifest files to identify any vulnerabilities. It lists out all of the concerns/issues, as well as their severity with detailed description inside this particular section.

Code analysis

MobSF runs static analysis on every decompiled java source code and then generates a report with all errors discovered, along with their severity, standard, and file location and displays inside this section.

Binary Analysis

MobSF lists out all of the issues that have been detected on the shared objects and displays it inside this particular section.

NIAP Analysis

File analysis

Currently it is absolutely blank but inside this section MobSF lists out all of the sensitive files, such as certificates, that are hard coded within the application.

Malware analysis

APKiD analysis

This part provides a solid understanding/picture of the application’s behavior from a code perspective.

Server location

This is MobSF’s finest feature because it includes a gorgeous World Map UI that plots the whole server locations of the evaluated app in exact detail.

Domain malware check

MobSF extracts domains from binaries and compares them to domains recorded in its database that aren’t malicious. As a consequence, it assesses if a domain is excellent or harmful based on such information.

Reconnassance

URLs

MobSf will list and display all of the URLs found in the various source code files for that application and displays it inside this particular section.

Firebase DB

MobSF is capable of extracting all of the Firebase database URLs from the app, as well as doing a secondary check to determine if the database is publicly accessible.

Emails

All of the emails contained in the source code can be extracted by MobSF and displays it inside this particular section.

Trackers

MobSF is capable of extracting out all the possible trackers that are currently being used inside the application and display it inside this particular section.

Trackers are possibly development toolkits or add-ons that collect data and information on the application’s behalf.

Strings

MobSF lists out all the hard coded strings in the binary, especially the ones from the strings resource .

Possible hardcoded secrets

Components

The various sections of the application are referred to as components. This section contains a list of all the activities, services, receivers, providers, and libraries used by this application. It also includes all of the files that are included in the application’s binaries.

Activities

Activities are simly a single screen in your app with an interface the user can interact with

Services

Services are part of application which runs in the background

Receviers

Receviers allows users to register for system or application events

Providers

Providers provides its own UI for working with the data

PDF report

The PDF report section allows you to create a professional-looking PDF report that contains high-level information about the various findings of that particular analyzed application.

Visit this link to see the full report on this specific application.

Dynamic Analysis of NHS Covid 19 .

What is Dynamic analysis ?

Dynamic analysis is the process of testing and assessing a program while it is executing. Dynamic analysis, also known as dynamic code scanning, aids in the detection and correction of errors, memory issues, and other issues that arise during program execution. Before moving on to dynamic analysis, static analysis is required.

Dynamic analysis mechanism

MobSf will first install the apk on the genymotion vm before instrumenting it.Xposed and Frida are used for instrumentation; Frida is used for Android 5.0 and up, and Xposed is used for Android 5.0 and below. There are some agents deployed in the genymotion VM as well. The agents will start capturing and gathering data relevant to the app once it has been instrumented. The collected data will be emailed back to MobSF after the report is completed, and the app’s full data will be dumped into the device for additional study.

Make sure you’ve configured the dynamic analyzer for MobSF before starting the analysis. You must start a genymotion VM before launching MobSF to perform android dynamic analysis flawlessly.

Starting Dynamic analysis

Open scan options and click on Start Dynamic Analysis.

If everything went well, you should be able to see the dashboard.

MobSF Dynamic analysis features:

Show/Stop Screen:

This feature displays the screen of the emulated device on the web interface. Some fundamental functions, including as touches and clicks, can be performed straight from the web interface.

Remove Root Certificate(CA):

This feature is in charge of intercepting the device’s traffic.

TLS/ SSL test:

TLS/SSL Security test helps you to evaluate the security of your application’s network connections. These tests are applicable only for applications that performs network connections over HTTP protocol.

Exported Activity Tester:

This tests allows you to dynamically test for exported actions, which is useful for creating dynamic proof of concepts and verifying static analysis results.

Activity Tester:

You can use this test to forcefully test all non-exported actions.

Get Dependencies:

This feature helps to collect all the info about runtime dependencies of the application.

Take Screenshots:

It allows you to take a screenshot of theIt enables you to snap a screenshot of a device that is running in a virtual machine device running on a Virtual Machine.

Logcat Stream:

The Logcat stream displays all of the device’s real-time logs.

A new window will be opened

MobSF currently lacks a capability that enables automatic dynamic analysis. It merely provides a simple user interface for semi-automated dynamic analysis. This is because MobSF has no understanding what your application’s business logic is, how to fill in the login and password fields, or what data it should provide. You must manually walk through the application’s numerous business logic and issues to get the most out of MobSF dynamic analysis, while MobSF does security analysis on these issues in the background.

Starting the Dynamic Analysis Process and :

The initial stage in the dynamic analysis process is to select start instrumentation, which will load the application and enable MobSF to instrument it.

The application will be spawned and a few Frida scripts will be loaded after it is started.

Instrumentation with Frida

Use the console to see the output created by these Frida scripts, or look in the Frida live logs folder. Whether you’re running a custom Frida script or writing one, Frida live logs will show you all of the output from the various Frida scripts.

Once the instrumentation process is complete, the Live API monitor button will be enabled. The live API monitor simply logs all API calls that occur during the course of the application.

MobSF dynamic analyzer also provides access to the Frida code editor where custom or pre-built Frida scripts can be loaded.

Generate Report:

MobSF is advised to stop all analysis and generate a report when the Generate Report option is selected.After the dynamic analysis is completed, the final report should look somewhat like this.

Visit this link to see the full dynamic analysis report on this specific application.

Closing

MobSF is a very useful tool for developers because it helps them find security flaws in apps while they’re still being developed, as well as do static analysis directly on the source code of those apps. It also aids security engineers in performing mobile app security audits by allowing them to conduct security analysis on both the final production-ready binaries and source code. MobSF also offers a REST API that DevSecOps professionals may use to integrate it directly into CI/CD pipelines, and malware researchers can use to quickly and effectively discover harmful behavior and malware signatures in applications.This article may have been entertaining as well as instructive in terms of how to install MobSF and use it from the ground up on a variety of platforms. Join Aviyel’s community to learn more about the open source project, get tips on how to contribute, and join active dev groups.

Call-to-Action

Aviyel is a collaborative platform that assists open source project communities in monetizing and long-term sustainability. To know more visit Aviyel.com and find great blogs and events, just like this one! Sign up now for early access, and don’t forget to follow us on our socials!