Framework for App Security Tests
In addition to the numerous report formats available in the download area, the results of an app analysis can also be printed using the browser.
The presentation for the app test detail pages has been improved so that e.g. all result lists are always unfolded and that only elements which hold relevant information for printing are shown.
Top App List can be Integrated
All customers with Appicaptor SmartWeb or Appicaptor Corporate subscriptions can retrieve additional access to the results of the current Top2000 app list for iOS and Android. The results are directly available for a reduced additional fee. Contact the Appicaptor support for a Top App subscription. The Top App results can be individually evaluated or combined with the results of the ordered app tests.
Extension in Appicaptor Web Interface
Within the overview page of the test results, all entries can now be sorted by all columns. By clicking on the column name, the respective column is used for sorting (or the sorting sequence is reversed). This makes it easy to sort all result lists by app type, number of risks, or violation of blacklist rules.
Test Cases
Among other things, the vulnerability patterns for communication protection were expanded. In addition, the security quality of iOS Apps is now evaluated by using the “App Transport Security” configuration. A deviation from the secure default setting, for example to enable unencrypted HTTP connections, is now included in the automatic risk assessment. In addition, the configuration details are listed in the report.
it-sa 2016
We show the risks of poor security quality for apps as al demonstration live on the it-sa from 18th to 20th October 2016 in Nuremberg (in Hall 12 at booth 430). We will show the example of a trustworthy TV-program app for iOS. When using the app in public WiFi, attackers can misuse the included Cordova calendar plugin to read or delete any appointments on the iPhone, which can result on any modification or deletion of the appointments on all synchronized devices.
Analysis Enhancement for Web Apps
The current version of Appicaptor extends the analysis of apps developed using the Apache Cordova framework. This framework allows access to smartphone features through JavaScript code. Due to recent weaknesses discovered in the framework, Appicaptor also lists the Cordova platform version used within the evaluated app and points out the appropriate CVE numbers for the vulnerabilities known for the detected Cordova platform versions.
In order to protect Cordova apps, the access of the app should be restricted to trustworthy domains in the Cordova whitelist. Appicaptor therefore shows the defined whitelist and evaluates it. Unfortunately the default whitelist configuration is not secure and an adjustment is often forgotten during deployment.
Furthermore, the automated assessment of Cordova plugins for attacks via unprotected HTTP connections was extended. There is a considerable risk for user data in many popular apps based on Cordova, which is already taken into account in all Appicaptor policy rule sets. Adaptation of the individual rule sets is therefore not necessary. In general, users of Cordova apps should better disable the permissions. Permissions like calendar and address book access should be deactivated, because they usually have only a small (sometimes even unknown) benefit (reminder functions), but the risk of unauthorized access is quite high.
Advanced Export Function
Appicaptor now supports the new app list import format of Sophos Mobile Control. Appicaptor can create white- and blacklists in this format for each Appicaptor policy set at each Appicaptor run. The lists can then be imported directly into Sophos Mobile Control. Interested customers can activate the Sophos import format for their Appicaptor subscription by contacting the Appicaptor Support.
Analysis of Cryptographic Weaknesses
Due to the critical findings in numerous manual app analyzes, we have included additional test cases for cryptographic weaknesses in Appicaptor. Appicaptor now detects the usage of static values that should not be integrated into an app. This includes static cryptographic keys as well as cryptographic random generators with fixed seed values, which makes it very easy for attackers to break the encryption. In addition, static initialization vectors are detected in block ciphering, as this allows the attacker to draw conclusions about segments of encrypted messages.
App Classification
The classification of apps with their described main function enables the security-relevant evaluation of the detected app properties. In the current Appicaptor version, we have further optimized the classification using the app description text. In addition, two new app types were added to the classification of apps. The new app type ImageCreator combines apps to create and edit images in a function model, and the type AudioProcessing allows you to specifically evaluate apps that process audio data.
In addition, the Appicaptor Web Interface now allows you to set an app type when uploading app binaries. Thus also for these apps the possibility of a specific evaluation of the app properties by the set app type exists. Existing, already uploaded app binaries are still evaluated with the type Generic and can be re-uploaded with the desired specific app type.
Analysis of App Developments
It is possible to analyze apps that are not (yet) available in the App markets. All Appicaptor users with with an Appicaptor Corporate subscription can use the updated Appicaptor Web Interface functionality found at the menu item “Orders” and the new menu item “Upload binary App”. For more details refer to the updated Appicaptor Quick Start Guide.
Enhanced Analysis Scope
Additional security-relevant app properties are now detected and evaluated. For iOS apps, for example, the different extensions are displayed (app extensions e.g.: Document Picker, Watch App, etc.). Those functions can be used by other apps without the execution source app that the extension makes available. An extension can gain access to user-related data, in the name of other app as well as through shared resources in the name of the source app. As a result, confidential corporate data may be passed to untrustworthy apps.
Changes to Appicaptor Subscriptions
All companies with (existing) Appicaptor Top Free subscriptions receive an additional user account per app platform, in order to make it easier to create deputy processes. In addition, there is now the possibility of a weekly test cycle of 25 apps with the Appicaptor Starter Corporate Weekly subscription as an alternative to the monthly test cycle.