Following is a list of
mobile application security tools for the Android OS. All of these
tools were authored by Jesse Burns and can be found here at http://www.isecpartners.com/mobile_application_tools.html.
Android distributions, and every application installed on them must
have an AndroidManifest.xml policy file, which Manifest Explorer helps
the user find and view. The AndroidManifest.xml sets critical
application policy which is explained at http://developer.android.com/guide/topics/manifest/manifest-intro.html.
The file is of great interesting when analyzing system security because
it defines the permissions the system and applications enforce and many
of the particular protections being enforced. The Manifest Explorer
tool can be used to review the AndroidManifest.xml file, the security
policies and permissions of applications and the system, as well as
many of the IPC channels that applications define and which end up
defining the attack surface of applications. This attack surface
outline is a common starting point for understanding the security of
application and Android distributions.
The tool is simple to use. As shown in Figure 1,
the tool lists all the system’s applications, allows the user to select
one, and then displays the contents of the AndroidManifest.xml file
that pertain to the selected application. The Android system policy can
be found under the special case package name “Android”. A menu option
enables saving the extracted manifest, so the testers can read it more
comfortably on a PC for manual inspection.
Figure 1. Manifest Explorer main screen
Play shows the user all installed packages on the mobile device, and
some of the interesting features those packages install. This helps the
user in the following ways:
Provides an easy way to start and explore exported Activities
Shows defined and used permissions
Shows activities, services, receivers, providers, and instrumentation as well as their export and permission status
Switches to Manifest Explorer or the Setting’s applications view of the application
shows a screenshot of Package Play. The first step with Package Play is
to select the package to examine. By reviewing the list, the user may
see software they did not originally install (such as software
preloaded by the hardware manufacturer) that is not included in the
open-source Android OS.
Figure 2. Package Play
Android, an Intents are one of the most common ways applications
communicate with each other. The Intent Sniffer tool performs
monitoring of runtime routed broadcasts Intents, sent between
applications on the system. It does not see explicit broadcast Intents,
but defaults to (mostly) unprivileged broadcasts. There is an option to
see recent tasks’ Intents (GET_TASKS), as the Intent’s used to start
Activities are accessible to applications with GET_TASKS permission
like Intent Sniffer. The tool can also dynamically update the Actions
and Categories it scans for Intents based on using reflection and
dynamic inspection of the installed applications. Figure 3 shows a screenshot of Intent Sniffer.
Figure 3. Intent Sniffer
A fuzzer is a testing
tool that sends unexpected or incorrect input to an application in an
attempt to cause it to fail. Intent Fuzzer is exactly what is seems—it
is a fuzzer for Intents. It often finds bugs that cause the system to
crash as well as performance issues on devices, applications or custom
platform distributions. The tool can fuzz either a single component or
all installed components. It works well on BroadcastReceivers but
offers less coverage for Services, which often use Binder interfaces
more intensively than Intents for IPC. Only single Activities can be
fuzzed, not all them at once.
can also be started using this interface, and although ContentProviders
are listed, they are not an Intent-based IPC mechanism and so cannot be
fuzzed with this tool. Developers ma want to adapt Intent Fuzzer so
that it can provide Intents more appropriate for their application. Figure 4 shows a screenshot of Intent Fuzzer.
Figure 4. Intent Fuzzer