9. Static Analysis VS Dynamic Analysis

Static Analysis:

  • Purpose: Focuses on reviewing the source code or APK of an app without executing it.

  • How It Works: Involves extracting and analysing code, manifest files, and resources for patterns, vulnerabilities, or insecure configurations. It can be done using tools that decompile the app's APK or inspect its bytecode.

  • Pros:

    • Can identify issues early in development.

    • No need to run the application, so it's useful for identifying issues in closed-source or third-party apps.

  • Cons:

    • Cannot find runtime issues, such as data leakage or runtime permission abuses.

    • Requires access to the source code or APK.

  • Example: Searching for hardcoded credentials or insecure permissions in an APK.

Tools:

  • APKTool:

    • Purpose: Decompiles APK files into their original resources and manifest files to analyse code structure, app configurations, and potential vulnerabilities.

    • Use Case: Examining the structure of the APK, extracting resources, and understanding permissions.

  • JD-GUI:

    • Purpose: Decompiles .dex files (Dalvik Executable) from APK files into readable Java code.

    • Use Case: Inspecting the logic of an application to identify issues like hardcoded credentials or insecure API calls.

  • FindBugs:

    • Purpose: Analysis Java bytecode to detect bugs, potential security vulnerabilities, and unsafe coding practices.

    • Use Case: Automated detection of code issues like null pointer exceptions or improper data handling.

  • SonarQube:

    • Purpose: A continuous inspection tool that tracks code quality and security vulnerabilities, providing detailed reports.

    • Use Case: Analysing source code for vulnerabilities like SQL injection or cross-site scripting (XSS) before runtime.

  • MobSF (Mobile Security Framework):

    • Purpose: An automated tool for static analysis of Android and iOS apps.

    • Use Case: Scanning APK files for issues like hardcoded secrets, insecure permissions, and potential malware.

Dynamic Analysis:

  • Purpose: Involves analysing the application during its runtime to observe its behaviour and identify vulnerabilities in real time.

  • How It Works: Running the app on a real or virtual device and monitoring its behaviour, such as network requests, API interactions, memory usage, and system logs. Tools like Frida or Burp Suite help in manipulating the app or inspecting traffic to understand its behaviour in various scenarios.

  • Pros:

    • Identifies issues that appear during runtime, such as data exfiltration or unexpected behaviour.

    • Can be used to examine how the app interacts with external components, APIs, and services.

  • Cons:

    • Might not catch certain vulnerabilities like code-level flaws or misconfigurations.

    • Requires running the application, which can be time-consuming or risky for closed-source apps.

  • Example: Analysing network traffic for unencrypted data transmission.

Tools:

  • Burp Suite:

    • Purpose: A comprehensive suite for testing web application security, including interception of HTTP/S traffic.

    • Use Case: Monitoring and manipulating HTTP requests and responses between the Android app and the server to find vulnerabilities like improper input validation.

  • Frida:

    • Purpose: A dynamic instrumentation toolkit that helps analyse, modify, and interact with live applications by injecting scripts into running processes.

    • Use Case: Reversing app behaviour, bypassing checks, or analysing memory leaks and resource usage.

  • Wireshark:

    • Purpose: A network protocol analyser that captures network packets to examine traffic between the app and external services.

    • Use Case: Capturing and inspecting network communication to detect insecure data transmission, such as passwords or tokens sent over HTTP instead of HTTPS.

  • Drozer:

    • Purpose: A penetration testing framework for Android that allows security researchers to explore vulnerabilities in Android apps and their components.

    • Use Case: Exploiting vulnerabilities in app components like content providers, services, and activities to understand how they can be attacked.

  • Xposed Framework:

    • Purpose: A framework for Android that allows you to change system and app behavior at runtime without modifying the APKs.

    • Use Case: Modifying app behaviors dynamically, bypassing app protections, or modifying app logic to discover flaws.

Conclusion:

  • Static Analysis: Best used for finding vulnerabilities early in development by analyzing source code or APK files. It's helpful for ensuring code is secure before being executed but cannot detect runtime behaviors.

  • Dynamic Analysis: Best for testing the actual behavior of an app in real time to detect runtime issues that static analysis cannot find, such as how an app handles network traffic or interacts with the system.

PreviousWhat is ADB (Android Debug Bridge)?NextNetwork

Last updated