Page 11 - FIGI: Security audit of various DFS applications
f) M6 Insecure Authorization
g) M7 Client Code Quality
h) M8 Code Tampering
i) M9 Reverse Engineering
j) M10 Extraneous Functionality

Categories M6, M7 and M10 are out of the scope of our tests as they would require access to the source code of the application or reverse engineering the logic of the application.

The following set of 18 tests has been selected based on their pertinence and the feasibility of the test:

2.1 M1 Improper Platform Usage

These tests are done by analysing the manifest of the application. The following issues are verified:

a) T1.1 Android: allowBackup:
This setting should be set to false, which is not the default value.
If this attribute is set to false, no backup or restore of the application will ever be performed, even by a full-system backup that would otherwise cause all application data to be saved.

b) T1.2 Android: debuggable:
This setting should be set to false, which is the default value.
If an application is flagged as debuggable, intruders can inject their own code to execute it in the context of the vulnerable application process.

c) T1.3 Android: installLocation:
This should be set to internalOnly or unset, which is the default value.
If this parameter is set to auto or preferExternal, the application may be installed on a removable memory card.
By gaining access to the memory card, an attacker could be able to tamper with the application or to extract sensitive information.
Note that even if the application fails this test, it does not necessarily mean that the application will be installed on the removable card.

d) T1.4 Dangerous permissions:
The application should not require dangerous permissions without a valid reason.
Android apps must explicitly ask for permissions for many types of operations. Some of these permissions are labelled "dangerous" by Android. The app must explicitly ask the user to grant dangerous permissions with a dialog (e.g., Allow App to make phone calls?). There may be valid reasons for requesting dangerous permissions. For example, a DFS application that needs to scan QR codes for making payments will need the permission to use the camera.
Note that permissions regarding storage of data are considered in the next section.
An app that requires dangerous permissions could abuse the permissions to attack the user. For example, it could dial premium rated phone numbers if dialling permission were granted.

2.2 M2 Insecure Data Storage

These tests are also done by analysing the manifest of the application and by running the app on a phone. The following issues are verified:

a) T2.1 android.permission.WRITE_EXTERNAL_STORAGE:
The app should not require this permission without a valid reason.
This permission allows the app to read and write data on a memory card inserted in the phone.
If the application needs to store substantial amounts of non-sensitive information, this would justify writing to external storage.
By gaining access to the memory card, an attacker could be able to tamper with the application or to extract sensitive information.
Note that even if the application fails this test, it does not necessarily mean that the application will write sensitive data to external storage.

b) T2.2 Disabling screenshots:
The app should disable screenshots while it is running and only show a blank image when in the task switcher.
This is a standard behaviour for secure applications and can be achieved with an application parameter called FLAG_SECURE. This can be tested by running the application and a) trying to make a screenshot, b) switching between apps and observing the thumbnail of the application.
Without this setting, a malicious application could potentially steal sensitive information from the screen of an application.

2.3 M3 Insecure Communication

a) T3.1 Application should only use HTTPS connections:
When running the traffic of the app through an audit machine and observing the packets, only HTTPS traffic should be observed for the application.