NowSecure Lab cloud: Mobile app assessment environment

Waterfall Security: Trust issues with your firewalls? Eliminating vulnerabilities that accompany firewalls is a click away.

NowSecure was one of the companies that caught my attention at this year’s RSA Conference in San Francisco. While it initially seemed like a new player in the field, the company was actually started back in 2009 under the name viaForensics (here’s our interview with ViaForensics CEO).

Last December, they decided to ditch the forensics-focused name and rebrand themselves as NowSecure. Around the same time, the company raised $12.5 million in a Series A round and started working heavily on their line of security assessment products.

NowSecure Lab is mobile app security assessment environment that comes in two versions – as a standalone, on-premise solution, and a “lighter” cloud offering. The on-premise solution runs as a VM instance of Santoku Linux and requires an Apple Macbook Pro. This workstation version of NowSecure Lab includes both static and dynamic analysis, as well as the ability to customize the testing environment for specific applications that need to be assessed.

The cloud version I’ve been using for a couple of months is now in open beta and you can see that the team behind it is actively upgrading functionalities. It is important to note that the cloud offering currently supports only static analysis, but in a discussions with NowSecure representatives I was assured that the addition of dynamic analysis is in the pipeline for H2 2015.

Assessing mobile applications seems like a complex task, but NowSecure Lab definitely disproves this notion: it mostly requires you (the user) to point and click, and occasionally to interact with the service a bit more. You upload the .apk or .ipa file to the system, select the tests you want to run and, in a couple of minutes, you get a detailed report. It is as easy as that.

The user interface is simple but very smooth. The Apps screen lists all the applications you’ve tested, together with the information on the times when tests were done, number of different builds assessed, and the number of discovered security threats. Reports are available in an online, browsable version, or in the form of a downloadable PDF file.

Every security issue found in the mobile application you’ve tested is labeled as low (blue), medium (orange) or high (red) risk. You get a short description of the problem, a set of contextual findings (identifying the actual “offending” lines of code), downloadable artifacts (decompiled app code), as well as very informative recommendations on what you should do to fix them.

Here is an actual example of a recommendation for an issue related to the SecureRandom implementation in an Android app: “Developers who use JCA for key generation, signing or random number generation should explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random. Also, developers should evaluate whether to regenerate cryptographic keys or other random values previously generated using JCA APIs such as SecureRandom, KeyGenerator, KeyPairGenerator, KeyAgreement, and Signature.”

I really liked the level of additional context NowSecure Lab reporting provides. For instance, I got one issue qualified as medium risk, but it was noted that if the app in question is an electronic wallet or is being used for processing monetary or Bitcoin transactions, its risk status should be elevated to high.

Also, in one of the screens it was noted that if the application uses reflection or a shared-id, static analysis may result in false positive results. I presume they are actively working on minimizing false positives, as the same app I’ve assessed two months ago, now shows one less security issue.

From the user perspective, testing applications within the NowSecure Lab environment is rather straightforward, so it is important to see what type of tests are currently enabled. New tests are being added to the web app – for instance, between my first post RSA Conference usage of NowSecure Lab and the assessment I did a week ago, there were several new tests added for Android alone. Here is what is checked when you feed the system an .apk file:

  • APK Files Check: Shows the files contained in the APK package.
  • APK Signing Key Check: Checks if the key used to sign the application has a size superior to 1024 bits.
  • AllowBackup Flag: Checks if the application allows for saving of potential sensitive information during backups.
  • App Assembler Decompilation: Determines if an application can be decoded and if its resources can be extracted for further analysis.
  • App Certificate Validity: Checks if the certificate used during the application compilation is valid.
  • App Debug Flag: Checks if the application was compiled with the debug flag set.
  • App Source Decompilation: Source code is decompiled and made available to the analyst in several formats (Java/Smali).
  • App Source Obfuscation: Checks if the source code has been obfuscated either by Proguard or Dexguard in order to make class identification less obvious.
  • Application Overprivileged: Checks if the application is declaring permissions that are actually never used or called in the code.
  • Dynamic Code Loading: Allows advanced users to dynamically hook up and manipulate classes during a dynamic-analysis of the application.
  • Hardcoded URLs: Checks for embedded URLs in the source code, which can point to sensitive company servers or assets and provide valuable information to potential attackers.
  • Javascript Interface: Checks if WebView elements are potentially vulnerable to Remote Code Execution.
  • Master Key: Checks if the application is protected against the Master Key vulnerability
  • Native Methods Check: Shows the method calls in the APK that call native code.
  • Reflection Code Check: Shows the method calls in the APK that leverage reflection.
  • Secure Random Check: Ensures that the binary was compiled with the ASLR (Address Space Layout Randomization) flag.

Compared to the checks for Android, there are significantly less tests available for iOS applications:

  • Address Space Layout Randomization Check: Ensures that the binary was compiled with the ASLR (Address space layout randomization) flag.
  • Automatic Reference Counting: Checks if the application was compiled with flags, improving its performance and preventing some stack overflow vulnerabilities.
  • Heartbleed Check: I assume this doesn’t need a description
  • Local Authentication: Checks if your application uses an insecure implementation of the Local Authentication framework.
  • OpenSSL: Checks whether the app is bundled with a vulnerable version of OpenSSL
  • Stack Smashing Protection: Checks if the application was compiled with flags preventing some stack overflow vulnerabilities.

Over the past couple of years, there were numerous reports of malicious applications found in the Google Play store. When I got the first media release on NowSecure Lab, I was intrigued to see that one of the specified features was “checking for issues in apps already publicly available in the app stores”. When creating a new assessment, you can skip uploading the file and choose to test a public application.

For obvious reasons, only Android apps from the Play Store are supported, but unfortunately this feature didn’t work for me. I tried all the possible inputs, from specific app names and full package names to random words, but the search always resulted in the message saying the requested app doesn’t exist. This functionality seems interesting, but I would definitely spin it in a separate project, as the target audience for it is much broader than just mobile app developers with security on their mind.

One of the upcoming additions to NowSecure Lab is the possibility of continuous integration. First it was planned to support Jenkins CI (application that monitors executions of repeated jobs, in this case building a software project), but now I see that they are mentioning support for multiple CI platforms. The script will automatically detect new builds, send them to the service for testing and provide the reports.

NowSecure Lab cloud, the online version of NowSecure Lab is currently in free public beta. Have in mind that some tests are only available for premium subscriptions. Pricing details are not public, so you should contact the company directly if you are interested in leveraging the whole arsenal of security tests.

Whether it’s used by developers to test some security aspects of the applications they’ve built, or is integrated into a Secure Software Development life cycle, NowSecure Lab cloud is a much needed security solution. I hope that by the end of the year we will see it maturing from its beta phase, together with the addition of dynamic analysis testing capabilities and continuous integration.