Bluemix Hands-On Workshop
Lab F – Demonstrating: AppScan Mobile Analyzer Service

Version: 1.00
Last modification date: 21 July 2014
Owners: Ziv Dai, IBM Ecosystem Development GTU, [email protected]; Billy Weber, AppScan, [email protected]

Table of Contents
Lab F: Demonstrating: AppScan Mobile Analyzer Service .... 5
1. Overview .... 5
2. Scan Mobile application with AppScan Mobile Analyzer .... 7
3. Fixing high risk recommendations .... 12
4. Rescan and analyze the fixed Mobile application .... 12

Copyright IBM Corporation 2013-2014. All rights reserved.

Lab F: Demonstrating: AppScan Mobile Analyzer Service

Lab Objectives:
This lab demonstrates the AppScan Mobile Analyzer service's capability to perform a security analysis of an Android mobile application. Three steps are demonstrated:
i) Upload a mobile application (APK) and analyze it using the AppScan Mobile Analyzer service.
ii) Fix the mobile code and create a new APK file.
iii) Rescan your mobile application and verify that fewer security issues are found.

Note: Mobile Analyzer is not bound to a Bluemix application. You can use it to scan any APK file, whether it was created from a Bluemix mobile application or from a non-Bluemix app.

Lab Duration: 20 minutes

1. Overview

Buffer Overflow Introduction:
A buffer overflow is a vulnerability encountered when a program writing data to a buffer exceeds the bounds of the buffer, causing the excess data to overflow into adjacent memory. In other words, a buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer boundary and overwrites adjacent memory. This is a special case of a violation of memory safety. Buffer overflows can be triggered by inputs that are designed to execute code or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. They are thus the basis of many software vulnerabilities and can be maliciously exploited.

SQL Injection Introduction:
SQL injection is a code injection technique that exploits a security vulnerability within the database layer of an application. This vulnerability can be found when user input is incorrectly filtered for string literal escape characters embedded in SQL statements.

XSS Injection Introduction:
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

Man in the Middle Introduction:
A popular method is the Man-in-the-middle attack. It is also known as a bucket brigade attack, or sometimes a Janus attack in cryptography. As its name suggests, the attacker keeps himself or herself between two parties, making them believe that they are talking directly to each other over a private connection, when actually the entire conversation is being controlled by the attacker.

2. Scan Mobile application with AppScan Mobile Analyzer

In this section you'll use the AppScan Mobile Analyzer service to scan an Android APK file. Start your browser and go to the URL https://ace.ng.bluemix.net

Step 1: Click on LOG IN.
Figure 1: Bluemix Login page

Step 2: After logging in, click on CATALOG.

Step 3: Browse to the Security Services.

Step 4: In this demo we are about to analyze the DoNothingApplication.apk mobile application.

Step 5: Select AppScan Mobile Analyzer; from the App drop-down list select Leave unbound, and create the AppScan service.

Step 6: Select the created AppScan Mobile Analyzer service on the Dashboard screen.

Step 7: Choose Browse to upload DoNothingApplication.apk.

Step 8: AppScan is processing DoNothingApplication.apk.

Step 9: AppScan has successfully processed DoNothingApplication.apk; the results show High severity. Click Download to view the AppScan recommendations.

Step 10: View the AppScan report; it lists the recommendations for resolving the existing risks.

3. Fixing high risk recommendations

Step 11: Fix the code and create a new APK. For the demo, use the fixed APK: DoNothingApplication-LessIssues.apk.

4. Rescan and analyze the fixed Mobile application

Step 12: Repeat steps 6-9: choose Browse and upload the fixed APK. For the demo we will use DoNothingApplication-LessIssues.apk.

Step 13: [screenshot of the upload]

Step 14: AppScan is processing DoNothingApplication-LessIssues.apk.

Step 15: AppScan has successfully processed DoNothingApplication-LessIssues.apk; the results indicate High severity. Click Download to view the AppScan recommendations.

Step 16: Compare the new report with the previous report. Verify that fewer issues are found now.

Step 17: When comparing the reports you can see that the Buffer Overflow and SQL Injection risks were fixed.
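As an added illustration of the kind of code change Step 11 asks for and Step 17 confirms (this is example code written for this lab write-up, not source from DoNothingApplication.apk, which the lab does not show): an Android SQLite lookup that concatenates user input into the query text, next to the parameterized form that a mobile analyzer would no longer report as SQL injection. The class name, the "users" table and its column names are assumptions.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

// Hypothetical helper class; table "users" and its columns are assumptions.
public class UserLookup {
    private final SQLiteDatabase db;

    public UserLookup(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE: the username is pasted into the SQL text, so a value
    // containing a quote character changes the structure of the statement.
    // This is the pattern a scanner reports as SQL injection.
    public Cursor findUserVulnerable(String username) {
        String sql = "SELECT id, email FROM users WHERE name = '" + username + "'";
        return db.rawQuery(sql, null);
    }

    // FIXED: the value is bound through selectionArgs, so SQLite treats it
    // purely as data; quotes or SQL keywords in the input cannot alter the query.
    public Cursor findUserFixed(String username) {
        return db.query("users",
                new String[] {"id", "email"},   // columns
                "name = ?",                      // selection with placeholder
                new String[] {username},         // bound argument
                null, null, null);               // groupBy, having, orderBy
    }
}
```

After replacing every rawQuery/execSQL call that concatenates input with the bound-parameter form, rebuild the APK and rescan, as in Steps 12-17, to confirm the SQL Injection finding is gone.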