Proj 3x: Security Audit of An Android App (40 pts)
What You Need for This Project
- The Android security auditing environment you prepared in previous projects, including Genymotion, Burp, adb, and the Google Play Store, and possibly other tools such as Drozer and qark.
Purpose
Choose any app you like to test, but not one that I've used in homework projects.
Test for security flaws in these areas:
- Network communications
- File storage
- Logging
- Any other areas of interest
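Two of the areas above, logging and file storage, can be checked mechanically once you have pulled the evidence off the device with adb. The script below is an added example written for this page; it is not part of the course materials and not code from any real app. It takes the text of `adb logcat` and of `ls -l` run inside the app's private data directory, and flags log lines that leak credentials, tokens, card numbers or cleartext HTTP URLs, and files whose mode bits let other apps read or write them. The two sample inputs are constructed for the example, and the regular expressions are starting points, not an exhaustive list of sensitive patterns.

```python
import re

# Constructed sample of `adb logcat` output (not captured from any real app).
SAMPLE_LOGCAT = """\
04-21 10:15:02.113  1234  1234 D LoginActivity: starting login for user alice
04-21 10:15:02.220  1234  1234 D AuthClient: POST http://api.example.test/login password=hunter2
04-21 10:15:02.515  1234  1234 I AuthClient: session token=eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln
04-21 10:15:03.001  1234  1234 V Pay: card 4111111111111111 exp 12/29
04-21 10:15:03.010  1234  1234 I UI: rendering dashboard
"""

# Constructed sample of `ls -l` run in the app's private data directory.
SAMPLE_LS = """\
-rw-rw-rw- u0_a123 u0_a123      512 2019-02-15 10:14 shared_prefs/creds.xml
-rw------- u0_a123 u0_a123    40960 2019-02-15 10:14 databases/app.db
-rw-r--r-- u0_a123 u0_a123      128 2019-02-15 10:14 files/config.json
"""

# Patterns checked in order; each hit is reported under its category name.
LOG_PATTERNS = [
    ("cleartext-url", re.compile(r"\bhttp://\S+")),
    ("credential", re.compile(r"\b(password|passwd|pwd)\s*[=:]\s*\S+", re.I)),
    ("token", re.compile(r"\b(token|secret|api[_-]?key)\s*[=:]\s*\S+", re.I)),
    ("card-number", re.compile(r"\b\d{13,19}\b")),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut down false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_logcat(text: str):
    """Return (line number, category, matched text) for every sensitive hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, pattern in LOG_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            # A 13-19 digit run is only reported as a card number if Luhn passes.
            if category == "card-number" and not luhn_ok(m.group(0)):
                continue
            findings.append((lineno, category, m.group(0)))
    return findings


# Matches one `ls -l` line: type, 9 mode bits, owner, group, size, date, time, path.
LS_LINE = re.compile(r"^([-dl])([rwx-]{9})\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+(.+)$")


def scan_permissions(ls_text: str):
    """Return (path, mode, issues) for files that other users can read or write.

    Files under the app's private directory should be owner-only; any 'other'
    bit set means another app on the device can reach the file.
    """
    findings = []
    for line in ls_text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        _kind, mode, path = m.groups()
        other = mode[6:9]
        issues = []
        if "r" in other:
            issues.append("world-readable")
        if "w" in other:
            issues.append("world-writable")
        if issues:
            findings.append((path, mode, issues))
    return findings


def audit(logcat_text: str, ls_text: str) -> dict:
    """Run both checks and return them under the report headings used above."""
    return {"Logging": scan_logcat(logcat_text),
            "File storage": scan_permissions(ls_text)}


if __name__ == "__main__":
    for area, hits in audit(SAMPLE_LOGCAT, SAMPLE_LS).items():
        print(area)
        for hit in hits:
            print("  ", hit)
```

To run it against a real device, replace the two constructed strings with the output of `adb logcat -d` and of `ls -l` from an `adb shell run-as <package>` session, and paste the findings, together with the raw lines they came from, into the report as evidence.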
Security Audit Report
Write a report explaining your methods and results. Here's an example I did, covering only one topic (code modification) for the Bank of America app.
Notifying Vendors
Before disclosing a vulnerability publicly, it is traditional to privately notify vendors, supposedly giving them time to fix the problem. In my experience, the chance of an actual fix is negligible, but privately notifying vendors is a wise political move to avoid criticism from other members of the security community.
I recommend these practices:
- Notification should be short and simple. Mine have probably been too long. Less is more.
- KEEP A RECORD of your notification. This is the most important thing, because most of the time you will be ignored, and they will probably try to say later that you never warned them.
- Be very polite: stick to the facts.
- Wait at least 30 days after private notification before public disclosure.
- Expect abuse rather than thanks. No one wants to hear about their flaws.
I recommend that you let me verify your findings before notifying vendors.
Here is another example of a vendor notification.
Turning in your Project
Email the report, as a PDF or Office document, or a link to a web page, to cnit.128sam@gmail.com with the subject line:
Proj 3x from YOUR NAME
Vendor notification section added 2-15-19