Security audits in mobile devices (III)

Security audits in mobile devices (III)

Reading Time: 2 minutes

Ok, ok, I know. It has passed almost a month since the last post. But you know, holidays, new year, a cold winter… but I’m here again to conclude this serie about the security audits in mobile devices. In part 1 we saw what were the requirements that we need before start with the audit. In part 2 we actually started with the audit and saw some of the phases of an audit. In this last part we will see the last phases of an audit.

App file analysis

As an auditor it’s also important to know how to do a static analysis.

Making a static analysis the auditor can identify from the file of an application when it is a malicious app.

But, before, how can we suspect of an app?

This is not an exact science and the experience give to the security professional a 6th sense to discover that something is smelling bad in an app. Some of these signs could be that the app has an unknown origin, or when it is used, it doesn’t make what it should, or it ask for more permissions that it should need. These are some symptoms that must make anyone suspect at least a little bit. Then there are also tools that works like anti-virus to identify possible danger in an app. This is the case of Virus Total, for example.

Let’s say that in an audit the auditor finds a suspicious app, and he/she gets the apk or aip file of this app. Then, using some tools he/she can make reverse engineering to see some of the code or at least the structure of the app. Then is there where they see that something doesn’t smell good.

For example, here it can be seen that this app has this structure. The name seems suspicious, so an auditor will check every class.

Suspicious app

After check the app, there is something like this in one of the classes.

Inside the class we see a Ip addess, probably used to send data through the indicated port

There is an ip address and a port. So, the app is sending information to this address through that port. Now the auditor should investigate both port and ip address and check if it is the normal port to send information, or whether this is any kind of malware.

In this exact case it is malware.


As a conclusion to the audit the auditor should present the final report with all detailed steps, giving information about what have been found in the device, possible risks and some advices to prevent attacks. For the client it’s also nice and easier to understand if the auditor evaluate the security of the device with a number. 8 over 10, for example, could be a good rating for the security of a device.