Driving SSDLC by adopting Mobile Security Analysis using MobSF
Being the #1 Healthcare application in Indonesia, we always strive hard to safe guard our user’s data and privacy. Though we are constantly on the vigil to watch out for addressing security vulnerabilities, it is imperative to make continuous investments and improvements in making our apps/services secure for our partners and customers. In this journey, we have some significant advances towards Secure Software Development LifeCycle (SSDLC) for our mobile apps, by adopting Mobile Security Testing tools as an integral part of our development process.
About Static Analysis
Static code analysis is a fundamental and elemental steps in SSDLC to catch potential security vulnerabilities in the development cycle itself. In static analysis, application is tested from the inside out. It analyses the source code or binary without executing the application. It can be used to test code during development and catch vulnerabilities early on. Static analysis security testing tools must be run on the application on a regular basis, such as during daily/monthly builds, every time code is checked in, or a code release.
Introduction to MobSF
Another critical tool in our SSDLC arsenal for Mobile apps is MobSF. MobSF(Mobile Security Framework) is an automated, open source, pen-testing framework capable of performing static, dynamic(Android only) and malware analysis for iOS & Android. It support both binaries (APK, IPA) and zipped source code. It has a graphic UI in the form of web service that consist of a dashboard that presents the results of the analysis, its own documentation site, an integrated emulator & an API that allows users to trigger the analysis automatically.
Note: For illustration purposes here, we've called out how to host MobSF in a local environment.
Setup MobSF (Static Analysis)
- Install GIT, Python, JDK & Xcode command line tool
- Clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git and navigate into the Mobile-Security-Framework-MobSF directory
- Run ./setup.sh command in the terminal
Run ./run.sh command in the terminal
MobSF Web Interface
- After running MobSF, navigate to http://localhost:8000/ in any browser to access the MobSF Web interface. Drag and drop IPA/APK or zipped source code.
- Once the uploading is done, browser will be redirected to the report with detailed information about the issues in different categories such as Permissions, Transport Security, Binary, File, Malware etc.
Jenkins pipeline & Alerting system
- To identify issues during the development phase, Static analysis must be done on the application on a regular basis.
- We have setup a downstream pipeline each for development and release binaries. It will be triggered for each successful development / release build generation.
- MobSF provides APIs to do everything that MobSF Web interface does such as upload, scan, generate pdf etc.
- We made use of following APIs to generate pdf reports for development & release binaries, api/v1/upload , api/v1/scan , api/v1/download_pdf.
- Our alerting system notifies us via Slack. We used api/v1/report_json, to generate json representation of the report , parsed and sent the required info such as App name, version, build, MD5, CVSS score, Security score, count of critical issues with high severity, link to the pdf report.
About Average CVSS & Security score
- Each identified issue will have CVSS v2.0 score based on CWE, OWASP standards. Average of these score is shown in the report. As show in below picture, risk level is high when the average CSVV score is above 7.0.
App Security score calculation
- Every app is given an ideal score of 100 to begin with.
- For every finding with
severity high we reduce 15 from the score.
severity warning we reduce 10 from the score.
severity good we add 5 to the score.
- If the calculated score is greater than 100, then the app security score is considered as 100.
- And if the calculated score is less than 0, then the app security score is considered as 10, and is categorized as "Critical" (in terms of risk) as outlined below.
How does it help us?
We have a streamlined process where we check for the security vulnerabilities during the development phase. This helps us in identify and fix existing security issues and also new issues that pops up due to code changes. We have setup an alerting system which notify us of critical risks upfront, well in the development cycle itself. MobSF helps us with running against the CWE, OWASP standards and find if any known vulnerability exists.
As highlighted on this blog, MobSF is our first step towards achieving our goal towards Secure Software Development Cycle(SSDLC), by identifying issues, weed out false positives and critical security vulnerabilities well ahead in the development cycle itself, thereby making our apps secure-by-design from start till finish. Though MobiSF has come limitations, such as lack of support DAST for iOS, etc, one of our critical tools in our SSDLC arsenal for mobile apps and are already reaping in the benefits in has to offer. At the same time, we are continuing our pursuit with exploring other tools that offer more capabilities (such as supporting SAST & DAST for both iOS, Android) and more accurate results and may be able to adopt one or more such tools in near future to make our mobile apps more secure for our stakeholders.
We are always looking out for top engineering talent across all roles for our tech team. If challenging problems that drive big impact enthral you, do reach out to us at email@example.com
Halodoc is the number 1 all around Healthcare application in Indonesia. Our mission is to simplify and bring quality healthcare across Indonesia, from Sabang to Merauke. We connect 20,000+ doctors with patients in need through our Tele-consultation service. We partner with 3500+ pharmacies in 100+ cities to bring medicine to your doorstep. We've also partnered with Indonesia's largest lab provider to provide lab home services, and to top it off we have recently launched a premium appointment service that partners with 500+ hospitals that allow patients to book a doctor appointment inside our application. We are extremely fortunate to be trusted by our investors, such as the Bill & Melinda Gates Foundation, Singtel, UOB Ventures, Allianz, GoJek and many more. We recently closed our Series B round and In total have raised USD$100million for our mission. Our team works tirelessly to make sure that we create the best healthcare solution personalised for all of our patient's needs, and are continuously on a path to simplify healthcare for Indonesia.