Papers no image

Published on August 18th, 2011 | by NJ Ouchn


Securityninja’s life & times : Agnitio and Mobile Apps



Hi everyone,

I’m finally back in the office after my annual trip to Las Vegas, still not fully over the jet lag but caffeine and a weekend that included lots of sleep are helping!

I released Agnitio v2.0 whilst I was in Las Vegas and talked about it at SecurityBSides, BlackHat and DEF CON in three different ways. I did a “normal” talk at SecurityBSides, an Arsenal talk at BlackHat and a SkyTalk at DEF CON. This allowed me to get user and audience feedback in three different ways as well from those had no app sec program and wanted something to base their program around through to those who do security code reviews as part of their day job.

The Arsenal talk allowed me to put Agnitio out in front of people who may not have used or heard about the tool before. It turned into something more like a workshop than a demo session, it was great to brainstorm with users of Agnitio in person about the features they would like to see changed/added and of course the problems they have had with the tool. I came back from Las Vegas with a very long list of ideas for features and an offer of developer’s time from a very large US financial services company. That is an offer I will be accepting so watch this space for really exciting new features in future versions of Agnitio!

That leads me nicely into the thing I really wanted to talk about in this blog post. I delivered a class at SecurityBSides Las Vegas with Daniel Cornell which looked at common mobile application security issues and how to use Agnitio v2.0 to find them in your source code. I was very happy to be delivering this class with Dan but I was even happier about Dan contributing mobile specific rules to Agnitio v2.0 and open sourcing his purposely vulnerable mobile applications!

Dan has given several mobile application security presentations over the past couple years and you can find some of his past presentations here. You can see the slides Dan used in our class here.

In his past presentations Dan has used the Pandemobium stock trader applications which was developed in a purposely insecure way. You can download the application (Android and iOS) from here. These applications have quite a few different vulnerabilities in them to help developers and security analysts explore mobile application security topics.


We used these applications in our class along with the mobile application security rules Dan contributed to Agnitio v2.0. I wanted to show you today how we used the Pandemobium apps and the mobile application security rules. If you want to analyse the source code yourself you can, all you need to do is download the applications and the latest version of Agnitio!

Mobile app review rules

As I mentioned above we have rules for analysing Android and iOS applications in Agnitio v2.0, a few of the rules are shown below:


“Context.openFileOutput() creates a local file on the device.

Android allows storage resources to be constructed with the following permissions:


Context.MODE_PRIVATE – This is the most secure setting because the resource will only be readable by the application that created it

Context.MODE_WORLD_READABLE – This allows other applications who know the name and location of the resource to read it


Context.MODE_WORLD_WRITEABLE – This allows other applications who know the name and location of the resource to write to it.


NOTE: Regardless of the resource exposure based on the arguments to the creation function, malicious applications or malicious users that have root access to the device will be able to read or write to anything on the device. Truly sensitive data should never be stored on the device itself.


More info:




This work by Denim Group is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License <http://creativecommons.org/licenses/by-sa/3.0/>”


“Mobile devices communicate across a variety of networks – both trusted and untrusted.  Therefore it is important that communications be encrypted – typically using HTTPS.  It is also important that HTTPS communications be configured to force proper server authentication.


In addition, many mobile applications communicate with 3rd party services and data returned from these services should be considered untrusted and positively validates for length, data type as well as any other business rules prior to use.


More info:



This work by Denim Group is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License <http://creativecommons.org/licenses/by-sa/3.0/>”



Get the Full Story

Tags: , , , ,

About the Author

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"

Back to Top ↑