Examensarbeten och uppsatser / Final Theses
Framläggningar på IDA / Presentations at IDA
If nothing is stated about the presentation language then the presentation is in Swedish.
Due to the current distance mode, thesis presentations during spring 2020 will take place online. See the page for online presentations (also linked in the menu) for more information. If a password is required to access an online presentation, please contact the examiner (type the examiner's name in the search bar at the top right and choose "Sök IDA-anställda" in the menu).
- 2020-12-01 at 10:15 in https://liu-se.zoom.us/j/64056863240
Security Auditing and Testing of two Android Client-Server Applications
Author: Matilda Engström Ericsson
Opponent: Joakim Östman
Supervisor: Simin Nadjm-Tehrani
Examiner: Marcus Bendtsen
Level: Undergraduate level (16 hp)
The study assesses two proof-of-concept Android client-server applications, partly against the Open Web Application Security Project (OWASP) Top 10 Mobile Risks from 2016 and partly through a vulnerability assessment that focuses on the architecture and design of the applications.
It is concluded that the applications exhibit several of the OWASP Top 10 Mobile Risks and that automated tools find those vulnerabilities. However, the study shows that satisfying lists like these is not sufficient, since the architecture of an application has major implications for its security, and such a list may give developers a false sense of security. For instance, components often depend on one another and suffer when other components are not up to standard, since they must adapt to legacy code or poor implementations.
Another important finding was that the third-party software Sinch, used to make voice and video calls in one of the applications, exposed the user's IP address in the Binding Request when the Session Traversal Utilities for NAT (STUN) protocol was used. The Android community has a responsibility to let users of the platform know when applications make insecure connections. At the moment there is no way for a regular user to know whether their data is being sufficiently protected. The thesis reflects on this problem and discusses a potential way forward.
Page responsible: Ola Leifler
Last updated: 2020-06-11