Application Vetting

Application vetting services may look for indications that the application’s update includes malicious code at runtime.

Application vetting services could detect usage of standard clipboard APIs.

Application vetting services could detect the invocations of methods that could be used to execute shell commands.^[1]

Application vetting services could detect applications trying to modify files in protected parts of the operating system.

Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.

Application vetting services may detect API calls for deleting files.

Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.

Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.

Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of DexClassLoader, System.load, or the WebView JavaScriptInterface capability; on iOS, use of JSPatch or similar capabilities).

Application vetting services can detect unnecessary and potentially abused API calls.

Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.

Applications could be vetted for their use of the startForeground() API, and could be further scrutinized if usage is found.

Application vetting services could potentially detect the usage of APIs intended for artifact hiding.

Application vetting can detect many techniques associated with impairing device defenses.^[1]

Application vetting services may potentially determine if an application contains suspicious code and/or metadata.

Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.

Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of ps or inspection of the /proc directory.

Application vetting services could look for misuse of dynamic libraries.

Application vetting services can look for the use of the Android MediaProjectionManager class, applying extra scrutiny to applications that use the class.

Application vetting services could look for the Android permission android.permission.QUERY_ALL_PACKAGES, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API LSApplicationWorkspace and apply extra scrutiny to applications that employ it.

When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.^[2][3]

Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.

Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.

Application vetting services could look for applications attempting to get android.os.SystemProperties or getprop with the runtime exec() commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.

Application vetting services may be able to list domains and/or IP addresses that applications communicate with.

Application vetting services may be able to list domains and/or IP addresses that applications communicate with.

Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.^[4] Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.^[5] Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.

Network traffic analysis may reveal processes communicating with malicious domains.

Application vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network.

Application vetting services could look for connections to unknown domains or IP addresses.

Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection.

Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.

Application vetting services can detect when an application requests administrator permission.

Application vetting services can look for applications requesting the BIND_NOTIFICATION_LISTENER_SERVICE permission in a service declaration.

Application vetting services could closely scrutinize applications that request Device Administrator permissions.

Application vetting services may detect when an application requests permissions after an application update.

Android applications using the RECORD_AUDIO permission and iOS applications using RequestRecordPermission should be carefully reviewed and monitored. If the CAPTURE_AUDIO_OUTPUT permission is found in a third-party Android application, the application should be heavily scrutinized.

In both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary.

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.

Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.

Application vetting services can detect which broadcast intents an application registers for and which permissions it requests.

Application vetting services can detect unnecessary and potentially abused permissions.

Application vetting services can detect when applications request the SEND_SMS permission, which should be infrequently used.

Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.

Application vetting services may indicate precisely what content was requested during application execution.

Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.

Android applications requesting the ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, or ACCESS_BACKGROUND_LOCATION permissions and iOS applications including the NSLocationWhenInUseUsageDescription, NSLocationAlwaysAndWhenInUseUsageDescription, and/or NSLocationAlwaysUsageDescription keys in their Info.plist file could be scrutinized during the application vetting process.

Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as RECEIVE_SMS, could receive additional scrutiny.

Application vetting services could look for usage of the READ_PRIVILEGED_PHONE_STATE Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.

During the vetting process, applications using the Android permission android.permission.CAMERA, or the iOS NSCameraUsageDescription plist entry could be given closer scrutiny.

Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common.