At GitLab, everyone can contribute! GitLab 13.5 included an integration for Mobile Static Application Security Testing (SAST) contributed by one of our customers. For their contribution, the H-E-B Digital team was named October 2020's MVP.
Their contribution enables SAST for mobile applications. This includes iOS apps written in Objective-C and Swift, as well as Android apps written in Java and Kotlin.
This blog post goes over how Mobile SAST works on Android.
Static Application Security Testing
Static Application Security Testing analyzes source code for known classes of vulnerability. SAST is used to detect potentially dangerous attributes in a class, unsafe code that can lead to unintended code execution, and other issues such as SQL injection. More information on SAST can be found in the OWASP documentation.
Here is a video which goes over setting up SAST for Mobile, as well as a sample application you can use to get started:
In a nutshell, after the scanner has been configured, whenever a merge request (MR) is created the scanner runs on the application source code and looks for patterns that indicate vulnerable code. How those patterns are defined is covered below.
Initially this analyzer supports source code analysis, but we intend to expand support to binary scanning of .ipa and .apk files in the near future.
Understanding security rules
SAST for mobile applications uses the Mobile Security Framework (MobSF) to scan source code. MobSF applies a set of rules to determine whether an application is vulnerable. The rules used to scan mobile applications can be seen in its rules file. Each rule uses a regular expression to match a vulnerable code pattern in the static source.
You can also contribute your own rules if you have thoughts on enhancements. I made a small change to enable a regex to work on Kotlin. Not only can everyone contribute at GitLab, we encourage team members to contribute to other open source projects.
Note: You will have to test your changes before they can be approved. In order to do this, you must install your branch as seen here.
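As an added illustration (not MobSF's own code or rule file), here is a minimal regex-rule scanner run over constructed Java and Kotlin snippets. It shows why a rule written against Java's setter syntax needs a second alternative to catch the equivalent Kotlin property assignment; the rule ids, field names and the WebView check are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Illustrative regex-rule scanner in the spirit of MobSF's rules.
# Field names and rule ids are invented here, not MobSF's actual definitions.
@dataclass(frozen=True)
class Rule:
    rule_id: str
    message: str
    pattern: str      # regular expression applied to each source line
    severity: str

# Java-only rule: matches the setter call but misses Kotlin's property syntax.
JAVA_ONLY_RULE = Rule(
    "webview_js_java", "WebView JavaScript enabled",
    r"setJavaScriptEnabled\(\s*true\s*\)", "warning",
)

# Same check, extended with an alternative for Kotlin's `javaScriptEnabled = true`.
JAVA_KOTLIN_RULE = Rule(
    "webview_js", "WebView JavaScript enabled",
    r"setJavaScriptEnabled\(\s*true\s*\)|\.javaScriptEnabled\s*=\s*true\b", "warning",
)

def scan_source(files: dict[str, str], rules: list[Rule]) -> list[tuple[str, int, str]]:
    """Scan {path: contents} for .java/.kt files; return (path, line_no, rule_id) hits."""
    hits = []
    for path, text in files.items():
        if not path.endswith((".java", ".kt")):   # only Android source files
            continue
        for rule in rules:
            regex = re.compile(rule.pattern)
            for line_no, line in enumerate(text.splitlines(), start=1):
                if regex.search(line):
                    hits.append((path, line_no, rule.rule_id))
    return hits

# Constructed sample sources (not taken from any real application).
SAMPLE_FILES = {
    "app/src/main/java/com/example/LegacyActivity.java":
        "WebView wv = findViewById(R.id.web);\nwv.getSettings().setJavaScriptEnabled(true);\n",
    "app/src/main/java/com/example/MainActivity.kt":
        "val wv = findViewById<WebView>(R.id.web)\nwv.settings.javaScriptEnabled = true\n",
    "README.md": "setJavaScriptEnabled(true) is mentioned in docs only\n",
}

if __name__ == "__main__":
    for rule in (JAVA_ONLY_RULE, JAVA_KOTLIN_RULE):
        print(rule.rule_id, scan_source(SAMPLE_FILES, [rule]))
```

Running it shows the Java-only rule reporting just the .java file, while the extended rule reports both source files and still ignores the README.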
Adding your own scanners
GitLab is designed to be extensible. Using our integration guidance, you can bring your own scanners into the merge request pipeline and the security dashboards. This is how the MobSF SAST integration was done, as well as the WhiteSource Dependency Scanner.
I hope you enjoyed this blog post. Now you can start making your Android applications more secure. You can reach out on Twitter and share your thoughts with us @GitLab!