Applications (Android or otherwise) are susceptible to security vulnerabilities. Hence it is important to stay on top of the latest security updates and configure apps for the same. The usual approach for scanning mobile applications and finding security reports involves a series of painstaking steps from the development of the application, scanning, and static analysis of the code, to remediation and rescan.

*The traditional methods of scanning mobile applications and finding security report*

‍

BeVigil's Jenkins plugin simplifies this task by identifying security vulnerabilities during the application development phase itself. By utilizing this plugin, developers and security teams can easily detect and address any issues that arise during development and streamline the remediation process.

‍

What Mistakes are Made by the Developer?

One of the biggest mistakes made by a Developer is that they usually hardcode the API keys, secrets, and assets in the source code while pushing the build APK to the PlayStore. As shown in the image below, the developer has hard-coded the Razorapay key and secret in the application. Hardcoding these keys can lead to the leak of user’s PII.

Types of Keys/URLs Leaked by the Developers & Their Impact

‍

Exposed Key/URL	Description	Developer Mistake	BeVigil Finding
Firebase Database	Developers use the firebase for storing some data but forget about the security concerns related to the database.	Not restricting permission of the database.	Almost 18K Firebase databases were readable and had over 10M downloads on the PlayStore, thus leaking a lot of PII.
Razorpay Keys	Hardcoded Razorpay keys and secrets can compromise sensitive financial data, including payment card information and transaction details. The leaked keys can be used to authenticate requests to the Razorpay API and make unauthorized transactions, manipulate payment data, or even access other sensitive information stored on the payment gateway's systems.	Hardcoding Razorpay ID is okay but hardcoding secrets or keys in the source code with excessive permissions can lead to compromising details.	Almost 1.6M user data was compromised via hard-coded Razorpay keys.
AWS Access Key & Secret	These are used to authenticate and authorize access to AWS resources, such as EC2 instances, S3 buckets, and other cloud services. If compromised, they can potentially provide an attacker with access to an organization's entire cloud infrastructure and the data stored within it.	Permissions of AWS access key and secret must be restricted.	Around 100GB of leaked data was obtained due to misconfigured AWS Access Key and Secret.
GitHub Personal Access Token (PAT)	A PAT is a string of characters that provides access to perform actions on behalf of a user's GitHub account, such as creating, deleting, or modifying repositories, accessing private repositories, or posting comments. It can be used to authenticate API requests and is generated by GitHub. Hardcoding PATs can lead to accessing GitHub private repositories.	GitHub tokens are not usually used in mobile apps for anything but often times developers hardcoded this by mistake.	Over 159 private repositories can be accessed from the compromised tokens discovered in BeVigil.
Twitter API Keys	These API keys if hardcoded can lead to the full takeover of a user’s Twitter account(s) and perform sensitive actions such as reading direct messages, retweeting, removing followers, following strangers, etc.	Hardcoding Twitter consumer key, consumer secret as well as the Twitter access token and secret, thus providing an opportunity for complete account takeover.	3,207 apps were found leaking valid Consumer Key and Consumer Secret. Around 230 apps (including some unicorns) were leaking all 4 authorization credentials.
Hubspot API Keys	These keys are generally not used in mobile apps but if compromised these keys can leak the users’ PII.	Hardcoding the API key which is generally not used by mobile app developers.	1.6M users’ data can be compromised with the help of just one API key.
Shopify API Keys	If compromised these API keys can lead to reading and writing customers' data as well as the order information.	Hardcoding the API key with excessive permission.	21 apps were identified to have 22 hardcoded Shopify API keys/tokens. These apps put close to 4M users at risk.
MailChimp API Keys	Mailchimp is a popular email marketing and automation platform that allows businesses and individuals to create, send, and manage email campaigns to their subscribers. An exposed Mailchimp API key can be used to access the Mailchimp account and send unauthorized emails, steal contact lists, view campaign analytics, etc. The compromised account can also be used to create and launch phishing campaigns, distribute malware, or commit fraud.	Hardcoding the API key which can be generally sent from the backend.	Out of the total 319 identified API keys, 90 API keys (i.e. 28%) were found to be valid. 12 keys were found to allow read-email access.
SendGrid API Keys	SendGrid is a communication platform intended for transactional and marketing emails. Exposed SendGrid API keys allow attackers to send unauthorized emails from the affected account. They can also gain access to sensitive information such as email addresses, subject lines, and message contents.	Hardcoding the API key with excessive permission.	Out of 319 identified API keys, 128 keys were found to be valid. 121 keys allowed actors to send emails, 65 keys allowed actors to delete API keys, and 42 keys allowed actors to modify 2FA.
Mailgun API Keys	Mailgun provides email API services enabling brands to send, validate, and receive emails through their domain at scale. If exposed, these keys can be used to send unauthorized emails from the affected account, gain access to sensitive information, and monitor/analyze email traffic, which could reveal business-critical information.	Hardcoding the API key with excessive permission.	35% of the analyzed apps allowed anyone to send and read emails.

‍

How Does BeVigil’s Jenkins Plugin Help?

*Image depicting how the BeVigil plugin can help find security issues in mobile apps*

‍

Let's understand what Jenkins is. Jenkins is an open-source automation server widely used for continuous integration and continuous delivery (CI/CD) of software projects. Jenkins provides many plugins to extend its functionality and supports various types of build, deployment, and testing tasks.

‍

Jenkins works by triggering automated builds and tests whenever changes are made to the source code repository. It integrates with version control systems such as Git, SVN, and Mercurial, and can be configured to run automated tests, code analysis, and packaging of the application.

‍

Jenkins is a powerful automation tool that helps software teams to improve their software development processes by automating repetitive tasks and enabling faster feedback cycles. Its popularity is due to its flexibility, scalability, and ease of use, making it a preferred choice for many development teams around the world.

‍

Working of BeVigil’s Jenkins Plugin

BeVigil Jenkins plugin will help app developers remediate issues at the time of development. As soon as a developer commits a code, they will receive a detailed security report from the BeVigil Jenkins plugin for APK or IPA files. This report would include information such as:

What is the issue?
What is the impact?
What are the remediation steps?
Which file issue was found?
What was the exact match in the source code which led to our scanner detecting it as a threat?

*Screenshot of the security report generated by BeVigil’s Jenkins Plugin*

‍

How can a Developer Use the BeVigil Plugin?

In order for a developer to utilize the Jenkins plugin (offered by BeVigil), they must have the following installed in their system:

Java
Android SDK tools
Jenkins

Steps for Installing the Plugin

BeVigil’s Jenkins plugin can be installed in any system by following the series of steps stated below:

Open Jenkins and click on Manage Jenkins.

Now, select Manage Plugins.

‍

Navigate to the Available plugins tab, and search for the "BeVigil VI" plugin. Click the checkbox next to the plugin, and then click on "Install without restart" to install the plugin.

‍

The plugin installation is successful, as seen in the Download progress tab.

‍

Setting up Environment Variables for Jenkins

To set environment variables for Jenkins, open the Jenkins dashboard and navigate to Manage Jenkins -> Configure System. Find the Global Settings section and tick the Environment variables checkbox to enable it.

After JDK is installed, we need to set environment variables for JAVA_HOME in Jenkins which would be the JDK path.
Once the Android SDK Tools is installed, we need to set the environment variable ANDROID_HOME pointing to our Android SDK location.
After putting both values, users need to click on the Save button to apply changes.

‍

Configure Pipeline Settings

Go to the Jenkins dashboard, click on the new item, select freestyle project, add the item name, and click on OK to set up the project.

After the project setup is done, go to source code management, select GIT, add the repo URL, and select the branch which you want Jenkins to run.

Select Add to build steps and select Invoke Gradle Script. Select the Use Gradle Wrapper, check the Make gradlew executable checkbox, and add the wrapper location. Now add assembleDebug in the tasks to be invoked box. When you run the assembleDebug task, Gradle compiles the source code of your application, processes resources, and generates an APK.

Click on the build button and select Scan your app with BeVigil CI option. Now add the following details in the form:

API KEY: Your BeVigil API Key
App Type: Select Android/ioS
App Path: This is the path to your built app relative to the root of your Jenkins workspace. This path would be generated using the assembleDebug task command.
Package Name: Enter the package name for your application
Scan Timeout: This is the time (in minutes) after which the scan will timeout on the plugin.
Severity Threshold: This tells BeVigil to set a threshold for the vulnerabilities:

Low: The security report will include low, medium, and high vulnerabilities
Medium: The security report will include includes medium and high vulnerabilities
High: The security report will include includes only high vulnerabilities

After everything is done, click on the Save button.

We need to click on Build Now to build the project.

‍

You can now go to the console output to see the security report of the app, if a successful build has happened.
The report can be downloaded to see the security issues present in the mobile application and resolve them proactively.

‍

What’s coming next?

In the next phase, developers will be able to add one more step to the build steps, i.e., if at the time of build if some high-security issues are found in the mobile application then the build will fail at this stage. It cannot go to the next stage of the pipeline. The image below shows the working of the CI/CD pipeline in a software development life cycle.

Configuration changes can be made in the build steps, at the third step of the pipeline, which will make sure that if any high-security issues arise in the build stage, then it would not proceed to the further stages. Our plan is to incorporate the BeVigil plugin into various CI tools, such as Travis, Circle CI, Bamboo, GitLab CI/CD, Azure Pipelines, and CodeShip. If you're utilizing a different CI tool to test your app builds apart from Jenkins, kindly click on this link to make your selection.

‍

Video Demonstration of the Plugin Setup

‍

Attributions

‍

Mobile App Security: The Ultimate Guide to Building Safer Mobile Apps with BeVigil Jenkins Extension