Mobile App Security: The Ultimate Guide to Building Safer Mobile Apps with BeVigil Jenkins Extension

Learn how to improve the security of your mobile apps using BeVigil Jenkins Extension. This comprehensive guide will help you create secure mobile apps that protect user data and prevent unauthorized access. Discover how to use Jenkins integration to automate security testing and ensure your app is secure before release.

Arshit Jain
April 21, 2023
Last updated: February 3, 2024
Co-author: Hansika Saxena

Applications (Android or otherwise) are susceptible to security vulnerabilities. Hence it is important to stay on top of the latest security updates and configure apps accordingly. The usual approach to scanning mobile applications and producing security reports involves a series of painstaking steps: development of the application, scanning and static analysis of the code, remediation, and rescan.

The traditional method of scanning mobile applications and producing a security report

BeVigil's Jenkins plugin simplifies this task by identifying security vulnerabilities during the application development phase itself. By utilizing this plugin, developers and security teams can easily detect and address any issues that arise during development and streamline the remediation process.

What Mistakes are Made by the Developer? 

One of the biggest mistakes made by developers is that they usually hardcode API keys, secrets, and assets in the source code and then push the built APK to the PlayStore. As shown in the image below, the developer has hard-coded the Razorpay key and secret in the application. Hardcoding these keys can lead to the leak of users' PII.

Types of Keys/URLs Leaked by the Developers & Their Impact

Each entry below gives the exposed key/URL, its description, the developer mistake behind it, and the BeVigil finding.

Firebase Database
  • Description: Developers use Firebase for storing some data but forget about the security concerns related to the database.
  • Developer Mistake: Not restricting permissions on the database.
  • BeVigil Finding: Almost 18K Firebase databases were readable and had over 10M downloads on the PlayStore, thus leaking a lot of PII.

Razorpay Keys
  • Description: Hardcoded Razorpay keys and secrets can compromise sensitive financial data, including payment card information and transaction details. The leaked keys can be used to authenticate requests to the Razorpay API and make unauthorized transactions, manipulate payment data, or even access other sensitive information stored on the payment gateway's systems.
  • Developer Mistake: Hardcoding the Razorpay ID is okay, but hardcoding secrets or keys with excessive permissions in the source code can lead to compromised details.
  • BeVigil Finding: Almost 1.6M users' data was compromised via hard-coded Razorpay keys.

AWS Access Key & Secret
  • Description: These are used to authenticate and authorize access to AWS resources, such as EC2 instances, S3 buckets, and other cloud services. If compromised, they can potentially provide an attacker with access to an organization's entire cloud infrastructure and the data stored within it.
  • Developer Mistake: Permissions of the AWS access key and secret must be restricted.
  • BeVigil Finding: Around 100GB of leaked data was obtained due to a misconfigured AWS Access Key and Secret.

GitHub Personal Access Token (PAT)
  • Description: A PAT is a string of characters that provides access to perform actions on behalf of a user's GitHub account, such as creating, deleting, or modifying repositories, accessing private repositories, or posting comments. It can be used to authenticate API requests and is generated by GitHub. Hardcoding PATs can lead to access to GitHub private repositories.
  • Developer Mistake: GitHub tokens are not usually used in mobile apps for anything, but oftentimes developers hardcode them by mistake.
  • BeVigil Finding: Over 159 private repositories can be accessed from the compromised tokens discovered in BeVigil.

Twitter API Keys
  • Description: These API keys, if hardcoded, can lead to the full takeover of a user's Twitter account(s) and allow sensitive actions such as reading direct messages, retweeting, removing followers, following strangers, etc.
  • Developer Mistake: Hardcoding the Twitter consumer key and consumer secret as well as the Twitter access token and secret, thus providing an opportunity for complete account takeover.
  • BeVigil Finding: 3,207 apps were found leaking a valid Consumer Key and Consumer Secret. Around 230 apps (including some unicorns) were leaking all 4 authorization credentials.

Hubspot API Keys
  • Description: These keys are generally not used in mobile apps, but if compromised they can leak the users' PII.
  • Developer Mistake: Hardcoding an API key which is generally not used by mobile app developers.
  • BeVigil Finding: 1.6M users' data can be compromised with the help of just one API key.

Shopify API Keys
  • Description: If compromised, these API keys can lead to reading and writing customers' data as well as order information.
  • Developer Mistake: Hardcoding the API key with excessive permissions.
  • BeVigil Finding: 21 apps were identified to have 22 hardcoded Shopify API keys/tokens. These apps put close to 4M users at risk.

MailChimp API Keys
  • Description: Mailchimp is a popular email marketing and automation platform that allows businesses and individuals to create, send, and manage email campaigns to their subscribers. An exposed Mailchimp API key can be used to access the Mailchimp account and send unauthorized emails, steal contact lists, view campaign analytics, etc. The compromised account can also be used to create and launch phishing campaigns, distribute malware, or commit fraud.
  • Developer Mistake: Hardcoding an API key whose requests can generally be sent from the backend instead.
  • BeVigil Finding: Out of the total 319 identified API keys, 90 API keys (i.e. 28%) were found to be valid. 12 keys were found to allow read-email access.

SendGrid API Keys
  • Description: SendGrid is a communication platform intended for transactional and marketing emails. Exposed SendGrid API keys allow attackers to send unauthorized emails from the affected account. They can also gain access to sensitive information such as email addresses, subject lines, and message contents.
  • Developer Mistake: Hardcoding the API key with excessive permissions.
  • BeVigil Finding: Out of 319 identified API keys, 128 keys were found to be valid. 121 keys allowed actors to send emails, 65 keys allowed actors to delete API keys, and 42 keys allowed actors to modify 2FA.

Mailgun API Keys
  • Description: Mailgun provides email API services enabling brands to send, validate, and receive emails through their domain at scale. If exposed, these keys can be used to send unauthorized emails from the affected account, gain access to sensitive information, and monitor/analyze email traffic, which could reveal business-critical information.
  • Developer Mistake: Hardcoding the API key with excessive permissions.
  • BeVigil Finding: 35% of the analyzed apps allowed anyone to send and read emails.
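The mistake the table keeps returning to is a credential sitting in strings.xml or a constants class. The scanner below is an added example (not BeVigil's code or its detection rules) of how a build step can catch that before the APK ships: it runs prefix patterns over each source line, reports the file, line and a redacted match (the same fields a scan report needs), and separately checks a Firebase rules document for the "anyone can read" misconfiguration from the first row. The regexes, the file names under SAMPLE_FILES and both rules documents are this example's own assumptions, and every key value is constructed.

```python
"""Hardcoded-secret scanner for Android sources and resources.

Added example: the patterns are this example's own assumptions based on the
public prefix formats of these credentials, not BeVigil's detection rules,
and every sample value below is constructed (no real keys).
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Assumed patterns (example's own); tune or extend for your own secret types.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "razorpay_key_id": re.compile(r"\brzp_(?:live|test)_[A-Za-z0-9]{14}\b"),
    "sendgrid_api_key": re.compile(r"\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b"),
    # Not a secret by itself, but a pointer to a database whose rules must be checked.
    "firebase_db_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
}


@dataclass(frozen=True)
class Finding:
    issue: str   # which credential type matched
    file: str    # file in which it was found
    line: int    # 1-based line number
    match: str   # redacted matched text, so the report itself leaks nothing


def redact(token: str, keep: int = 8) -> str:
    """Keep only the identifying prefix of a matched token."""
    return token[:keep] + "*" * max(len(token) - keep, 0)


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every pattern over each line of one file."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for issue, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(issue, path, lineno, redact(m.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (e.g. decompiled APK sources)."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def firebase_rules_world_readable(rules_json: str) -> bool:
    """True when the root '.read' rule is literally true, i.e. anyone can read."""
    rules = json.loads(rules_json).get("rules", {})
    return rules.get(".read") in (True, "true")


# Constructed sample inputs: the mistake from the article (secrets in strings.xml
# and a Java constants class) with obviously fake values.
SAMPLE_FILES = {
    "app/src/main/res/values/strings.xml": (
        "<resources>\n"
        '  <string name="app_name">DemoPay</string>\n'
        '  <string name="razorpay_key">rzp_live_EXAMPLE0000001</string>\n'
        '  <string name="db_url">https://demo-app-example.firebaseio.com</string>\n'
        "</resources>\n"
    ),
    "app/src/main/java/com/example/demo/Config.java": (
        "package com.example.demo;\n"
        "public final class Config {\n"
        '    static final String AWS_KEY = "AKIAEXAMPLE000000001";\n'
        '    static final String GH_TOKEN = "' + "ghp_EXAMPLE" + "0" * 29 + '";\n'
        "}\n"
    ),
}

# Constructed Firebase rules: world-readable versus per-user access.
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'
SAFE_RULES = ('{"rules": {"users": {"$uid": {".read": "auth != null && auth.uid == $uid",'
              ' ".write": "auth != null && auth.uid == $uid"}}}}')

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.file}:{f.line}: {f.issue} -> {f.match}")
    print("open rules world-readable:", firebase_rules_world_readable(OPEN_RULES))
    print("safe rules world-readable:", firebase_rules_world_readable(SAFE_RULES))
```

Run it as a script and it prints four findings (the Razorpay key, the Firebase URL, the AWS key ID and the GitHub token) with only the first eight characters of each match kept. Redaction matters because a CI console log is itself a place secrets leak from; the file and line are enough for the developer to remove and rotate the credential.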

How Does BeVigil’s Jenkins Plugin Help?

Image depicting how the BeVigil plugin can help find security issues in mobile apps

Let's understand what Jenkins is. Jenkins is an open-source automation server widely used for continuous integration and continuous delivery (CI/CD) of software projects. Jenkins provides many plugins to extend its functionality and supports various types of build, deployment, and testing tasks. 

Jenkins works by triggering automated builds and tests whenever changes are made to the source code repository. It integrates with version control systems such as Git, SVN, and Mercurial, and can be configured to run automated tests, code analysis, and packaging of the application.

Jenkins is a powerful automation tool that helps software teams to improve their software development processes by automating repetitive tasks and enabling faster feedback cycles. Its popularity is due to its flexibility, scalability, and ease of use, making it a preferred choice for many development teams around the world.

Working of BeVigil’s Jenkins Plugin

The BeVigil Jenkins plugin helps app developers remediate issues at the time of development. As soon as a developer commits code, they receive a detailed security report from the BeVigil Jenkins plugin for the APK or IPA file. This report includes information such as:

  • What is the issue?
  • What is the impact?
  • What are the remediation steps?
  • In which file was the issue found?
  • What was the exact match in the source code that led our scanner to detect it as a threat?
Screenshot of the security report generated by BeVigil’s Jenkins Plugin

How can a Developer Use the BeVigil Plugin?

In order for a developer to utilize the Jenkins plugin (offered by BeVigil), they must have the following installed on their system:

  • Java
  • Android SDK tools 
  • Jenkins

Steps for Installing the Plugin

BeVigil’s Jenkins plugin can be installed on any system by following the series of steps stated below:

  1. Open Jenkins and click on Manage Jenkins.
  2. Now, select Manage Plugins.
  3. Navigate to the Available plugins tab, and search for the "BeVigil VI" plugin. Click the checkbox next to the plugin, and then click on "Install without restart" to install the plugin.
  4. The plugin installation is successful, as seen in the Download progress tab.

Setting up Environment Variables for Jenkins

  1. To set environment variables for Jenkins, open the Jenkins dashboard and navigate to Manage Jenkins -> Configure System. Find the Global Settings section and tick the Environment variables checkbox to enable it.
  2. After the JDK is installed, set the JAVA_HOME environment variable in Jenkins to the JDK path.
  3. Once the Android SDK Tools are installed, set the ANDROID_HOME environment variable to point to your Android SDK location.
  4. After entering both values, click on the Save button to apply the changes.

Configure Pipeline Settings

  1. Go to the Jenkins dashboard, click on New Item, select Freestyle project, add the item name, and click on OK to set up the project.
  2. After the project setup is done, go to Source Code Management, select Git, add the repo URL, and select the branch which you want Jenkins to build.
  3. Select Add build step and select Invoke Gradle Script. Select Use Gradle Wrapper, check the Make gradlew executable checkbox, and add the wrapper location. Now add assembleDebug in the Tasks box. When you run the assembleDebug task, Gradle compiles the source code of your application, processes resources, and generates an APK.
  4. Add another build step and select the Scan your app with BeVigil CI option. Now add the following details in the form:
  • API KEY: Your BeVigil API Key
  • App Type: Select Android/iOS
  • App Path: This is the path to your built app relative to the root of your Jenkins workspace. This path is generated by the assembleDebug task.
  • Package Name: Enter the package name for your application
  • Scan Timeout: This is the time (in minutes) after which the scan will time out on the plugin.
  • Severity Threshold: This tells BeVigil which vulnerabilities to include in the report:
      • Low: The security report will include low, medium, and high vulnerabilities
      • Medium: The security report will include only medium and high vulnerabilities
      • High: The security report will include only high vulnerabilities
  5. After everything is done, click on the Save button.
  6. Click on Build Now to build the project.
  7. If the build succeeds, you can now go to the console output to see the security report of the app.
  8. The report can be downloaded to see the security issues present in the mobile application and resolve them proactively.

What’s coming next?

In the next phase, developers will be able to add one more build step: if high-severity issues are found in the mobile application at build time, the build will fail at this stage and cannot proceed to the next stage of the pipeline. The image below shows the working of the CI/CD pipeline in a software development life cycle.

Configuration changes can be made in the build steps, at the third step of the pipeline, to make sure that if any high-severity issues arise in the build stage, the build does not proceed to the further stages. Our plan is to incorporate the BeVigil plugin into various CI tools, such as Travis, Circle CI, Bamboo, GitLab CI/CD, Azure Pipelines, and CodeShip. If you're utilizing a different CI tool apart from Jenkins to test your app builds, kindly click on this link to make your selection.
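The two ideas above, the severity threshold that decides what the report shows (Low keeps everything, Medium keeps medium and high, High keeps only high) and the planned gate that fails the build when high-severity issues appear, can be expressed as one small script. The following is an added example, not the plugin's code: a Jenkins build step can run it after the scan and use its exit code to stop the pipeline. The report layout (a "findings" list with issue, severity, file and remediation fields), the sample findings and their severities are this example's own assumptions, not BeVigil's report format.

```python
"""Severity-threshold filter and build gate for a mobile-app scan report.

Added example: the report layout (a "findings" list with issue, severity,
file and remediation fields) is this example's assumption, not BeVigil's
report format, and the sample findings and their severities are constructed.
"""
from __future__ import annotations

import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample findings modelled on the mistakes the article lists;
# the severities are this example's own choices.
SAMPLE_FINDINGS = [
    {"issue": "Hardcoded AWS access key and secret", "severity": "high",
     "file": "app/src/main/java/com/example/demo/Config.java",
     "remediation": "Rotate the key; move AWS calls behind your backend."},
    {"issue": "Hardcoded Mailchimp API key", "severity": "medium",
     "file": "app/src/main/res/values/strings.xml",
     "remediation": "Rotate the key; send campaign requests from the backend."},
    {"issue": "Firebase database URL referenced in resources", "severity": "low",
     "file": "app/src/main/res/values/strings.xml",
     "remediation": "Verify the database rules deny unauthenticated reads."},
]
SAMPLE_REPORT = json.dumps({"package": "com.example.demo", "findings": SAMPLE_FINDINGS})


def filter_by_threshold(findings: list[dict], threshold: str) -> list[dict]:
    """Apply the threshold semantics: Low keeps low/medium/high,
    Medium keeps medium/high, High keeps only high."""
    floor = SEVERITY_RANK[threshold.lower()]
    return [f for f in findings if SEVERITY_RANK[f["severity"].lower()] >= floor]


def should_fail_build(findings: list[dict], fail_on: str = "high") -> bool:
    """Stop the pipeline when any finding is at or above fail_on. This is
    evaluated on all findings, independent of the report threshold."""
    floor = SEVERITY_RANK[fail_on.lower()]
    return any(SEVERITY_RANK[f["severity"].lower()] >= floor for f in findings)


def gate(report_json: str, threshold: str = "low",
         fail_on: str = "high") -> tuple[list[dict], int]:
    """Return (findings to report, exit code). Exit code 1 fails the build step."""
    report = json.loads(report_json)
    all_findings = report.get("findings", [])
    kept = filter_by_threshold(all_findings, threshold)
    return kept, (1 if should_fail_build(all_findings, fail_on) else 0)


if __name__ == "__main__":
    # Usage: python gate.py [low|medium|high]; a non-zero exit fails the Jenkins step.
    threshold = sys.argv[1] if len(sys.argv) > 1 else "low"
    kept, code = gate(SAMPLE_REPORT, threshold=threshold)
    for f in kept:
        print(f"[{f['severity'].upper()}] {f['issue']} in {f['file']}: {f['remediation']}")
    print("build gate:", "FAIL" if code else "PASS")
    sys.exit(code)
```

The gate decision deliberately runs over all findings rather than the filtered list, so raising the report threshold to High never hides a high-severity issue from the pass/fail decision; the threshold only controls how much the developer reads in the console output.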

Video Demonstration of the Plugin Setup
