Static Analysis of Mobile Application Source Codes


The vast mobile application market is composed of a wide variety of operating systems, platforms, devices, and software systems.

This combination of software infrastructures presents a large number of attack surfaces and potential vulnerabilities that attackers may take advantage of. Mobile application security should therefore be a top priority for any business.

We ensure application security through static source code review across a broad range of platforms and frameworks, covering all major mobile operating systems.


The Android operating system (OS) leads the world's mobile platform market as the most used OS for mobile devices: roughly eight out of every ten mobile phones run Android. As a result, a multitude of mobile applications are available for Android devices.

The Android OS provides developers with a flexible software engineering platform that is easy to develop for, partly due to its open-source nature. This is in contrast to the closed-source, sandboxed nature of Apple's iOS. However, the flexibility of the Android platform often results in applications with a great degree of system access, which can lead to a number of high-risk vulnerabilities.

Other situations, partly unique to the Android OS, create security issues on Android devices that can give attackers an advantage. The popular practice of rooting, combined with the habit of not upgrading to the latest Android OS (and thus missing important security patches), results in a gap between the desired security posture of an Android device and the reality.

It is thus important for security professionals to manually review the source code of Android apps to ensure that no high-risk vulnerabilities exist that can be exploited, and for end-users to always upgrade to the latest, patched Android OS in order to maintain a secure platform.


The risks associated with the Android platform are further increased by the use of Java as its native language for application development. Java is a popular, object-oriented programming language with a number of inherent security weaknesses that can present exploitable vulnerabilities in applications. According to security research, Java is known for providing major attack surfaces and for presenting major security holes in software, such as race conditions, deadlocks, and access-control vulnerabilities.

The NowSecure mobile security report even found that over 80 percent of Android devices have at least one major security fault. However, certain attack vectors (e.g. buffer overflows) are not as feasible on a Java-based system. As one of the most popular programming languages, Java is largely secure, but it can be implemented improperly by programmers in ways that allow attackers to fully compromise a system.

It is imperative for security engineers to review the source code of applications written with Java, and for software engineers to utilize secure coding practices during the coding stages of application development.

iOS Application Source Code Analysis

Apple's iOS is another very popular mobile OS and the second-largest mobile platform in competition with Android. iOS is a sandboxed, closed-source OS, making it harder to develop for than Android.

According to the 2016 NowSecure mobile security report, Apple's iOS had more vulnerabilities in 2015 than Android by a ratio of almost three to one. iOS does have some security advantages that limit the ability of attackers to exploit its applications, namely its update and patch rate.

That said, it is essential for security specialists to perform security testing of iOS applications to determine their security posture and to mitigate any vulnerabilities discovered, so that future cyber-attacks can be avoided.


iOS applications are written in several C-based programming languages, specifically Objective-C and now Apple's own language, Swift. C++, JavaScript, and others are also used for application development and must be taken into account when determining how secure the code is. While C is a procedural programming language, Objective-C (which is largely C with object-oriented programming (OOP) extensions added to it) is an object-oriented language.

Combining the two types of languages in application development can lead to security issues. Buffer overflows are much more feasible in C than in Java, and C is also vulnerable to code injection. In addition, as noted above, iOS applications are now predominantly written in Swift and Objective-C. Objective-C presents some security holes that are not present in Swift; for example, an integer overflow can result in a heap overflow in Objective-C, but results in a run-time error in Swift.

While Objective-C became more secure than C with regard to access-control vulnerabilities, it still contains issues such as the possibility of code injection and buffer overflows, which remain a security concern. At the same time, Swift is not immune to high-risk security issues such as SQL injection, reflected and stored XSS, and buffer overflows. C++ and JavaScript are also not without their vulnerabilities, and must be analyzed by security personnel to ensure that apps developed in these languages meet strict security standards and do not present exploitable vulnerabilities.
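The integer-overflow-to-heap-overflow pattern mentioned above is something a manual source review looks for in C and Objective-C allocation code. The following C block is an added illustration, not code from this page or from any reviewed application: it shows an unchecked size computation that silently wraps, beside a checked allocator that refuses the request (the behaviour Swift enforces by trapping). All function names and the sample sizes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Unchecked size computation, as commonly found in C / Objective-C code.
 * When count * elem_size exceeds SIZE_MAX the product wraps, so the
 * resulting buffer is far smaller than the caller assumes; later writes
 * of `count` elements then run past the end of the heap block. */
size_t unchecked_bytes(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Checked variant: returns 1 and stores the byte count in *out only if
 * the product fits in size_t; returns 0 otherwise. This mirrors Swift's
 * run-time overflow error, but reports failure instead of aborting. */
int checked_bytes(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return 0; /* would overflow: refuse rather than wrap */
    }
    *out = count * elem_size;
    return 1;
}

/* Allocate room for `count` elements of `elem_size` bytes, or return NULL
 * when the size cannot be represented. Callers must check for NULL. */
void *checked_alloc(size_t count, size_t elem_size) {
    size_t bytes;
    if (!checked_bytes(count, elem_size, &bytes)) {
        return NULL;
    }
    return malloc(bytes);
}

/* Stand-alone demonstration: the unchecked path wraps to 0 bytes for a
 * huge element count, while the checked path rejects the same request. */
int main(void) {
    size_t huge = SIZE_MAX / 2 + 1;   /* constructed oversized count */
    size_t wrapped = unchecked_bytes(huge, 4);
    void *p = checked_alloc(huge, 4);
    (void)wrapped; /* 0 on any platform where size_t is a power-of-two width */
    free(p);       /* p is NULL here; free(NULL) is a no-op */
    return 0;
}
```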


With the variety of programming languages that can be used for each application and application component, Windows mobile systems present a unique security challenge for companies.

Security issues common to mobile Windows operating systems include allowing remote authenticated users to access the file system and execute code, and weaknesses that can be exploited with automated password-cracking tools.

Denial-of-service attacks are another security concern. A source code review by security engineers helps ensure that your Windows mobile applications are free of security vulnerabilities.


We also conduct security source code assessments for other mobile operating systems, such as the BlackBerry OS, the Symbian OS, and others, to ensure that your applications do not contain high-risk vulnerabilities and security flaws that cyber-attackers can exploit.

We assess each OS individually with comprehensive manual reviews which, combined with our industry expertise, help you make sure that your applications are secure.


Our application security assessment report combines the findings of the mobile code review with information on the potential impact of each identified vulnerability.

The final report offers a comprehensive explanation of all vulnerabilities found, together with an in-depth review of the key steps needed to harden your systems and ensure information security.

With the knowledge gained from the application security assessments, you can rest easy knowing that your mobile applications are protected and secure.