In today's digital landscape, mobile application security has become a paramount concern.
With the increasing number of threats targeting Android applications and the personal data they store, developers and security professionals alike are seeking robust solutions to fortify their code against potential vulnerabilities.
That is why reducing the time and effort needed to identify mobile security issues has become so important.
We are excited to introduce our new project, focused on creating Semgrep rules specifically designed to enhance the security of Android apps.
Semgrep Rules for Android Application Security
The project provides a new set of rules, built around the OWASP Mobile Security Testing Guide (MSTG), that help find security issues through static application security testing (SAST).
The Project
The OWASP Mobile Security Testing Guide (MSTG) is an invaluable resource for assessing the security posture of mobile applications. It provides comprehensive guidelines and best practices to identify and address potential security weaknesses. However, manually conducting these tests can be time-consuming and prone to human error.
This is where this project comes into play.
By creating a set of Semgrep rules based on the OWASP Mobile Security Testing Guide, we aim to automate and streamline the security testing process for Android applications.
These rules act as a way to shift left in the SDLC of Mobile apps, enabling developers and security practitioners to efficiently identify and mitigate vulnerabilities in their code.
With Semgrep's static analysis capabilities and the knowledge base of the MSTG, we can significantly enhance the effectiveness and efficiency of mobile app security assessments.
Our project bridges the gap between theory and practice, empowering developers to build robust and resilient Android applications while ensuring that security remains a top priority.
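To show the shape such a rule takes, here is an added example (not one of the project's own rules) that flags the deprecated ECB cipher mode covered by the MSTG cryptography checks; the rule id, message and metadata keys are assumptions, and the rule catches only literal transformation strings.

```yaml
# Added example: a Semgrep rule in the form an MSTG-driven rule set would use.
# Rule id, message text and metadata keys are assumed, not taken from the project.
rules:
  - id: android-cipher-ecb-mode
    languages: [java, kotlin]
    severity: WARNING
    message: >-
      Cipher.getInstance() selects ECB mode. ECB encrypts identical blocks to
      identical ciphertext and leaks plaintext structure; prefer an
      authenticated mode such as AES/GCM/NoPadding.
    metadata:
      category: security
      # MSTG-CRYPTO-4: no deprecated or weak cryptographic algorithms or modes
      mstg: MSTG-CRYPTO-4
    pattern-either:
      # A bare "AES" transformation defaults to AES/ECB/PKCS5Padding on the
      # Java platform, so it is ECB even though the string never says so.
      - pattern: javax.crypto.Cipher.getInstance("AES", ...)
      # Explicit ECB in the transformation string, with or without a provider
      # argument ("..." matches zero or more trailing arguments).
      - patterns:
          - pattern: javax.crypto.Cipher.getInstance($MODE, ...)
          - metavariable-regex:
              metavariable: $MODE
              regex: (?i).*/ECB/.*
    # Limitation: a transformation string assembled at runtime or read from
    # configuration is not a literal and will not bind $MODE; that case needs
    # taint tracking rather than a plain pattern.
```

A Java or Kotlin fixture annotated with `// ruleid: android-cipher-ecb-mode` on the vulnerable lines and `// ok: android-cipher-ecb-mode` on the GCM ones lets `semgrep --test` verify the rule's true and false positives before it ships.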
Status
Since the beginning of the project we have continuously strived to deliver a solution that empowers developers and security practitioners to defend against evolving threats and safeguard user data.
The current status of the project is shown here: it indicates where the rules are still to be improved and where a Semgrep version limitation blocks the creation of a useful rule. Every improvement will be reflected there as soon as it is implemented.
How to contribute:
In future posts we'll give some insight and explain how everyone can contribute to the project; in the meantime, your feedback is absolutely welcome!
We strongly believe in the power of collaboration and community involvement, hence we invite developers, security enthusiasts, and Android app experts to actively contribute to our project through our GitHub repository.
By participating in the project, you can contribute new Semgrep rules, suggest improvements to existing rules, report bugs, or even share insights and ideas to enhance the overall effectiveness of our Android app security framework.
Visit our GitHub repository to explore the project, engage with fellow contributors, and make a meaningful impact in the field of mobile app security.
Credits
- Supervisor:
  - Stefano Di Paola (Twitter: @WisecWisec)
- Project leader:
  - Riccardo Cardelli (Twitter: @gand3lf)
- Contributors:
  - Andrea Agnello (GitHub: @AndreNoli)
  - Christian Cotignola (Twitter: @b4dsheep)
  - Giacomo Zorzin (Mastodon: @gellge)
  - Giovanni Fazi (GitHub: @giovifazi)
  - Martino Lessio (Twitter: @Martinolessio)
  - Maurizio Siddu (GitHub: @akabe1)
  - Michele Di Bonaventura (Twitter: @cyberaz0r)
  - Michele Tumolo (Twitter: @0s0urce)