AUTOMATED SECURITY TESTING FOR A MOBILE APPLICATION OR A BACKEND SERVER

US 20180089437A1
Filed: 09/23/2016
Published: 03/29/2018
Est. Priority Date: 09/23/2016
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a memory that stores computer executable components;

a processor that executes computer executable components stored in the memory, wherein the computer executable components comprise;

an analysis component that analyzes computer instructions of a mobile application and determines an identifier pattern comprising an application programming interface for one or more server endpoints associated with the mobile application; and

a security component that performs a security test for a server device based on the identifier pattern for the one or more server endpoints.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques that facilitate automated security testing of one or more mobile applications and/or one or more backend servers for the one or more mobile applications are provided. In one example, a system includes an analysis component and a security component. The analysis component can analyze computer instructions of a mobile application. The analysis component can also determine an identifier pattern comprising an application programming interface for one or more server endpoints associated with the mobile application. The security component can perform a security test for a server device based on the identifier pattern for the one or more server endpoints.

20 Citations

View as Search Results

20 Claims

1. A system, comprising:
- a memory that stores computer executable components;
  
  a processor that executes computer executable components stored in the memory, wherein the computer executable components comprise;
  
  an analysis component that analyzes computer instructions of a mobile application and determines an identifier pattern comprising an application programming interface for one or more server endpoints associated with the mobile application; and
  
  a security component that performs a security test for a server device based on the identifier pattern for the one or more server endpoints.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the analysis component analyzes the computer instructions of the mobile application without executing the mobile application.
  - 3. The system of claim 1, wherein the analysis component performs intra-procedural analysis of the mobile application by individually analyzing a set of procedures associated with the computer instructions.
  - 4. The system of claim 1, wherein the analysis component performs inter-procedural analysis of the mobile application by analyzing interactions between a set of procedures associated with the computer instructions.
  - 5. The system of claim 1, wherein the analysis component identifies information from a group consisting of an Internet protocol address, a hostname, a network path, one or more parameters, a set of web domains, a set of web pages, a set of web addresses, and textual data associated with the one or more server endpoints.
  - 6. The system of claim 1, wherein the analysis component stores the identifier pattern for the one or more server endpoints in a database with at least other identifier pattern for one or more other server endpoints associated with the mobile application.
  - 7. The system of claim 1, wherein the security component transmits a modified version of the identifier pattern to the server device.
  - 8. The system of claim 7, wherein the security component further transmits authentication data to the server device.
  - 9. The system of claim 7, wherein the security component determines output data generated by the server device based on the modified version of the identifier pattern.
  - 10. The system of claim 9, wherein the security component generates a security report for the server device in a human-readable format based on the output data.
  - 11. The system of claim 1, wherein the security test for the server device facilitates improved detection of a security vulnerability associated with the server device.

12. A computer-implemented method, comprising:
- receiving, by a system operatively coupled to a processor, a mobile application;
  
  analyzing, by the system, computer instructions of the mobile application;
  
  determining, by the system, one or more identifier patterns comprising one or more application programming interfaces for one or more server endpoints associated with the mobile application; and
  
  performing, by the system, a security test for a server device based on the one or more identifier patterns for the one or more server endpoints.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The computer-implemented method of claim 12, wherein the performing the security test comprises modifying the one or more identifier patterns to generate one or more modified identifier patterns for the one or more server endpoints.
  - 14. The computer-implemented method of claim 13, further comprising:
    - transmitting, by the system, the one or more modified identifier patterns to the server device; and
      
      receiving, by the system, output data generated by the server device in response to the one or more modified identifier patterns.
  - 15. The computer-implemented method of claim 13, wherein the modifying comprises adding a payload to the one or more identifier patterns.
  - 16. The computer-implemented method of claim 13, wherein the modifying comprises removing a portion of the one or more identifier patterns.

17. A computer program product for performing automated security testing of a backend server, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to:
- analyze computer instructions of a mobile application;
  
  determine an identifier pattern comprising an application programming interface for one or more server endpoints associated with the mobile application;
  
  modify the identifier pattern to generate a modified identifier pattern for the one or more server endpoints; and
  
  perform a security test for a server device based on the modified identifier pattern for the one or more server endpoints.
- View Dependent Claims (18, 19, 20)
- - 18. The computer program product of claim 17, wherein the program instructions are further executable by the processor to cause the processor to:
    - augment the identifier pattern with a payload to generate the modified identifier pattern.
  - 19. The computer program product of claim 17, wherein the program instructions are further executable by the processor to cause the processor to:
    - perform intra-procedural analysis of the mobile application by individually analyzing a set of procedures associated with the computer instructions.
  - 20. The computer program product of claim 17, wherein the program instructions are further executable by the processor to cause the processor to:
    - perform inter-procedural analysis of the mobile application by analyzing interactions between a set of procedures associated with the computer instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Baset, Salman Abdul, Dolby, Julian Timothy, Rapoport, Marianna, Suter, Philippe

Granted Patent

US 10,445,507 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1433   Vulnerability analysis

AUTOMATED SECURITY TESTING FOR A MOBILE APPLICATION OR A BACKEND SERVER

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATED SECURITY TESTING FOR A MOBILE APPLICATION OR A BACKEND SERVER

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links