
Code Guardian: Fortifying Mobile Banking Applications

Angelo Squillino


Supervisor: Giovanni Malnati. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2025

PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

Mobile banking applications have become a critical part of the modern banking ecosystem. Their handling of highly sensitive data and their ability to perform financial operations, coupled with their widespread adoption, make them very attractive targets for attackers. This thesis presents the design and development of Code Guardian, a static analysis tool that supports the vulnerability assessment of mobile banking applications distributed as APK (Android) and IPA (iOS) packages, with a particular focus on evaluating their level of obfuscation. Code Guardian's analysis covers the application's metadata, file system, embedded resources and binary executables, and follows the guidelines of the OWASP Mobile Application Security (MAS) project. First, a comprehensive evaluation was conducted to identify the most suitable components for the analysis workflow; it concluded that the analysis has to run in a desktop environment to meet performance and compatibility constraints. Based on the results of this preliminary evaluation, the tool adopts a client-server architecture that reconciles the platform and computational requirements of the analysis with cross-platform accessibility for users. The server, developed in Kotlin with the Ktor framework, orchestrates the analysis by combining several techniques with external containerized tools such as Ghidra (in particular its headless version), Semgrep and a Large Language Model (LLM) to inspect the package in depth. The client is implemented in Kotlin with Compose Multiplatform, which allows the codebase to be shared across multiple platforms (Android, iOS, desktop and web) while preserving high performance thanks to its ability to compile for each target platform natively.
To validate the effectiveness of Code Guardian, tests were performed on a set of purposely vulnerable applications, including variants with and without obfuscation. The results showed that the tool successfully detects the main vulnerabilities, provides recommendations to mitigate them and summarizes its findings in a structured security report.

Supervisors: Giovanni Malnati
Academic year: 2025/26
Publication type: Electronic
Number of pages: 87
Subjects:
Degree programme: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Degree class: New system > Master's degree > LM-32 - Computer Engineering
Partner companies: IRISCUBE Reply S.r.l. con Unico Socio
URI: http://webthesis.biblio.polito.it/id/eprint/38680