3 votes
An analyst is investigating anomalous behavior on a corporate-owned, corporate-managed mobile device with application whitelisting enabled, based on a name string. The employee to whom the device is assigned reports the approved email client is displaying warning messages that can launch browser windows and is adding unrecognized email addresses to the "compose" window.

Which of the following would provide the analyst the BEST chance of understanding and characterizing the malicious behavior?

A. Reverse engineer the application binary.
B. Perform static code analysis on the source code.
C. Analyze the device firmware via the JTAG interface.
D. Change to a whitelist that uses cryptographic hashing.
E. Penetration test the mobile application.

1 Answer

0 votes

Final answer:

Performing static code analysis on the source code would provide the analyst the best chance of understanding and characterizing the malicious behavior. The correct answer is option B. Perform static code analysis on the source code.

Step-by-step explanation:

The BEST chance of understanding and characterizing the malicious behavior on the corporate-owned, corporate-managed mobile device would be to perform static code analysis on the source code. This process involves examining the code of the email client application to identify any vulnerabilities or suspicious behavior.

By analyzing the code, the analyst can identify if there are any sections of the code that allow the warning messages to launch browser windows or if there is any code responsible for adding unrecognized email addresses to the 'compose' window. Static code analysis provides insight into the inner workings of the application and helps identify potential security issues.

While other options, such as reverse engineering the application binary or changing to a whitelist that uses cryptographic hashing, could also provide some understanding of the behavior, these options may not be as effective as static code analysis in characterizing the specific malicious behavior in this scenario.

by User Alexanderius (7.1k points)
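
The allowlisting detail in the question (approval based on a name string, with cryptographic hashing offered as option D) is shown here as an added example that is not part of the original question or answer: a name-only check cannot tell the approved build from a different binary carrying the same name, while a digest comparison can. The package name `com.example.mail`, the device labels and the byte strings are constructed placeholders.

```python
import hashlib

# Constructed stand-ins for application packages (not real binaries).
APPROVED_BUILD = b"constructed: approved email client build"
MODIFIED_BUILD = b"constructed: same name string, different contents"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Policy as described in the question: approval keyed on the name string only.
NAME_ALLOWLIST = {"com.example.mail"}  # hypothetical package name

# Policy from option D: each name is pinned to digests of approved builds.
HASH_ALLOWLIST = {"com.example.mail": {sha256_hex(APPROVED_BUILD)}}

def allowed_by_name(name: str) -> bool:
    return name in NAME_ALLOWLIST

def allowed_by_hash(name: str, package: bytes) -> bool:
    return sha256_hex(package) in HASH_ALLOWLIST.get(name, set())

def find_name_only_matches(inventory):
    """Return (device, name, digest) for packages that pass the name check
    but whose contents match no approved digest."""
    findings = []
    for device, name, package in inventory:
        if allowed_by_name(name) and not allowed_by_hash(name, package):
            findings.append((device, name, sha256_hex(package)))
    return findings

# Constructed inventory: two devices reporting the same package name.
INVENTORY = [
    ("device-01", "com.example.mail", APPROVED_BUILD),
    ("device-02", "com.example.mail", MODIFIED_BUILD),
]

if __name__ == "__main__":
    for device, name, digest in find_name_only_matches(INVENTORY):
        print(f"{device}: {name} passes the name check, "
              f"unapproved digest {digest[:16]}...")
```

The digest reported for a flagged package gives the analyst a fixed identifier for the exact binary that was running on the device.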