Enterprise Security Testing of Mobile Apps
Shihab Bava
Bridging Business and Technology through Data | Product Architect | Power BI, Python & Microservice Expert at UST
Mobile app development approaches
Although this paper is about the security testing of mobile apps, it helps to first describe the main mobile application development approaches from a tester's perspective, because each one has a different attack surface. The following are the approaches used to build mobile applications.
Native
Native applications are platform-specific installable applications that are downloaded from the platform app stores. They can use device and OS specific features and work both offline and online. They are built with each platform's own SDK and toolchain (one for iOS, one for Android). For the tester this means the installed binary itself (the APK or IPA), its local storage and its IPC interfaces are in scope, not only its network traffic.
Hybrid
A hybrid application combines native and mobile web: web content runs inside a native shell. Such applications can access some device-specific features through a bridging layer, but their performance is lower than that of native apps. For the tester, both the native wrapper and the embedded web content (including the JavaScript bridge between them) must be assessed.
Mobile Web
A mobile web application is not installed and works only when the device is online. These applications are developed with web technologies such as HTML5, CSS and JavaScript, and cannot access device-specific features beyond what the browser exposes. They are tested largely as ordinary web applications.
Mobile Based threats
As the use of mobile applications grows in industries such as finance and healthcare, mobile-based threats are a growing concern as well. They can be categorized as device-based threats, application-based threats and web-based threats.
Device based threats
Applications installed from unknown or unapproved sources, or the installation of unauthorized applications, invite all kinds of intruders. For example, an enterprise application running on a jailbroken or rooted device is exposed to a much higher level of threat, because the platform's sandbox and data-protection guarantees no longer hold. The application should be able to detect such devices and refuse to run on them, or at least restrict sensitive functionality. Such detection is a deterrent rather than a guarantee, since on a compromised device the detection checks themselves can be bypassed.
Application based threats
Native applications installed on the device, from trusted or untrusted sources, may introduce threats of their own: tampered (repackaged) applications may serve a fraudulent purpose, malware applications provide an open door to the intruder, and information-stealing applications collect sensitive data in order to commit financial fraud.
Web based threats
For web-based applications running on a mobile device, the main risks are cookie theft, browser vulnerabilities, malicious downloads and phishing.
Security Testing Mobile Apps
The security testing of a mobile application should consider the following three components:
1. The mobile device and App
a. Operating Systems
b. Processor
c. Memory
d. Sensors
e. Interfaces
2. The connectivity (cellular data, Wi-Fi, etc.)
3. The server-side components (web services, feeds, etc.)
Considering the above components, the following are some scenarios that should be included in security testing:
1. Encrypt all communication between server and client and vice versa (TLS); verify that the app rejects invalid or self-signed certificates, and consider certificate pinning for high-value apps.
2. Concurrent account login: check whether the same account can be logged in from several devices at the same time, and whether that is intended behaviour.
3. Encrypt all information stored locally by the mobile app; verify that nothing sensitive is left in plain text in preferences, databases, caches or logs.
4. Disable the app from running on rooted or jailbroken devices (or restrict sensitive features on them).
5. Manifest settings: the app must not be debuggable in release builds, and it should not write sensitive data to external (shared) storage.
6. Make reverse engineering of the application (APK and IPA) as hard as practical through obfuscation. Obfuscation raises the cost of analysis but cannot prevent it, so no secret in the app should depend on it.
7. Information leakage through stack traces: disable error, exception and debug logging in the production version of the application.
8. Paste should be disabled on sensitive fields such as password fields, and sensitive values should not be copied to the clipboard.
9. Show a splash or cover screen when the app goes to the background, so that sensitive screens are not captured in the task-switcher snapshot.
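Item 5 (and the cleartext side of item 1) can be checked statically before any dynamic testing starts. The following is an added example, not code from the original article: a small Python checker that reads a decoded AndroidManifest.xml (as produced by apktool or "aapt dump xmltree"; the binary manifest inside the APK must be decoded first) and flags the weak settings. The two manifests embedded in it are constructed for the demonstration and do not come from any real application, and the package name com.example.bank is hypothetical. It goes slightly beyond the list above by also flagging allowBackup, which lets the app's private data be pulled with adb backup.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifests in decoded form. Neither is taken from a real app.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="26"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Bank"
        android:debuggable="true"
        android:allowBackup="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Bank"
        android:allowBackup="false"
        android:usesCleartextTraffic="false">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute from an element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def check_manifest(xml_text, target_sdk=None):
    """Return a sorted list of finding codes for weak manifest settings.

    target_sdk overrides <uses-sdk>; pass it explicitly when the decoder has
    stripped that element (apktool, for instance, moves it into apktool.yml).
    """
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["NO_APPLICATION_ELEMENT"]

    findings = []

    # A debuggable release build allows run-as, debugger attachment and full
    # access to the app's private data directory from the adb shell.
    if _attr(app, "debuggable", "false") == "true":
        findings.append("DEBUGGABLE")

    # allowBackup defaults to true when absent, so only an explicit "false" is safe.
    if _attr(app, "allowBackup", "true") != "false":
        findings.append("BACKUP_ALLOWED")

    # usesCleartextTraffic defaults to true below targetSdk 28 and to false from 28 on.
    if target_sdk is None:
        uses_sdk = root.find("uses-sdk")
        target_sdk = int(_attr(uses_sdk, "targetSdkVersion", "1")) if uses_sdk is not None else 1
    cleartext = _attr(app, "usesCleartextTraffic")
    if cleartext == "true" or (cleartext is None and target_sdk < 28):
        findings.append("CLEARTEXT_TRAFFIC")

    # External storage is shared with other apps, so sensitive data must not go there.
    perms = {_attr(p, "name") for p in root.findall("uses-permission")}
    if "android.permission.WRITE_EXTERNAL_STORAGE" in perms:
        findings.append("WRITES_EXTERNAL_STORAGE")

    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, check_manifest(text) or "no findings")
```

The checker reports what the manifest declares, not what the code does: a manifest without WRITE_EXTERNAL_STORAGE still needs a runtime check of where the app actually writes, and a release build that is not debuggable still needs its logging (item 7) verified with logcat.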
Security Testing Frameworks/Tools
Given the importance of mobile application security, various organizations provide helpful frameworks and tools for security testing:
1. OWASP Mobile Security Project – provides a checklist for mobile app security testing (now published as the Mobile Application Security Verification Standard and its companion testing guide). A pen-tester or an organization can use this checklist as a baseline for their mobile apps.
2. Appium – an open-source framework for automating mobile app testing on any mobile operating system, with client libraries for languages such as Java, Python and JavaScript. It is a functional test automation tool: it drives the app through the security test scenarios, but does not find vulnerabilities by itself.
3. Calabash – a cross-platform framework that enables users to develop and execute automated test cases for mobile apps; its development has since been discontinued.
4. iPad file explorer – used for exploring the file system of a wide variety of iOS applications, for example to see what the app stores locally and whether it is protected.
5. Android Debug Bridge (adb) – a command-line tool for communicating with Android devices and emulators. It is not a security scanner, but it is used in almost every Android assessment: to install and pull APKs, open a shell on the device, read the log (logcat), and inspect the app's data directory on a rooted device or, for debuggable builds, via run-as.
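Two of the scenarios above, the rooted-device check and the debuggable-build check, also need to be verified from the tester's side: before running the app you want to know what state the test device is in. The following is an added example, not code from the original article or from the adb project: a Python helper that parses "adb shell getprop" output and looks for the classic root indicators (test-keys build, ro.debuggable, ro.secure, su binaries in the usual locations). The embedded getprop output is constructed for the demonstration; assess_device() collects the same evidence from a live device and assumes adb is on PATH. The in-app detection that scenario 4 asks for is separate Android code and is not shown here.

```python
import re
import subprocess

GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

# Locations where rooting tools commonly install an su binary.
SU_CANDIDATES = [
    "/system/bin/su", "/system/xbin/su", "/sbin/su",
    "/su/bin/su", "/vendor/bin/su", "/data/local/bin/su",
]

# Constructed "adb shell getprop" output of a hypothetical rooted test device.
SAMPLE_GETPROP = """[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.product.model]: [TestDevice]
"""


def parse_getprop(text):
    """Turn getprop's "[key]: [value]" lines into a dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def root_indicators(props, su_paths_present):
    """Classic heuristics. None of them is proof on its own, and all of them
    can be hidden by root-cloaking tools, so treat the result as evidence,
    not as a verdict."""
    hits = []
    if props.get("ro.build.tags") == "test-keys":
        hits.append("build signed with test-keys")
    if props.get("ro.debuggable") == "1":
        hits.append("ro.debuggable=1 (userdebug/eng build)")
    if props.get("ro.secure") == "0":
        hits.append("ro.secure=0 (adb shell runs as root)")
    for path in su_paths_present:
        hits.append("su binary present at %s" % path)
    return hits


def adb(args, serial=None):
    """Run one adb command and return its stdout (adb must be on PATH)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + args
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def assess_device(serial=None):
    """Collect the same evidence from a connected device or emulator."""
    props = parse_getprop(adb(["shell", "getprop"], serial))
    # ls prints only the paths that exist; errors for missing ones are discarded on the device.
    listing = adb(["shell", "ls " + " ".join(SU_CANDIDATES) + " 2>/dev/null"], serial)
    present = [p for p in listing.split() if p in SU_CANDIDATES]
    return root_indicators(props, present)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; use assess_device() against real hardware.
    for hit in root_indicators(parse_getprop(SAMPLE_GETPROP), ["/system/xbin/su"]):
        print("ROOT INDICATOR:", hit)
```

If the device reports indicators and the app under test still starts and exposes its sensitive screens, scenario 4 has failed; if it refuses to start, the next step is to hide the indicators (rename the su binary, use a cloaking module) and confirm the app's check is not trivially bypassed.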
CONCLUSIONS
An attacker may target the mobile application first. So, as discussed above, careful selection of testing tools and test scenarios is important in mobile security testing. An effective way to speed up testing is to automate as much as possible, keeping in mind that automation repeats the scenarios a tester has designed; deciding what to test still requires the tester's judgement.
Comment from a reader (Engineer at Heart, Manager by Profession | Empowering Engineering Teams for Success | Connecting Top Talent to Exciting Career Opportunities), 8 years ago: Thanks for sharing the knowledge simply.