Mobile Application Security Testing – Importance and How it works
The growing number of mobile devices, and of applications that send data to and receive data from various servers, makes mobile application security testing a dire necessity. These applications and devices are exposed to attackers looking to steal sensitive user data or damage the device. The main aim of mobile application security testing is to uncover the scenarios that the manual testing process misses and to reveal the security flaws in the system, so that the device and its data are protected and functional integrity is maintained.
Mobile App Security Testing Components
Mobile application security testing mainly involves the following three areas:
- File System Analysis – Once the application's files on the device are identified, further analysis such as reversing the application, modifying it and extracting hidden secrets can be performed. Changes made to existing files across multiple application operations can also be identified.
- Application Reversing – The app can be decompiled, and if obfuscation has not been applied properly it can be removed from the source code thus obtained. The code can then be modified and recompiled, which extends the reach of the mobile app security testing effort.
- Encrypted Data Transactions – The request and response of every transaction are vulnerable if not secured: they can be intercepted and misused.
Mobile App and Server Validation Testing
Mobile apps can have generic access (open source) or specific access (only authorised persons can use the app). Mobile apps with generic access interact with third-party servers; when developing such apps, server-side security has to be taken care of by the mobile app, i.e. the development team must ensure it. For mobile apps with specific server access, the developing team or organisation can secure both the mobile app and the servers by implementing proper security measures.
While developing the app, the developer needs to address the following points with regard to the mobile application's security:
- Sensitive client information should be encrypted and stored appropriately. Information stored as Preferences, in SQLite or in flat files needs to be properly secured with encryption mechanisms and/or SQLCipher.
- Hard-coded values should not remain traceable by hackers when the app is decompiled using the various tools available. The application code should be properly obfuscated to minimise the impact of application reversing.
- Files stored on the device are forensically recovered, decrypted and parsed for sensitive user or app data.
- Data sent between the app and the back-end server over Wi-Fi, Bluetooth, cellular and NFC is intercepted and analysed.
- Ensure that sensitive user/app data cannot be accessed on the back-end by testing for server-side weaknesses.
- The app binary is analysed from a hacker's perspective to identify weaknesses in the code; hackers may attempt to modify the binary and make it behave in a way it shouldn't.
- The app should have a valid SSL certificate, so that manipulation of sensitive information is minimised to the greatest extent possible.
- A report is provided that identifies all the areas tested and should include findings, risk ratings and detailed recommendations on how each item can be remediated.
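The first two points above (encrypted storage and hard-coded values) are the ones a tester checks first once the app has been decompiled. The following scanner, an added example that is not code from the original article, runs two rules over constructed lines of decompiled source: a string literal assigned to a sensitively named identifier is reported as a hard-coded secret (with a Shannon-entropy hint that separates key material from default credentials), and a sensitively named key written to Android SharedPreferences with `putString` is reported as plaintext storage. The sample source, the rule set and the 3.5 bits/char entropy threshold are all assumptions chosen for the illustration.

```python
"""Static scan of decompiled app source for hard-coded secrets and plaintext
preference storage.

Added example, not code from the original article. The sample source lines
below are constructed for illustration, the rule set is deliberately small,
and the entropy threshold (3.5 bits/char) is a chosen assumption.
"""
import math
import re
from dataclasses import dataclass

# Identifier or preference-key names that suggest a secret value.
SENSITIVE_NAME = re.compile(
    r"api[_-]?key|secret|passw(?:or)?d|token|private[_-]?key", re.IGNORECASE
)
# A string literal of at least 8 characters assigned to an identifier, e.g.
#   String apiKey = "...";   or   val token = "..."
ASSIGNMENT = re.compile(r'(?P<name>\w+)\s*=\s*"(?P<value>[^"]{8,})"')
# A key written to Android SharedPreferences (stored on disk as plaintext XML).
PUT_STRING = re.compile(r'putString\(\s*"(?P<key>[^"]+)"\s*,')


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random key material scores far higher
    than dictionary words or default credentials."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan_source(lines, min_entropy: float = 3.5):
    """Return a Finding for each line that hard-codes a secret or writes a
    sensitively named key to preferences."""
    findings = []
    for no, line in enumerate(lines, start=1):
        m = ASSIGNMENT.search(line)
        if m and SENSITIVE_NAME.search(m.group("name")):
            kind = ("high-entropy value, likely key material"
                    if shannon_entropy(m.group("value")) >= min_entropy
                    else "low-entropy value, likely a default credential")
            findings.append(Finding(no, "HARDCODED_SECRET",
                                    f'{m.group("name")}: {kind}'))
            continue
        p = PUT_STRING.search(line)
        if p and SENSITIVE_NAME.search(p.group("key")):
            findings.append(Finding(no, "PLAINTEXT_PREFERENCE",
                                    f'key "{p.group("key")}" stored unencrypted'))
    return findings


# Constructed sample: what a decompiler might emit for a careless app.
SAMPLE_SOURCE = [
    'public static final String BASE_URL = "https://api.example.com/v1";',
    'private static final String API_KEY = "k3y-EXAMPLE-0123456789abcdef";',
    'String password = "changeme123";',
    'prefs.edit().putString("auth_token", token).apply();',
    'prefs.edit().putString("theme", "dark").apply();',
    'Log.d(TAG, "login ok");',
]

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule} - {f.detail}")
```

On the sample, lines 2 and 3 are reported as hard-coded secrets (the API key as high-entropy, the password as a low-entropy default) and line 4 as a plaintext preference; the URL and the theme setting are left alone. The same rules can be run in a build pipeline over the app's own source before release, which is cheaper than finding the values in a pentest report.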
Mobile application security testing should also include server-side validation. The following points should be addressed when testing the server-side APIs:
- Data should be encrypted while in transfer to and from the server.
- The system API calls should be inaccessible to unauthorised users.
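Making API calls inaccessible to unauthorised users means the server decides, per request, whether the caller is authenticated and whether that identity is permitted on that endpoint, and denies anything it has no rule for. The following check is an added example rather than code from the original article: the token store, the endpoint-to-role table and the request shape are constructed for illustration, and a real service would back them with its session store and run the check as framework middleware.

```python
"""Deny-by-default authorisation for server-side API calls.

Added example, not code from the original article. The token store, the
endpoint-to-role table and the request shape are constructed for
illustration; a real service would back them with its session store and
plug the check into its web framework's middleware.
"""
from hashlib import sha256

# Constructed session store: sha256(token) -> (user, roles). Only a hash of
# each token is kept, so a leaked copy of this table is not usable as credentials.
TOKENS = {
    sha256(b"tok-alice-EXAMPLE").hexdigest(): ("alice", {"user"}),
    sha256(b"tok-ops-EXAMPLE").hexdigest(): ("ops", {"user", "admin"}),
}

# Role required for each endpoint. Endpoints not listed here are denied,
# which is the deny-by-default behaviour the server side should have.
ENDPOINT_ROLE = {
    "/api/v1/profile": "user",
    "/api/v1/users": "admin",
}


def lookup_token(token: str):
    """Resolve a presented bearer token to (user, roles), or None."""
    # Hashing before the lookup means the secret itself is never compared
    # byte-by-byte against stored values, so lookup time does not depend on
    # how many leading bytes of a guess are correct.
    return TOKENS.get(sha256(token.encode()).hexdigest())


def authorize(request: dict):
    """Return (status, body) for a request dict {'path': str, 'headers': dict}.

    401 = no usable credentials, 403 = authenticated but not permitted.
    """
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, {"error": "authentication required"}
    identity = lookup_token(token.strip())
    if identity is None:
        return 401, {"error": "invalid token"}
    user, roles = identity
    required = ENDPOINT_ROLE.get(request.get("path"))
    # Unknown endpoint and insufficient role get the same answer, so the
    # response does not reveal which endpoints exist to callers without access.
    if required is None or required not in roles:
        return 403, {"error": "forbidden"}
    return 200, {"user": user, "path": request["path"]}


if __name__ == "__main__":
    for path, token in [("/api/v1/profile", "tok-alice-EXAMPLE"),
                        ("/api/v1/users", "tok-alice-EXAMPLE"),
                        ("/api/v1/users", "tok-ops-EXAMPLE"),
                        ("/api/v1/users", None)]:
        hdrs = {"Authorization": f"Bearer {token}"} if token else {}
        print(path, token, authorize({"path": path, "headers": hdrs}))
```

When testing a real back-end, the same matrix is what the tester replays against it: each endpoint with no token, an invalid token, a valid low-privilege token and a valid privileged token. Any cell that returns data where this table returns 401 or 403 is a server-side control finding.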
Importance of Client/Server Communication
The protocol is a key component that determines the quality of mobile app security testing; its importance is recognised the moment the packet data between the web server and the client is intercepted.
- The HTTP client, i.e. the browser, initiates an HTTP request. After the request is made, the client disconnects from the server and waits for a response. The server processes the request and re-establishes the connection with the client to send the response back.
- Client – The HTTP client sends a message to the server in the form of a request method, URI and protocol version, followed by a MIME-like message containing request modifiers, client information and possible body content, over a TCP/IP connection.
- Server – The HTTP server responds with a status line, including the message's protocol version and a success or error code, followed by a MIME-like message containing server information, entity meta-information and possible entity-body content.
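The request line, status line, header block and body described above are exactly the parts a tester separates when reading intercepted packet data. The parser below is an added example, not code from the original article: it splits constructed captures of a login request, its response and a follow-up request into those parts, and then lists query parameters in the request URI whose names look like credentials, since a URI is recorded in server, proxy and device logs even when the connection itself is encrypted. The sample messages and the `SENSITIVE_NAME` pattern are assumptions made for the illustration.

```python
"""Parse intercepted HTTP messages into start line, headers and body.

Added example, not code from the original article. The request and
response bytes below are constructed captures; the parser follows the
message structure described above (request line or status line, a
MIME-like header block, then an optional body).
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names that should never travel in a URI.
SENSITIVE_NAME = re.compile(r"passw(?:or)?d|token|secret|api[_-]?key", re.I)


@dataclass
class HttpMessage:
    # request: (method, uri, version); response: (version, status, reason)
    start: tuple
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    @property
    def is_response(self) -> bool:
        return self.start[0].startswith("HTTP/")


def parse_http(raw: bytes) -> HttpMessage:
    """Split one HTTP/1.x message; raises ValueError on a malformed one."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    start = tuple(lines[0].split(" ", 2))
    if len(start) != 3:
        raise ValueError(f"malformed start line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header: {line!r}")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        length = int(headers["content-length"])
        if len(body) < length:
            raise ValueError("body shorter than Content-Length")
        body = body[:length]  # drop any bytes belonging to the next message
    return HttpMessage(start, headers, body)


def sensitive_query_params(msg: HttpMessage):
    """Names of URI query parameters that look like credentials (requests only)."""
    if msg.is_response:
        return []
    query = urlsplit(msg.start[1]).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if SENSITIVE_NAME.search(k)]


# Constructed captures of a login exchange and a follow-up request.
LOGIN_REQUEST = (
    b"POST /api/v1/login?device=android HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"user=alice&pass=EXAMPLE01"
)
LOGIN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 21\r\n"
    b"\r\n"
    b'{"token":"EXAMPLE-T"}'
)
PROFILE_REQUEST = (
    b"GET /api/v1/profile?token=EXAMPLE-T HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for raw in (LOGIN_REQUEST, LOGIN_RESPONSE, PROFILE_REQUEST):
        msg = parse_http(raw)
        print("response" if msg.is_response else "request", msg.start)
        print("  headers:", msg.headers)
        print("  body:", msg.body)
        print("  credential-like params in URI:", sensitive_query_params(msg))
```

The login request carries its credentials in the body and is clean on the URI check; the follow-up request puts the session token in the query string, which the check reports as `['token']`. Header names are lower-cased on the way in because HTTP header names are case-insensitive and intercepted traffic from different stacks will not agree on capitalisation.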
The major risks to be covered in mobile app and server testing are:
- Data storage security (hard-coded passwords/keys)
- Vulnerable and insecure server-side controls
- Lack of transport-layer protection
- Client-side injection vulnerabilities
- Insecure authorisation and authentication mechanisms
- Insecure and inappropriate session handling
- Untrusted inputs used in security decisions
- Data leakage and broken or poor cryptography
- Sensitive information disclosure due to inappropriate security architecture
- Lack of binary protection