From the first gaming console we held to today's smartphones with real computing power, we have watched the technology evolve. Whether for carrying out financial transactions, playing games or watching videos, we spend a lot of time on our mobile phones. Loved ones no longer seem distant, thanks to the calls and chats made possible by the thread connecting the world: THE INTERNET.
While these conveniences have made our lives easier, they can also expose our weaknesses to attackers operating on the dark web. To ensure that users are not put in such situations, security testing of mobile applications is necessary. That is the topic of this quarterly newsletter.
ShieldCast - Fall 2018
Mobile Application Security Testing Prerequisites
You must be aware of the following security testing prerequisites before starting security testing of any mobile application:

- Application functionality, which defines how users interact with the application and helps identify the surfaces an attacker would target
- Application domain, since different domains have different risk profiles
- How the application stores and manages data at rest (idle), data in use, and data in transit
- Built-in user authentication and authorization mechanisms
- The different points of entry into the application
- Operating systems supported by the application
- Integrated third-party applications
- Transport protocols used for communication with other applications
- Remote services used by the application
|
Strategize Mobile Application Security Testing Plan
Once the prerequisites are defined, the next step is to devise a sound security testing strategy for your mobile application. Below is the list of points to keep in mind when planning mobile app security testing:

Useful Tools
Open Source
- MobSF - Complete penetration testing solution for Android/iOS/Windows apps
- Drozer - Identifies vulnerabilities in Android apps
- Radare - Reverse engineering framework usable on Android and iOS apps
- mitmproxy - Intercepts traffic between the app and its back-end services to identify vulnerabilities
- Santoku - Virtual machine bundled with the common mobile app security testing tools
- Frida - Dynamic instrumentation toolkit that injects JavaScript into Android/iOS/Windows apps for testing
- QARK - Toolkit for finding and exploiting vulnerabilities in Android apps
Licensed
- Codified Security - Static and dynamic security testing for mobile apps
- Kiuwan - Largest technology coverage for mobile app security testing
- WhiteHat Sentinel Mobile Express - Mobile security testing and assessment platform

Have Suggestions?
We would love to hear your feedback, questions, comments and suggestions. They will help us make the next issue better and more useful.
Share your thoughts and ideas at knowledgecenter@qasource.com
Tips To Secure Mobile Data
- Install apps only from official app stores and always keep them up to date; review the permissions of installed apps
- Encrypt stored data
- Always use a VPN on public Wi-Fi
- Turn off automatic Bluetooth connectivity
- Set up remote wipe so a lost or stolen device can be erased