To ensure that the users are not subjected to such situations, security testing for mobile applications is necessary. This is what we will talk about in this quarterly expert series.
ShieldCast - Fall 2018
Mobile Application Security Testing Prerequisites
You must be aware of the items below before starting security testing of any mobile application:
- Application functionality, which defines how users interact with the application and helps identify the surfaces an attacker would target
- Application domain, since different domains carry different risk profiles
- How the app stores and handles data at rest, data in use, and data in transit
- Built-in user authentication and authorization mechanisms
- The different points of entry into the application
- Operating systems supported by the application
- Integrated third-party applications and libraries
- Transport protocols used for communication with other applications and services
- Remote services used by the application
Strategize Mobile Application Security Testing Plan
Once the prerequisites are defined, the next step is to devise a sound security testing strategy for your mobile application. Below are the points to keep in mind while planning mobile app security testing:
The overall architecture of the mobile app, together with all connected remote services, needs to be verified to ensure that security controls are enforced at every level.
Verify that sensitive data such as user credentials and other personal information is stored securely in encrypted form and cannot be accessed through any unauthorized channel.
Authentication And Authorization
Verify that user login data and sessions are managed securely, without leaving loopholes for attackers.
Ensure that information exchanged between the mobile app and remote services is protected while in transit.
Cross-check that the platform APIs and services the app relies on, such as push notifications and location sharing, are safe to use and are invoked in a secure manner.
Reverse Engineering Defense
Verify that your mobile app cannot be reverse engineered, so that there is no risk of attackers injecting malware into it and uploading the tampered copy to an app store.
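One concrete check for the secure-storage point above, as an added example that is not part of the ShieldCast text: it scans an Android SharedPreferences XML file (pulled from a test device) for credentials and JWT session tokens sitting in the clear. The sample file, the sensitive-key list and the androidx EncryptedSharedPreferences prefix check are assumptions made for this example.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET

# Key names that commonly hold secrets (assumed heuristic list, extend per app).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|token|secret|api[_-]?key|session|auth", re.I)
# androidx EncryptedSharedPreferences keeps its Tink keysets under this prefix.
ENCRYPTED_PREFS_MARKER = "__androidx_security_crypto_encrypted_prefs"

# Constructed sample of /data/data/<pkg>/shared_prefs/<name>.xml, not from a real app.
SAMPLE_PREFS = """<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln</string>
    <boolean name="onboarding_done" value="true" />
    <int name="launch_count" value="3" />
</map>"""


def looks_like_jwt(value: str) -> bool:
    """True if value has three dot-separated parts and a base64url JSON header with 'alg'."""
    parts = value.split(".")
    if len(parts) != 3:
        return False
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError all derive from it
        return False
    return isinstance(header, dict) and "alg" in header


def scan_shared_prefs(xml_text: str) -> list:
    """Return (key, reason) pairs for entries that look like secrets stored in the clear."""
    findings = []
    for node in ET.fromstring(xml_text):
        key = node.get("name", "")
        value = (node.text or node.get("value") or "").strip()
        if key.startswith(ENCRYPTED_PREFS_MARKER):
            continue  # Jetpack Security keyset blob, not an application value
        if looks_like_jwt(value):
            findings.append((key, "JWT session token stored in plaintext"))
        elif SENSITIVE_KEY.search(key) and value:
            findings.append((key, "sensitive key holds a readable value; confirm it is ciphertext"))
    return findings


if __name__ == "__main__":
    for key, reason in scan_shared_prefs(SAMPLE_PREFS):
        print(f"[FINDING] {key}: {reason}")
```

Run it against each file under the app's shared_prefs directory after exercising the login flow; a clean result from an app using EncryptedSharedPreferences will show only the keyset entries, which the scanner skips.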
- MobSF - Complete penetration testing solution for Android/iOS/Windows apps
- Drozer - Android app vulnerability identification
- Radare - Reverse engineering framework usable on Android and iOS app binaries
- mitmproxy - Intercepts traffic between the app and its services to identify vulnerabilities
- Santoku - Virtual machine bundling mobile app security testing tools
- Frida - Dynamic instrumentation toolkit that injects JavaScript into running Android/iOS/Windows apps
- QARK - Toolkit for finding and exploiting Android app vulnerabilities
- Codified Security - Provides static and dynamic security testing for mobile apps
- Kiuwan - Broad technology coverage for mobile app security testing
- WhiteHat Sentinel Mobile Express - Mobile security testing and assessment platform
We would love to hear your feedback, questions, comments and suggestions. They will help us make the next issue better and more useful.
Share your thoughts and ideas at firstname.lastname@example.org
Tips To Secure Mobile Data
- Install apps only from official app stores and always keep them up to date. Verify permissions of installed apps
- Encrypt the stored data
- Always use a VPN on public Wi-Fi
- Turn off automatic Bluetooth connectivity
- Set up remote wipe