Security Testing of Mobile Applications
Organizations and users have gone mobile, and so have the attackers. According to reports, enterprises spend $50 million on building applications but a mere 5% on the security of their mobile applications.
Over 70% of large enterprises have been breached through mobile in the past year, and these breaches cost millions of dollars a year. However, Gartner reports that most enterprises plan to build their own application stores to reduce and prevent exploitation of their applications.
Anthony Lim (CISO leader) emphasizes the need for security testing in mobile applications.
Tweet:
@cisoleaders Anthony Lim of Cloud Security Alliance talks on Mobile application & security testing #CISOLeadersSummit https://t.co/2llvpu7ZMB pic.twitter.com/q5QQs1VNfz
— Media Corp Inter (@MediaCorpInter) February 16, 2017
“Many people can write mobile apps today but with the focus on functions, features, visuals and user experience, the security aspect of coding is often lagging and hackers are looking for such gaps to exploit.”
Now we map out the security testing methodology used by enterprises and backed by OWASP research.
Intelligence Gathering
The business logic and application architecture are essential to understanding an application's internal processes and interfaces. The goal is to understand the structure and find possible attack surfaces.
It includes the study of:
1. Network interface
2. Third party APIs
3. Cloud or native storage
4. Data handling
5. User management
6. Backend server
7. Firewall
8. Database
9. Runtime (OS, device: rooted or not)
10. Hardware integration
Asking what and how questions about each of these will give you all the information you need.
Threat modeling
In this process, identify and list all the common threats to the application, whether specific to it or already known from real-world attacks. Start with the OWASP Mobile Top 10, which you can find here, then follow these steps to discover more:
1. List all the sensitive data the application stores (cookies, keys, passcodes, strings)
2. Find every way that data can be accessed
3. Add these threats to the OWASP list and repeat until you have covered everything.
Vulnerabilities analysis and common checklist
After gathering intelligence and identifying threats to the mobile application, the next stage is finding vulnerabilities and fixing them. Developers mostly follow three methods to analyse vulnerabilities:
1. Static analysis
Here you assess how far the application can be reverse engineered and review the source code, using automated tools or manually. Notable automated tools are Santoku Linux and MobSF.
2. Dynamic analysis
Here we monitor network traffic at the device, the gateway and the server. We also observe how the application behaves on the network from a jailbroken or rooted device to find exploitable patterns.
Things to monitor: non-HTTP requests to the server, unencrypted data requests, file activity.
3. Forensic analysis
Mobile applications save cookies and logs in the phone's local storage, which is a possible threat. Analyse and scan the SQL database, log files, cookies, screenshots, keychain and keyboard cache for any malicious objects.
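An added example (not code from the original post) of the forensic step above: it walks every table of an app's SQLite database and a log dump, flagging clear-text tokens and passwords, which is also the evidence behind the "don't store credentials locally" checklist item below. The secret patterns, the sample database and the logcat-style lines are constructed for illustration.

```python
import re
import sqlite3
# Illustrative (assumed, not exhaustive) patterns for material that must never sit in clear text.
SECRET_PATTERNS = {
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "password_kv": re.compile(r"(?i)\b(pass(word)?|pwd|secret)\s*[:=]\s*\S+"),
    "bearer": re.compile(r"(?i)bearer\s+[A-Za-z0-9._-]{16,}"),
}

def scan_text(text, source):
    """Scan a log file, cookie store or keyboard-cache dump line by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                findings.append({"source": source, "line": lineno, "kind": kind})
    return findings

def scan_sqlite(conn):
    """Walk every table and every text value in an app's SQLite database."""
    findings = []
    cur = conn.cursor()
    for (table,) in cur.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        cols = [r[1] for r in cur.execute(f'PRAGMA table_info("{table}")')]
        for rowno, row in enumerate(cur.execute(f'SELECT * FROM "{table}"').fetchall(), 1):
            for col, val in zip(cols, row):
                if isinstance(val, str):  # ints and blobs (e.g. properly encrypted values) are skipped
                    for kind, pat in SECRET_PATTERNS.items():
                        if pat.search(val):
                            findings.append({"source": f"db:{table}.{col}", "line": rowno, "kind": kind})
    return findings

def build_sample_db():
    """Constructed stand-in for a database pulled from a device sandbox; not real app data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE prefs (key TEXT, value TEXT);
        INSERT INTO prefs VALUES ('theme', 'dark');
        INSERT INTO prefs VALUES ('session', 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abcDEF123_-xyz');
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, notes TEXT);
        INSERT INTO users VALUES (1, 'a@example.com', 'password=hunter2');
    """)
    return conn

# Constructed logcat-style lines; the second one leaks a bearer token into the device log.
SAMPLE_LOG = """\
2017-04-20 10:01:02 I/Net: GET https://api.example.com/profile 200
2017-04-20 10:01:03 D/Auth: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjF9.Q2xlYXJUZXh0VG9rZW4
2017-04-20 10:01:04 I/UI: screen=settings
"""
```

Run `scan_sqlite(build_sample_db())` and `scan_text(SAMPLE_LOG, "logcat")` against a real pull of the app sandbox; every finding is a location where a credential survives in clear text and must move to the keychain or be encrypted.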
This covers the standard methodology for testing your application's security; the findings (threat models and vulnerabilities) will differ for each application.
Below are a few checklist items from this exhaustive guide on mobile application security, which every application developer should follow.
- Use HTTPS instead of HTTP for the application's connections to the server, or, where HTTP remains, fix it with updated cache policies
- Don't store credentials locally; they can be exposed on jailbroken devices or to someone with physical access to the device.
- Use a secure channel for communication
- Implement a standard jailbreak detection tool to prevent physical exploitation.
- Encrypt the items stored in the keychain and make them inaccessible to unauthorized requests
- Always enable certificate pinning for connections
As always, feel free to share your thoughts!
- Security Testing of Mobile Applications - April 20, 2017