With the “Digital Transformation” gaining influence in our lives and making software even more prevalent as the driver of change, you can’t help but think of the mobile platform as the key enabler. With this in mind, it’s critical to understand the infrastructure that supports your mobile app and the components that may be exposed to vulnerabilities, and, with that understanding, to identify potential threats and assess their impact. This blog steps through some of the key points you need to consider when embarking on a mobile security testing effort.
Understanding What You’re Testing and Why
By understanding where you are vulnerable, you can make decisions on where to apply your effort and resources to protect yourself. Thoroughly assessing your mobile application’s vulnerability requires a number of tools and techniques in order to get a comprehensive view of your app’s weaknesses. But first, you really need to understand the app and how people use it. That’s why it’s important to:
- Assess the APK and iOS application files, the third-party toolkits, and the APIs the app uses.
- Understand the business logic and usage of the application and its functions.
- Garner a business understanding of the application: its usage, the different user roles, its sensitive areas, and its functions.
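The first bullet, assessing the application package and the third-party code it bundles, is the kind of step that benefits from a repeatable check. The script below is an added example, not XBOSoft's or the blog's own tooling: it takes an Android manifest that has already been decoded to plain XML (for instance with apktool) and inventories the requested permissions, the application-level flags that widen the attack surface, the components other apps can invoke, and the components whose class names fall outside the app's own package (a quick way to spot bundled third-party SDKs). The sample manifest, the `com.example.shop` package, the `com.thirdparty.*` class names and the permission subset are all constructed for illustration.

```python
"""Inventory checks over a decoded AndroidManifest.xml (added example; the
manifest below is constructed, not taken from a real app)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{" + ANDROID_NS + "}"          # prefix ElementTree uses for android: attributes

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Subset of Android runtime ("dangerous") permissions that warrant reviewer attention.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.READ_EXTERNAL_STORAGE",
}
# Application-level flags that expand the attack surface when set to true.
RISKY_APP_FLAGS = ("debuggable", "allowBackup", "usesCleartextTraffic")

# Constructed sample manifest (hypothetical app and third-party SDK names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true" android:allowBackup="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="shop"/>
      </intent-filter>
    </activity>
    <service android:name="com.thirdparty.analytics.UploadService" android:exported="false"/>
    <receiver android:name="com.thirdparty.push.PushReceiver" android:exported="true"/>
    <provider android:name=".OrdersProvider" android:authorities="com.example.shop.orders"
        android:exported="true" android:permission="com.example.shop.READ_ORDERS"/>
  </application>
</manifest>
"""


def resolve_name(name, pkg):
    """Expand the manifest shorthand ".Foo" into a fully qualified class name."""
    return pkg + name if name.startswith(".") else name


def is_exported(component):
    """Platform rule: an explicit android:exported wins; otherwise a component that
    declares an intent-filter is exported by default. (Content providers in apps
    targeting API < 17 were also exported by default; check targetSdkVersion too.)"""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def inventory(manifest_xml):
    """Summarise permissions, risky flags, exported components and third-party code."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    app = root.find("application")
    permissions = [p.get(A + "name") for p in root.findall("uses-permission")]
    exported, third_party = [], []
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = resolve_name(comp.get(A + "name"), pkg)
            if not name.startswith(pkg + "."):
                third_party.append(name)          # class lives outside the app's package
            if is_exported(comp):
                exported.append({
                    "type": tag,
                    "name": name,
                    # An exported component with no android:permission is callable by any app.
                    "guarded": comp.get(A + "permission") is not None,
                })
    return {
        "package": pkg,
        "permissions": permissions,
        "sensitive_permissions": sorted(set(permissions) & SENSITIVE_PERMISSIONS),
        "risky_flags": [f for f in RISKY_APP_FLAGS if app.get(A + f) == "true"],
        "exported_components": exported,
        "unguarded_exported": [c["name"] for c in exported if not c["guarded"]],
        "third_party_components": third_party,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(inventory(SAMPLE_MANIFEST), indent=2))
```

The output is a starting point for the business-understanding step that follows: each unguarded exported component and each third-party package is something to ask the development team about, and `debuggable`, `allowBackup` and `usesCleartextTraffic` being true in a release build are findings in their own right. Note that the exported-by-default rule is applied from the manifest alone; the app's `targetSdkVersion` and any `android:permission` declared on the enclosing `<application>` element still need to be checked by hand.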
Figuring Out the Right Tool(s) for Mobile Security Testing
After you’ve gotten a good idea of how the application works and its pieces, you can choose the toolkit to apply to the right areas. You can choose from a number of commercial as well as open source tools; AppUse, Burp Suite, and Clutch are a few examples. As with assessing any tools you may use, figuring out what you need and don’t need, ease of use, and effectiveness are the key criteria in choosing your tool set. Keep in mind that any one tool may not do all you need, and if it does, it may not do all things well. For the mobile security testing work we do at XBOSoft, one of the most important criteria in choosing tools is how easily the results can be interpreted. With so many false positives and so much extraneous information, being able to decipher the test results is a key criterion in evaluating the tool or set of tools that we select.
Test Methodology for Mobile Security Testing
Next, you need to think carefully through your methodology. The vulnerability assessment is planned based on the objectives established with the client.
Integral to the planning is the identification of elements of the application that are in/out of scope (e.g., sub-domains) or cannot be automatically tested (e.g., forms generating emails, change password functions, application logout functions).
After determining these factors, we ‘spider’ the application from two main perspectives, as well as many in between:
- From the non-credentialed perspective, to garner an understanding of the scope of the application visible to an unauthenticated user.
- From the most privileged user perspective, to garner an understanding of the scope of the application visible to an authenticated user with the highest degree of access to the application.
We then review these results and plan penetration testing based on the initial vulnerability assessment results.
- Manual confirmation is conducted for all the findings reported by any of the tools used. Evidence is then gathered for the sampled URLs/parameters, chosen based on professional experience.
- We manually test elements of the OWASP Top 10 that are not addressed by the vulnerability assessment (e.g., Insecure Authorization, Code Tampering), leveraging a variety of licensed and open source tools.
- We manually test other non-OWASP vulnerabilities (e.g., sensitive data caching, privilege escalation).
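The planning, two-perspective spidering, and manual-confirmation steps above produce a lot of raw data: scope lists, two crawl results, and overlapping reports from several tools. The script below is an added example (not XBOSoft's or the blog's own tooling) of the bookkeeping that turns those into a prioritized work list: it drops findings on out-of-scope hosts, flags the flows reserved for manual testing, collapses the same issue reported by several tools into one item carrying the highest severity, compares the unauthenticated and most-privileged crawls to surface authorization gaps, and records the evidence gathered when a finding is manually confirmed. The scanner names (`scannerA`, `scannerB`), the `example.test` hosts, the scope values, the crawl sets and every finding are constructed for illustration.

```python
"""Assessment triage: scoping, two-perspective crawl comparison, merging tool
output and prioritising findings for manual confirmation (added example; all
hosts, tools and findings below are constructed)."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Scope decisions from the planning step (constructed values).
IN_SCOPE_HOSTS = {"api.example.test", "m.example.test"}
# Flows excluded from automated testing and exercised manually (constructed).
MANUAL_ONLY_PATHS = {"/logout", "/account/password", "/contact"}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    """One raw report from a tool, after export to a common shape (assumed format)."""
    tool: str
    url: str
    parameter: str
    category: str
    severity: str


# Constructed raw output from two hypothetical scanners.
SAMPLE_FINDINGS = [
    Finding("scannerA", "https://api.example.test/orders?id=1", "id", "insecure-authorization", "high"),
    Finding("scannerB", "https://api.example.test/orders?id=7", "id", "insecure-authorization", "medium"),
    Finding("scannerA", "https://api.example.test/logout", "", "csrf", "low"),
    Finding("scannerB", "https://staging.example.test/debug", "", "info-leak", "medium"),
    Finding("scannerA", "https://m.example.test/search?q=x", "q", "xss-reflected", "medium"),
]

# Constructed crawl results from the two perspectives described in the post.
UNAUTH_CRAWL = {"https://m.example.test/", "https://m.example.test/login",
                "https://m.example.test/admin/export"}
ADMIN_CRAWL = {"https://m.example.test/", "https://m.example.test/admin/users",
               "https://m.example.test/admin/export"}
PRIVILEGED_PREFIXES = ("/admin/",)


def in_scope(url):
    return (urlparse(url).hostname or "") in IN_SCOPE_HOSTS


def merge_findings(findings):
    """Collapse the same issue reported by several tools into one work item keyed on
    (path, parameter, category); drop out-of-scope hosts; keep the highest severity."""
    merged = {}
    for f in findings:
        if not in_scope(f.url):
            continue
        path = urlparse(f.url).path
        key = (path, f.parameter, f.category)
        item = merged.setdefault(key, {
            "url": f.url, "parameter": f.parameter, "category": f.category,
            "severity": f.severity, "tools": set(),
            "manual_only": path in MANUAL_ONLY_PATHS,
            "confirmed": False, "evidence": None,
        })
        item["tools"].add(f.tool)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[item["severity"]]:
            item["severity"] = f.severity
    return merged


def prioritize(merged):
    """Highest severity first; ties broken by how many tools agree, since agreement
    between independent tools lowers the chance of a false positive."""
    return sorted(merged.values(),
                  key=lambda i: (-SEVERITY_RANK[i["severity"]], -len(i["tools"]), i["url"]))


def record_confirmation(merged, key, evidence):
    """Mark a finding as manually confirmed and keep the evidence with it."""
    merged[key]["confirmed"] = True
    merged[key]["evidence"] = evidence


def authorization_gaps(unauth_urls, admin_urls, privileged_prefixes):
    """Compare the two crawls: privileged paths reachable without credentials point to
    missing authorization checks; paths seen only as admin are the surface on which
    the manual privilege-escalation tests are focused."""
    def privileged(url):
        return urlparse(url).path.startswith(privileged_prefixes)
    return {
        "exposed_to_unauthenticated": sorted(u for u in unauth_urls if privileged(u)),
        "privileged_only": sorted(u for u in admin_urls - unauth_urls if privileged(u)),
    }


if __name__ == "__main__":
    work = merge_findings(SAMPLE_FINDINGS)
    for item in prioritize(work):
        print(item["severity"], item["url"], sorted(item["tools"]),
              "MANUAL" if item["manual_only"] else "")
    print(authorization_gaps(UNAUTH_CRAWL, ADMIN_CRAWL, PRIVILEGED_PREFIXES))
```

The merge key deliberately ignores the query-string value, so the two reports against `/orders` with different `id` values become one item rather than two, which is the kind of de-duplication that keeps "pages and pages of results" manageable. Anything still marked `confirmed: False` after the manual pass has not earned a place in the final report.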
To complete the process, you need to couple the vulnerabilities you found with action. After you’ve gone to the trouble of performing a security assessment of your mobile application, the most important part is developing a list of actionable recommendations to address all identified security vulnerabilities. As mentioned earlier in this blog, the tool set you use and your proficiency at understanding the results are critical, because you’ll get pages and pages of results. Being able to understand vulnerabilities and take appropriate, prioritized action is the key to staying one step ahead of the bad guys. Don’t end up in the news unnecessarily. Assess your mobile application’s vulnerabilities and take action. We also offer a full range of mobile application testing services. If you need help, let us know.