MOBILE APPLICATION SECURITY ASSESSMENTS
| MOBILE APP SECURITY TESTING
SPECIALIZED SECURITY ASSESSMENTS
AND TESTING FOR MOBILE APPLICATIONS
SMARTPHONES ARE PARTICULARLY VULNERABLE TO A MYRIAD OF SECURITY THREATS
Investopedia notes that the market has shifted rapidly, leaving consumers to catch up; the same is true of mobile device engineers, security specialists, and application developers. This shows in mobile applications that ship without complete security testing, largely because the many different devices and operating systems each require their own tools, tests, and skills. The Capgemini World Quality Report, citing 2012 figures, found that 18% of companies did not have enough time to test mobile apps, 65% did not have the applicable tools, and 52% did not have the devices available.

The security of a mobile operating system (OS) sets an upper bound on how secure its apps can be. Because the OS is the software foundation of the device, a single OS vulnerability can expose data from a large number of apps at once, as with the Pegasus malware, which exploited flaws in iOS to extract iPhone data belonging to multiple apps. A 2016 vendor report on the subject highlights several ways in which mobile security differs from the traditional network security model:
• Mobile devices typically don't give end users root access
• Mobile devices have a myriad of attack surfaces
• Mobile devices have OS access control that may limit what a security app can do
The same report's assessment, which tested devices with the vendor's Vulnerability Test Suite, found that 82% of Android devices were vulnerable to at least one of 25 major OS flaws. CVE Details recorded 130 vulnerabilities for Android in 2015, versus 375 for iOS. Raw CVE counts reflect disclosure and reporting practices as much as relative security, so they should not be read as a ranking of the two platforms on their own.
YET APP SECURITY CAN ALSO BE UNDERMINED WITHOUT ANY OS VULNERABILITY:
• Reverse engineering an app back to readable source lets a previously closed-source app be modified. If its protections can be bypassed, a modified build (acting as malware, carrying a backdoor, etc.) can be redistributed into the platform ecosystem.
• Binary inspection, disassembling app packages, and similar techniques let an attacker read an application's assembly or bytecode and find hidden data in it, along with exploitable weaknesses: weak encryption ciphers, likely attack vectors, backdoors, weak app architecture, back-end/server-side web APIs that are vulnerable to attack, and so on. These can be used to compromise entire systems (SQL databases, web servers, and more), and zero-day exploits can be developed from the same starting point.
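The first pass of the binary inspection described above is usually a `strings`-style sweep of every file in the package for credentials and cleartext endpoints, before anything is disassembled. The script below is an added example and not the page's own tooling: it builds a constructed, minimal APK-shaped zip in memory (a real APK holds a binary AndroidManifest.xml and a real classes.dex; here the entries are plain bytes under the same names, and every key and URL in them is made up) and scans each entry with a small set of patterns. The AWS key-ID shape and the PEM header are well-known signatures; the generic key/secret pattern is a heuristic that needs manual triage.

```python
"""Static triage of an APK for hardcoded secrets and cleartext endpoints (added example)."""
import io
import re
import zipfile

# Patterns worth flagging on a first pass over every entry in the package.
PATTERNS = {
    "cleartext_url": re.compile(rb"http://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+"),
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key_pem": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    # Heuristic: key=value / "key": "value" with a credential-like key name.
    "generic_secret": re.compile(
        rb"(?i)(?:api[_-]?key|secret|password|token)[\"']?\s*[=:]\s*[\"']?([A-Za-z0-9_\-./+=]{8,})"
    ),
}


def build_sample_apk() -> bytes:
    """Constructed sample: an APK-shaped zip whose contents were made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.demo'/>")
        # Stand-in for classes.dex: string-table entries surrounded by other bytes.
        dex = (b"\x00" * 16
               + b"Lcom/example/demo/Api;\x00"
               + b"http://api.example.test/v1/login\x00"
               + b"api_key=AKIAIOSFODNN7EXAMPLE\x00"   # AWS's documented example key ID
               + b"\x00" * 16)
        z.writestr("classes.dex", dex)
        z.writestr("assets/config.json",
                   b'{"base_url": "https://api.example.test", "password": "hunter2hunter2"}')
        z.writestr("res/raw/legacy.pem",
                   b"-----BEGIN RSA PRIVATE KEY-----\nREDACTED\n-----END RSA PRIVATE KEY-----\n")
    return buf.getvalue()


def scan_apk(apk_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (entry name, finding type, matched text) for every hit, in package order."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            data = z.read(info.filename)
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(data):
                    # Patterns with a capture group report just the secret value.
                    text = (m.group(1) if m.groups() else m.group(0)).decode("ascii", "replace")
                    findings.append((info.filename, kind, text))
    return findings


if __name__ == "__main__":
    for entry, kind, text in scan_apk(build_sample_apk()):
        print(f"{entry:24} {kind:20} {text}")
```

Run it against a real package by replacing `build_sample_apk()` with the bytes of the APK; the scan is deliberately content-agnostic, so it sees strings inside DEX, native libraries, assets and resources alike. Anything it flags is a lead for the disassembly stage, not a confirmed finding.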
MOBILE APPS OPERATE ON MANY NETWORKS
MANY MOBILE SECURITY THREATS ARE RELATED TO HOW DATA IS TRANSMITTED TO AND FROM MOBILE DEVICES, AND HOW STRONG THE ENCRYPTION IS
• Many public Wi-Fi hotspots do not encrypt traffic at all, and many others make it easy for an attacker with a packet sniffer to capture and read wireless packets in plaintext.
• Most carriers configure and ship smartphones to connect automatically to the carrier's Wi-Fi hotspot network when in range. An attacker can mimic such a hotspot by broadcasting an identical SSID, and devices will join it automatically, without authentication and without any warning to the end user. An app's transport security (TLS with proper certificate validation) therefore cannot assume the network itself is trustworthy.
MOBILE DEVICES ARE PORTABLE AND CAN BE LOST; APPS MUST REMAIN SECURE EVEN WHEN THE DEVICE IS GONE
The following threats are very real concerns with portable mobile devices:
• OS settings may weaken the security posture of the apps running on the device.
• Data on the device is often stored unencrypted, in locations that are easy to read once the device is in hand (SQLite databases, SD cards, XML preference files, etc.).
• Computer forensics and file system inspection let an attacker identify sensitive files.
• Leakage of corporate or personal data to attackers is a constant threat given the nature of mobile devices, compounded by leaky apps that transmit data insecurely.
• Caches and other stored app files are a problem on a lost or stolen device, since they can be found and read: URL caches, log files (from insecure logging), clipboard contents, application screenshots taken when an app is backgrounded, etc.
• Third-party keyboard apps can capture and leak keystrokes, which is a significant issue for password and payment fields.
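The storage and forensics points above translate into a few concrete checks once an app's sandbox has been pulled from a device or backup. The script below is an added example, not the page's own tooling: it constructs a sample SQLite database and an Android SharedPreferences XML file in a temporary directory (every table, key and value is made up), then asks the questions an assessor asks of real files: is the database file unencrypted, which columns and preference keys look like credentials, and are those values stored in plaintext or as a recognisable password hash. The name and hash-shape patterns are heuristics and should be tuned per app.

```python
"""Data-at-rest triage of an app sandbox: SQLite and SharedPreferences (added example)."""
import hashlib
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Column / preference names that usually hold credentials. Matches whole underscore-separated words.
SENSITIVE_NAME = re.compile(r"(?i)(^|_)(pass(word)?|pwd|token|secret|pin|ssn|card)(_|$)")

# Value shapes that are at least hashed rather than plaintext.
HASH_SHAPES = [
    re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),  # bcrypt
    re.compile(r"^\$argon2(id|i|d)\$"),                   # argon2
    re.compile(r"^[0-9a-f]{64}$"),                        # bare SHA-256 hex: hashed, but unsalted and fast
]


def is_plaintext_sqlite(path: str) -> bool:
    """Unencrypted SQLite files start with this 16-byte magic; SQLCipher databases do not."""
    with open(path, "rb") as f:
        return f.read(16) == b"SQLite format 3\x00"


def looks_hashed(value: str) -> bool:
    return any(p.match(value) for p in HASH_SHAPES)


def triage_sqlite(path: str) -> list[dict]:
    """For every credential-like column, count rows and how many of them hold plaintext."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY rowid")]
        for table in tables:
            for _, col, *_ in con.execute(f'PRAGMA table_info("{table}")'):
                if not SENSITIVE_NAME.search(col):
                    continue
                values = [str(r[0]) for r in con.execute(
                    f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL')]
                findings.append({"table": table, "column": col, "rows": len(values),
                                 "plaintext_rows": sum(1 for v in values if not looks_hashed(v))})
    finally:
        con.close()
    return findings


def triage_shared_prefs(xml_text: str) -> list[tuple[str, str]]:
    """SharedPreferences XML: <map><string name="k">v</string><boolean name="k" value="true"/></map>."""
    hits = []
    for el in ET.fromstring(xml_text):
        key = el.get("name", "")
        if SENSITIVE_NAME.search(key):
            value = el.get("value") if el.get("value") is not None else (el.text or "")
            hits.append((key, value))
    return hits


def build_samples(directory: str) -> tuple[str, str]:
    """Constructed sample files standing in for an app's sandbox; every value here is made up."""
    db_path = os.path.join(directory, "app.db")
    con = sqlite3.connect(db_path)
    with con:
        con.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT, session_token TEXT)")
        con.execute("CREATE TABLE settings (key TEXT, value TEXT)")
        con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
            (1, "alice@example.test", "hunter2", "tok_live_0123456789abcdef"),
            (2, "bob@example.test", hashlib.sha256(b"correct horse").hexdigest(), "tok_live_fedcba9876543210"),
        ])
        con.execute("INSERT INTO settings VALUES ('theme', 'dark')")
    con.close()
    prefs_path = os.path.join(directory, "com.example.app_preferences.xml")
    with open(prefs_path, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                '  <string name="auth_token">tok_live_0123456789abcdef</string>\n'
                '  <boolean name="remember_me" value="true" />\n'
                '  <string name="user_email">alice@example.test</string>\n</map>\n')
    return db_path, prefs_path


def run(directory: str = "") -> dict:
    """Build the samples (in a fresh temp dir unless one is given) and triage them."""
    directory = directory or tempfile.mkdtemp(prefix="triage-")
    db_path, prefs_path = build_samples(directory)
    with open(prefs_path, encoding="utf-8") as f:
        prefs = f.read()
    return {"db_plaintext": is_plaintext_sqlite(db_path),
            "db_findings": triage_sqlite(db_path),
            "prefs_findings": triage_shared_prefs(prefs)}


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

On a real extraction, point `triage_sqlite` and `triage_shared_prefs` at the files under the app's data directory; a `db_plaintext` of `True` for a database that holds tokens or passwords is a finding on its own, and plaintext rows in a credential column are a second, independent one. Session tokens are not normally hashed, so a plaintext token at rest is reported as a finding rather than treated as an exception.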
MOBILE APPLICATIONS ARE BUILT FOR MANY DIFFERENT PLATFORMS, EACH WITH ITS OWN UNIQUE SECURITY ISSUES
MOBILE APPLICATIONS & PLATFORM SECURITY ISSUES
Android (Java): Java has a long record of security holes and presents a large attack surface of its own. However, some classes of attack, such as buffer overflows, are far less feasible in managed Java code; they come back as soon as an app includes native code through the NDK/JNI, which is common for media, cryptography and anti-tamper libraries.
iOS (Objective-C, Swift): Objective-C inherits C's integer arithmetic, so an integer overflow wraps silently and can lead to an undersized allocation and a heap overflow. The same arithmetic in Swift traps with a run-time error, unless the wrapping operators (&+, &-, &*) are used deliberately. Other overflow and memory-safety issues remain possible in both languages, and in any Swift code that uses unsafe pointers, so they remain a concern.
PhoneGap (Apache Cordova): converging platforms into a single web-based framework brings its own issues; CVE Details lists several major PhoneGap vulnerabilities.
Xamarin: the Xamarin cross-platform framework supports standard transport encryption such as TLS, though reverse engineering remains feasible, since the .NET assemblies shipped inside the app can be decompiled.
WE CAN ASSESS, TEST AND REPORT ON IOS, ANDROID, WINDOWS AND MANY OTHER OPERATING SYSTEMS
• Lack of end-to-end transport encryption (SSL/TLS with proper certificate validation), which mitigates man-in-the-middle attacks.
• Storing data on SD cards (or other removable media) and transmitting data over the network without checksums, encryption, or hashing to protect its confidentiality and integrity.
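On Android the transport-encryption finding above is usually decided by the app's network security configuration. The script below is an added example, not the page's own tooling: the two configurations in it are constructed for this example, `WEAK_CONFIG` carrying the settings that produce the finding (cleartext permitted everywhere, user-installed CAs trusted, no pinning) and `HARDENED_CONFIG` the corrected form. The pin values in `HARDENED_CONFIG` are placeholders, not real SPKI hashes, and `audit_nsc` is a static check to be paired with a live interception test through a proxy.

```python
"""Audit of an Android network_security_config.xml for weak transport settings (added example)."""
import xml.etree.ElementTree as ET

WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.test</domain>
    </domain-config>
</network-security-config>
"""

HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.test</domain>
        <pin-set expiration="2026-12-31">
            <!-- placeholder pins: use the base64 SHA-256 of the real leaf/intermediate SPKI -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""


def _trusts_user_cas(cfg: ET.Element) -> bool:
    return any(c.get("src") == "user" for c in cfg.iter("certificates"))


def _domains(dc: ET.Element) -> str:
    return ", ".join(d.text.strip() for d in dc.findall("domain") if d.text) or "(none listed)"


def audit_nsc(xml_text: str) -> list[str]:
    """Return human-readable findings; an empty list means no weak setting was found."""
    root = ET.fromstring(xml_text)
    issues = []
    for cfg in root.iter("base-config"):
        # Only an explicit "true" is flagged. When the attribute is absent the platform default
        # applies (cleartext blocked from targetSdk 28, allowed below), so check targetSdk as well.
        if cfg.get("cleartextTrafficPermitted", "").lower() == "true":
            issues.append("base-config permits cleartext traffic for every domain")
        if _trusts_user_cas(cfg):
            issues.append("base-config trusts user-installed CAs, so an interception proxy's CA is accepted")
    for dc in root.iter("domain-config"):
        names = _domains(dc)
        if dc.get("cleartextTrafficPermitted", "").lower() == "true":
            issues.append(f"cleartext traffic permitted for {names}")
        if _trusts_user_cas(dc):
            issues.append(f"user-installed CAs trusted for {names}")
        if dc.find("pin-set") is None:
            issues.append(f"no certificate pinning for {names}")
        elif len(dc.findall("pin-set/pin")) < 2:
            issues.append(f"pin-set for {names} has no backup pin; key rotation will break the app")
    if root.find("debug-overrides") is not None:
        issues.append("debug-overrides present: confirm the release build is not debuggable")
    return issues


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_nsc(cfg) or ["no issues"])
```

The iOS counterpart is App Transport Security in Info.plist, where `NSAllowsArbitraryLoads` set to true is the equivalent weak setting. In both cases the configuration only governs the platform's own HTTP stack, so an app that bundles its own networking library still needs a live test.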
Security testing must also cover the back-end servers and systems that a mobile application depends on. Reverse engineering defense controls should be assessed to determine whether an attacker could uncover and manipulate existing vulnerabilities. Fuzzing should be applied to both the servers and the applications. Testing the encryption by attempting to sniff traffic and crack the captured ciphertext is also a valuable part of an assessment. Input validation and secure coding practices should always be used, and tested.
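The fuzzing recommendation above, as an added example that is not the page's own harness. The target is a constructed length-prefixed record format of the kind a back end might accept from a mobile app ([u16 record count][u16 length][length bytes]...). `parse_records` deliberately trusts the declared count and lengths, which is the defect a fuzzer should surface, and `parse_records_safe` is the bounds-checked form. Every exception other than the parser's own `ValueError` is reported as a crash; in a deployed service that is a 5xx response or a dead worker.

```python
"""Mutation fuzzing of a back-end record parser, vulnerable and hardened forms (added example)."""
import random
import struct


def encode_records(records: list[bytes]) -> bytes:
    out = struct.pack(">H", len(records))
    for r in records:
        out += struct.pack(">H", len(r)) + r
    return out


def parse_records(buf: bytes) -> list[bytes]:
    """Vulnerable: no bounds checks, so malformed input raises struct.error or returns junk."""
    (count,) = struct.unpack_from(">H", buf, 0)
    off, out = 2, []
    for _ in range(count):
        (length,) = struct.unpack_from(">H", buf, off)
        off += 2
        out.append(buf[off:off + length])
        off += length
    return out


def parse_records_safe(buf: bytes) -> list[bytes]:
    """Hardened: every read is checked and malformed input fails with one explicit error type."""
    if len(buf) < 2:
        raise ValueError("short header")
    (count,) = struct.unpack_from(">H", buf, 0)
    off, out = 2, []
    for _ in range(count):
        if off + 2 > len(buf):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from(">H", buf, off)
        off += 2
        if off + length > len(buf):
            raise ValueError("record length exceeds buffer")
        out.append(buf[off:off + length])
        off += length
    if off != len(buf):
        raise ValueError("trailing bytes")
    return out


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: byte flip, boundary value, truncation, or appended junk."""
    data = bytearray(data)
    op = rng.randrange(4)
    if op == 0:
        i = rng.randrange(len(data))
        data[i] ^= rng.randrange(1, 256)
    elif op == 1:
        i = rng.randrange(len(data))
        data[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2 and len(data) > 1:
        del data[rng.randrange(1, len(data)):]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1) -> list[tuple[bytes, str]]:
    """Return (input, error) for every case that escaped as anything other than ValueError."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue  # explicit validation failure is the intended behaviour
        except Exception as exc:  # anything else is a bug worth triaging
            crashes.append((case, f"{type(exc).__name__}: {exc}"))
    return crashes


# Constructed seed: a well-formed message with two records.
SEED = encode_records([b"hello", b"world"])

if __name__ == "__main__":
    for case, err in fuzz(parse_records, SEED, 200)[:5]:
        print(case.hex(), err)
    print("hardened parser crashes:", len(fuzz(parse_records_safe, SEED, 2000)))
```

Against a live back end the same mutator feeds cases over HTTP and the crash signal becomes a 5xx, a timeout, or a stack trace in the response body; the seed should be a real captured request so the mutations stay close to what the server expects to parse.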