Mobile Application Security Assessments | Mobile App Security Testing

SPECIALIZED SECURITY ASSESSMENTS AND TESTING FOR MOBILE APPLICATIONS

SMARTPHONES ARE PARTICULARLY VULNERABLE TO A MYRIAD OF SECURITY THREATS

Modern information security has not sufficiently dealt with threats to mobile platforms, whether it be Apple iOS, Google Android, or Microsoft devices.

Investopedia notes that the market has shifted rapidly, leaving consumers to catch up - a fate that also applies to mobile device engineers, security specialists, and application developers alike.

This coincides with the development of mobile applications that have not been fully tested for security flaws, largely because of the many different mobile devices and operating systems, each of which requires its own specific tools, tests, and skills for proper testing.

The Capgemini World Quality Report notes that, according to 2012 statistics, 18% of companies reported not having enough time to test mobile apps, 65% reported not having the applicable tools for testing, and 52% reported not having the devices available.

The level of security of a mobile operating system (OS) determines how secure its apps will be.

Since the OS is the software foundation of a mobile device, a single OS vulnerability can compromise a large number of apps, as with the Pegasus malware, which exploited an iOS flaw to actively extract iPhone data from multiple apps.

In addition, NowSecure notes that it is important to realize that the traditional network security model of malware threats does not always hold true in the mobile market.

As highlighted in their 2016 report, traditional network security models differ from mobile security models in a number of ways:

• Mobile devices typically do not give end-users root access.
• Mobile devices have a myriad of attack surfaces.
• Mobile devices have OS access controls that may limit the functionality of security apps.

Their assessment, which tested mobile devices using their Vulnerability Test Suite, also found that 82% of Android devices were vulnerable to at least one of 25 major OS flaws. As noted by CVE Details, in 2015 Android devices were shown to have 130 vulnerabilities, versus 375 for iOS.


OS vulnerabilities can also undermine the security of mobile apps in other ways:

• Offline attacks can be carried out by malicious people while the app, in disconnected mode, has no ability to warn the user.
• Reverse engineering apps back to their source code allows a previously closed-source app to be modified. If a person can bypass security measures, a modified app (acting as malware, a backdoor, etc.) can be released into the mobile platform ecosystem.
• Binary inspection, disassembling app packages, and other techniques allow a malicious person to view an application's assembly code and/or find hidden data in the code, as well as find exploitable vulnerabilities (e.g. weak encryption ciphers, probable attack vectors, backdoors, weak app architecture, vulnerable back-end/server-side web APIs, etc.) in order to compromise entire systems (e.g. SQL databases, web servers, and more). Zero-day exploits can also come to fruition using the techniques above.

MOBILE APPS OPERATE ON MANY NETWORKS

Many mobile security threats relate to how data is transmitted to and from mobile devices, and how strong the encryption is. Modern smartphones - such as Android and Apple phones - can operate on multiple bands of cellular frequencies, including 1G, 2G, 3G, 4G, etc. Older telecommunication protocols use the GSM digital protocol for call encryption between the handset and the local tower, relying on an outdated, compromised cryptosystem. More recent cellular protocols - such as 3G/4G/LTE - use newer standards that provide better security.

It is also important to note that phone calls can be intercepted via GSM interceptors and IMSI catchers, and radio scanners can sniff unencrypted/plaintext mobile traffic. The use of strong encryption can mitigate some of these issues.


In addition to cellular data transmission, Wi-Fi connections create a myriad of security problems when not managed correctly, such as:

• Many public Wi-Fi hotspots do not properly encrypt data, and many more make it easy for hackers to use packet sniffers to capture and view wireless plaintext data/packets.
• Most carriers configure and ship smartphones to connect automatically to the carrier's Wi-Fi hotspot network when in range. This allows a malicious person to mimic a Wi-Fi hotspot using an identical SSID, so that mobile devices connect automatically without authentication and without any warning to the end-user.

ASTONISHINGLY, AS STATED BY NOWSECURE, ROUGHLY 40% OF MOBILE USERS ROUTINELY CONNECT TO PUBLIC HOTSPOTS, WHICH ARE OFTEN UNENCRYPTED AND NOT SECURE!


MOBILE APPS ARE TRANSPORTABLE AND CAN BE LOST; THEY MUST REMAIN SECURE EVEN WHEN THE DEVICE IS GONE

Mobile devices face another unique challenge: they can be lost, stolen, or accessed by unauthorized people during transport. End-users should use passcodes, strong passwords, PINs, screen locks, multi-factor authentication, strong encryption, etc. to fully protect their devices.

App developers also have a large responsibility to apply layered security through secure coding of their apps, to mitigate security threats that could arise from insecure settings of the native OS.

The following security threats present very real concerns with the use of transportable, mobile devices:

• Settings of the OS may jeopardize the security posture of the apps.
• Data stored on the mobile device is often not encrypted or otherwise secured, and it is often kept in a mobile filesystem location that is easy to compromise (e.g. SQLite databases, SD cards, XML files, etc.).
• The use of computer forensics and/or file system inspection could allow a malicious person to identify sensitive files.
• Leakage of corporate/personal data into the hands of malicious people is a constant threat given the nature of mobile devices, alongside the very significant problem of leaky apps transmitting data insecurely.
• Different types of caches and stored app files present a security issue if a device is lost or stolen, since these data files can be identified and viewed by malicious people, viz. URL caches, log caches (due to insecure logging), clipboard caches, application screenshots, etc.
• Third-party keyboard apps on mobile devices can capture and leak keystrokes, which can be a significant security issue.

MOBILE APPLICATIONS ARE BUILT FOR MANY DIFFERENT PLATFORMS, EACH WITH THEIR OWN UNIQUE SECURITY ISSUES

Different mobile platforms are built on different frameworks, which present different security concerns that must be understood by developers:

ANDROID (JAVA): According to security research, Java is known for providing major attack surfaces and for presenting major security holes in software. However, certain attack vectors (e.g. buffer overflow) are not as feasible on a Java-based system.
IOS (OBJECTIVE-C, SWIFT): Objective-C allows integer overflow, which can result in a heap overflow; in Swift the same overflow results in a run-time error. Other types of overflow are possible in both languages, presenting a security concern.
PHONEGAP: With the convergence of platforms into a single framework, certain security issues have arisen. CVE Details lists some major PhoneGap security vulnerabilities.
XAMARIN: The Xamarin cross-platform development framework allows the use of different encryption systems such as TLS, though reverse engineering attacks are still possible.
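As an added illustration of the Objective-C versus Swift point above (example code written for this page, not code from the page's author or from any vendor), the C program below computes a buffer size from a record count read from untrusted input, first the way unchecked C / Objective-C arithmetic does it, then with an explicit range check that plays the role Swift's trapping arithmetic plays, returning an error to the caller instead of crashing. The `record_t` type, its 64-byte size and the hostile count 67108865 are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical record type; the layout is illustrative only. */
typedef struct {
    char name[60];
    uint32_t id;
} record_t;            /* 64 bytes on common ABIs */

/* Unchecked calculation in the C / Objective-C style: the multiplication is
   done in 32-bit unsigned arithmetic and silently wraps around. */
uint32_t unchecked_buffer_size(uint32_t count)
{
    return count * (uint32_t)sizeof(record_t);
}

/* Checked calculation: refuse any count whose byte size does not fit in
   32 bits. This is the check that Swift performs implicitly (and traps on);
   here the caller gets a false return instead of a run-time abort. */
bool checked_buffer_size(uint32_t count, uint32_t *out_bytes)
{
    if (count > UINT32_MAX / (uint32_t)sizeof(record_t)) {
        return false;          /* count * sizeof(record_t) would wrap */
    }
    *out_bytes = count * (uint32_t)sizeof(record_t);
    return true;
}

/* Allocate room for `count` records announced by untrusted input (a file
   header, a network message). Returns NULL on overflow, on count == 0, or
   when malloc fails, so the caller can never end up with a too-small buffer. */
record_t *alloc_records_checked(uint32_t count)
{
    uint32_t bytes;
    if (count == 0 || !checked_buffer_size(count, &bytes)) {
        return NULL;
    }
    return (record_t *)malloc(bytes);
}

int main(void)
{
    /* Constructed hostile count: 67108865 * 64 == 2^32 + 64, which wraps to 64. */
    uint32_t hostile = 67108865u;
    uint32_t bytes;

    printf("unchecked size for %u records: %u bytes\n",
           hostile, unchecked_buffer_size(hostile));
    if (!checked_buffer_size(hostile, &bytes)) {
        printf("checked size for %u records: rejected (overflow)\n", hostile);
    }
    record_t *ok = alloc_records_checked(1000u);
    printf("1000 records: %s\n", ok ? "allocated" : "failed");
    free(ok);
    return 0;
}
```

With the unchecked version, 67108865 records produce a 64-byte buffer, so a loop that then copies the announced number of records writes far beyond the allocation; that is the heap overflow the list item describes. The checked version rejects the count before anything is allocated. Any C99 compiler builds it, e.g. `cc -std=c99 overflow_check.c`.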

WE CAN ASSESS, TEST AND REPORT ON IOS, ANDROID, WINDOWS AND MANY OTHER OPERATING SYSTEMS

It is important for an application to be reviewed efficiently to ensure that it meets strict security standards. This can be done through code reviews, static analysis, dynamic analysis, etc.

How data is stored and transmitted over a network can lead to data theft due to a myriad of issues, such as:

• Lack of encryption such as end-to-end SSL/TLS, which helps mitigate man-in-the-middle attacks.
• Storing data on SD cards (or other media) and transmitting data over the network without the use of checksums, encryption, hashing, etc.
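As an added example for the storage item above (and the unencrypted SQLite / SD card item in the earlier list), written for this page and not the vendor's code, the C functions below append a CRC-32 tag to a record before it is written to an SD card or app sandbox file and refuse to use the record if the tag no longer matches when it is read back. The record contents and the corrupted byte are constructed. A CRC only catches accidental corruption or crude edits: anyone who can rewrite the file can recompute it, so data an attacker could alter needs a keyed MAC (e.g. HMAC-SHA-256) with the key held outside the file, such as in the platform keystore, and sensitive fields should be encrypted as well.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 4   /* bytes appended to each stored record */

/* CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), bitwise form. */
uint32_t crc32_bytes(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int k = 0; k < 8; k++) {
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
        }
    }
    return ~crc;
}

/* Write payload || CRC32(payload) (tag little-endian) into out. Returns the
   number of bytes written, or 0 if out cannot hold payload plus tag. */
size_t seal_record(const uint8_t *payload, size_t len, uint8_t *out, size_t out_cap)
{
    if (out_cap < len + TAG_LEN) return 0;
    memcpy(out, payload, len);
    uint32_t crc = crc32_bytes(payload, len);
    out[len + 0] = (uint8_t)(crc & 0xFFu);
    out[len + 1] = (uint8_t)((crc >> 8) & 0xFFu);
    out[len + 2] = (uint8_t)((crc >> 16) & 0xFFu);
    out[len + 3] = (uint8_t)((crc >> 24) & 0xFFu);
    return len + TAG_LEN;
}

/* Validate a blob read from storage before using it. On success *payload_len
   receives the payload length; the payload itself is blob[0 .. *payload_len). */
bool open_record(const uint8_t *blob, size_t blob_len, size_t *payload_len)
{
    if (blob_len < TAG_LEN) return false;           /* truncated file */
    size_t len = blob_len - TAG_LEN;
    uint32_t stored = (uint32_t)blob[len]
                    | (uint32_t)blob[len + 1] << 8
                    | (uint32_t)blob[len + 2] << 16
                    | (uint32_t)blob[len + 3] << 24;
    if (crc32_bytes(blob, len) != stored) return false;  /* tag mismatch */
    *payload_len = len;
    return true;
}

int main(void)
{
    /* Constructed sample settings record; a real app would write blob to a file. */
    const char *payload = "theme=dark;sync=on";
    uint8_t blob[64];
    size_t plen;
    size_t n = seal_record((const uint8_t *)payload, strlen(payload), blob, sizeof blob);

    printf("sealed %zu bytes, verify: %s\n", n, open_record(blob, n, &plen) ? "ok" : "FAIL");
    blob[6] ^= 0x01;   /* simulate one corrupted byte on disk */
    printf("after corruption, verify: %s\n", open_record(blob, n, &plen) ? "ok" : "FAIL");
    return 0;
}
```

The same seal/open pair works for any byte string, so a serialized SQLite row or XML fragment can be wrapped before it is written to external storage. Swapping `crc32_bytes` for an HMAC keyed from the platform keystore turns the corruption check into a tamper check.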

It is important that security tests also cover the back-end servers and systems associated with mobile applications. Reverse-engineering defence controls should be tested as well, to determine whether malicious people could uncover and manipulate any existing vulnerabilities.

Fuzzing should be used to test the servers and applications. Testing encryption by attempting to sniff and crack traffic/ciphertext is also a valuable part of an assessment. Input validation and secure coding practices should always be used and tested.

Static Source Code Analysis for a mobile app checks the raw code for security vulnerabilities.

Penetration Testing for a mobile app attempts to discover ways a potential attacker might get in.

Hybrid Testing is a combination of static source code analysis and penetration testing.

Not sure which testing system your mobile application needs?