HYBRID SECURITY ANALYSIS
USING HYBRID ANALYSIS METHODOLOGIES FOR MOBILE APPLICATIONS PROVIDES GREATER PROTECTION
SURVEYS - SUCH AS A STUDY BY TECH GIANT ERICSSON - ESTIMATE THAT BY 2021 THERE WILL BE A TOTAL OF 9 BILLION MOBILE DEVICES IN USE WORLDWIDE, ECLIPSING THE CURRENT NUMBER OF PEOPLE ON THE PLANET
Companies must bear the responsibility of ensuring mobile application security. Part of that responsibility lies in obtaining an accurate and complete view of the security posture of their mobile applications. This is done by applying thorough security assessment techniques to confirm that security controls are in place and operating correctly. Complete information security requires security engineers to perform both dynamic and static assessments of an application: automated scanning and penetration testing of the running application, together with manual and automated source code reviews. This combined effort is what we call a hybrid security analysis - one that combines dynamic and static tests and uses the most effective techniques from each - to present a complete picture of the security posture.
SIMULTANEOUSLY PEN TESTING AND
CHECKING YOUR MOBILE APPLICATION'S SOURCE CODE
USING THIS METHODOLOGY UNCOVERS A GREATER ATTACK SURFACE, AND CAN REDUCE POTENTIAL ATTACK VECTORS
Certain vulnerabilities can be found using a mobile penetration test that would not be found using a static code review, and vice versa. Backdoors, weaknesses in code that can be bypassed, weak encryption ciphers, etc. can often be found using a code review, while insecure APIs, SQL Injection (SQLi), Parameter Injection, Cross-Site Scripting (XSS), etc. can be uncovered using a combination of static and dynamic testing techniques at run-time. Uncovering a vulnerability through penetration testing, for instance, allows the engineer to trace the underlying flaw back to its source by turning to the code review, and a flaw spotted in code review can likewise be confirmed at run-time. Dynamic penetration tests and static code reviews therefore act as two halves of a complete testing paradigm that security engineers should apply to every application. In addition, a hybrid analysis gives a unified security overview across the diverse array of mobile environments, frameworks, operating systems, network systems and hardware types, despite the differences between those mobile systems.
Certain mobile application vulnerabilities are easily uncovered using the dynamic security assessment technique discussed above, others are more easily found using static analysis, and still others are most easily found using a combination of the two. Hence, all of the attack surfaces of your application are gauged by a dual-method approach that uncovers vulnerabilities that neither method would sufficiently uncover alone. Dynamic penetration testing simulates a real-world attack by probing the application from the outside, where the points of attack are the "attack surfaces" and the methods of attack are the attack vectors. This type of test assumes zero knowledge of the inner workings of the application and is thus a black-box test. It deals with the behaviour of the code at run-time, and thus is a dynamic test. Since it actively attempts to exploit vulnerabilities, it is considered an active test, in contrast with passive vulnerability scans.
When approaching an application from the inner workings of the software, knowledge of its engineering is assumed and the test consists of reviewing the code. Since this deals with the code itself (static) as opposed to its behaviour at run-time, the test involves using automated tools and manually analyzing the code to uncover security holes that an attacker could exploit. When security engineers combine dynamic testing with static testing techniques - resulting in a hybrid application review - a complete overview of a mobile application's security posture is realized and the entire application attack surface is fully gauged.