10 Critical Activities to Test Security of Mobile Applications

3G- and 4G-enabled smartphones are increasingly used to access the Internet, to perform financial, business and social transactions, and to consume media. However, the safety of the data handled by the apps distributed through mobile application stores is a major security concern.

To add to this, Gartner predicts that almost 25% of organizations will launch their own apps by 2017.

While this will make creating new apps much more efficient, it may also become a feast for hackers, as they will have more to break into. Only a full-fledged security-testing environment will save the apps (and the companies behind them) from leaking large amounts of personal data from mobile devices.

In short – security of the apps will be vitally business-critical.

So, what can be done about this? What really is needed?

An app testing strategy that not only analyses the security risks of running an app on a smartphone, but also helps eliminate them.

When a man-in-the-middle (MITM) attacker intercepts an app that communicates sensitive information and manipulates that traffic for their own benefit, proper SSL certificate validation* can mitigate the risk. However, this is easier said than done, as billions of app users connect over risky, untrusted networks, making them easy prey for MITM attacks.

All mobile apps fall in one of the following three main categories:

  • Native apps – These are written to run only on a specific platform and its supported devices. For example, an iOS app runs only on an iPhone.
  • Web applications – These are built using standards like HTML5 and can be accessed by any mobile device.
  • Hybrid applications – These apps usually have a layer of native application around a Web-based user interface and provide the best of both worlds.

Gartner analysts suggest that more than 50% of deployed apps will be hybrid by 2016 – for all the obvious reasons.

Mobile Security Testing Process – An Overview

Like everything else, providing security testing for apps needs a method to overcome the madness. Here are three basic steps suggested by experts in the field that must be performed to achieve the desired objective:

  1. Intelligence Gathering (gather as much as possible information about the app)
  2. Threat Modeling (identify threats for the app – specific or prepared)
  3. Vulnerability Analysis (identify vulnerabilities in the app using the test cases created in the previous step, by means of dynamic methods (passive network monitoring and analysis), runtime analysis (analysing communication between internal components: Android Intents, iOS objc_msgSend calls) and forensic methods (timeline analysis))

Reference: Security Testing Guidelines for Mobile Apps by Florian Stahl & Johannes Ströher

10 critical activities to be performed to make apps secure

At a broad level, we need to test the following to ensure mobile app security: Data leakage, flow, and storage capabilities, encryption, authentication, server-side controls, and points of entry.

Ten specific activities to be performed while testing the Security of Mobile Applications are:

  1. Automated security testing of mobile applications for multiple mobile devices across multiple platforms over diverse networks
  2. Use of a cloud-based mobile Testing Lab that enables uploading locations or the actual apps themselves for testing
  3. Performance of a huge variety of automated security tests to identify embedded spyware, viruses, Trojans, data privacy and data leakage issues, unsolicited network connections, etc.
  4. Dynamic analyses and testing of apps in labs providing the required environment to verify security issues such as insecure file system, insecure data transmission, unsafe data storage, privilege access violations, etc.
  5. Analyses of results for each mobile application.
  6. Assessment of automated code that helps IT teams secure mobile apps in agile-based environments.
  7. Inspection of all features of the apps in real-time in controlled environments, and comparison of the results against a plethora of known applications.
  8. Assessment of the apps using binary static analysis, which exposes malicious capabilities and vulnerabilities such as information leakage.
  9. Assessment of whether or not an app has been built according to the peculiar demands of compliance in your industry, as it is vital to follow the right standards for regulations and mandates.
  10. Last – but definitely very important – keep checking and testing for the new security threats that surface every so often.

Conclusion

To cover all the bases and ensure that effective testing is performed, a third-party organization with the right expertise can prove to be your best bet. At Gallop, security testing forms a critical part of our mobile test strategy. Our security testing is thorough and makes use of reusable test scenarios so that your app is secure and your customers happy. Our tool-agnostic test automation frameworks ensure accelerated testing so that you get higher productivity and an enviable time to market.

* A study conducted in late 2012 established that almost 17% of the tested Android apps do not fully validate SSL certificates.

The opinions expressed in this blog are author's and don't necessarily represent Gallop's positions, strategies or opinions.

5 Ways to Build Mobile Apps that Users can Trust

Mobile apps have seen a steady rise in popularity with overall app usage up by 76% in 2014. The category of apps most popular among users are shopping apps and utility apps, both of which handle sensitive user data.

An increase in app usage increases the risk of malicious attacks. A mobile app security report found that 97 of the top 100 paid Android apps and 87 of the top 100 paid iOS apps had been hacked. Among free apps, 80% of popular Android apps and 75% of popular iOS apps had been hacked.

An app that is easily subject to attacks cannot be expected to be popular among users! Here are a few ways you can ensure security for your app:

  1. Exercise caution while using borrowed code

In a rush to meet the demands of an intensely competitive app market, app creators want to ship in the shortest time possible. For this reason, many take existing free code from the web and customize it to avoid the hassle of building from scratch. There is nothing wrong with doing so, but you need to make sure no malicious code has been planted in the code base you adopt. Preferably, use code only from third-party sources you can trust, which reduces the risk of malicious components. Do a full review of the code before use. The same applies to any third-party components your app loads at run time.

  2. Plan for security

Design your app to be as secure as possible. Critical information such as login credentials, credit card details, passwords and personal data should not reside directly on the device, and if it must, it should be stored securely. Modern encryption algorithms can serve to protect such data.

Physically protecting the app by making it password protected, setting session time-outs and periodically erasing cached data also helps protect data stored on the device. Session time-outs and passwords may be inconvenient to users and may reduce the app's popularity, but they are very useful in protecting user information when the phone is lost or stolen.

  3. Secure communications to server

Most apps, such as ecommerce, banking and other utility apps, link back to a server. Users may employ a variety of internet connections, secure and insecure, to use your app. Ensure that communication between the app and the server is always secure and that transmitted data is not vulnerable to interception. Use encryption and properly validated SSL certificates to ensure data cannot be intercepted in transit.
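The certificate-validation point made here, and the one made in the first article (where the footnote notes that 17% of tested Android apps did not fully validate SSL certificates), comes down to a handful of client settings. The following Python example is added for illustration and is not Gallop's code or code from either post: it shows the weak client configuration that accepts any certificate beside the hardened one a security test should expect to find, a check function of the kind an automated test can run against a TLS context, and, going one step beyond the text, public-key pinning against a SubjectPublicKeyInfo hash in the format used by Android's network security configuration. `SAMPLE_SPKI` is constructed bytes rather than a real key; on a real device the SPKI bytes would come from the platform's certificate API.

```python
import base64
import hashlib
import hmac
import ssl
from typing import Iterable, Optional


def make_insecure_client_context() -> ssl.SSLContext:
    """The weak setting: certificate and hostname checks switched off.

    This is what gets pasted in to silence certificate errors against a test
    server, and it is exactly what lets someone on an untrusted network present
    their own certificate. Shown only for comparison with the hardened version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted, self-signed included
    return ctx


def make_hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """The corrected setting: chain validation, hostname match, TLS 1.2 minimum.

    ca_bundle is an optional PEM file (for example a private CA you control);
    with None the platform trust store is used.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """The check a security test should apply: all three settings must hold."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


# Constructed stand-in for a SubjectPublicKeyInfo DER blob; not a real key.
SAMPLE_SPKI = b"constructed SubjectPublicKeyInfo bytes, not a real key"


def spki_pin(spki_der: bytes) -> str:
    """Pin value = base64(SHA-256(SubjectPublicKeyInfo DER)).

    This is the format used by HPKP and by the <pin digest="SHA-256"> element
    of Android's network_security_config.xml.
    """
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(spki_der: bytes, expected_pins: Iterable[str]) -> bool:
    """True if the presented key matches any configured pin.

    Comparison is constant-time; ship at least one backup pin so a planned key
    rotation does not lock every user out of the app.
    """
    actual = spki_pin(spki_der)
    return any(hmac.compare_digest(actual, pin) for pin in expected_pins)


if __name__ == "__main__":
    print("insecure context hardened?", context_is_hardened(make_insecure_client_context()))
    print("hardened context hardened?", context_is_hardened(make_hardened_client_context()))
    print("pin for sample key:", spki_pin(SAMPLE_SPKI))
```

Pinning is a deliberate trade-off: it defeats an attacker who holds a certificate from any trusted CA, but a pin that is not rotated in time turns a routine key change into an outage, which is why `pin_matches` accepts a set of pins rather than a single value.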

  4. Adequate security testing

While app developers spend a lot of time on functional testing, security testing is often ignored or saved for last, where it gets cut short for lack of time. Subject every aspect of your app to adequate security testing to discover hidden vulnerabilities and fix them before release. Limit access to crash and debug logs, as these can expose crucial information to hackers.

  5. Release regular patches

Your responsibility towards keeping your app secure does not end with the release of the app. As hackers use new ways to launch attacks, you need to release periodic security updates to ensure your app does not have any security loopholes.

Insecure mobile apps can mean loss of trust, revenue loss, and brand damage. High risk apps that collect user information or use remote servers to handle data are more susceptible to attacks and hence more attention should be given to making these apps secure.

Mobile security testing from Gallop Solutions

At Gallop, security testing forms a critical part of our mobile test strategy. Our security testing is thorough and makes use of reusable test scenarios so that your app is secure and your customers happy. Our tool-agnostic test automation frameworks ensure accelerated testing so that you get higher productivity and an enviable time to market. View the on-demand version of our joint webinar on Mobile Testing with Xamarin today.

The opinions expressed in this blog are author's and don't necessarily represent Gallop's positions, strategies or opinions.