Smartphones on 3G and 4G networks are increasingly used to access the Internet, to carry out financial, business and social transactions, and to consume media. However, the safety of the data handled by the apps distributed through mobile application stores poses a serious security problem.
To add to this, Gartner predicts that almost 25% of organizations will launch their own apps by 2017.
While this will make creating new apps much more efficient, it will also give attackers far more to break into. Only an environment with full-fledged security testing will keep those apps (and the companies behind them) from leaking large amounts of personal data from users' phones.
In short, the security of these apps is business-critical.
So, what can be done about this? What really is needed?
An app testing strategy that not only analyses the security risks of using an app on a smartphone, but also helps to eliminate them.
When a man-in-the-middle (MITM) attacker intercepts an app's communication of sensitive information and manipulates it for their own benefit, proper SSL certificate validation* mitigates the risk: the app refuses to talk to any server that cannot present a certificate chaining to a trusted authority for the expected hostname. This is easier said than done, since billions of app users are on risky, untrusted networks, where an app that skips that validation makes them easy prey for MITM attackers.
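The two sides of that point, as an added example that is not code from the original article or from Gallop: the "trust everything" TLS client pattern that lets a man-in-the-middle succeed, next to the hardened form, plus an optional certificate-pin check. Python's ssl module stands in for the Android and iOS networking APIs; the placeholder DER bytes used in the pin check are constructed and are not a real certificate.

```python
# Added example, not code from the original article: the "trust-all" TLS
# client pattern that lets a man-in-the-middle succeed, next to the hardened
# form, plus an optional certificate-pin check. Python's ssl module stands in
# for the Android/iOS networking APIs.
import hashlib
import socket
import ssl
from typing import Optional, Set


def make_client_context(insecure: bool = False) -> ssl.SSLContext:
    """Build a client-side TLS context.

    insecure=True reproduces the vulnerable pattern (the equivalent of an
    Android X509TrustManager whose checkServerTrusted() body is empty, or a
    HostnameVerifier that always returns true): the server certificate is
    never checked, so anyone on the network path can impersonate the server.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if insecure:
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_context_secure(ctx: ssl.SSLContext) -> bool:
    """True only if the chain is verified against trusted CAs AND the hostname is checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def sha256_pin(der_cert: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, allowed_pins: Set[str]) -> bool:
    """Certificate pinning: accept only certificates on an allowlist of fingerprints.

    Pinning also defends against a MITM who holds a certificate for the real
    hostname issued by a trusted CA (or by a CA the user was tricked into
    installing), which ordinary chain validation would accept.
    """
    return sha256_pin(der_cert) in allowed_pins


def connect_and_verify(host: str, port: int = 443,
                       allowed_pins: Optional[Set[str]] = None) -> bytes:
    """Open a TLS connection with chain + hostname validation and an optional pin check.

    Returns the DER certificate the server presented. Needs network access, so
    it is not exercised offline; host and pins are caller-supplied.
    """
    ctx = make_client_context(insecure=False)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if allowed_pins is not None and not pin_matches(der, allowed_pins):
                raise ssl.SSLCertVerificationError(
                    f"certificate pin mismatch for {host}: {sha256_pin(der)}")
            return der
```

In a real app the fingerprint allowlist would be compiled in (and rotated ahead of certificate renewal); an attacker on an untrusted network can only defeat the hardened client by obtaining the server's private key or a certificate whose fingerprint is on that list.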
All mobile apps fall into one of the following three main categories:
- Native apps – These are written to run only on a specific platform and its supported devices. For example, an iOS app runs only on Apple devices such as the iPhone.
- Web applications – These are built with standards such as HTML5 and can be accessed from any mobile device with a browser.
- Hybrid applications – These wrap a Web-based user interface in a layer of native application code and aim to offer the best of both worlds.
Gartner analysts suggest that more than 50% of deployed apps will be hybrid by 2016 – for all the obvious reasons.
Mobile Security Testing Process – An Overview
Like everything else, security testing for apps needs a method to bring order to the madness. Here are three basic steps, suggested by experts in the field, that must be performed to achieve that objective:
- Intelligence Gathering (gather as much information as possible about the app)
- Threat Modeling (identify the threats to the app, whether specific to it or taken from a prepared catalogue)
- Vulnerability Analysis (identify vulnerabilities in the app using the test cases created in the previous steps, through dynamic methods such as passive network monitoring and analysis, runtime analysis of the communication between internal components (Android: Intents; iOS: objc_msgSend calls), and forensic methods such as timeline analysis)
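The intelligence-gathering and internal-component analysis steps applied to Android Intents, as an added example that is not code from the original article or from Gallop: it parses an AndroidManifest.xml and reports every component another app on the device can reach with an Intent because it is exported without any permission requirement. The manifest, package and class names below are constructed for the example; the exported-by-default rules encoded in the code are Android's documented behaviour (intent-filters imply export before API 31, providers are exported by default only when targeting API < 17).

```python
# Added example, not code from the original article: flag Android components
# reachable from other apps via Intents. The manifest below is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application>
    <!-- explicitly exported, no permission: any app can start it -->
    <activity android:name=".TransferActivity" android:exported="true"/>
    <!-- intent-filter and no android:exported: implicitly exported before API 31 -->
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.bank.SYNC"/></intent-filter>
    </service>
    <!-- exported but gated by a custom permission: not flagged -->
    <receiver android:name=".PushReceiver" android:exported="true"
              android:permission="com.example.bank.permission.PUSH"/>
    <!-- private component -->
    <activity android:name=".MainActivity" android:exported="false"/>
    <!-- provider without android:exported: exported by default only when targetSdk < 17 -->
    <provider android:name=".AccountsProvider"
              android:authorities="com.example.bank.accounts"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_exposed_components(manifest_xml: str, target_sdk: int):
    """Return (tag, name, reason) for every component other apps can reach with an Intent.

    A component is reported when it is exported (explicitly, or by platform
    default for the given targetSdkVersion) and carries no android:permission.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENT_TAGS:
            continue
        name = attr(elem, "name")
        exported = attr(elem, "exported")
        permission = attr(elem, "permission")
        has_filter = elem.find("intent-filter") is not None
        reason = ""
        if exported == "true":
            is_exported = True
            reason = 'android:exported="true"'
        elif exported == "false":
            is_exported = False
        elif elem.tag == "provider":
            # Content providers default to exported only when targetSdkVersion < 17.
            is_exported = target_sdk < 17
            reason = "provider with no android:exported (targetSdk < 17)"
        else:
            # Before API 31 an intent-filter makes the component exported by default.
            is_exported = has_filter and target_sdk < 31
            reason = "intent-filter with no android:exported (targetSdk < 31)"
        if is_exported and not permission:
            findings.append((elem.tag, name, reason))
    return findings


if __name__ == "__main__":
    for tag, name, reason in find_exposed_components(SAMPLE_MANIFEST, target_sdk=30):
        print(f"{tag} {name}: {reason}")
```

Each flagged component becomes a test case for the vulnerability-analysis step: send it crafted Intents from a second, unprivileged app and observe what it does with the extras.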
10 critical activities to be performed to make apps secure
At a broad level, we need to test the following to ensure mobile app security: data leakage, data flow and storage, encryption, authentication, server-side controls, and points of entry.
Ten specific activities to be performed while testing the Security of Mobile Applications are:
- Automated security testing of mobile applications for multiple mobile devices across multiple platforms over diverse networks
- Use of a cloud-based mobile Testing Lab that enables uploading locations or the actual apps themselves for testing
- Performance of a wide variety of automated security tests to identify embedded spyware, viruses, Trojans, data privacy and data leakage problems, unsolicited network connections, etc.
- Dynamic analyses and testing of apps in labs providing the required environment to verify security issues such as insecure file system, insecure data transmission, unsafe data storage, privilege access violations, etc.
- Analyses of results for each mobile application.
- Automated code assessment that helps IT teams secure mobile apps in agile environments.
- Inspection of all features of the apps in real-time in controlled environments, and comparison of the results against a plethora of known applications.
- Assessment of the apps using binary static analysis, which exposes malicious capabilities and vulnerabilities such as information leakage.
- Assessment of whether or not an app has been built to the particular compliance demands of your industry, as it is vital to follow the right standards for regulations and mandates.
- Last – but definitely very important – keep checking and testing for the new security threats that surface every so often.
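One concrete check behind the "insecure file system" and "unsafe data storage" items in the list, as an added example that is not code from the original article or from Gallop: a scan of an app's private data directory, of the kind a dynamic-analysis lab would run after pulling the directory from a rooted test device, that flags files other apps can read or modify and files holding plaintext credentials. The directory, file names and secret values are constructed here in a temporary folder; the regular expressions are simple heuristics, not a complete secret detector.

```python
# Added example, not code from the original article: a check for the
# "unsafe data storage" and "insecure file system" issues named in the list.
# The directory, file names and secret values below are constructed.
import os
import re
import stat
import tempfile

# Heuristic patterns for credentials stored in plaintext (constructed, not exhaustive).
SECRET_PATTERNS = {
    "password": re.compile(r"(?im)^password\s*[=:]\s*\S+"),
    "access_token": re.compile(r"(?im)^(auth|access)_?token\s*[=:]\s*[A-Za-z0-9._-]{16,}"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def scan_data_dir(root: str):
    """Walk an app data directory; return sorted (relative_path, issue) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # On Android, MODE_WORLD_READABLE/WRITEABLE (or an explicit chmod)
            # lets every other app on the device read or tamper with the file.
            if mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    findings.append((rel, f"plaintext {label}"))
    return sorted(findings)


def _write(path: str, content: str, mode: int) -> None:
    """Create a file with the given content and permission bits."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)


def build_sample_data_dir() -> str:
    """Create a constructed app data directory with two unsafe files and one safe one."""
    root = tempfile.mkdtemp(prefix="appdata-")
    # Unsafe: credentials in a plaintext properties file that is world-readable.
    _write(os.path.join(root, "shared_prefs", "config.properties"),
           "username=alice\npassword=hunter2\naccess_token=AbCdEfGhIjKlMnOpQrStUv\n", 0o644)
    # Unsafe: world-writable cache file holding a card number.
    _write(os.path.join(root, "cache", "last.txt"),
           "last_card=4111 1111 1111 1111\n", 0o666)
    # Safe: owner-only permissions and no plaintext secrets.
    _write(os.path.join(root, "databases", "session.db"),
           "SQLite format placeholder, no secrets here\n", 0o600)
    return root


if __name__ == "__main__":
    for rel_path, issue in scan_data_dir(build_sample_data_dir()):
        print(f"{rel_path}: {issue}")
```

The same scan is worth repeating after the app has been used for a while on the test device, since caches, logs and crash reports written at runtime are where sensitive data most often ends up.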
To cover all the bases and ensure that effective testing is performed, a third-party organization with the right expertise can prove to be your best bet. At Gallop, security testing forms a critical part of our mobile test strategy. Our security testing is thorough and makes use of reusable test scenarios so that your app is secure and your customers happy. Our tool agnostic test automation frameworks ensure accelerated testing so that you get higher productivity and an enviable time to market.
* A study conducted in late 2012 established that almost 17% of the tested Android apps do not fully validate SSL certificates.