
10 Critical Activities to Test Security of Mobile Applications

3G and 4G network enabled smartphones are today used more and more for accessing
the Internet, for performing financial, business, and social transactions, and for
media consumption. However, the safety of the data handled by the end user through
apps distributed via mobile application stores poses a big security issue. To add to
this, Gartner predicts that almost 25% of organizations will launch their own apps by
2017.
While this will make creating new apps much more efficient, it may also become a
feast for hackers, as they will have more to hack into. Only a full-fledged security
testing environment will save the apps (and the companies) from otherwise leaking a
big load of personal data from the mobiles.
In short, security of the apps will be vitally business-critical.
So, what can be done about this? What really is needed?
An app testing strategy that will not only analyse the security risks involved in using
an app on smartphones but also help eliminate them.

http://gallop.net/

When men-in-the-middle (MITM) attack apps that communicate sensitive information and
manipulate it for their own benefit, secure SSL certificate validation* can mitigate the
risk. However, this is easier said than done, as billions of app users use risky,
untrusted networks, making them easy prey for MITM attackers.
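As an added example (not from the original article), the weak TLS client configuration that accepts any certificate is shown beside a hardened one, together with a small audit function of the kind a security tester would run against an app's TLS settings; the ca_bundle parameter is an assumption, not something the article describes.

```python
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The weak pattern: chain and hostname validation switched off.

    A context like this accepts any certificate, including one presented by a
    man-in-the-middle on an untrusted network.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, validated or not
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """A client context that validates the certificate chain and the hostname.

    ca_bundle (assumed parameter) lets an app trust only its own CA instead of
    every root in the device store; None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # refuse legacy protocol versions
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a security test would raise for a TLS client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```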
All mobile apps fall into one of the following three main categories:

Native apps: These are written to run only on a specific platform and its supported
devices. For example, an iOS app runs only on an iPhone.
Web applications: These are built using standards like HTML5 and can be accessed by
any mobile device.
Hybrid applications: These apps usually have a layer of native application around a
Web-based user interface and provide the best of both worlds.

Gartner analysts suggest that more than 50% of deployed apps will be hybrid by 2016
for all the obvious reasons.
Mobile Security Testing Process: An Overview
Like everything else, providing security testing for apps needs a method to overcome
the madness. Here are three basic steps suggested by experts in the field that must be
performed to achieve the desired objective:
1. Intelligence Gathering (gather as much information as possible about the app)
2. Threat Modeling (identify threats to the app, either app-specific or from a prepared
list)
3. Vulnerability Analysis (identify vulnerabilities in the app using the previously
created test cases, through dynamic methods (passive network monitoring and analysis),
runtime analysis (analyzing the communication between internal components; Android:
Intents, iOS: objc_msgSend calls), and forensic methods (timeline analysis))
Reference: Security Testing Guidelines for Mobile Apps by Florian Stahl & Johannes
Ströher
10 critical activities to be performed to make apps secure
At a broad level, we need to test the following to ensure mobile app security: data
leakage, flow, and storage capabilities; encryption; authentication; server-side
controls; and points of entry.
Ten specific activities to be performed while testing the security of mobile
applications are:


1. Automated security testing of mobile applications for multiple mobile devices
across multiple platforms over diverse networks
2. Use of a cloud-based mobile testing lab that enables uploading locations or the
actual apps themselves for testing
3. Performance of a huge variety of automated security tests for identifying
embedded spyware, viruses, Trojans, data privacy issues, data leakage, unsolicited
network connections, etc.
4. Dynamic analysis and testing of apps in labs providing the required environment
to verify security issues such as an insecure file system, insecure data transmission,
unsafe data storage, privilege access violations, etc.
5. Analysis of results for each mobile application.
6. Assessment of automated code that helps IT teams secure mobile apps in agile-based
environments.
7. Inspection of all features of the apps in real time in controlled environments, and
comparison of the results against a plethora of known applications.
8. Assessment of the apps using binary static analysis that exposes malicious
capabilities and vulnerabilities such as leakage of information.
9. Assessment of whether or not an app has been built according to the peculiar
demands of compliance in your industry, as it is vital to follow the right standards
for regulations and mandates.
10. Last but definitely very important: keep checking and testing for the new
security threats that keep surfacing ever so often.
Conclusion
To cover all the bases and ensure that effective testing is performed, a third-party
organization with the right expertise can prove to be your best bet. At Gallop, security
testing forms a critical part of our mobile test strategy. Our security testing is thorough
and makes use of reusable test scenarios so that your app is secure and your customers
happy. Our tool agnostic test automation frameworks ensure accelerated testing so that
you get higher productivity and an enviable time to market.
* A study conducted in late 2012 established that almost 17% of the tested Android
apps do not fully validate SSL certificates.
