Security Testing for Mobile Applications

Mobile devices at the workplace: this so-called trend is here to stay. In response, IT teams are recognizing their responsibility to develop a secure and high-performance operating environment for their mobile and remote workforce.

Mobile-related security risks have increased to astronomical levels in the last year:

• Over 5.7 million malware attacks were discovered and blocked.
• Over 70% of online fraud is performed via mobile apps.
• Ransomware accounts for more than half of all attacks impacting small and midsize business organizations, and mobile-related phishing attacks have increased by 50%.

All that to say: a true organizational security posture cannot ignore the mobile apps and devices that its employees and customers use.

In this article, let’s review the practice of mobile application security testing, understand the motivation behind it and discuss the best practices for mobile application security testing.

The role of apps at work

An important part of any cybersecurity strategy is to test mobile applications that access, process and store sensitive business information on the device.

A modern business may rely on several mobile applications and web services to conduct daily business operations — anything from communications and collaboration to data analytics, planning, and execution.

(Related reading: application security & software testing.)

How mobile app security testing works

Mobile Application Security Testing refers to the holistic assessment and analysis procedure of testing mobile applications for vulnerabilities. Employing a mix of static, dynamic and interactive testing strategies, along with various security scenarios (black-box, white-box and gray-box testing environments), you can develop an accurate security posture of your mobile applications.

Importantly, the testing process is not limited to the security performance of the product itself — the security testing should also include the architectural design and SDLC frameworks used to push new features to the application.

For instance, a secure mobile application bakes security capabilities early during the SDLC pipeline, and engages in continuous, shift-left testing to identify security flaws early during the SDLC lifecycle.

(Understand how vulnerabilities & threats contribute to your overall risk.)

Ways to test mobile app security

The application developers and organizations deploying mobile apps test for application security in the following ways:

• Understanding application behavior by evaluating response to data transfer and networking requests. Data is transmitted under varying loads and networking protocols to understand application behavior originating from various technologies, devices, network sources and locations.
• Decrypting application components to evaluate the security posture of the application when handling unencrypted data.
• Performing static and dynamic analysis to evaluate application code for security flaws without execution and during runtime respectively. 
• Combining interactive analysis with both the static and dynamic analysis techniques to acquire real-time feedback on vulnerabilities emulating production environments.
• Conducting black-box, white-box and grey-box testing techniques by simulating an external attack. During these tests, the attacker may have no knowledge, full knowledge or some knowledge of the target application, respectively.

Threats & challenges with mobile apps

Using these techniques, mobile app vendors and enterprises deploying mobile apps for business use can analyze security performance on the following key threat challenges and issues:

Data storage and transfers

With mobile apps, the first thing people consider is where the data resides, and how to safely and securely transfer the data. Importantly, more laws are being made to mandate certain actions here, depending on your industry, your geography and possibly other factors.

To evaluate the data storage and transfer safety and security, you’ll want to evaluate the application security for three types of data:

• Data at rest — data that’s in storage within the device.
• Data in transit — data that’s between the device and backend servers over networks that may not be private or adequately secured.
• Data in use — when the application loads and processes sensitive information using an external service running on a third-party data center.

(Learn more about third party risk management.)

Access controls & authorization

The next security challenge to consider is how access privileges and permissions are controlled as the application handles user requests.

The application must be capable of enforcing the permission controls and access policies established by the organization that uses the app. Multi-factor authentication (MFA) and/or biometrics can be used to improve security performance.

(Related reading: identity and access management & access control models.)

Network communication

Network communication is the next area to consider. Evaluate how the application responds to various network protocols used to access the data and backend data centers.

The data must be transmitted using secure HTTPS protocols and through private networks (corporate VPNs), especially when users access the services remotely.

API security & session management

As the application interacts with third-party services, evaluate the interfacing against parameter tampering, authentication bypass and vulnerabilities such as remote code execution.

To ensure that all data transmission is secure, encrypted and not susceptible to misconfigurations and vulnerabilities at the network layer, you’ll need to assess both:

• The API security headers
• The Transport Layer Security (TLS) protocols

(Related reading: API threats, API security testing & API monitoring.)

Session management

Because data processing is typically handled via the internet, your mobile app must also manage secure and robust web sessions. Testing the mobile application for session-related vulnerabilities includes generating session tokens and verifying if they are handled by the app using secure protocols such as HTTPS.

Consider implementing controls — session timeout, fixation, invalidation, and revocation — to limit the scope of a legitimate web session allowed the app will allow.

Configurations

Access control, privilege escalation controls, error handling and information disclosure is evaluated by testing for misconfigurations, which may be common for organizations deploying the app for a large user base with varied levels of access privileges.

Mobile application security testing for misconfiguration-related vulnerabilities evaluate:

• The network communication
• SSL/TLS configurations
• Application and web security headers
• Database and cloud security configurations

External libraries & integrations

Since the application service may involve several third-party integrations, it is important to evaluate the risk exposure to the corresponding external dependencies. The mobile application security testing may involve dependency scanning and vulnerability assessments for these integrations.

Mobile app security testing is of critical importance

By employing a mix of static, dynamic and interactive testing strategies, for a variety of security scenarios such as black-box, white-box and gray-box testing environments, you can develop an accurate security posture for your mobile applications.