End-to-End Mobile Application Penetration Test
Mobile devices have undeniably changed the way individuals and companies do business, and surveys suggest that mobile technology will remain a disruptive force for the next ten years. Through mobile devices and applications, millions of users have become more productive and more connected with the world, and many business capabilities and processes have been extended and enhanced.
Despite these benefits, mobile devices and applications are also exposed to a potentially hostile environment. Data inventory and protection, revocation and compliance are just a few of the many challenges faced by owners of mobile applications. These applications expose users and their devices to a host of problems that simply did not exist before. Accounting properly for new attacks and threats requires an end-to-end mobile application security assessment.
Mobile Application Assessment Methodology
Our approach to mobile application testing is to assess the entire technology stack: client, network and server. This holistic approach is used so that vulnerabilities detected in the client component can be leveraged while testing the server.
Before testing begins, we fully install the application and carry out a walk-through of the functions available. We identify how the components work together and use that understanding as the assessment proceeds. The assessment consists of the following three phases:
1. Mobile Client Assessment
In this phase of the assessment the following areas are tested: file systems, memory, run-time tampering, source code analysis, input validation, binary analysis and inter-application communication. Each category covers a wide scope. For instance, when evaluating memory we check that sensitive data held in memory, such as passwords, usernames and database connection strings, is scrubbed properly once it is no longer needed.
The following risks are assessed during the mobile application security test:
- Insecure Data Storage. Data stored on a mobile device is easily exposed, and this weakness is common. In the worst case, insecure storage leads to loss of data, typically usernames, passwords, cookies (including authentication cookies) and other sensitive data, which creates exposure for the business and can result in identity fraud or theft.
- Unintended Data Leakage. Unintended data leakage happens when developers inadvertently place sensitive information in a location within the mobile app that is easily accessible. The information is then exposed and other data on the device is put at risk.
- Broken Cryptography. This risk arises when an adversary is able to recover encrypted data or code back to its original form, exposing flaws within the system. This weakens the system and can result in code theft, intellectual property theft, reputational damage and more.
- Security Decisions Via Untrusted Inputs. This vulnerability often results in loss of reputation and has a major impact on integrity and confidentiality. It arises when application functionality is implemented weakly, so that the app behaves improperly and grants attackers easy access.
- Lack of Binary Protections. This risk exposes both the user and the application to outside threats, which may then interrupt business functions or be used for criminal activity with the information obtained.
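The Insecure Data Storage check above, as an added example (not Lean Security's tooling): a small Python helper that scans the SharedPreferences XML an Android app writes and flags entries whose name suggests a credential but whose value is stored in the clear. The sample files are constructed here and the key-name pattern is a heuristic assumption; an encrypting store such as EncryptedSharedPreferences encrypts entry names as well as values, which is why the second sample produces no findings.

```python
import re
import xml.etree.ElementTree as ET

# Key names that suggest a credential or session artefact (heuristic, an
# assumption of this example; tune the pattern to the app under test).
SENSITIVE_KEY_RE = re.compile(
    r"pass(word|wd)?|pwd|secret|token|session|cookie|api[_-]?key|credential", re.I)

# Constructed sample modelled on /data/data/<pkg>/shared_prefs/<name>.xml as
# written by the plain SharedPreferences API: names and values are in the clear.
PLAINTEXT_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="auth_cookie">SESSIONID=abc123</string>
    <string name="theme">dark</string>
    <boolean name="remember_me" value="true" />
</map>
"""

# Constructed sample of the same store written through an encrypting wrapper such
# as EncryptedSharedPreferences: both names and values are ciphertext, so the
# heuristic finds nothing (the strings below are made up, not real ciphertext).
ENCRYPTED_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="AW7Jq2xZ0kL9vB3cRdN1g">AQLqQ7mZf3Hn2JtYx8rV4bW</string>
    <string name="Bd3Ym9TqLc0VfHw2sRj5Xa">AQL0yJ8uNrE6mVzKb1Td2Qa</string>
</map>
"""


def find_plaintext_secrets(prefs_xml):
    """Return [(name, value)] for entries whose name looks sensitive and whose
    value is present in the clear. <string> keeps its value as element text;
    the other SharedPreferences types (boolean, int, long, float) use a value
    attribute, and <set> entries have neither and are skipped."""
    findings = []
    for entry in ET.fromstring(prefs_xml):
        name = entry.get("name", "")
        value = entry.text if entry.tag == "string" else entry.get("value")
        if value and SENSITIVE_KEY_RE.search(name):
            findings.append((name, value))
    return findings


def report(prefs_xml):
    """Summarise findings the way the Insecure Data Storage check records them."""
    hits = find_plaintext_secrets(prefs_xml)
    if not hits:
        return "no plaintext secrets found"
    return "Insecure Data Storage: " + ", ".join(f"{n}={v!r}" for n, v in hits)


if __name__ == "__main__":
    print(report(PLAINTEXT_PREFS))
    print(report(ENCRYPTED_PREFS))
```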
2. Network Assessment
Network traffic between the mobile device and the server is evaluated next. This covers transport layer security, including certificate pinning and SSL certificate management, as well as data stream assessment, enumeration of the hosts the application communicates with, and malware analysis. Each of these areas has its own specific checks.
The following main risks are assessed during the mobile application testing:
- Client Side Injection. This risk arises when malicious code is executed on the mobile device through the mobile app. The security of the data is then weakened and it becomes easily exploitable; the malicious code typically steals information, which can affect the business through identity theft, fraud and other criminal activity.
- Improper Session Handling. This risk most often results in an attacker impersonating another user and performing actions on their behalf without their knowledge, which could result in theft, fraud and interruption to business functions.
- Poor Authorization and Authentication. Authorization and authentication are a very important part of data security: they protect your data from thieves who could use it for various criminal activities. Poor authorization and authentication therefore expose you to problems such as information theft, reputational damage and fraud.
3. Backend Web Service Assessment
Once the network and client portions of the application have been assessed, the server side is evaluated, where everything learned from the network and client portions can be leveraged. All parameters and URLs collected from binary, static and data stream analysis are now used to assess the back-end and determine whether the app communicates with web services or a web application.
The assessment begins with a vulnerability assessment of the mobile application's back-end covering session management, access control, authentication, logic testing and input validation. The next step is testing of the SOAP- or REST-based web services to find vulnerabilities common in service-based back-ends, together with static analysis of the back-end code. The last step focuses on evaluating the source code of the mobile back-end, whether written in Java, .NET or other platforms.
The following main risks are assessed during the mobile application test:
- Weak Server Side Controls. This risk encompasses almost everything bad that can happen to a mobile app, even though it does not happen on the phone itself. Because weak servers are so prevalent, affecting not just mobile phones but also computers, it is listed as one of the top ten mobile risks of 2014. With weak server-side controls, the data behind your mobile app is easily exploitable and security weaknesses are common.
- Insufficient Transport Layer Protection. This is a security weakness in the mobile application's back-end web services caused by applications that do not take proper precautions to protect their network traffic. Typically they fail to use SSL/TLS, which leaves the data exposed and easily exploited.
Mobile Application Security Assessment Deliverables
All clients will be provided with access to a secure dashboard to track the progress of the assessment.
The technical report will include:
- The description of the identified security issue
- The likelihood, impact and risk assessment
- The test execution steps to reproduce the finding
- The exact location of the issue, including the parameters / functions
- If the issue is exploitable, the Lean Security consultant will try to see what data can be extracted
- The tools used during the assessment
- The screenshots of the finding
- The video of the issue
- Mapping to OWASP category
- Mapping to PCI DSS category
- Detailed recommendation, including the code examples
- References to the vendor guidelines and best practices
The project manager will also communicate the executive report containing the following:
- The executive summary
- An overview of the security posture
- Comparison with other companies in the same industry
- The number of critical, high, medium and low issues identified
- The number and types of apps assessed
- The high level risk explanation in terms of technology, people and processes
- High level recommendations
Related articles and further reading
The Minimalist Guide to Mobile Application Security: Why Less Can Be More - Ensuring mobile application security is a must, and a "less is more" approach could be more beneficial in achieving this goal. You would think that adding more rules, security tools and safeguards is the best approach. When you take streamlined application design into consideration, you will see why "less is more" is the better tactic. Try designing mobile applications so that the amount of data permitted in device downloads or exposed in apps is minimized. This will help you reduce the risk of revealing sensitive information...
Packages and services
Basic Mobile Application Penetration Testing service, which identifies OWASP Top 10 security issues and is suited to low-risk mobile apps (data collection apps, high-volume branding apps, etc.).
The test can be used as part of the internal due diligence process to identify the immediate and easy-to-find vulnerabilities.
After the test, Lean Security will provide a report to help with the remediation activities.
Premium Mobile Application Security Assessment, which includes dynamic and static application testing. Suitable for highly sensitive mobile applications such as eCommerce, gaming and booking apps.
The methodology is based on OWASP and NIST standards. The test is performed by a senior certified penetration tester (Australia based). A thorough risk assessment helps prioritise the remediation actions.