218 Billion. That is the number of mobile apps that were downloaded in 2020 (Source: Statista). It is definitely great news, but comes with a warning. Cyberattacks saw a spike of 50% in 2019 compared to the previous year. An average US resident spends anywhere close to 3.5 hours a day on their mobile devices, as per a 2019 survey by App Annie. So mobile application security is undoubtedly paramount. Businesses spend millions in ensuring great performance, impeccable user experience and useful functionalities. But mobile application security is often overlooked.
Mobile Application Security Testing
Mobile application security testing evaluates an application against multiple attack and threat vectors to identify vulnerabilities. It is a method of testing how susceptible an application is to security attacks. It checks specifics such as code quality, data flow, buffer handling, server configuration, passwords, debug options, etc. Security testing of applications covers the whole gamut of checks around authentication, authorization, configuration gaps, session management, data security, malware, etc. These are important to ensure protection from data leaks, breaches, fraud or snooping incidents.
Types of Mobile Application Security Testing
Unit testing: Here, specific portions of a mobile device are tested
Factory testing: This is where defects brought on during the manufacturing or assembly phase are tested
Certification testing: This test is conducted as part of the go-to-market (GTM) phase
Application testing: Here, multiple use cases are checked encompassing functionality, performance, memory leakage, installation, usability and security
The first three are forms of device testing and are often given precedence over application testing, which in fact should be given equal importance.
Challenges of Mobile Application Security Testing
A recent cyberattack on certain users of LINE, a popular mobile messaging app, in Taiwan has put the spotlight back on mobile app security.
Around 100 political figures, including Cabinet and Presidential Office members, were the victims of the attack. Initial investigations have revealed that point-to-point encryption had been turned off earlier; it has since been turned on. This shows how important mobile application security is. Testing isn’t very easy, since different users might use the apps in different ways.
A mobile application has multiple points of vulnerabilities as users download and share content. Testing apps from the perspective of data security is key though other applications in the vicinity can also pose a threat. Thus, many factors of application security become challenging yet important for testing. Some of them are:
While apps are downloaded and used, a user’s sign-up details, login credentials, stored data, shared data, etc. are vulnerable to attack. Threat modeling here tries to cover all possible cyberattacks, both external and internal.
Security loopholes are checked and possible countermeasures are tested here. Network, phone and OS resources are all tested to identify and classify different vulnerabilities.
Analysis of Threats Related to Rooted or Jailbroken Phones:
These are specific to Android and iOS devices respectively. Installation of extra applications, unsafe code injection, overwriting of system files, arbitrary OS upgrades and attempts to gain admin access are some of the scenarios tested here.
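The device-posture checks described above are usually implemented as a set of indicator lookups inside the app. The following is an added illustration of that pattern, not code from the original post or from AppSealing: it assumes the app (or a test harness) has collected a snapshot of which filesystem paths exist and, on Android, the output of getprop, and scores it against commonly used root and jailbreak indicators. Path lists and property values are the well-known ones; a production app would pair such heuristics with platform attestation (Play Integrity, DeviceCheck) rather than rely on them alone.

```python
"""Heuristic rooted/jailbroken-device posture check (added example).

Assumption (not from the original post): the caller supplies a DeviceSnapshot
built from the device's filesystem and `getprop` output.
"""
from dataclasses import dataclass, field

# Paths whose presence commonly indicates a rooted Android device.
ANDROID_ROOT_PATHS = (
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/system/app/Superuser.apk",
    "/data/adb/magisk",
)

# Paths whose presence commonly indicates a jailbroken iOS device.
IOS_JAILBREAK_PATHS = (
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash",
    "/usr/sbin/sshd",
    "/private/var/lib/apt",
)

# Android build properties whose values indicate a non-production image.
RISKY_PROPERTIES = {
    "ro.build.tags": "test-keys",
    "ro.debuggable": "1",
    "ro.secure": "0",
}


@dataclass
class DeviceSnapshot:
    platform: str                                   # "android" or "ios"
    existing_paths: set = field(default_factory=set)
    properties: dict = field(default_factory=dict)  # getprop key/value, Android only


def assess_device(snapshot: DeviceSnapshot) -> list:
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    paths = ANDROID_ROOT_PATHS if snapshot.platform == "android" else IOS_JAILBREAK_PATHS
    for path in paths:
        if path in snapshot.existing_paths:
            findings.append(f"privileged-access artifact present: {path}")
    if snapshot.platform == "android":
        for key, bad_value in RISKY_PROPERTIES.items():
            if snapshot.properties.get(key) == bad_value:
                findings.append(f"insecure build property: {key}={bad_value}")
    return findings


def is_compromised(snapshot: DeviceSnapshot) -> bool:
    """True when at least one root/jailbreak indicator is present."""
    return bool(assess_device(snapshot))


if __name__ == "__main__":
    # Constructed snapshots for demonstration, not captured from real devices.
    rooted = DeviceSnapshot(
        "android",
        {"/system/xbin/su", "/system/bin/sh"},
        {"ro.build.tags": "test-keys", "ro.secure": "1"},
    )
    clean = DeviceSnapshot("ios", {"/bin/sh"}, {})
    for name, snap in (("rooted", rooted), ("clean", clean)):
        print(name, assess_device(snap))
```

Run against a rooted snapshot the check reports both the su binary and the test-keys build tag; against a clean snapshot it reports nothing. In a test plan this is the logic to exercise on real rooted and jailbroken devices, because an attacker who controls the device can hide exactly these artifacts, which is why the findings should feed a server-side risk decision rather than a client-only block.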
Analysis of Threats Related to App Permissions:
Location access, Wi-Fi access, internet access, and apps that request permissions giving them control over all other applications (e.g. battery-saving apps, app-locking apps) could expose mobile devices to vulnerabilities. These need to be tested specifically.
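Permission review starts with the app's own manifest. Below is an added example, not code from the original post and not QARK or MobSF, showing the kind of static check those tools automate: it parses a decoded AndroidManifest.xml (as produced by apktool, an assumption) and reports runtime-dangerous permissions, high-impact permissions that grant control over other apps, exported components without a guarding permission, and two risky application flags. The permission sets are illustrative subsets, and the sample manifest is constructed for the example.

```python
"""Static review of an AndroidManifest.xml for permission risk (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative subset of Android's runtime ("dangerous") permissions.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Permissions that give an app broad control over the device or other apps
# (the "app locker" / "battery saver" pattern mentioned in the text).
HIGH_IMPACT = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.PACKAGE_USAGE_STATS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_exported(comp):
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    # Before API 31 a component with an intent-filter was exported by default.
    return comp.find("intent-filter") is not None


def _is_launcher(comp):
    return any(attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in comp.iter("category"))


def analyze_manifest(xml_text: str) -> dict:
    """Return a findings dict for the given manifest XML text."""
    root = ET.fromstring(xml_text)
    requested = {attr(p, "name") for p in root.iter("uses-permission")}
    findings = {
        "dangerous_permissions": sorted(requested & DANGEROUS),
        "high_impact_permissions": sorted(requested & HIGH_IMPACT),
        "exported_without_permission": [],
        "debuggable": False,
        "cleartext_allowed": False,
    }
    app = root.find("application")
    if app is not None:
        findings["debuggable"] = attr(app, "debuggable") == "true"
        findings["cleartext_allowed"] = attr(app, "usesCleartextTraffic") == "true"
        for tag in ("activity", "service", "receiver", "provider"):
            for comp in app.iter(tag):
                # The launcher activity must be exported; everything else that is
                # reachable from other apps should declare android:permission.
                if _is_exported(comp) and not _is_launcher(comp) and attr(comp, "permission") is None:
                    findings["exported_without_permission"].append(f"{tag}:{attr(comp, 'name')}")
    return findings


# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in analyze_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

On the sample, the review flags the location permission, the overlay permission, the implicitly exported SyncService, and the debuggable and cleartext flags; each of these is a test case to write (is the permission actually needed, is the exported service safe to call from another app, is the debug build the one being shipped).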
Analysis of Threats for Android and iOS Devices:
Android, being an open system, doesn’t impose strict restrictions or verification checks when a new app is posted on the Google Store. On the other hand, iOS is far more secure and robust owing to its strict rules for apps. So, strategies need to differ too across the operating systems being tested.
Strategies for Mobile App Security Testing
Security levels of applications will vary based on the type of application. So, a banking app might require greater security features as compared to a much more straightforward social media app.
Plan Time and Resources:
Have a dedicated team to test the different use cases and allocate time to look at fixes and retest.
Scope Out the Effort Required:
Since security testing could go into specific use cases, effort needs to be scoped out appropriately.
Invest Time in Understanding Concepts:
Before getting into testing, it would be good to understand the security concepts well.
Keep Learning and Stay Up To Date:
Since attacks have been increasing and the same can be said about their complexities, it is important to keep researching and learning to be able to stay a step ahead of attackers.
Create Real World Scenarios:
A lot of the actual attacks cannot be gauged beforehand unless testers replicate real world scenarios and also test in real time after going live.
Conduct Code Audits Regularly:
Testing is a good thing but a lot of issues can be rectified at the code level itself by following best practices. This is where audits help.
Guidelines for Mobile App Security Testing
Create Test Cases Covering Different Scenarios Across the Entire User Journey:
It is important to ensure that test cases are reviewed for 100% coverage, be it for a specific phone model/type or a different version of an operating system. A quick review by a business analyst always helps.
Spend Some Time on Web Service Testing Tools:
Ensure coverage of different data formats and HTTP methods such as GET, POST, PUT, etc.
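A recurring finding in mobile backends is that authorization is enforced only for the verb the app itself uses. The following added example, not code from the original post or from AppSealing, shows one way to check method coverage: it starts a small stand-in API in a thread (an assumption so the check runs offline; the real target would be the app's backend URL) and, for every verb, records the status returned with no credentials and with a valid bearer token. Any verb that succeeds anonymously is a finding.

```python
"""Method-coverage authorization check for a mobile backend (added example)."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

VALID_TOKEN = "constructed-test-token"   # constructed value for the stand-in only
METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE")
BODY_METHODS = ("POST", "PUT", "PATCH")


class StandInApi(BaseHTTPRequestHandler):
    """Toy endpoint: every verb requires a bearer token (this is the desired behaviour)."""

    def _handle(self):
        if self.headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Bearer")
            self.end_headers()
            return
        body = json.dumps({"method": self.command, "path": self.path}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _handle

    def log_message(self, *args):  # keep the check's output quiet
        pass


def start_stand_in():
    """Start the stand-in API on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), StandInApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def status_for(base_url, method, path, token=None):
    """Issue one request and return the HTTP status code (errors included)."""
    data = b"{}" if method in BODY_METHODS else None
    req = Request(base_url + path, method=method, data=data)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def auth_coverage(base_url, path, methods=METHODS):
    """Map each verb to (status without token, status with valid token)."""
    return {m: (status_for(base_url, m, path), status_for(base_url, m, path, VALID_TOKEN))
            for m in methods}


def unprotected_methods(coverage):
    """Verbs that succeed without credentials; each one is a finding."""
    return [m for m, (anonymous, _) in coverage.items() if anonymous < 400]


if __name__ == "__main__":
    server, base = start_stand_in()
    try:
        coverage = auth_coverage(base, "/profile")
        for method, (anon, authed) in coverage.items():
            print(f"{method:6} anonymous={anon} authenticated={authed}")
        print("unprotected:", unprotected_methods(coverage))
    finally:
        server.shutdown()
```

The same harness extends naturally to different content types (form-encoded versus JSON bodies) and to an expired or tampered token, which are the other cases the text asks testers to cover.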
Cover Multiple User Sessions Across Different Devices while Focusing on OS-Specific Features:
Pay special attention to testing the applications on rooted or jailbroken devices so real-life cases can be covered in a better manner.
Use Automation Tools Wherever Possible:
Leverage automation since it helps cover multiple scenarios encompassing different devices and operating systems in a much faster fashion.
Cover Web, Native and Hybrid apps:
Web app testing across different platforms is more or less similar to testing undertaken for a website. Testing for native apps predominantly focuses on OS-specific feature testing and hence requires a different effort estimation. Hybrid apps would include a mix of web and native, but might still require coverage of some test cases specific to the platform being used.
Tools for Mobile App Security Testing
OWASP Zed Attack Proxy (ZAP):
This is one of the most well-known tools to find vulnerabilities during the development and testing phases.
It provides a cloud-based security platform for both Android and iOS devices and provides a clear description of security loopholes along with relevant solutions.
Quick Android Review Kit (QARK):
This is a good tool for testing Android devices, with a special focus on source code analysis.
This tool helps resolve security issues in Android Studio and also provides real-time suggestions to fix issues.
This is an interactive tool which helps apps interact with other apps in their ecosystem while providing a comprehensive security overview.
Mobile Security Framework (MobSF):
This tool helps perform security testing for both Android and iOS apps.
Importance of Mobile App Security Testing
Mobile malware rose by around 54% in 2018, with newer variants being introduced regularly. Additionally, around 24,000 malicious mobile apps are blocked every day. Mobile cyber breaches can cost up to $50 billion annually. Mobile application security is thus really important to prevent future attacks and go live with far more preparedness. It also helps gain customer confidence and lets businesses focus on business continuity without having to worry about security.
Mobile application security testing is important as it helps companies develop secure applications with a long-term vision of serving customers. This gains more prominence since today’s apps are used for multiple purposes and customers also increasingly get worried about cyber security and data misuse. The right strategy can make a big difference.
AppSealing, offering a cloud-based, pay-as-you-go solution for mobile application security, is a robust tool which helps developers and companies secure their mobile applications in real time. AppSealing’s RASP features proactively look for threats during runtime and continuously intercept incoming traffic to provide alerts for any security issues. It helps companies stay away from hackers while focusing on mobile features and usability aspects.