Apr 15, 2016 By Sarah Vonnegut
Users expect the apps they download to be secure and safe, in addition to fast and feature-packed. It’s up to the organizations releasing applications – which most likely includes you, if you’re reading this – to meet (and exceed) their expectations. If you don’t meet expectations, you’re in bad luck: A 2013 study found that 88% of Americans have negative views of companies with mobile apps or sites that perform poorly or too slowly.
Securing mobile applications from malicious users – while providing every bit of functionality and features your users expect – may not be a simple task, but it is a necessity. Only through a solid application security program is that possible, and mobile security testing is a crucial part of the SDLC, as well as in AppSec programs.
Why Do We Need Better Mobile Application Security Testing?
We’re on our phones constantly, and our phones have become extensions of our work and personal life. We keep our work email, medical info, passwords and other sensitive email stored on our mobile devices. And for the average consumer, a locked phone is enough.
But if you’re in the security industry, or a developer on mobile applications, you know better. You’re aware of the major security issues that have arisen with the proliferation of mobile device usage. You’ve heard the horror stories of Starbucks’ Mobile Payment App hack, the iOS App Store hack last fall, the LastPass password management leak last summer. And you also know all the amazing technological advances in the mobile landscape, from real-time collaboration to smart apps and smartwatches to on-the-go-banking. And you know how vigilant we need to be about security.
You may have some security gates or other security practices – but if you don’t have a solid mobile application security testing strategy in place, you’re not doing enough.
What the Numbers Tell Us About Mobile App Security:
Business applications are becoming ever more critical to business success – yet we’re failing to secure them before release. Last year, a Ponemon study found that 33% of the 640 organizations surveyed never test their apps for security issues before deployment and that most companies test less than half of the applications they deploy at all. That adds up tonearly 12 million mobile devices being carried around with active vulnerabilities. And with BYOD at an all-time high, including 67% of companies allowing any apps to be downloaded on BYOD devices, it’s even more critical that your applications are sound before going to market.
Our own research on the State of Mobile Application Security was just as grim. We found that the average app had over 3 critical or high risk vulnerabilities exposed, with 33% of all vulnerabilities detected as critical or high severity. Half of all the vulnerabilities would either enable attackers to steal personal or sensitive information, or expose authentication and authorization issues to allow remote execution, OS or app takeover, or worse.
Feeling invincible just because your company or applications haven’t been hit by attack is like any other bad habit. Speeding, smoking, drinking – they’re “fine” until you get in trouble – or worse, hurt yourself or others. You can think of developing mobile apps without securing them as a careless speeder, weaving in and out of traffic with no care as to who or what gets in the way.
Security is the freaked-out passenger sitting next to you, telling you to avoid that speed trap and cop on the side of the road (compliance issues), as well as where dangerous bumps in the road are located (malicious attackers). That’s the beauty of mobile application security testing, when it’s done right. It’s not there to slow you down – it’s there to keep you going, safely.
4 Ways to Get the Most out of Your Mobile Application Security Testing Tools:
- Know Your Environment
Instead of racing towards an inevitable crash, we can use what we know in order to guide our mobile AppSec testing program. When you know which platform or platforms your mobile app will be available on, the next step is to understand the attack vectors of those mobile operating systems. Android, iOS and PhoneGap each have their own security issues, so read up on
Get started with these three posts:
- Android Application Security Sucks, Here’s What to Do About It
- 40 Tips You Must Know About Secure iOS App Development
- The Worst PhoneGap Security Issues & How to Avoid Them
- Create a Checklist for the Most Common and Riskiest Vulnerabilities
The risks of vulnerabilities in one application will differ from other apps you may build. It’s important that during the application design, you make a risk assessment for the various parts of your app. The risk of different vulnerabilities in your app should be weighed, and given a risk score that is used during testing to ensure the riskiest issues are remediated before release.
Not every vulnerability is going to be given the same weight when it comes to risk factors, and creating a hierarchy for each app you build will help when it comes time to test the apps. TheOWASP Top 10 for Mobile Applications is always a great place to start, but remember that those are the most common vulnerabilities – not necessarily the riskiest.
- Practice Defense in Depth
Mobile application security testing, like web app testing, includes a range of different kinds of tools, including static analysis, dynamic analysis, and penetration testing. Each have a place in a solid mobile application security testing program, and when used correctly, can together find nearly any vulnerability that could be used against you. Using static code analysis throughout the SDLC, pen-testing before release and with each update, and using dynamic analysis to test the application in a runtime environment will help ensure a scalable, repeatable process for mobile application security testing.
- Test Mobile Apps with the Attacker in Mind
This can be a difficult concept for developers to understand, because they’re used to looking at code and judging it based on how they look at code, which is mostly for functionality and simplicity. Looking at code through the eyes of an attacker can be hard, but it’s well worth the effort. If no security training is provided at your organization, you can teach yourself, using a number of vulnerable sites, to ‘attack’ your mobile apps. ‘Hacking’ your own apps will offer you a better grasp on the attack points your app is open to.
5 Open-Source Mobile Application Security Testing Tools to Secure Your Mobile Apps:
- OWASP Zed Attack Proxy Project
Billed as one of the world’s most popular free security tools by OWASP, you know OWASP Zed Attack Proxy Project, or ZAP, is a quality offering, and that the huge number of volunteers keep the project up-to-date.
Get OWASP ZAP here.
MobiSec, originally a DARPA CFT project, was later released as open source. MobiSec offers a live environment for testing mobile environments, including infrastructure and the device itself. While built primarily for pentesters, developers can learn much from using the platform.
Get MobiSec here.
- Clang Static Analyzer
We covered this in our Open Source Static Code Analysis Tools post, but luckily Clang is also available for mobile app static analysis testing for Objective-C (iOS) apps.
Get Clang here.
A research project from the MITRE corporation, iMAS is an iOS secure application testing framework dedicated to reducing “iOS application vulnerabilities and data loss.
Get iMAS here.
Linkedin released this open source mobile application security testing tool, which stands for Quick Android Review Kit to help developers look for common app vulnerabilities in source code and packaged APKs for the Android platform.