Security Testing on Mobile Application

Mobile Application Security Testing


Normally, security testing is not done by regular testers; it is done by a small team of security auditors before the product or application is launched on the market. I recently came across some security aspects that a regular tester should be aware of to improve the prospect of landing a good job, so I am sharing my experience in security testing (which may be basic for some).


With hackers and large-scale online scams looming across the world, it is necessary to learn some basics of security testing. You do not need to be a hacker, or to get yourself trained at a training institute, to understand the basic concepts of security.


Normally people think about taking an ethical hacking course or using an online security tool to keep their information secure. However, that is not necessarily needed; doing certain basic tests would most probably keep you out of the sight of hackers. Here I explain some basic concepts of mobile application security testing.

I have been seriously considering for a long time undergoing training on mobile application security (for which some training institutes charge thousands of dollars) and have searched the internet for almost a year. Here is the collective outcome of that long research.

According to the McAfee Threats Report: Fourth Quarter 2010, a growing number of security threats to mobile platforms are emerging, as the number of new pieces of mobile malware increased by 46 percent from 2009 to 2010. The report notes that as more consumers use mobile devices and tablets for personal and business purposes, cyber criminals have caught on. McAfee Labs said it has seen a steady increase in the number of mobile device security threats.

"The reason mobile devices have become such a big attack space is because they're being used for so much," Adam Wosotowsky, principal engineer at McAfee Labs, told CRN. (Source URL: http://www.crn.com/news/security/229208360/mobile-device-security-threats-attract-cybercriminals.htm;jsessionid=zUBN2W4VKnyANZZutVZ7IQ**.ecappj01).

This has created a need for companies to concentrate on the security aspects of applications developed for smartphones, in order to safeguard user data. In this situation security auditors and testers find it a tedious task to test applications developed for mobile devices. Here I provide a basic insight into the top security concerns of mobile applications and the steps to identify them.

Let's first discuss the Top 10 security threats in mobile applications, as provided by OWASP:

1) Insecure Data Storage
2) Weak Server Side Controls
3) Insufficient Transport Layer Protection
4) Client Side Injection
5) Poor Authorization and Authentication
6) Improper Session Handling
7) Security Decisions Via Untrusted Inputs
8) Side Channel Data Leakage
9) Broken Cryptography
10) Sensitive Information Disclosure

Techies will grasp the basic ideas of the above topics with ease. If you are not a techie, no problem: I am going to walk through each and every threat so that everyone can understand it with ease.

Insecure Data Storage:

Mobile apps should be server-side: data should primarily live on the server, and control should be kept in the hands of the people who know how to secure computing assets. Most applications downloaded from the app stores store content in the internal or external memory of the mobile device. It is easy for an attacker to target the contents stored in that memory and capture them, which leaves a high chance of compromise. I accept that it is not possible to run an application without storing some components on the device. However, the data stored on the device must be analyzed properly before the application is launched. Sensitive information about the user or the application should not be stored on the device; it should be stored on the server, where it can be controlled and monitored with ease. If sensitive information must be stored on the device, it should be properly encrypted.

Weak Server Side Control:

Weak server-side controls are, by definition, not a risk specific to the mobile platform, because the weakness is at the server. It is important, true, but it is equally important to get right for any application, regardless of the target endpoint.

Insufficient Transport Layer Protection:

Insufficient transport layer protection is another category. The fundamental programming flaw is endemic to application programming regardless of endpoint. Data in transit should be protected and properly encrypted to avoid risk: ensure that all sensitive data is encrypted. This includes data sent over the carrier network, Wi-Fi and other channels such as NFC.
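What a tester actually checks under this heading is the client's TLS configuration and the endpoint list. The following added example (mine, not code from the post or from any app it mentions) uses Python's standard `ssl` module to build a hardened client context, builds the common "make the certificate error go away" misconfiguration beside it, and audits both the way a review would; the endpoint URLs are constructed sample values.

```python
import ssl
from urllib.parse import urlparse


def make_client_context():
    """Hardened client-side TLS context: CA verification on, hostname check on, TLS 1.2+."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3/TLS 1.0/1.1
    return ctx


def make_insecure_context():
    """The shortcut often found in app code when a test server has a bad certificate.

    Constructed here only for comparison: with verification off, any certificate is
    accepted, so an attacker on the Wi-Fi or carrier path can read the 'encrypted' traffic.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate from anyone
    return ctx


def audit_context(ctx):
    """Return the transport-protection findings a tester would report for a context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (CERT_NONE/OPTIONAL)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed (below TLS 1.2)")
    return findings


def audit_endpoints(urls):
    """Flag endpoints from the app's configuration that would carry data in clear text."""
    return [u for u in urls if urlparse(u).scheme.lower() != "https"]


if __name__ == "__main__":
    # Constructed endpoint list standing in for values pulled from an app's config.
    sample_endpoints = ["https://api.example.com/login", "http://api.example.com/metrics"]
    print("hardened context findings:", audit_context(make_client_context()))
    print("insecure context findings:", audit_context(make_insecure_context()))
    print("clear-text endpoints:", audit_endpoints(sample_endpoints))
```

The hardened context is the default produced by `ssl.create_default_context()` with an explicit protocol floor; the insecure one differs only by the two lines that disable verification, which is exactly the pair of attributes the audit function reports on.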

Client Side Injection:

As with web application threats, browser-side attacks, XSS and SQL injection are basic problems. The twist is not the problem, it is the impact: a more direct ability to access phone functions for fraud, as opposed to identity theft. This creates a negative impact on the end user of the application when his or her data is stolen.
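Mobile apps commonly keep a local SQLite database, so the client-side SQL injection named above is the first thing to test there. The following added example (mine, not from the post) builds an in-memory SQLite table with constructed rows and shows the query-by-concatenation pattern beside its parameterized replacement, so a tester can see that the same input returns every row in one case and nothing in the other.

```python
import sqlite3


def build_sample_db():
    """Constructed in-memory database standing in for an app's local SQLite store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT NOT NULL, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)",
                     [("alice", "alice's private note"), ("bob", "bob's private note")])
    conn.commit()
    return conn


def notes_for_vulnerable(conn, owner):
    """The defect: the untrusted value is spliced into the SQL text, so it can
    change the statement's grammar instead of being treated as data."""
    sql = f"SELECT body FROM notes WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_fixed(conn, owner):
    """The fix: a bound parameter is always data, whatever characters it contains."""
    return [row[0] for row in conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


def injection_test_case(conn):
    """The check a tester runs: does a classic tautology input widen the result set?
    Returns (rows from vulnerable query, rows from fixed query)."""
    probe = "x' OR '1'='1"
    return notes_for_vulnerable(conn, probe), notes_for_fixed(conn, probe)


if __name__ == "__main__":
    db = build_sample_db()
    vulnerable_rows, fixed_rows = injection_test_case(db)
    print("concatenated query returned:", vulnerable_rows)   # every user's note
    print("parameterized query returned:", fixed_rows)       # nothing
```

The same principle applies to any string-built query on the device: the owner value should reach the database engine as a bound parameter, never as part of the statement text.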

Poor Authorization and Authentication:

Poor authentication and authorization is definitely a mobile platform application challenge. The authorization and authentication process should be more stringent in mobile applications before users are allowed to edit, view or submit sensitive information over the internet. Some apps rely solely on immutable, potentially compromised values (IMEI, IMSI and UDID). Adding contextual information is useful but is not foolproof.

Improper Session Handling:

One of OWASP's contentions is that mobile application sessions are much longer. Sessions should be terminated properly once the user closes the application. If the user fails to terminate the session, the system should terminate it automatically after a predefined time to avoid the risk of data theft. Do not be afraid to re-authenticate often to reduce the risk. Using a device identifier as a session token is a bad idea.
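The two sections above (authentication built on immutable device values, and session handling) come down to the same server-side mechanism, so here is one added example covering both; it is my illustration, not code from the post or from OWASP. It implements a session store with random tokens, an idle timeout, an absolute lifetime, a recent-authentication requirement for sensitive actions, and explicit logout; the timeout values and the `FakeClock` are constructed for the example.

```python
import hashlib
import secrets
import time

# Policy values constructed for this example; tune them per application.
IDLE_TIMEOUT = 15 * 60          # seconds without activity before a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard lifetime, regardless of activity
STEP_UP_MAX_AGE = 5 * 60        # sensitive actions need an auth event newer than this


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, start=1_300_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def _key(token):
    # Store only a hash of the token: a leaked session table yields no live tokens.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    """Server-side session store with random tokens and idle/absolute expiry.

    A device identifier (IMEI, IMSI, UDID) is the wrong thing to use as a token:
    it is constant for the life of the device, readable by other software on it,
    and cannot be revoked, so anyone who learns it holds the session forever.
    A fresh random token per login has none of those properties.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, user_id):
        """Called after a successful login: returns a new, unguessable token."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[_key(token)] = {"user": user_id, "created": now,
                                       "last_seen": now, "last_auth": now}
        return token

    def validate(self, token, sensitive=False):
        """Return the user id for a live session, or None.

        Expired sessions are deleted on sight. For a sensitive action the last
        authentication must be recent; otherwise the caller must re-authenticate.
        """
        sess = self._sessions.get(_key(token))
        if sess is None:
            return None
        now = self._clock()
        if (now - sess["created"] > ABSOLUTE_TIMEOUT
                or now - sess["last_seen"] > IDLE_TIMEOUT):
            self.logout(token)
            return None
        if sensitive and now - sess["last_auth"] > STEP_UP_MAX_AGE:
            return None
        sess["last_seen"] = now
        return sess["user"]

    def reauthenticate(self, token):
        """Record a successful password or PIN re-entry for an existing session."""
        sess = self._sessions.get(_key(token))
        if sess is not None:
            sess["last_auth"] = self._clock()

    def logout(self, token):
        """App close or sign-out: drop the session on the server, not only on the client."""
        self._sessions.pop(_key(token), None)


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.create("alice")
    print("fresh session user:", store.validate(token))
    clock.now += STEP_UP_MAX_AGE + 1
    print("sensitive action without recent auth:", store.validate(token, sensitive=True))
    clock.now += IDLE_TIMEOUT + 1
    print("after idle timeout:", store.validate(token))
```

Because the store only ever sees a hash of the token, the client-side test of "does a device identifier work as a token?" is answered structurally: nothing derived from the device is accepted, only a value the server minted for this login.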

Security Decisions Via Untrusted Inputs:

Consuming paid resources is often considered safe by users, but it can also carry security risks. Security decisions can be leveraged to bypass permissions and security models, depending on the platform (iOS: abusing URL schemes; Android: abusing intents). Testers should check the caller's permissions at input boundaries and prompt the user for additional authorization before allowing a sensitive action.
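The input boundary in question is the handler for a custom URL scheme or intent, where the caller is another app or a web page and nothing about the request can be trusted. As an added example (mine, not from the post; the `exampleapp` scheme, the action table and the parameter rules are all constructed), here is a deep-link handler that accepts only allowlisted actions with exactly the expected parameters, validates each value, and requires both a caller-authorization result and an in-app user confirmation before a sensitive action is allowed.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlparse

# Constructed scheme and action table for this example.
APP_SCHEME = "exampleapp"

# Allowlist of actions reachable from outside the app:
# action -> (required query parameters, whether the user must confirm in-app)
ALLOWED_ACTIONS = {
    "open_article": ({"id"}, False),
    "transfer_funds": ({"to", "amount"}, True),
}


class DeepLinkError(ValueError):
    """Raised for any link that does not match the allowlist exactly."""


def parse_deep_link(url):
    """Parse exampleapp://<action>?<params> coming from an untrusted caller.

    Scheme, action name, required parameters (present exactly once) and the
    absence of any unexpected parameter are all checked before anything is returned.
    """
    parts = urlparse(url)
    if parts.scheme != APP_SCHEME:
        raise DeepLinkError(f"unexpected scheme {parts.scheme!r}")
    action = parts.netloc
    if action not in ALLOWED_ACTIONS:
        raise DeepLinkError(f"unknown action {action!r}")
    required, _ = ALLOWED_ACTIONS[action]
    query = parse_qs(parts.query, keep_blank_values=True)
    unexpected = set(query) - required
    if unexpected:
        raise DeepLinkError(f"unexpected parameters {sorted(unexpected)}")
    params = {}
    for name in sorted(required):
        values = query.get(name, [])
        if len(values) != 1 or not values[0]:
            raise DeepLinkError(f"parameter {name!r} missing, empty or repeated")
        params[name] = values[0]
    return action, params


def validate_params(action, params):
    """Per-action value checks: strings from the link are never used as-is."""
    if action == "open_article":
        if not params["id"].isdigit() or len(params["id"]) > 9:
            raise DeepLinkError("article id must be a short decimal number")
    elif action == "transfer_funds":
        if not params["to"].isalnum() or len(params["to"]) > 20:
            raise DeepLinkError("bad account id")
        try:
            amount = Decimal(params["amount"])
        except InvalidOperation:
            raise DeepLinkError("amount is not a number") from None
        if (not amount.is_finite() or amount <= 0
                or amount != amount.quantize(Decimal("0.01"))):
            raise DeepLinkError("amount must be positive with at most two decimals")


def handle_deep_link(url, caller_authorized, user_confirms):
    """Decide what to do with an incoming link; nothing is executed here.

    caller_authorized: result of the platform's check on the calling app (for
        example a permission or signature check), supplied by the host code.
    user_confirms: callback that shows an in-app prompt and returns True or False.
    Returns (status, action, params).
    """
    action, params = parse_deep_link(url)
    validate_params(action, params)
    _, needs_confirmation = ALLOWED_ACTIONS[action]
    if needs_confirmation:
        if not caller_authorized:
            return ("denied: caller not authorized", action, params)
        if not user_confirms(action, params):
            return ("denied: user declined", action, params)
    return ("allowed", action, params)


if __name__ == "__main__":
    link = "exampleapp://transfer_funds?to=acct123&amount=10.00"
    print(handle_deep_link(link, caller_authorized=True, user_confirms=lambda a, p: True))
    print(handle_deep_link(link, caller_authorized=False, user_confirms=lambda a, p: True))
```

The point for a tester is the order of the checks: the link is rejected on shape before any value is interpreted, the values are validated before any permission question is asked, and the permission question is asked before the user is prompted, so a malformed or unauthorized request never reaches the confirmation dialog at all.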

Side Channel Data Leakage:

Side channel data leakage is a mix of not disabling platform features and programming flaws, which can leave sensitive information in unintended places such as web caches, keystroke logs, background screenshots (iOS devices), crash logs and temp directories. Testers should always confirm that credentials are not stored in logs. Remove sensitive information before screenshots are taken. Debugging the app before release to observe the files it creates, writes or modifies is also a necessary task for testers.

Broken Cryptography:

Broken cryptography has a very high impact: the confidentiality of the data is lost, privileges can be escalated and business logic can be circumvented. Hence testers should verify where data encryption starts and where it ends, test stringently on as many platforms as possible, and check the encryption strength.

Sensitive Information Disclosure:

Apps can be reverse engineered with relative ease. Hence testers should do a complete review of the information stored and transferred over the network before sensitive information such as credit card numbers, SSNs, etc. is stored or passed. Sensitive and proprietary information should be stored on the server instead of on the device. Never allow passwords to be hard-coded, to keep intruders out.
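Three of the sections above (Insecure Data Storage, Side Channel Data Leakage and Sensitive Information Disclosure) ask the tester to do the same thing against different artifacts: look at what is on the device and in the build for secrets stored readable. The following added example (my illustration, not code from the post) is one scanner for all three. It checks a preferences file for secret-named values that are stored in plain text (using character entropy as the "is this actually encrypted?" heuristic), scans a log for credential and card-number literals with a Luhn filter to drop numbers that merely look like cards, and pulls printable strings out of a binary blob to find hard-coded keys. All three samples are constructed; the detection patterns are a starting set, not an exhaustive list.

```python
import math
import re
from collections import Counter

# Constructed detection patterns for this example. The last group is the value.
SENSITIVE_PATTERNS = {
    "password literal": re.compile(r'(?i)\b(password|passwd|pwd)\s*[=:]\s*"?([^\s"]{4,})'),
    "api key / token literal": re.compile(
        r'(?i)\b(api[_-]?key|secret|token)\s*[=:]\s*"?([A-Za-z0-9_\-]{16,})'),
    "credit card number": re.compile(r'\b(?:\d[ -]?){12,15}\d\b'),
    "US SSN": re.compile(r'\b\d{3}-\d{2}-\d{4}\b'),
}
SECRET_KEY_NAMES = re.compile(r'(?i)(password|passwd|pin|secret|token|api[_-]?key)')

# Constructed samples standing in for artifacts pulled from a test device or build.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="auth_token">ZmFrZS1jaXBoZXJ0ZXh0LWJsb2ItMTIzNDU2Nzg5MA==</string>
</map>
"""
SAMPLE_CRASH_LOG = """\
2011-03-01 10:02:11 I/LoginActivity: login attempt user=alice password=hunter2
2011-03-01 10:02:12 D/Checkout: order 1234 5678 9012 3456 total=19.99
2011-03-01 10:02:13 D/Checkout: card 4111 1111 1111 1111 exp 12/14
2011-03-01 10:02:14 E/App: NullPointerException at Checkout.java:88
"""
SAMPLE_BINARY = (b"\x00\x01\x02\x7f" + b'api_key="EXAMPLEKEY0123456789abcdef"'
                 + b"\x00\xff" * 4 + b"Ok\x00")


def luhn_ok(number):
    """Luhn check over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def shannon_entropy(text):
    """Bits per character. Plain-text passwords sit around 2-3; ciphertext/base64 well above."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def scan_prefs(source, xml_text, min_entropy=3.5):
    """Flag secret-named preference values that are readable rather than encrypted.

    Entropy is a heuristic: it catches the plain-text case, not a weak cipher."""
    findings = []
    for m in re.finditer(r'<string name="([^"]+)">([^<]*)</string>', xml_text):
        name, value = m.group(1), m.group(2)
        if SECRET_KEY_NAMES.search(name) and shannon_entropy(value) < min_entropy:
            findings.append((source, name, "secret stored in plain text", value))
    return findings


def scan_text(source, text):
    """Run the literal patterns over each line; returns (source, line, label, value)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SENSITIVE_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.re.groups)  # last group, or whole match if no groups
                if label == "credit card number" and not luhn_ok(value):
                    continue  # an order number that only looks like a card number
                findings.append((source, lineno, label, value))
    return findings


def printable_strings(blob, min_len=6):
    """Like the `strings` tool: runs of printable ASCII inside a binary."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def scan_binary(source, blob):
    """Hard-coded credentials survive compilation as plain strings; scan those."""
    return scan_text(source, "\n".join(printable_strings(blob)))


def audit_device_artifacts():
    """Run all three scans over the constructed samples and return the findings."""
    return (scan_prefs("shared_prefs/app.xml", SAMPLE_PREFS_XML)
            + scan_text("crash.log", SAMPLE_CRASH_LOG)
            + scan_binary("classes.dex (strings)", SAMPLE_BINARY))


if __name__ == "__main__":
    for finding in audit_device_artifacts():
        print(" | ".join(str(part) for part in finding))
```

On the constructed samples the scanner reports the plain-text password in the preferences file but not the high-entropy token next to it, the password and the Luhn-valid card number in the crash log but not the order number on the line above, and the key embedded in the binary; replacing the samples with files pulled from a test device turns it into the pre-release review the post asks for.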

In my next blog post I will explain in detail the best practices testers should follow to ensure the quality of a mobile application. Also, please feel free to add your comments about the security concepts and other threats to this post.


Join our community on Facebook and Google+ at the URLs below to stay up to date:


Facebook Page: http://www.facebook.com/SoftwareQaHelp
Google+ : https://plus.google.com/101680718973348361876
