Mobile devices, as a phenomenon, have become a major achievement of technical progress. At the beginning, we had a device for emergency calls, but who remembers that now? Calls, messages, a music player, a library, a shop, and so on and so forth… All of it is hidden in one instrument – a mobile phone. We go further and use these devices in our daily routine. With their smartphones, people can optimize plenty of working processes and keep all their information up to date.
But every medal has two sides. The number of smartphones in the world grows every year, making the mobile environment fragile and insecure. Fixing this situation is the main task of mobile app security testing. Any application keeps users’ data inside and helps to solve everyday problems. Would the app’s customer feel safe and rely on this product? Making the answer “yes” is fully the developers’ responsibility.
Why is it important for startups to take care of mobile app security? Let’s leave idle talk and get straight to the point. Here are some eye-opening statistics that will be useful to any business (according to the Mobile Security Report 2016):
In the report, 400 000 different mobile apps for Android were examined, and the following high-risk security issues were recorded:
Among these issues, those connected with sensitive data leaks are:
File system issues:
All this information means that malware is not the only subject of our concern. From now on, our main interest is leaky apps that deal with sensitive personal or corporate data. Providing security for mobile applications requires checking some basic points. A checklist of this kind changes constantly, but it should always be a part of the security system.
Penetration testing for mobile apps includes these 7 tips. Following them will help you to build a reliable safety system, whether on Android or iOS devices.
Strong authentication means a multi-factor process. This helps to prevent password-guessing attacks and unauthorized access.
“Account fraud and identity theft are frequently the result of single-factor authentication exploitation” (FFIEC, “Authentication in an Internet Banking Environment”)
Three factors for authentication:
A combination that greatly reduces the risk of unauthorized access is password authentication plus a client certificate, the ID of a device, or a one-time password. Other implementations organizations can use are time-of-day or location-based restrictions.
Authentication means you’ve entered an app, but it doesn’t mean you can do whatever you want with it. Authorization puts things right with tokens, two-factor authorization, and one-time-use codes.
Work with tokens is handled with OAuth2. This is a protocol that manages the exchange of tokens and makes secure connections possible. To achieve good results, OAuth deals with 4 basic elements:
OAuth serves as a framework that grants a user’s permission with tokens. Tokens are generated for one-time use by collecting a credential (like a question sent via SMS).
The next step is to make sure that communications between a mobile app and the app servers are encrypted. After a password system, you should work on public key cryptography. This system uses pairs of keys: a public key (shared widely) and a private key (known only to its owner).
In this field, one of the main decisions is the key size. 1024-bit keys have been cracked often, so the next number was 2048. Lots of developers skipped it and moved straight to 4096-bit keys. Nowadays, one would choose 4096, but there are still cases for using 2048-bit keys:
Input validation is the process of ensuring that input data meets the application’s expectations. If this process is done incorrectly, it can lead to all sorts of problems and vulnerabilities. The most popular among them are:
You can start verifying input with a whitelist or a blacklist method. A blacklist tests the input against known-bad inputs. A whitelist, on the contrary, tests it against known-good inputs. This option is preferable because the developer knows exactly what the app expects.
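To make the whitelist-versus-blacklist point concrete, here is an added Python example (written for this article, not code from the original post). It validates a constructed sign-up form two ways: an allowlist that describes exactly what each field may contain, and a blacklist that only rejects the characters someone happened to think of. The field names, patterns and the sample form are assumptions for the demonstration.

```python
import re

# Allowlist: a precise description of what the app accepts for each field.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
PHONE_E164_RE = re.compile(r"\+[1-9][0-9]{6,14}")   # E.164: '+' then 7-15 digits

# Blacklist: a handful of characters the developer remembered to forbid.
DENIED_CHARS = set("<>'\";")


def allowlist_username(value: str) -> bool:
    """True only if the whole string matches the username pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def allowlist_phone(value: str) -> bool:
    """True only if the whole string is an E.164-style phone number."""
    return PHONE_E164_RE.fullmatch(value) is not None


def blacklist_username(value: str) -> bool:
    """Rejects only the listed characters; anything not on the list slips through
    (control characters, newlines, Unicode look-alikes, ...)."""
    return len(value) <= 32 and not any(ch in DENIED_CHARS for ch in value)


def validate_profile(form: dict) -> dict:
    """Allowlist-validate a sign-up form. Returns {field: error}; empty means valid.
    Unknown fields are rejected too, so the app never processes data it did not ask for."""
    errors = {}
    expected = {"username": allowlist_username, "phone": allowlist_phone}
    for field in set(form) - set(expected):
        errors[field] = "unexpected field"
    for field, check in expected.items():
        value = form.get(field)
        if not isinstance(value, str):
            errors[field] = "missing or not a string"
        elif not check(value):
            errors[field] = "does not match the expected format"
    return errors


if __name__ == "__main__":
    # Constructed sample input: a username containing a newline.
    tricky = "alice\nadmin"
    print("blacklist accepts:", blacklist_username(tricky))   # True: newline is not on the list
    print("allowlist accepts:", allowlist_username(tricky))   # False: not in [A-Za-z0-9_]
    print(validate_profile({"username": "alice_01", "phone": "+14155552671"}))
```

Note the use of `fullmatch` rather than `match` or a `$` anchor: `$` still matches before a trailing newline, which is exactly the kind of gap a blacklist mindset leaves open.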
If app users deal with confidential information (healthcare, payment cards, customer data, etc.), then developers should monitor users’ activities.
“Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise.” (PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data)
Specifically, in business apps, log messages show when users access the app, and they also track users’ locations and the ID numbers of their mobile devices. Errors, including failed login attempts, should be recorded too.
As for highly sensitive applications, IT needs the whole picture. By this, we mean recording users’ sessions to see in detail who did what. To get an even more complete picture, developers turn to mobile screen recording.
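The following is an added Python example (not from the original post) of the kind of logging this section calls for: each access and login attempt is written as a structured audit line carrying the user ID and device ID, secrets are never written to the log, and a small detector run over constructed sample lines flags a burst of failed logins from one user and device. The field names, the five-failures-in-five-minutes threshold and the sample records are assumptions made for the demonstration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fields whose values must never reach the log, even by accident.
SENSITIVE_FIELDS = {"password", "card_number", "session_token"}


def audit_record(event: str, user_id: str, device_id: str, success: bool,
                 ts: datetime, **extra) -> str:
    """Build one JSON audit line; sensitive keys are kept but their values redacted."""
    rec = {"ts": ts.isoformat(), "event": event, "user_id": user_id,
           "device_id": device_id, "success": success}
    for key, value in extra.items():
        rec[key] = "[REDACTED]" if key in SENSITIVE_FIELDS else value
    return json.dumps(rec, sort_keys=True)


def failed_login_bursts(lines, threshold: int = 5, window=timedelta(minutes=5)):
    """Return (user_id, device_id) pairs with >= threshold failed logins inside any window."""
    failures = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        if rec["event"] == "login" and not rec["success"]:
            failures[(rec["user_id"], rec["device_id"])].append(
                datetime.fromisoformat(rec["ts"]))
    flagged = []
    for key, times in failures.items():
        times.sort()
        start = 0                      # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


def sample_log():
    """Constructed sample: six failures from one device in two minutes, plus noise."""
    t0 = datetime(2016, 6, 1, 9, 0, tzinfo=timezone.utc)
    lines = [audit_record("login", "bob", "device-7", False, t0 + timedelta(seconds=20 * i),
                          password="hunter2", location="50.45,30.52") for i in range(6)]
    lines += [audit_record("login", "alice", "device-3", False, t0 + timedelta(minutes=m))
              for m in (0, 30)]
    lines.append(audit_record("login", "alice", "device-3", True, t0 + timedelta(minutes=31)))
    lines.append(audit_record("open_record", "alice", "device-3", True,
                              t0 + timedelta(minutes=32), record_id="R-42"))
    return lines


if __name__ == "__main__":
    for line in sample_log():
        print(line)
    print("bursts:", failed_login_bursts(sample_log()))   # [('bob', 'device-7')]
```

The redaction is deliberately key-based: the call site is allowed to pass the whole request context, and the logger decides what may be persisted, which is safer than trusting every caller to strip secrets first.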
Firstly, to avoid data leaks, developers should separate personal apps from business apps. Creating private mobile workspaces prevents malware from accessing corporate data and stops users from manipulating sensitive data (copying, saving, and distributing it).
There are several root causes of data loss. They can be divided into three groups: those connected with people, with processes, and with technology.
When we deal with confidential data, there are 4 basic ways to prevent leaks:
Learn more about data leaks from TecSynt’s experience: How Bugs in the API Can Tell You Users’ Credentials.
This item of the security testing checklist is especially important for business applications that must protect sensitive data. If everything has gone wrong, an extra measure to secure the information is to wipe it. You can use this feature to your advantage. And with tip 3 you have strong guarantees – if the data is encrypted, the whole procedure can be performed instantaneously.
With regard to employee-owned devices, developers can lock or wipe corporate information while leaving personal data intact. At the same time, when the mobile phone is found or replaced, developers should be able to restore all necessary information.
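Why does encryption make a wipe instantaneous? Because the only thing that has to be destroyed is the key. The added Python example below (written for this article, not code from the original post) models a separate corporate workspace whose records are encrypted under one data-encryption key; `remote_wipe` discards that key in constant time, personal data outside the workspace is untouched, and `restore` reinstalls a key escrowed elsewhere so the data becomes readable again on a recovered or replacement device. The HMAC-SHA256 counter keystream is an illustrative stand-in so the block runs with the standard library only; a real app would use the platform's AES-GCM and keep the key in the Keystore/Keychain. The class and method names are assumptions.

```python
import hashlib
import hmac
import os
import struct


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative counter-mode keystream: HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class CorporateWorkspace:
    """Holds only corporate data; personal apps never share this key."""

    def __init__(self):
        self._key = os.urandom(32)   # data-encryption key (escrowed server-side in practice)
        self.blobs = {}              # name -> (nonce, ciphertext), all that lives on disk

    def store(self, name: str, plaintext: bytes) -> None:
        if self._key is None:
            raise PermissionError("workspace wiped")
        nonce = os.urandom(16)       # fresh nonce per record, never reuse with the same key
        self.blobs[name] = (nonce, xor_bytes(plaintext, keystream(self._key, nonce, len(plaintext))))

    def read(self, name: str) -> bytes:
        if self._key is None:
            raise PermissionError("workspace wiped")
        nonce, ciphertext = self.blobs[name]
        return xor_bytes(ciphertext, keystream(self._key, nonce, len(ciphertext)))

    def backup_key(self) -> bytes:
        """What an MDM/backend would escrow so a replacement device can be restored."""
        return self._key

    def remote_wipe(self) -> None:
        """Crypto-shred: drop the key. O(1), regardless of how much data is stored."""
        self._key = None

    def is_wiped(self) -> bool:
        return self._key is None

    def restore(self, key: bytes) -> None:
        self._key = key


def demo():
    """Round trip -> wipe -> restore. Returns the observable results for checking."""
    personal_notes = b"grocery list"        # lives outside the workspace, unaffected by the wipe
    ws = CorporateWorkspace()
    ws.store("contract.txt", b"Q3 pricing: confidential")
    before = ws.read("contract.txt")
    escrowed = ws.backup_key()
    ws.remote_wipe()
    wiped = ws.is_wiped()
    ciphertext_still_present = "contract.txt" in ws.blobs
    ws.restore(escrowed)
    after = ws.read("contract.txt")
    return before, wiped, ciphertext_still_present, after, personal_notes


if __name__ == "__main__":
    print(demo())
```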
We’ve considered the most important tips and tools that help to complete the application security testing checklist. Constant control of mobile security gives several advantages to the future of your app:
Relationships between a developer and an end user are built on trust, and you should be ready to pay a high price if you neglect this fact. As the number of mobile functions grows, people confide more and more of their secrets to their devices. This makes security checklists broader each year, and security testing becomes more and more rigorous. If you’re asking when it’s best to work on the app’s safety, the right answer is “now”. To learn more about prototyping in general, read 5 best ways to Prototype Your Mobile Project.