Introduction
Application development has come a long way in the last two decades, but it is puzzling to see that, despite major security breaches, security testing takes a back seat compared to other forms of quality testing such as usability or functional testing. An application can be flawless and high-calibre in terms of functionality, yet be rendered meaningless if a hacker or malicious user can carry out any of a number of common exploits. The exponential rise in the use of mobile applications for different purposes puts mobile devices in great danger of being hacked or compromised. The market for mobile application development is changing rapidly, giving rise to an increased requirement to ensure the authenticity and legitimacy of these apps. Application security testing is one of the key success factors for companies involved in developing and deploying mobile applications on several platforms. In this paper, we explore the growing trends in mobile applications, the security concerns these trends raise, and how to deal with them.
Launch Secure Application
idexcel

Growth of Mobile Applications
Mobile applications have been one of the biggest innovations of recent years, and their growth is exploding as people use apps all day long. The move to mobile is being fuelled by developers turning out applications for their businesses, resulting in greater demand for mobile application security testing.

Broadly speaking, there are three types of mobile applications:
Native applications: Applications written for a specific platform that run only on the devices it supports.
Web applications: Applications accessible from any mobile device because they are built with standards such as HTML5.
Hybrid applications: Applications with a web-based interface wrapped in a layer of native code, to get the best of both worlds.

Mobile apps have changed the way we live our lives and interact with our environment. The Apple App Store leads in the number of apps available, with an impressive 850,000 apps. Games are the most popular type of app (33%), followed by widgets (8%). Facebook is the top messaging app, used by 700 million users around the world, followed by WeChat with 300 million users. An average person downloads 22 apps on their smartphone and spends almost 80% of their time in apps. Revenue from apps is expected to reach $36.7 billion by 2015. One in four mobile apps, once downloaded, is never used again. The statistics shown below indicate significant growth in the number of free app downloads.
Some mobile application growth statistics are as follows:
Portio Research (March 2013) estimates: 1.2 billion people worldwide were using mobile apps at the end of 2012. This is forecast to grow at 29.8 percent each year, to reach 4.4 billion users by the end of 2017. Much of this growth will come from Asia, which will account for almost half of app users in 2017.
mobiThinking note: 1.2 billion app users is a large number, considering that analysts estimate there aren't much more than a billion smartphones worldwide, and that app development in recent years has largely focused on smartphones (mostly just one or two types of smartphone), but it is still only a minority of phone users. There are 6.8 billion mobile subscriptions worldwide, according to the ITU (February 2013), which means approximately 17 percent of mobile subscribers use apps.
Mobile Applications Security Concerns and Vulnerabilities
The above statistics indicate that there is explosive growth in mobile application usage. Along with this growth, however, come pain points for developers and businesses, as there is a lack of standards that needs to be addressed and highlighted; this also points to a good business opportunity for mobile application security in the coming years.

This unregulated growth in mobile application development and usage is exposing mobile devices and data to major security risks, where application vulnerabilities are exploited by malicious users. What is the motive behind these attacks? For an individual, attackers are interested in the credentials held on the device and for external services such as banking and email. They want access to personal data such as the address book, they want credit card details, and they need access to the device so that they can use it or steal trade secrets and other sensitive data. For organisations, use of vulnerable applications by employees on the LAN or on their personal devices can lead to data breaches and increased corporate liability. Attack points include:
Data Storage: Key stores, application file system, application database, caches, configuration files
Binary: Reverse engineering to understand the binary, find exploitable vulnerabilities, key generation routines, embedded credentials
Platform: Function hooking, mobile botnets, malware installation, application architecture decisions based on platform

According to tests run by HP Fortify, 86% of apps that accessed potentially private data sources such as Bluetooth connections or address books lacked security measures to protect the data from access. 86% of the apps lacked binary hardening protection, 75% did not encrypt data before storing it on the device, and 18% transmitted data over the network without using SSL encryption. Another 18% used SSL, but did so incorrectly.

Security for mobile applications is more challenging than for desktop or web applications because they have a smaller footprint on the virtual machine. HP conducted security testing on more than 2,000 Apple iOS mobile apps developed for commercial use by some 600 large companies in 50 countries. The results showed that nine out of ten applications had serious vulnerabilities, 97 percent of apps inappropriately accessed private information sources within the device, and 86 percent proved to be vulnerable to attacks such as SQL injection.

Mobile applications become vulnerable to security attacks because development is focused on features, not security, and users do not even have security on their radar. Developers are unaware of the underlying platform, and users are easily social engineered.

Mobile application testing is challenging due to compatibility issues, as any mobile application can be deployed across devices with different operating systems (Android, iOS, BB, Windows etc.), versions of an operating system (B4.x, 5.x, iOS 4.x etc.), keypad types such as hard keypad or virtual keypad, and manufacturers such as Nokia, Apple, Samsung, HTC etc. There is no guarantee that an application that works well on one device will work well on another, even one from the same product family, as the CPU, screen resolution, OS optimization, hardware and memory could be different.

Testing tools available for web-based and desktop applications cannot be used for mobile applications. Hence, for testing mobile applications, complex scripting techniques and new tool development are required. Additionally, for any application to be globally popular and acceptable, it must meet industry standards. A well-developed mobile application can easily be rejected by the end user merely due to the UI look and feel. If mobile applications are critical to the business, these questions create a growing dilemma. BYOD (Bring Your Own Device) and BYOA (Bring Your Own Application) have received plenty of attention and are a major cause of serious malware problems as well. Rigorous testing of mobile applications is critical; however, very few organizations have a comprehensive understanding of, and the resources for implementing, all the aspects of security testing.
The Open Web Application Security Project’s (OWASP) Top
Ten Mobile Applications Security Risks include:
Insecure Data Storage
Weak Server Side Controls
Insufficient Transport Layer Protection
Client-Side Injection
Poor Authentication and Authorization
Improper Session Handling
Security Decisions via Untrusted Inputs
Side Channel Data Leakage
Broken Cryptography
Sensitive Information Disclosure
It is easy to deduce that mobile applications pose significant risks, and it may take years to learn and implement the right methodologies for developing a platform for testing these applications. However, for any mobile application development company, the first step towards addressing the issue is to identify all the threats that the application can pose to the end user. The end user can be an individual or a corporate client.

Some of the aspects that need to be tested by the QA team as part of security testing of mobile applications include confidentiality, authentication, integrity, availability, authorization and non-repudiation. Each of these aspects is critical to the success of any security testing framework, and they extend to mobile applications as well. Organizations need to follow the latest mobile security best practices and dig deep to look for vulnerabilities that can cost them money, reputation and time. So let's look a little deeper and understand these vulnerabilities and the best practices for dealing with them.

[Figure: Web Services]

Common Security Threats and Best Practices
Threat: Excessive Permissions and Privileges
Detail: This is one of the most serious and common vulnerabilities, and it creates a great deal of privacy concern on mobile devices. Applications that reside on the device have excessive access privileges and permissions, such as access to the contact list, receiving and sending messages, update rights, location, and access to other hardware such as the microphone and camera.
Best Practice: App developers should restrict the privileges and permissions they request for applications. Users should periodically check the device settings and apps for excess permissions and, if they feel that an application has excessive access, revoke those access rights.

Threat: Malware
Detail: Just like web apps, mobile applications use web services and HTTP requests to communicate between server and client. Common vulnerabilities such as SQL injection, cross-site scripting, XML bombs and buffer overflows are discovered during dynamic analysis. These enable an attacker to propagate malware and gain access to device information without having the privileges to do so.
Best Practice: Applications should validate all forms of input and convert scripts and script tags to a non-executable form. Ensure that the executables on your server do not return scripts in executable form. HTML and JavaScript tags can be converted into alternate HTML encoding.
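The Malware best practice above names three controls for the server side of a mobile app: validate all input, keep user-supplied data from changing the structure of a query, and return HTML and JavaScript tags in a non-executable (encoded) form. The following is an added example, not code from the paper or from idexcel, that puts the three side by side on a constructed in-memory user table: an allow-list validator, the string-concatenated query that SQL injection exploits beside its parameterized replacement, and HTML output encoding. The table contents, the probe string and the handler name `handle_request` are this example's own assumptions.

```python
import html
import re
import sqlite3

# Constructed sample data standing in for a mobile app's backend user table.
USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]

# Allow-list for usernames: a small character set and a length cap.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def build_db():
    """In-memory SQLite database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def validate_username(name):
    """Input validation: accept only the allow-listed character set and length."""
    return bool(USERNAME_RE.match(name))


def lookup_email_unsafe(conn, name):
    """Before: the value is pasted into the SQL text, so it can change the query."""
    rows = conn.execute(
        "SELECT email FROM users WHERE name = '" + name + "'"
    ).fetchall()
    return [r[0] for r in rows]


def lookup_email_safe(conn, name):
    """After: parameter binding keeps the value as data, never as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def render_greeting(display_name):
    """Output encoding: HTML and JavaScript tags become inert text in the page."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


def handle_request(conn, name):
    """Request handler (assumed name): validate first, then use the safe lookup."""
    if not validate_username(name):
        return {"error": "invalid username", "emails": []}
    return {"error": None, "emails": lookup_email_safe(conn, name)}


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"  # constructed test input, not a captured request
    print("unsafe:", lookup_email_unsafe(db, probe))  # every row comes back
    print("safe:  ", lookup_email_safe(db, probe))    # nothing matches
    print(render_greeting("<script>alert(1)</script>"))
    print(handle_request(db, probe))
```

The validator rejects the probe before any query runs, and even if validation were skipped, the parameterized lookup returns no rows for it; the encoded greeting shows the tag text on the page rather than executing it.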
Threat: Ineffective Session Termination
Detail: When the user clicks the logout button, the session is terminated only locally on the client side, without terminating the session at the server end. This coding flaw makes the server susceptible to unauthorized access, where an attacker can access the victim's session, and this can lead to identity theft.
Best Practice: After logout, always invalidate the session on both the server and the client side. If a session has not been active for more than 15-20 minutes, terminate it. Long sessions must be re-authenticated.

Threat: Buffer Overflow
Detail: An attacker uses buffer overflows to corrupt the execution stack of the application. The attacker sends carefully crafted input to the application and causes it to execute arbitrary code that can take over the device. The attack relies on writing data to a particular memory address, or on having the OS mishandle data types.
Best Practice: Buffer overflow protection techniques can be used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables as soon as they occur, and preventing them from becoming serious security vulnerabilities. You can also scan your application with a scanner that looks for buffer overflow flaws.

Threat: Bad Data Storage Practice
Detail: Insecure or bad data storage occurs when developers assume that users will not have access to the device file system, and hence store sensitive information in data stores on the device. If data is not protected properly, jailbreaking or rooting the device circumvents any encryption protections, leading to loss of data including usernames, passwords, cookies, location data, personal information and application data. SQLite databases, Plist files, log files, binary data stores, XML data stores, SD cards, cookie stores and cloud-synced stores are the places where data is most often stored insecurely.
Best Practice: Do not store data unless absolutely necessary. Scrutinize the data security APIs of the platform and ensure that they are being called appropriately. Do not store credentials on the device file system.
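The Ineffective Session Termination row says a logout must invalidate the session on the server, an idle session should be terminated after 15-20 minutes, and long sessions must re-authenticate. The following is an added example, not code from the paper or from idexcel, of a server-side session table that enforces all three. The idle limit uses the lower end of the paper's range; the eight-hour absolute lifetime and the injected `FakeClock` are this example's assumptions, the clock being there so the expiry logic can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # lower end of the paper's 15-20 minute idle limit
ABSOLUTE_LIFETIME = 8 * 3600  # assumed: after this the user must log in again


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    valid: bool = True


class FakeClock:
    """Controllable clock so the example runs offline without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class SessionStore:
    """Server-side session table keyed by an unguessable token."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def login(self, user):
        now = self._clock()
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(user, now, now)
        return token

    def authenticate(self, token):
        """Return the user for a live session; expire and return None otherwise."""
        s = self._sessions.get(token)
        if s is None or not s.valid:
            return None
        now = self._clock()
        idle_too_long = now - s.last_seen > IDLE_TIMEOUT
        too_old = now - s.created_at > ABSOLUTE_LIFETIME
        if idle_too_long or too_old:
            self.logout(token)  # forces re-authentication
            return None
        s.last_seen = now
        return s.user

    def logout(self, token):
        """Server-side invalidation: a client that keeps the token gains nothing."""
        s = self._sessions.pop(token, None)
        if s is not None:
            s.valid = False

    def active_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock)
    tok = store.login("alice")
    clock.t += 16 * 60
    print(store.authenticate(tok))  # None: idle limit exceeded
    tok = store.login("alice")
    store.logout(tok)
    print(store.authenticate(tok))  # None: invalidated on the server
```

The client should still discard its cookie on logout, but the server-side record is what decides whether a presented token is honoured; without it the client-only logout the paper describes leaves the session alive.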
Threat: Device Access
Detail: Smartphones and other mobile devices have the ability to send messages and texts, connect to wireless LANs, and also have GPS capabilities, but they lack firewalls, intrusion detection systems and virus protection.
Best Practice: Correctly implementing the mobile device strategy, and mapping that strategy to the local device settings, can help address concerns regarding data loss prevention, VPN access, password policies, stolen devices, and other security issues.

Threat: Device Security
Detail: Mobile devices bring unique security and management risks as they often operate beyond corporate boundaries, increasing exposure to malware.
Best Practice: Mobile risks can be managed by active scanning, log event aggregation, passive network monitoring, and integration with mobile device, patch and configuration management solutions. A vulnerability scanner can be used to enumerate devices accessing the corporate network, provide detailed mobile device information, detect known vulnerabilities and discover jailbroken devices.
Mobile Applications Security Testing Tools

Threat models for mobile applications can be quite complicated; hence several different aspects of these systems need to be examined. There are mainly three types of tools for mobile application security testing: static, dynamic and forensic. For a comprehensive testing program, it is a good idea to use a combination of vendor-provided and third-party tools.

Static: These tools look at the application at rest, either the application binary or the source code, to identify vulnerabilities in code, usually associated with data flow and buffer handling. Some static security analysis services and tools can test mobile application code. To get a clear understanding of which vulnerabilities can and cannot be identified, it is essential to work closely with the vendor, as most of these tools were optimized for web application testing. There are freely available tools for C, C++ and Objective-C programs. These tools can be used to test for some security and quality errors, and can be run from the command line as well as from inside Apple's Xcode development environment. Additionally, the 'otool' command provided by Xcode can be used to get information from iOS application binaries in support of security analysis. Tools are available for the Android environment to extract DEX assembly code and recover Java source code from applications. These tools can generate DEX assembly code from an Android DEX application binary, and dex2jar converts DEX application binaries to standard Java jar files.

Dynamic: These testing tools allow security analysts to understand the behaviour of running systems so that they can identify potential issues. Proxies that allow security analysts to observe and change the communication between the application client and supporting services are the most common dynamic analysis tools. These tools help security analysts reverse engineer communication protocols and craft potentially malicious messages that would never be sent by genuine mobile clients. Such messages attack server-side resources, which are a very critical component of any mobile application system.

Forensic: These tools allow application security analysts to examine the artifacts left behind by the application once it has been run. Analysts may look for hard-coded passwords or other credentials stored in configuration files, unexpected data stores in web browser component caches, and sensitive data stored in application databases. These tools can also be used to see how components of mobile applications are stored on the device, and to understand whether the available operating system access control features have been used effectively.

App developers must keep the following points in mind with respect to improving the security of mobile applications:
Proper Session Handling: Do not trust the client, use SSL to encrypt client communication, require a mobile certificate that can be validated, expire sessions, limit the amount of time any request is valid, do not allow repeat requests and do not allow modified requests.
Ensure Transport Layer Security: Follow the protocol to ensure privacy between communicating applications and their users on the Internet.
OWASP Cheat Sheets: The OWASP cheat sheet series was created by several application security experts, and these sheets provide an excellent security format. There is also a lot of information on specific mobile application security.
Sandboxing of Applications: Used to isolate the code, and the impact that code can have, in a runtime environment such as a mobile device.
Strong Authentication and Authorization: Use image-based authentication to secure mobile transactions and mobile applications, or to authenticate users in different situations.
Application White Listing: Prevent unauthorized programs from running.
Mandatory User Input for privileged or elevated access.
Tie Processes with user ID.
Encrypt Data when Written to Memory.

Tackling Mobile Apps Security Testing

Now that there is a clear understanding of the main risks involved in mobile application development, you can determine and define your approach to deploying a mobile application security solution. While defining the right approach, you must understand your specific use cases and incorporate your key objectives and business drivers.

There are several key points that drive strategy and the resulting architecture. These include decisions such as Bring-Your-Own vs. corporate-provided, 3rd-party tools vs. native platform tools, managing security in-house vs. outsourcing security, full data access vs. restricted data access, and application management vs. application guidance.

You need to plan your mobile app security testing strategy, starting by getting the basics under control. The mobile security market is not mature as of today, and there is still a long way to go to have the right security controls in place. Most breaches at the data level occur due to basic configuration failures such as lack of encryption, poor passwords, poor patching etc.

Additionally, test all the layers of mobile application security on both the client and the server side. Continue to explore. Mobile devices and technology will evolve at a very high pace; hence, plan a six-month strategy instead of a three-to-five-year one, and constantly re-evaluate new risks. Keep in mind that business demands and requirements will change as fast as the market. It is also worth mentioning: don't just test an app and forget about it. There are developer forums for most of the major mobile platforms where you can find the latest emerging security threats. Continue to enhance your test strategy to cover these new security threats.

Whenever possible, Automate!
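The advice to automate applies directly to two checks the paper describes earlier: the static tools section and the Excessive Permissions row (an app requesting access to contacts, messaging, location, microphone or camera), and the forensic tools section together with the Bad Data Storage row (hard-coded credentials left in configuration files on the device). The following is an added example, not code from the paper or from idexcel, that runs both checks over constructed inputs: an Android manifest and a key=value configuration file. The permission set to flag, the key-name pattern for credentials, and the sample contents are this example's assumptions; a real scan would run the same functions over the artifacts pulled from a build or a test device.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample artifacts (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

SAMPLE_CONFIG = """# constructed app config
api_base=https://api.example.test
api_password=not-a-real-password
debug=false
aws_secret_key=EXAMPLE-NOT-A-REAL-KEY
token=
"""

ANDROID_NAME_ATTR = "{http://schemas.android.com/apk/res/android}name"

# Permissions this example flags: each grants the kind of access the paper lists
# (contacts, messages, location, microphone, camera). Extend to local policy.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Assumed naming pattern for keys whose value would be a stored credential.
CREDENTIAL_KEY = re.compile(r"(password|passwd|secret|api_key|apikey|token|private_key)", re.I)


def audit_permissions(manifest_xml):
    """Static check: sorted list of flagged permissions the manifest requests."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NAME_ATTR) for el in root.iter("uses-permission")}
    return sorted(requested & SENSITIVE_PERMISSIONS)


def find_hardcoded_credentials(config_text):
    """Forensic check: (line number, key) for credential-like keys with a value."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if CREDENTIAL_KEY.search(key) and value.strip():
            hits.append((lineno, key.strip()))
    return hits


def scan(manifest_xml, config_text):
    """Combine both checks into one report suitable for a CI gate."""
    return {
        "excess_permissions": audit_permissions(manifest_xml),
        "hardcoded_credentials": find_hardcoded_credentials(config_text),
    }


if __name__ == "__main__":
    report = scan(SAMPLE_MANIFEST, SAMPLE_CONFIG)
    for key, findings in report.items():
        print(key, findings)
```

Wiring `scan` into the build so that any non-empty finding fails the job is the cheapest way to act on the paper's "do not store credentials on the device file system" and "restrict privileges and permissions" advice on every release rather than once.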
Conclusion
Security failures occur for a number of reasons: poor coding, design flaws, insufficient training, ineffective processes or human error. And failures are growing as more and more mobile apps are used in safety and business domains. Test automation frameworks hold the key to successful mobile application security testing. You need to build a testing strategy that combines different testing options, and puts them together to offer the best testing results, balancing the trade-off between quality, cost and time-to-market.