Sunday, June 26, 2016

Mobile Application Testing

Technology is evolving faster by the day. Today, we see mobiles are no longer mobiles, they are small computers. The smartphones run powerful applications, providing everything to users at their fingertips. Users can use their mobiles for:
  • Logging in to banks in order to transfer funds
  • Purchasing or selling shares via trading portals
  • Booking travel or movie tickets
  • Tweeting or social networking
  • Donating to charity

As money transactions move to mobiles, hackers also move their attention to it. Hence, as a precautionary measure, securing mobile applications becomes important. This article introduces you to the three key aspects of securing mobile applications.
Mobile applications may be a -
  • web application accessed via a WAP browser.
  • thick client application sending out an HTTP request or an SMS.

Security testers should broadly focus on the following categories while analyzing their test cases -
  • Local Storage of Data
  • Hard-coded Sensitive Data in the Source Code
  • Data in Transition


Let us further discuss these categories in detail from a security tester’s perspective.

Local Storage of Data
The local storage of data can also be referred to as a “Handset Memory Analysis” for mobiles.
Mobile applications store data in the local memory of a handset. This data is stored by developers in files locally and is used by the application.
  • The Android OS stores data in files at runtime, but due to its native sand-boxing mechanism, obtaining access to this data is difficult. It also stores some data in the SQLite database.
  • The Apple iOS stores sensitive information like keystrokes, snapshots and other cached information in the iPhone local memory in the form of client-side SQLite databases or .plist files.
  • The Java application in Nokia phones stores it in the form of RMS files. These RMS (Record Management System) files get stored permanently and are easily accessible. Sometimes, they are easily readable when connected to a PC via a data cable. These files have a history of containing sensitive information like bank account numbers, beneficiary details or registered biller(s) auto-pay details.

A security tester needs to conduct a Handset Memory Analysis to detect sensitive information stored in the device.
A mobile application should not store sensitive data in user handsets. If at all it is necessary to store some data, it should be stored in a secure manner using strong encryption algorithms. It can further be stored at non-reachable locations with strict permissions.

Hard-coded Sensitive Data in the Source Code
Applications are also known to comprise hard-coded data in the source code. We may come across various types of sensitive data like –
  • payment gateways hard-coding the credentials
  • applications hard-coding the server and application-specific details
  • developer names & comments explaining the code pieces

Reverse-engineer the source code to obtain readable code files. This would ultimately help discover hard-coded data. It would also help reveal the application logic.
  • Android packages the application in .apk files, which have to be reverse-engineered to .dex files and then to readable class files.
  • Other .jar files can be simply renamed to .rar and extracted by WinRAR software. This results in decompiled class files that can be read using text editors.

A security tester has to decompile the application code in order to detect sensitive data or hard-coded information.
A mobile application should not hard-code sensitive data in the client-side code.

Data in Transition
Another aspect of mobile usage is the communication channel. Data in transit may be vulnerable to sniffing or manipulation. The data in transit can be tampered or stolen to –
  • obtain access to other user accounts.
  • transfer funds from other accounts.
  • sell shares of other users in order to create a nuisance.
  • conduct social engineering.

During a security test, the tester should analyze the data in transition. The HTTP traffic in mobile networks can be intercepted via a proxy editor tool. Here, the security tester can execute targeted manipulation attacks in order to test the application’s resilience against such attacks.
Mobile applications should thus implement server-side validation to prevent data manipulation in transit. Strong SSL encryption should also be implemented to protect data in transit.

Conclusion
There may be various dimensions to mobile application attacks. This article attempts to focus on three key aspects of the mobile security testing domain. Most of the tests revolve around these three aspects. OWASP and other known security forums periodically release guidelines for securing mobile applications. All these guidelines should be diligently followed by developers and included in the detection armory by a security tester.

Originally written by me for Palizine Magazine in 2011 

12 comments:

  1. I prefer to read this kind of stuff.Thanks for the post.
    sandiegoappdevelopment.com

    ReplyDelete
  2. Thank you for the look into mobile application security testing, ! In forums I've participated in, users often say application security testing is not necessary because developers should have made their applications secure in the first place.
    static application security testing sast

    ReplyDelete
  3. Hello ! Thanks you very much for your useful program !!! I have one question : Is it possible to start the lock screen when someone turn on my computer ?
    Gallery lock

    ReplyDelete
  4. Nice it seems to be good post... It will get readers engagement on the article since readers engagement plays an vital role in every blog.. i am expecting more updated posts from your hands.
    Mobile App Development Company
    Android app Development Company
    ios app development Company
    Mobile App Development Companies

    ReplyDelete
  5. Usually I do not read post on blogs, but I would like to say that this write-up very forced me to try and do it! Your writing style has been surprised me. Great work admin.Keep update more blog.
    Mobile App Development Company
    Android app Development Company
    ios app development Company
    Mobile App Development Companies

    ReplyDelete

  6. corporate network securityWe provide low-cost IT service and best-outsourced administrator, it services corporate network security it's much better in network security

    ReplyDelete
  7. Hai Good information shared about IOS. In future everything about ios . This blog post is really helpful. Please keep updated tutorials…

    ReplyDelete
  8. Great article. Developing a mobile application and mobile code security can be difficult, especially when you are building for more than one platform.

    ReplyDelete
  9. You have provided an nice article, Thank you very much for this one. And i hope this will be useful for many people.. and i am waiting for your next post keep on updating these kinds of knowledgeable things...
    Mobile App Development Company

    ReplyDelete
  10. Try this Vender app! Vender is a mobile application that lets you manage your leads and tasks in 1 app. Communicate and Log Your Activities, get Things Done, backup and Sync All Your Devices and decide Better with Visual Reports

    ReplyDelete