Mobile applications can open up companies to a whole new customer base and access to new markets. But it can also open up the organisation to new attack vectors; whether these be new web services to support the mobile application, intellectual property or other sensitive data built into their applications or insecure applications that could lead to reputational damage, theft or other loses. 7 Elements have tailored a 3 tier approach to mobile application testing that focuses on identifying business and technology risks, identifying vulnerabilities within the deployment and provides supporting remedial advice.
The mobile application security testing methodology can be broken down in to three stages:
- Information Gathering
- Static Analysis
- Dynamic Analysis
Stage One: Information Gathering
The information gathering stage aims to prepare the testers for future testing phases by allowing a solid level of understanding of what the application does, how it does it, and what its functions are. This leads to identifying attack surfaces and understanding normal application activity. This stage helps to build awareness of the technologies in use within the application, mobile device and web components. At the end of this stage the tester will have gained an understanding of the application in normal use and can identify abnormal activity and functionality when exceptions occur.
Stage Two: Static Analysis
This stage focuses on the analysis of the mobile application binary or source code if available. If the source code isn’t made available to test, the binary may need to be extracted from the device and disassembled, and in some cases, decrypted. During this stage the testers will attempt to identify the application permissions, frameworks, libraries, hardcoded secrets, such as API keys and credentials, data entry points, and access control measures and sanitation of data passed to the application. At the end of this stage, depending on the results, it may be necessary to go back to stage one and gather further information on the newly discovered components. Information discovered in this stage prepares the testers for dynamic analysis of the application.
Stage Three: Dynamic Analysis
Using the data collected in the test so far, an informed security assessment of the mobile application client, servers and associated services can be performed. In this phase the use of intercepting proxies, debugging tools and scripting is used to perform dynamic access of the application in use. By the stage the attack surface of the application will have been identified, normal activity will be understood, and the tester can start to introduce unexpected data and identify how the application interacts with the various components identified in the previous stages.
Testing will focus primarily on the following components:
- Session Management
- Data Storage
- Information Disclosure
- Common Web Application Issues
- Networking Protocols
- Transport Layer Protection
- Run Time Manipulation
- Defensive Controls
If you would like to explore your organisations exposure to mobile application security flaws then please get in touch with our team to discuss how we can help.