MOBILE APPLICATION SECURITY TESTING

Mobile applications are growing in number every day, and more web applications are now accessed from mobile phones and tablets than from PCs. More than 90% of government services in the UAE can be transacted through mobile applications. Greater use of mobile applications brings more application vulnerabilities, and therefore more security incidents that may impact the client device or the backend systems that support the mobile application.

Many of the mobile applications we have assessed recently across the region show the need for continuous security assessment of mobile applications. Applications built by software developers, often outsourced by organizations, are frequently poorly hardened and insecurely configured, and do not follow even the most basic security guidelines.

Mobile application vulnerabilities often lead to customer privacy violations and/or data loss. It is therefore important to perform a holistic security review as part of your mobile application deployment strategy.

DTS's expert team of mobile application security consultants offers a detailed security analysis of your mobile application as part of our Mobile Application Security Assessment service. Our testing combines automated and manual testing, using the Mobile Application Security Framework (MobSF), OS simulators and platform SDKs. The automated tests detect many of the common vulnerabilities in your mobile application; manual testing by our security experts, however, uncovers many more issues than the automated tests, especially during a grey-box test.

Our Mobile Application Security methodology is based on the OWASP Mobile Security Project and covers both client-application and server-side testing.

Application Mapping

The initial step in the mobile application security assessment is mapping the application for each operating system architecture. This provides a detailed understanding of the application and of its data flow, both within the application and to the server.

  • Application understanding
  • Data flow mapping

Client-Side Attacks

In this stage, the focus of testing is to understand the weaknesses on the client side. This includes analysis of temporary storage, sensitive information and client-side encryption.

  • Binary analysis and identification of insecure APIs
  • File system analysis for identification of sensitive files and weak encryption implementations
  • Memory and process analysis

Network Attacks

In this stage, the communication channel between the client and the server is reviewed and attacked. Sensitive plaintext traffic is retrieved by analyzing:

  • Installation traffic
  • Run-time traffic

Server-Side Attacks

The final phase of a mobile application security assessment is to assess the security of the server. Here, the server-side application is tested to find out how it responds to various malicious requests.

  • TCP attacks are performed to identify vulnerabilities such as buffer overflows
  • HTTP attacks are performed to identify application vulnerabilities such as XSS, SQL injection and other OWASP-listed vulnerabilities

The test cases below are grouped by OWASP Mobile Top 10 category (M1 to M10).

M1. Weak Server-Side Control

  ID      Test Name
  M1-01   Excessive ports opened at firewall
  M1-02   Default credentials on application server
  M1-03   Exposure of web services through WSDL document
  M1-04   Security misconfiguration on web server
  M1-05   Input validation on API
  M1-06   Information exposure through API response message

M2. Insecure Data Storage

  ID      Test Name
  M2-01   Unrestricted backup file
  M2-02   Unencrypted database files
  M2-03   Hard-coded credentials
  M2-04   Insecure shared storage
  M2-05   Insecure application data storage

M3. Insufficient Transport Layer Protection

  ID      Test Name
  M3-01   Insecure transport layer protocols
  M3-02   SSL/TLS weak encryption
  M3-03   Disabled certificate validation
  M3-04   Self-signed certificate

M4. Unintended Data Leakage

  ID      Test Name
  M4-01   Information disclosure through Logcat / Apple System Log (ASL)
  M4-02   Exposing device-specific identifiers in attacker-visible elements
  M4-03   Application backgrounding (screenshot)
  M4-04   URL caching (HTTP request and response)
  M4-05   Keyboard press caching
  M4-06   Copy/paste buffer caching

M5. Poor Authorization and Authentication

  ID      Test Name
  M5-01   Bypassing business logic flaws
  M5-02   Remember-credentials functionality (persistent authentication)
  M5-03   Client-side authentication flaws
  M5-04   Client-side authorization breaches
  M5-05   Installation on insecure versions of Android OS allowed

M6. Broken Cryptography

  ID      Test Name
  M6-01   Cryptographic storage strength
  M6-02   Poor key management process
  M6-03   Use of custom encryption protocols

M7. Client-Side Injection

  ID      Test Name
  M7-01   Insufficient WebView hardening (XSS)
  M7-02   Content Providers: SQL injection and local file inclusion
  M7-03   Injection (SQLite injection, XML injection)
  M7-04   Local file inclusion through NSFileManager or WebViews

M8. Security Decisions Via Untrusted Inputs

  ID      Test Name
  M8-01   Abusing Android components through IPC intents ("exported" and "intent-filter")
  M8-02   Abusing URL schemes

M9. Improper Session Handling

  ID      Test Name
  M9-01   Session invalidation on backend
  M9-02   Session timeout protection
  M9-03   Cookie rotation
  M9-04   Token creation

M10. Lack of Binary Protections

  ID      Test Name
  M10-01  Reverse engineering the application code
  M10-02  Unauthorized code modification
  M10-03  Debugging application behavior through runtime analysis