MOBILE APPLICATION SECURITY TESTING
Mobile applications are increasing in numbers every day. Today more mobile phones / tablets accesses web applications than PCs. More than 90% of government services in UAE can be transacted through mobile applications. Increase in the use of mobile applications means, application vulnerabilities and thus security incidents that may impact the client device or backend systems that support the mobile application.
Many mobile applications we have assessed recently across the region, indicate the need for continuous security assessment of mobile applications. Poorly hardening and securely configured mobile applications by the software developers, often outsourced by organizations, do not even follow the most basic of security guidelines.
Mobile Application vulnerabilities often lead to customer privacy violations and/or data loss. Considering this, it is important to perform a holistic security review as part of your mobile application deployment strategy.
DTS expert team of mobile application security consultants offers a detailed security analysis of your mobile application as part of our Mobile Application Security Assessment service. Our testing methods use both automated testing as well as manual testing using a combination of Mobile Application Security Framework (MobSF), OS simulators and SDK kits. Our “automated tests” detects many of the common vulnerabilities of your mobile application. However, manual testing by our security experts uncovers much more issues than the automated tests especially during a grey-box test.
Our Mobile Application Security methodology is based on the OWASP Mobile Security project and performs tests both client application as well as the server-side testing.
The initial step in the Mobile application security assessment is the mapping of the application for each type of the Operating System architecture. This will provide a detailed understanding of the application and the data flow, within the application as well as to the server.
- Application understanding
- Data Flow mapping
In this stage, the focus of the testing is to understand the weaknesses on the client side. This includes the analysis of temporary storage, sensitive information and client-side encryption
- Binary Analysis and Identification of insecure APIs
- File system analysis for identification of sensitive files and weak encryption implementation
- Memory and Process analysis
In this stage, the communication channel between the client and the server undergoes the review and attack. Sensitive plain text traffic is retrieved by analyzing
- Installation traffic
- Run time traffic
The final phase of a mobile application security assessment is to assess the security of the server. In this, the server-side application would be tested to find out how it responds to various malicious requests.
- TCP attacks are performed to identify vulnerabilities such as Buffer Overflows
- HTTP Attacks are performed to identify application vulnerabilities such as XSS, SQL injection and other OWASP listed vulnerabilities
|
M1. Weak Server-Side Control |
Test Name |
|
M1-01 |
Excessive port opened at Firewall |
|
M1-02 |
Default credentials on Application Server |
|
M1-03 |
Exposure of Webservices through WSDL document |
|
M1-04 |
Security Misconfiguration on Webserver |
|
M1-05 |
Input validation on API |
|
M1-06 |
Information Exposure through API response message |
|
M2. Insecure Data Storage |
Test Name |
|
M2-01 |
Unrestricted Backup file |
|
M2-02 |
Unencrypted Database files |
|
M2-03 |
Hard-coded credentials |
|
M2-04 |
Insecure Shared Storage |
|
M2-05 |
Insecure Application Data Storage |
|
M3. Insufficient Transport Layer Protection |
Test Name |
|
M3-01 |
Insecure Transport Layer Protocols |
|
M3-02 |
SSL/TLS Weak Encryption |
|
M3-03 |
Disable certificate validation |
|
M3-04 |
Self-signed certificate |
|
M4. Unintended Data Leakage |
Test Name |
|
M4-01 |
Information Disclosure through Logcat/Apple System Log (ASL) |
|
M4-02 |
Exposing Device Specific Identifiers in Attacker Visible Elements |
|
M4-03 |
Application Backgrounding (Screenshot) |
|
M4-04 |
URL Caching (HTTP Request and Response) |
|
M4-05 |
Keyboard Press Caching |
|
M4-06 |
Copy/Paste Buffer Caching |
|
M5. Poor Authorization and Authentication |
Test Name |
|
M5-01 |
Bypassing business logic flaws |
|
M5-02 |
Remember Credentials Functionality (Persistent authentication) |
|
M5-03 |
Client Side Based Authentication Flaws |
|
M5-04 |
Client Side Authorization Breaches |
|
M5-05 |
Insecure version of Android OS Installation Allowed |
|
M6. Broken Cryptography |
Test Name |
|
M6-01 |
Cryptographic Based Storage Strength |
|
M6-02 |
Poor key management process |
|
M6-03 |
Use of custom encryption protocols |
|
M7. Client-Side Injection |
Test Name |
|
M7-01 |
Insufficient WebView hardening (XSS) |
|
M7-02 |
Content Providers: SQL Injection and Local File Inclusion |
|
M7-03 |
Injection (SQLite Injection, XML Injection) |
|
M7-04 |
Local File Inclusion through NSFileManager or Webviews |
|
M8. Security Decisions Via Untrusted Inputs |
Test Name |
|
M8-01 |
Abusing Android Components through IPC intents ("exported" and "intent-filter") |
|
M8-02 |
Abusing URL schemes |
|
M9. Improper Session Handling |
Test Name |
|
M9-01 |
Session invalidation on Backend |
|
M9-02 |
Session Timeout Protection |
|
M9-03 |
Cookie Rotation |
|
M9-04 |
Token Creation |
|
M10. Lack of Binary Protections |
Test Name |
|
M10-01 |
Reverse Engineering the Application Code |
|
M10-02 |
Unauthorized Code Modification |
|
M10-03 |
Debug the application behavior through runtime analysis |