What Is a Mobile Application Security Assessment?

Introduction

Mobile devices are everywhere. Owning a smartphone has become commonplace around the world, and for many people a mobile device is their first experience with computing. Businesses have adapted their sales channels accordingly, and mobile now accounts for 72.9% of eCommerce sales [1]. Security, however, has not kept pace.

Enterprises have lagged far behind in addressing mobile risk. According to recent industry reports, 97% of organizations have been hit by mobile device related cyberattacks, 93% of mobile malware attacks originate on the network the infected device is connected to, and zero-day exploits against mobile endpoints have increased by 466%. With exposure on that scale, mobile application security testing is not merely recommended; it is essential.

In this article, we define what a mobile application security assessment is, explain why it matters, and show you how to perform your own security audit.

What Is a Mobile Application Security Assessment?

Definition

A mobile application security assessment tests an application that runs on a mobile platform such as Android or iOS for security weaknesses. Both platforms ship with built-in security controls (app sandboxing, a permission model, app-store review), but these are far from perfect. Malicious apps have repeatedly evaded both Google's and Apple's review, been installed by users, and then used their foothold on the device to attack other applications, systems, and networks.

Because of this, a mobile application security assessment needs to cover risks at three distinct layers: the mobile platform itself, the application, and the user. Which vulnerabilities matter most also depends on what your application does, what kind of business you are in, and who your users are. A commercial app must consider insecure payment handling and use over untrusted public Wi-Fi networks; an internal application is more likely to suffer from weak passwords and poorly secured internal wireless networks.

Assessment Process

Vulnerability scanning is typically the first step in a mobile application security assessment. A certified penetration tester then assesses the application, its APIs, back-end systems, and supporting infrastructure by mimicking real-world attacks. When testing concludes, all findings are compiled into a detailed report with remediation advice.

Clients usually follow up the assessment with a rescan to confirm that the vulnerabilities were properly mitigated.

Security Standards

The OWASP Mobile Application Security Verification Standard (MASVS) is the industry standard against which mobile application security assessments are conducted. It is supplemented by the OWASP Mobile Application Security Testing Guide (MASTG, formerly the Mobile Security Testing Guide, MSTG), which covers security testing techniques and methodology for mobile applications, including reverse engineering.

The MASTG provides concrete test cases and technical recommendations for verifying each security control defined in MASVS.

OWASP also publishes a Mobile Application Security Checklist that maps MASVS requirements to the corresponding MASTG tests, so it can be used during an assessment to track which requirements have been verified. Google's App Defense Alliance builds on the same standard with its Mobile Application Security Assessment (MASA) program: apps independently validated against a published set of MASVS Level 1 controls can display an independent security review badge on Google Play.

SAST vs DAST

To assess the security of an application, security professionals use Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

SAST analyzes an application's source code or compiled binary without executing it. Because it assumes full access to the application's logic and code, it is a form of white-box testing, and it gives testers a much clearer view of the application's structure and of the classes of bugs that are visible in code: hard-coded secrets, insecure API and cryptography usage, missing input validation. SAST can be run early and repeatedly, on every build, before the software is deployed, which is why it is often described as "testing in the SDLC".

DAST is the opposite: it tests the running application from the outside with no access to the source code, so it corresponds to black-box testing. Testers are left to their own devices with no knowledge of what runs on the application's back end, and attacks are simulated from an external attacker's perspective, much as a real adversary would approach the application in production. Black-box testing will not find every vulnerability, but it exercises the deployed configuration, the back end, and the runtime behaviour, so it catches problems that SAST cannot see, such as server misconfigurations, authentication and session flaws, and runtime errors. It is typically performed later in the software development life cycle, against a staging or production-like build.

Gray-box testing is commonly used during assessments as well. Testers are given limited knowledge about the application’s internals, such as architecture or algorithms. The idea is that testers can use this information to craft more accurate test cases.

How to Perform a Mobile Application Security Assessment

Mobile application security assessments should include:

Interacting with the application to understand how it stores, processes, and shares data.
Decompiling the application and reviewing the recovered source code.
Reviewing third-party libraries for known vulnerabilities and for malicious or remotely updatable code.
Testing and reviewing encryption: algorithms and modes, key storage, and TLS configuration.
Performing SAST and DAST.
Reviewing the application architecture.
Building a threat model for the application and using it to prioritize the tests.
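The following is an added example, not code from the original article or from ThreatScan. It shows what the static items in the list above (decompiling and reviewing source, checking encryption, manifest and storage settings) look like when automated as a small SAST pass of the kind described in the SAST vs DAST section: a handful of regular-expression rules run over constructed sample files that stand in for jadx or apktool output. The rule identifiers, severities, file names and the package name com.example.shop are this example's own assumptions; a real assessment would use a much fuller rule set (or a tool such as MobSF) and manual review to confirm each hit.

```python
"""Pattern-based static review of decompiled Android artifacts.

Added example (not from the original article). Rules, severities and the
sample "decompiled" files below are constructed for illustration only.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: str        # "high" | "medium" | "low": illustrative ranking only
    pattern: re.Pattern
    rationale: str


# Each rule fires on a single line of decompiled Java or manifest XML.
RULES = [
    Rule("MANIFEST-DEBUGGABLE", "high",
         re.compile(r'android:debuggable\s*=\s*"true"'),
         "debuggable build: a debugger can attach and dump process memory"),
    Rule("MANIFEST-CLEARTEXT", "medium",
         re.compile(r'android:usesCleartextTraffic\s*=\s*"true"'),
         "plain HTTP permitted: traffic readable and modifiable on open Wi-Fi"),
    Rule("MANIFEST-BACKUP", "low",
         re.compile(r'android:allowBackup\s*=\s*"true"'),
         "app data included in backups: check which private files would leave the device"),
    Rule("CRYPTO-ECB", "high",
         re.compile(r'Cipher\.getInstance\(\s*"AES(?:/ECB/[^"]*)?"\s*\)'),
         "AES in ECB mode (the default when no mode is named): equal blocks leak structure"),
    Rule("CRYPTO-HARDCODED-KEY", "high",
         re.compile(r'SecretKeySpec\(\s*"[^"]+"\.getBytes\('),
         "key literal in code: recoverable by anyone who decompiles the APK"),
    Rule("TLS-TRUST-ALL", "high",
         re.compile(r'checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}'),
         "empty TrustManager accepts any certificate: MITM on untrusted networks"),
    Rule("STORAGE-WORLD-READABLE", "high",
         re.compile(r'MODE_WORLD_(?:READABLE|WRITEABLE)'),
         "file readable by other apps on the device"),
    Rule("LOG-SENSITIVE", "medium",
         re.compile(r'Log\.[dveiw]\(.*?(?:password|token|secret)', re.IGNORECASE),
         "credential material written to logcat"),
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    evidence: str
    rationale: str


def scan_sources(files: dict[str, str]) -> list[Finding]:
    """Run every rule over every line of every decompiled file."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule in RULES:
                if rule.pattern.search(line):
                    findings.append(Finding(rule.rule_id, rule.severity, path,
                                            lineno, line.strip(), rule.rationale))
    return findings


def summarize_by_severity(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


# Constructed sample: what a decompiler might emit for a deliberately weak app.
SAMPLE_APK_SOURCES = {
    "AndroidManifest.xml": (
        '<manifest package="com.example.shop">\n'
        '  <application android:debuggable="true" android:usesCleartextTraffic="true"'
        ' android:allowBackup="true">\n'
        '  </application>\n</manifest>\n'),
    "com/example/shop/CryptoUtil.java": (
        'Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");\n'
        'SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");\n'),
    "com/example/shop/net/TrustAll.java": (
        'public void checkServerTrusted(X509Certificate[] chain, String authType) {}\n'),
    "com/example/shop/SessionStore.java": (
        'FileOutputStream out = openFileOutput("session", Context.MODE_WORLD_READABLE);\n'
        'Log.d("Session", "token=" + token);\n'),
    # A clean file, to show the rules stay quiet on a sound configuration.
    "com/example/shop/Safe.java": (
        'Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");\n'),
}


if __name__ == "__main__":
    results = scan_sources(SAMPLE_APK_SOURCES)
    for f in sorted(results, key=lambda f: (f.severity, f.path, f.line)):
        print(f"[{f.severity:6}] {f.rule_id:24} {f.path}:{f.line}  {f.evidence}")
        print(f"          {f.rationale}")
    print("totals:", summarize_by_severity(results))
```

Each finding records the file, line and matching evidence so a reviewer can jump to the decompiled source and confirm the hit. Pattern rules produce false positives (a trust-all manager in test-only code, for example) and miss anything the pattern does not anticipate, which is why the manual review and the DAST steps in the list above remain necessary.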

Mobile Application Security Assessment Report

All findings are recorded and stored in a report. This report should include high-quality insights and straightforward remediation steps. Vulnerabilities should be remediated to decrease risk, improve security, and comply with standards. Your application security assessment can help protect your organization and users from attacks.

Get Started With Your Mobile Application Security Assessment Using ThreatScan

Ideally, mobile application security assessments should occur before and after deployment. Security controls should work as expected, but your developers should also be made aware of edge cases that could be exploited in production. When testing your application, you should utilize a production-like environment when performing your assessments. Assessments should include testing both application code, as well as configurations.

Developers should not be relied upon to find all security risks. ThreatScan is a vulnerability management and penetration testing platform that performs automated, in-depth scans of your application and network to discover and analyze potential risks. Our penetration testers perform manual pentests to validate your true security posture. Our users are given an instant threat score illustrating the security posture of their application, network, and overall organization.

ThreatScan comes equipped with a dashboard to keep track of all vulnerabilities, pentest progress, and remediation efforts. If you have any questions, our AI chatbot Diana can help you submit tests, download reports, and answer any cybersecurity or product related questions. We’re available 24/7 and allow integrations with email, Jira, and Slack to help your team respond and collaborate quickly.

Contact ThreatScan to learn more about starting your mobile application security assessment.

References

[1] https://purplesec.us/resources/cyber-security-statistics/
[2] https://www.synopsys.com/blogs/software-security/sast-vs-dast-difference/
[3] https://www.synopsys.com/glossary/what-is-mobile-application-security.html
[4] https://www.geeksforgeeks.org/gray-box-testing-software-testing/
[5] https://www.secureworks.com/blog/mobile-application-security-assessments
