Securing mobile applications from malicious users, while still delivering every bit of functionality your users expect, is not a simple task, but it is a necessity. It is only possible through a solid application security program, and mobile security testing is a crucial part of both the SDLC and any AppSec program.
We’re on our phones constantly, and our phones have become extensions of our work and personal lives. We keep our work email, medical info, passwords and other sensitive data on our mobile devices. And for the average consumer, a locked phone feels like enough.
But if you’re in the security industry, or a developer of mobile applications, you know better. You’re aware of the major security issues that have arisen with the proliferation of mobile device usage. You’ve heard the horror stories of the Starbucks Mobile Payment App hack, the iOS App Store hack last fall, the LastPass password management leak last summer. You also know all the amazing technological advances in the mobile landscape, from real-time collaboration to smart apps and smartwatches to on-the-go banking. And you know how vigilant we need to be about security.
You may have some security gates or other security practices – but if you don’t have a solid mobile application security testing strategy in place, you’re not doing enough.
Business applications are becoming ever more critical to business success, yet we’re failing to secure them before release. Last year, a Ponemon study found that 33% of the 640 organizations surveyed never test their apps for security issues before deployment, and that most companies test fewer than half of the applications they deploy. That adds up to nearly 12 million mobile devices being carried around with active vulnerabilities. And with BYOD at an all-time high, including 67% of companies allowing any app to be downloaded onto BYOD devices, it’s even more critical that your applications are sound before going to market.
Our own research on the State of Mobile Application Security was just as grim. We found that the average app exposed more than three critical or high-risk vulnerabilities, with 33% of all vulnerabilities detected rated critical or high severity. Half of all the vulnerabilities would either let attackers steal personal or sensitive information, or exposed authentication and authorization flaws that allow remote execution, OS or app takeover, or worse.
Feeling invincible just because your company or applications haven’t been hit by attack is like any other bad habit. Speeding, smoking, drinking – they’re “fine” until you get in trouble – or worse, hurt yourself or others. You can think of developing mobile apps without securing them as a careless speeder, weaving in and out of traffic with no care as to who or what gets in the way.
Security is the freaked-out passenger sitting next to you, telling you to avoid that speed trap and cop on the side of the road (compliance issues), as well as where dangerous bumps in the road are located (malicious attackers). That’s the beauty of mobile application security testing, when it’s done right. It’s not there to slow you down – it’s there to keep you going, safely.
Instead of racing towards an inevitable crash, we can use what we know in order to guide our mobile AppSec testing program. When you know which platform or platforms your mobile app will be available on, the next step is to understand the attack vectors of those mobile operating systems. Android, iOS and PhoneGap each have their own security issues, so read up on
Get started with these three posts:
The risks posed by vulnerabilities in one application will differ from those in other apps you build. It’s important that during application design you carry out a risk assessment of the various parts of your app. The risk of each class of vulnerability should be weighed and given a risk score that is then used during testing, so that the riskiest issues are remediated before release.
Not every vulnerability carries the same weight when it comes to risk, and creating a hierarchy for each app you build will help when it comes time to test the apps. The OWASP Mobile Top 10 is always a great place to start, but remember that those are the most common vulnerabilities, not necessarily the riskiest ones for your particular app.
Mobile application security testing, like web app testing, draws on a range of techniques, including static analysis, dynamic analysis, and penetration testing. Each has a place in a solid mobile application security testing program, and when used correctly they cover far more ground together than any one of them alone. Using static code analysis throughout the SDLC, pen-testing before release and with each update, and using dynamic analysis to exercise the application in a runtime environment will help ensure a scalable, repeatable process for mobile application security testing.
This can be a difficult shift for developers, because they are used to reading code for functionality and simplicity, not for the ways it can be abused. Looking at code through the eyes of an attacker can be hard, but it is well worth the effort. If no security training is provided at your organization, you can teach yourself with the many deliberately vulnerable apps and sites available, then turn the same techniques on your own mobile apps. ‘Hacking’ your own apps will give you a much better grasp of the attack surface they expose.
Billed by OWASP as one of the world’s most popular free security tools, the OWASP Zed Attack Proxy Project, or ZAP, is a quality offering kept up to date by a large volunteer community. For mobile apps, point the device’s network proxy at ZAP to intercept, inspect and tamper with the traffic between the app and its back end; an app that pins its server certificate will refuse the connection until pinning is disabled in a test build.
Get OWASP ZAP here.
MobiSec, originally a DARPA CFT project, was later released as open source. MobiSec offers a live environment for testing mobile deployments, from the supporting infrastructure to the device itself. While built primarily for pentesters, developers can learn much from using the platform.
Get MobiSec here.
We covered Clang in our Open Source Static Code Analysis Tools post, and its static analyzer also handles Objective-C, so it can be used for static analysis of iOS apps.
Get Clang here.
A research project from the MITRE Corporation, iMAS is an iOS secure application framework dedicated to reducing “iOS application vulnerabilities and data loss.”
Get iMAS here.
LinkedIn released this open source mobile application security testing tool, QARK (Quick Android Review Kit), to help developers look for common vulnerabilities in Android source code and packaged APKs.
Get QARK here.
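The kind of manifest review QARK automates, and the ‘attack your own app’ exercise suggested above, as an added example that is not QARK’s code and not part of the original post: a small Python script that reads a source-tree AndroidManifest.xml and flags components that are exported without an android:permission guard, along with android:debuggable and a missing android:allowBackup="false". The manifest it scans is constructed for the example. Note that a manifest pulled out of a packaged APK is binary XML and has to be decoded (for instance with apktool) before it can be parsed this way.

```python
# Added example: a minimal AndroidManifest.xml review of the kind QARK automates.
# Not QARK's code; the sample manifest below is constructed for this example.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample: a source-tree manifest with several deliberate weaknesses.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <service android:name=".AdminService" android:exported="true"
             android:permission="com.example.demo.permission.ADMIN"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data"
              android:exported="true"/>
  </application>
</manifest>
"""


def android_attr(element, name):
    """Read an attribute from the android: namespace (None when absent)."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Mirror the platform rule: an explicit android:exported wins; otherwise a
    component that declares an <intent-filter> is implicitly exported."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    """True for the activity carrying the LAUNCHER category, which is expected
    to be exported and therefore is not reported."""
    return any(
        android_attr(category, "name") == LAUNCHER
        for intent_filter in component.findall("intent-filter")
        for category in intent_filter.findall("category")
    )


def analyze_manifest(xml_text):
    """Return (severity, location, message) tuples for manifest weaknesses."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings

    if (android_attr(app, "debuggable") or "false").lower() == "true":
        findings.append(("HIGH", "application",
                         "android:debuggable=true ships a debuggable build"))
    # android:allowBackup defaults to true when omitted, so only an explicit
    # "false" opts the app out of having its data pulled with adb backup.
    if (android_attr(app, "allowBackup") or "true").lower() != "false":
        findings.append(("MEDIUM", "application",
                         "android:allowBackup not set to false; app data can be extracted via adb backup"))

    for tag in COMPONENT_TAGS:
        for component in app.findall(tag):
            name = android_attr(component, "name") or "<unnamed>"
            if not is_exported(component) or android_attr(component, "permission"):
                continue
            if tag == "activity" and is_launcher(component):
                continue
            # An exported provider hands its data to any app on the device.
            severity = "HIGH" if tag == "provider" else "MEDIUM"
            findings.append((severity, f"{tag} {name}",
                             "exported without an android:permission guard"))
    return findings


if __name__ == "__main__":
    for severity, location, message in analyze_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {location}: {message}")
```

Run against the constructed manifest, the script reports the debuggable flag, the implicit allowBackup default, the deep-link activity (implicitly exported by its intent filter), the unguarded SyncService and the exported content provider, while leaving the launcher activity, the permission-protected AdminService and the non-exported receiver alone. Swap in your own manifest to see which of your components are reachable by any other app on the device.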
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.