Technology is evolving faster by the day. Today's mobiles are no longer just phones; they are small computers. Smartphones run powerful applications that put everything at the user's fingertips. Users can use their mobiles for:
- Logging in to banks in order to transfer funds
- Purchasing or selling shares via trading portals
- Booking travel or movie tickets
- Tweeting or social networking
- Donating to charity
As money transactions move to mobiles, hackers move their attention there as well. Securing mobile applications is therefore an important precaution. This article introduces you to the three key aspects of securing mobile applications.
A mobile application may be either:
- a web application accessed via a WAP browser, or
- a thick-client application that sends out HTTP requests or SMS messages.
Security testers should broadly focus on the following categories while analyzing their test cases:
- Local Storage of Data
- Hard-coded Sensitive Data in the Source Code
- Data in Transit
Let us discuss these categories in more detail from a security tester's perspective.
Local Storage of Data
Analysis of locally stored data is also referred to as "Handset Memory Analysis" for mobiles. Mobile applications store data in the local memory of a handset: developers write this data to local files, and the application reads it back at runtime.
- The Android OS stores data in files at runtime, but due to its native sandboxing mechanism, obtaining access to this data is difficult. It also stores some data in SQLite databases.
- Apple iOS stores sensitive information like keystrokes, snapshots and other cached information in the iPhone's local memory in the form of client-side SQLite databases or .plist files.
- Java applications on Nokia phones store it in RMS (Record Management System) files. These RMS files are stored permanently and are easily accessible; sometimes they are directly readable when the phone is connected to a PC via a data cable. Such files have a history of containing sensitive information like bank account numbers, beneficiary details or registered biller auto-pay details.
A security tester needs to conduct a Handset Memory Analysis to detect sensitive information stored on the device.
A mobile application should not store sensitive data on the user's handset. If it is necessary to store some data, it should be stored securely using strong encryption algorithms, and it should additionally be kept in locations that other applications cannot reach, protected by strict permissions.
Hard-coded Sensitive Data in the Source Code
Applications are also known to contain hard-coded data in their source code. We may come across various types of sensitive data, such as:
- payment gateways hard-coding the credentials
- applications hard-coding the server and application-specific details
- developer names & comments explaining the code pieces
Reverse-engineering the source code yields readable code files. This ultimately helps discover hard-coded data, and it also reveals the application logic.
- Android packages the application in .apk files, which have to be reverse-engineered to .dex files and then to readable class files.
- Other .jar files (which are ZIP archives) can simply be renamed to .rar and extracted with WinRAR. This yields the compiled class files, which can then be decompiled and read in a text editor.
A security tester has to decompile the application code in order to detect sensitive data or hard-coded information.
A mobile application should not hard-code sensitive data in the client-side code.
Data in Transit
Another aspect of mobile usage is the communication channel. Data in transit may be vulnerable to sniffing or manipulation. Data in transit can be tampered with or stolen in order to:
- obtain access to other user accounts.
- transfer funds from other accounts.
- sell shares of other users in order to create a nuisance.
- conduct social engineering.
During a security test, the tester should analyze the data in transit. HTTP traffic from mobile applications can be intercepted with a proxy editor tool; there, the security tester can execute targeted manipulation tests in order to verify the application's resilience against such attacks.
Mobile applications should thus implement server-side validation to prevent data manipulation in transit. Strong SSL encryption should also be implemented to protect data in transit.
Conclusion
There are many dimensions to mobile application attacks. This article focuses on three key aspects of the mobile security testing domain, around which most tests revolve. OWASP and other well-known security forums periodically release guidelines for securing mobile applications. Developers should follow these guidelines diligently, and security testers should include them in their testing checklist.
Originally written by me for Palizine Magazine in 2011
I prefer to read this kind of stuff. Thanks for the post.
Thank you for the look into mobile application security testing! In forums I've participated in, users often say application security testing is not necessary because developers should have made their applications secure in the first place.
Hello! Thank you very much for your useful program!!! I have one question: is it possible to start the lock screen when someone turns on my computer?
Useful details about mobile application testing.
Awesome post for mobile users.
Great article. Developing a mobile application and mobile code security can be difficult, especially when you are building for more than one platform.
A writer should always try to keep their writing very simple and clear. Always use facts which are easily accepted by ordinary people, because they are very close to their assumptions and they welcome such facts.
Nice blog. Thanks for sharing this post with a lot of useful information. I would like to get updates from you. Keep blogging.
Thanks for making us aware of the importance of mobile application security. I also want to add some important points here that can help you get a secure Android app:
1. SSL implementation check
2. Sensitive information management at client side
3. Code obfuscation
4. Obsolete cryptographic libraries identification
5. Validation checks at both client side and server side
6. Input sanitisation
7. Encode and decode
8. Implement checksums and tokens
9. Secure response headers
10. Authorisation testing
Read More: http://blog.entersoftsecurity.com/home/2016/9/21/entersoft-essentials-security-guidelines-to-secure-your-android-app
Nice blog, very informative. The subject is well covered. As you have stated, securing mobile applications as well as the mobile devices is very important. Mobiles are used for personal purposes as well as for business purposes. When the same mobile is used for both, ensuring security is important. This is where mobile device management software comes into play. I suggest you write a good piece (like this one) on MDM.
All the content you mentioned in the post is very good and will be very useful. I hope you will post more related to this.
Actually, I was looking for security guard companies online on Google and I came across your blog and read its posts, which are really nice. You have done mind-blowing work on this blog. Keep up the good work.
I was thinking about whether I could use this review on my other site; I will link it back to your site though. Great, thanks.
Good, nice.
You had outstanding guidelines there. I did a search on the field and found that very likely the majority will agree with your web page.
I like your post; there is a lot of information about software testing, which I would like to learn. Thank you for the great guide. A very useful post, and I think it is rather easy to see from the other comments as well that this post is well written and useful. I bookmarked this blog a while ago because of the useful content and I have never been disappointed. Keep up the good work. Read more about QA Services.
Excellent blog, I wish to share your post with my circle of friends. It has really helped me a lot, so keep sharing posts like this. We are a group of volunteers starting a new initiative in a community. Your blog provided us valuable information to work on.