Monday, November 28, 2011
Mobile Application Testing
Technology is evolving faster by the day. Today, mobiles are no longer just phones; they are small computers. Smartphones run powerful applications that put everything at users' fingertips. Users can use their mobiles for:
As money transactions move to mobiles, attackers shift their attention there as well. Securing mobile applications therefore becomes an important precaution. This article introduces the three key aspects of securing mobile applications.
Mobile applications may be a -
Security testers should broadly focus on the following categories while analyzing their test cases -
Let us further discuss these categories in detail from a security tester’s perspective.
Testing the local storage of data on mobiles is also referred to as “Handset Memory Analysis”.
Mobile applications store data in the local memory of a handset. Developers store this data in local files, and the application reads it from there.
A security tester needs to conduct a Handset Memory Analysis to detect sensitive information stored on the device.
A mobile application should not store sensitive data on the user's handset. If it is necessary to store some data, it should be stored securely using strong encryption algorithms, and it should additionally be kept at locations that are not reachable by other applications, protected by strict permissions.
Applications are also known to contain hard-coded data in their source code. We may come across various types of sensitive data, such as –
Reverse-engineering the application yields readable source files. This ultimately helps discover hard-coded data, and it also reveals the application logic.
A security tester therefore has to decompile the application code in order to detect sensitive data or hard-coded information.
A mobile application should not hard-code sensitive data in the client-side code.
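The two checks above (sensitive data left in handset storage, and secrets hard-coded in decompiled source) both come down to scanning recovered files for patterns that should never be there. The script below is an added example, not code from the original post: it scans constructed sample files for credential assignments, private-key blocks and Luhn-valid card numbers, masks the card numbers in its report, and drops digit runs that fail the Luhn check so that an order id is not reported as a card. The file names, pattern labels and values are all made up for this example.

```python
import re

# Patterns a tester looks for in decompiled source and in files pulled from handset storage.
PATTERNS = {
    "credential": re.compile(
        r'(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*["\'][^"\']{4,}["\']'),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

def luhn_valid(digits):
    """Luhn checksum, used to drop random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(source, text):
    """Return (source, line_no, kind, evidence) tuples; card numbers are masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                evidence = m.group(0)
                if kind == "card_number":
                    digits = re.sub(r"[ -]", "", evidence)
                    if not luhn_valid(digits):
                        continue  # e.g. an order id, not a card number
                    evidence = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                findings.append((source, line_no, kind, evidence))
    return findings

def scan_files(files):
    return [f for name, text in files.items() for f in scan_text(name, text)]

# Constructed sample inputs: one line of a decompiled Java class and a preferences
# file copied from app storage. Every value below is made up for this example.
SAMPLE_FILES = {
    "decompiled/PaymentClient.java":
        'private static final String API_KEY = "sk_live_EXAMPLE_1234567890";\n',
    "storage/shared_prefs/user.xml":
        '<string name="card">4111 1111 1111 1111</string>\n'
        '<string name="order_id">1234567890123</string>\n',
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

In practice the same functions would be run over the directory produced by the decompiler and over the files copied from the handset, and each finding is then verified by hand.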
Another aspect of mobile usage is the communication channel. Data in transit may be vulnerable to sniffing or manipulation. Data in transit can be tampered with or stolen to –
During a security test, the tester should analyze the data in transit. HTTP traffic from mobile applications can be intercepted via a proxy editor tool, and the security tester can then execute targeted manipulation attacks in order to test the application's resilience against them.
Mobile applications should therefore implement server-side validation to prevent data manipulation in transit. Strong SSL encryption should also be implemented to protect data in transit.
There may be various dimensions to mobile application attacks. This article focuses on three key aspects of the mobile security testing domain, around which most of the tests revolve. OWASP and other well-known security forums periodically release guidelines for securing mobile applications. Developers should follow these guidelines diligently, and security testers should include them in their detection armory.