Mobile App Security Testing
AGENDA
1. What is a Mobile App? How many types of Mobile Apps are there?
2. What is Mobile Testing? Security Testing? Mobile App Security Testing?
3. What is meant by a Threat? Types of Threats? Vulnerabilities? Attacks?
4. What are the Mobile Security Testing Key Concepts?
5. What are the top mobile security issues?
6. Mobile Security Testing Advantages.
7. Mobile Security Testing Strategies to enhance Application Security.
8. What is the necessity of mobile security testing, and what are its statistics?
9. Mobile Application Security Testing Methodology.
10. What are the Mobile Security Testing Deliverables?
11. How to implement mobile security testing techniques manually and with automation?
Mobile Testing: Mobile Device Testing and Mobile Apps Testing
Mobile Testing or Mobile Device Testing:
➔ Mobile Testing is the testing of mobile handsets or devices.
➔ Testing is conducted on both hardware and software.
➔ Testing that all the core functions, such as SMS, voice calls, connectivity (Bluetooth), battery (charging), signal reception and network, are working correctly.
Mobile Apps Testing:
➔ It is the process by which application software developed for mobile devices is tested for its functionality, usability and consistency.
➔ Mobile Application Testing is the testing of mobile applications that we build as a third party for the targeted mobile handset.
Mobile Security Testing: Mobile Device Security Testing and Mobile Apps Security Testing
Mobile Security or Mobile Device Security:
➔ Mobile Device Security is the protection of smartphones, tablets, laptops and other portable computing devices, and the networks they connect to, from threats and vulnerabilities associated with wireless computing.
➔ Mobile security is also known as wireless security.
Mobile Apps Security Testing:
➔ Mobile application security testing is part of Mobile Security Testing.
➔ Mobile application security means in-depth security testing of mobile applications so that they conform to high security standards. The application needs to be tested for vulnerabilities, and a detailed report with proof of concept is provided. Detailed correction procedures for fixing the issues are also included in the report.
Mobile Application Security Testing Overview
Security testing is a process to find out whether the system protects data and maintains functionality as intended.
Mobile Apps Security Testing covers the following application types:
• Web Applications
• Native Applications / Standalone
• Hybrid Applications
[Figure: Mobile Apps Revenue]
Mobile App Security Testing on Major Platforms
• iOS (iPhone / iPad App)
• Android (Android App)
• Windows Mobile (Windows Phone App / Nokia App)
• Blackberry OS (Blackberry Apps)
Threats
A threat refers to anything that has the possibility to cause serious harm to a computer
system. A threat is something that may or may not happen, but has the possibility to cause
serious damage. Threats can lead to attacks on computer systems, networks and more.
Mobile Security Threat Types
Application-Based Threats:
1. Malware
2. Spyware
3. Privacy Threats
4. Vulnerable Applications
Web-Based Threats:
1. Phishing Scams
2. Drive-By Downloads
3. Browser exploits/attacks
Network Threats:
1. Network exploits/attacks
2. Wi-Fi Sniffing
Physical Threats:
1. Lost or Stolen Devices
MALICIOUS SOFTWARE [ VIRUS ] EFFECTS AS FOLLOWS...
❏ It can slow down your computer / mobile device / application / database server / web server.
❏ It might corrupt your system files.
❏ It might make some programs faulty or corrupt.
❏ It might damage your boot sector, creating problems when you boot into Windows.
❏ It might steal important information from your computer and send it to some other person.
❏ It might change the power ratings of your computer and could blast the system.
❏ It can possibly wipe out your hard drive.
❏ It can redirect websites, send spam emails, alter data, destroy data, steal passwords and bank details, format your hard disk and destroy everything.
❏ It might give you sleepless nights and nightmares [terrifying dreams], if you are able to sleep at all.
Mobile Application Security Testing Advantages
• Identifies design flaws and improves the security of your application.
• Supports user confidence in application security.
• Helps prevent application downtime and improves productivity.
• Protects your organization's information assets and reputation.
• Finds out whether client software may be manipulated to provide unauthorized access.
• Identifies specific risks to the organization and provides detailed recommendations to mitigate them.
Mobile Applications Security Testing Need
• Smartphones are fast replacing traditional computers. As the user base rapidly shifts to mobiles, hackers are also shifting their attention to mobiles. Due to this trend, conducting security tests on these applications has become a necessity.
• Security testing is required to find out all potential loopholes and weaknesses of the system.
Mobility is everywhere…
Why is security relevant for the Mobile Platform?
• 40% increase in the number of organizations developing Mobile Platform based applications.
• 30% increase in the number of Mobile Banking applications.
• 50% increase in the number of people using their mobile phones for day-to-day transactions.
• 82% chance of end users not using their mobile phones with proper caution.
• 79% chance of mobile phone users jailbreaking their phones.
• 65% chance of mobile phone users not installing anti-virus on their mobile phones.
• 71% chance of any application getting misused.
• 57% chance of a user losing his sensitive credentials to a hacker.
Vulnerability
A vulnerability is a hole or weakness in the application, whether a design flaw or an implementation bug, that allows an attacker to cause harm to the application.
• Total list of Vulnerabilities: 169
Attack
An attack is any technique used to destroy, expose, alter, disable, steal or gain unauthorized access to an application. Attacks are the techniques that attackers use to exploit the vulnerabilities in applications.
• Total types of Attacks: 69
Mobile Apps Security Testing Key Concepts
Authentication:
Authentication is the process of checking credentials [i.e., checking the user's username and password] to identify the user.
Authorization:
Authorization is the process of granting privileges to authenticated users. That means not all authenticated users can perform all operations: depending on their roles, certain privileges are given to them in the form of authorization. User permissions and group permissions are examples of authorization.
For example, a particular bank's customers, employees and administrators can all log in to its website, but the options available to these persons differ at the customer level, bank employee level, administrator level, etc. This is authorization.
Availability:
It is the process of checking that information and communication services are kept available to authorized persons when they need them. Ex: ATM.
Confidentiality:
It is the process of checking that information is accessible only to authenticated/authorized users and is protected from any other users.
Integrity:
It is the process of checking that the information received has not been altered or modified in transit.
Non-repudiation:
It is the process of checking that an action or communication cannot later be denied.
Resilience:
Resilience can be built into an information system using encryption, using SSL, and using extended authentication such as one-time passwords, two-layer authentication or tokens.
[Figure: Top 10 Mobile Risks in the Year 2012-2013; Top 10 Mobile Risks - Re-Release Candidate 2014 v1.0]
Mobile Security Strategies to Enhance Mobile Application Security
There are several strategies to enhance mobile application security, including:
• Strong authentication and authorization
• Ensuring transport layer security
• Encryption of data when written to memory
• Granting application access on a per-API level
• Processes tied to a user ID
• Application whitelisting
• Predefined interactions between the mobile application and the OS
• Requiring user input for privileged/elevated access
• Proper session handling
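To make the key concepts above (authentication, authorization, integrity) and the strategies "strong authentication and authorization" and "proper session handling" concrete, here is an added Python example. It is not code from the original deck: the three bank roles follow the slide's own example, while the user names, passwords, operation names, the 15-minute idle timeout and the HMAC key are assumptions chosen for illustration.

```python
"""Added example (not from the deck): authentication with hashed passwords,
role-based authorization, expiring sessions and an HMAC integrity check.
The bank roles come from the slide; every other name and value is assumed.
"""
import hashlib
import hmac
import secrets
import time


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a random per-user salt (stdlib only)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed user database: one user per role from the slide's bank example.
USERS = {}
for _name, _pw, _role in [("alice", "c0rrect-horse", "customer"),
                          ("bob", "t3ller-pass", "employee"),
                          ("carol", "r00t-admin", "administrator")]:
    _salt, _digest = hash_password(_pw)
    USERS[_name] = {"salt": _salt, "hash": _digest, "role": _role}

# Authorization policy (assumed): which operations each role may perform.
PERMISSIONS = {
    "customer": {"view_own_account", "transfer"},
    "employee": {"view_own_account", "view_any_account", "open_account"},
    "administrator": {"view_own_account", "view_any_account",
                      "open_account", "manage_users"},
}

SESSION_TTL = 15 * 60                  # idle timeout in seconds (assumed)
SESSIONS = {}                          # token -> {"user", "expires"}
SERVER_KEY = secrets.token_bytes(32)   # HMAC key held by the server (assumed)


def authenticate(username, password, now=None):
    """Return a fresh session token if the credentials match, else None."""
    record = USERS.get(username)
    if record is None:
        return None
    _, digest = hash_password(password, record["salt"])
    if not hmac.compare_digest(digest, record["hash"]):   # constant-time
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # random, not derived from user data
    SESSIONS[token] = {"user": username, "expires": now + SESSION_TTL}
    return token


def authorize(token, operation, now=None):
    """True only if the session is live and the user's role permits the operation."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        return False
    if now >= session["expires"]:
        del SESSIONS[token]             # expired tokens are dropped, not reused
        return False
    session["expires"] = now + SESSION_TTL   # sliding idle expiry
    role = USERS[session["user"]]["role"]
    return operation in PERMISSIONS[role]


def logout(token):
    """Invalidate a session on the server side, not just on the client."""
    SESSIONS.pop(token, None)


def sign(message):
    """Integrity: tag a message so that modification in transit is detectable."""
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def verify(message, tag):
    return hmac.compare_digest(sign(message), tag)
```

A tester checking these properties looks for exactly what the code makes explicit: passwords compared in constant time against salted hashes, session tokens that are random and expire on the server, privileges decided by role rather than by what the client asks for, and a message whose content changed failing `verify`. In a real app the transport integrity comes from TLS and the signing key stays on the server, never embedded in the app.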
Mobile Application Security Testing - Methodology
Mobile applications are becoming much more common and are often used to access sensitive information and functionality. Unless developers build mobile applications with security in mind, these applications can present serious security exposures, including insecure storage of sensitive information, sensitive client-side business logic, and mobile platform-specific vulnerabilities.
The methodology has five phases: Application Profiling, Threat Analysis, Research and Planning, Testing Execution and Daily Status.
Application Profiling
Review all available documentation.
Walk through the application for the in-scope user roles.
Document the authentication flow.
Document the authorization flow.
The goal is to create a security-centric data sheet and a deep understanding of the target before testing begins.
Threat Analysis
Identify the critical data, critical modules and actions within the application that would be the target of an attacker.
This is done through inspection of the application and interaction with the development team or business owner.
Note down the key worry points in the testing scope.
The primary threats from the application's perspective are documented.
Research and Planning
Once the application target has been fully identified, the team draws on its test case database to populate a formal testing plan. The work plan creation also includes per-project research for application-specific components or functionality and the creation of custom test cases.
Testing Execution
Our testing approach starts by dividing the target into functional testing blocks and executing the work plan through those components in succession. In a typical engagement a testing block can include groups of functionality or specific goals aligned with a direct threat scenario. The assessment activities themselves are manual, with tool-assisted testing only being leveraged in cases where it will be productive.
Daily Status
As part of the ongoing engagement we deliver a daily report with the current findings and progress. Constant delivery of findings during the engagement allows the development team to begin triaging bugs early and to start on remediation strategies.
Retesting: For the majority of our engagements we also perform validation of the corrective action for the bugs we have identified, which can be performed immediately after the assessment phase or at a later time.
Mobile Applications Security Analysis
Static Analysis
• Source Code: source code scanning; manual source code review
• Binary: reverse engineering
Dynamic Analysis
• Debugger execution
• Traffic capture via proxy
Forensic Analysis
• File permission analysis
• File content analysis
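As an added example of the "source code scanning" and "file permission analysis" items above (not code from the deck), the following Python script scans a constructed source tree for patterns a reviewer would flag (hard-coded secrets, cleartext http:// URLs, world-readable file modes, sensitive values written to logs) and reports files in a constructed data directory that are readable or writable by group or others. The regexes, file names and sample contents are all constructed for illustration; a real assessment runs full tooling plus manual review against the actual app source and a device's file system.

```python
"""Added example (not from the deck): a minimal static source scan and a
file-permission check of the kind listed under static and forensic analysis.
All patterns, paths and sample files below are constructed for illustration.
"""
import os
import re
import stat
import tempfile

# Patterns a reviewer would flag in app source (constructed list, not exhaustive).
PATTERNS = {
    "hardcoded-secret": re.compile(
        r'(?i)(password|api[_-]?key|secret)\s*=\s*["\'][^"\']+["\']'),
    "cleartext-http": re.compile(r'["\']http://[^"\']+["\']'),
    "world-readable-mode": re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)'),
    "logged-sensitive-data": re.compile(r'Log\.[dviwe]\([^)]*(password|token)', re.I),
}


def scan_source(root):
    """Walk a source tree; return (relative path, line number, finding) tuples."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, start=1):
                    for label, pattern in PATTERNS.items():
                        if pattern.search(line):
                            findings.append((os.path.relpath(path, root), lineno, label))
    return findings


def check_permissions(root):
    """Flag files readable or writable by group/others; returns (path, octal mode)."""
    weak = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                weak.append((os.path.relpath(path, root), oct(stat.S_IMODE(mode))))
    return weak


def build_sample_tree():
    """Construct a throwaway app tree: one insecure source file, one clean one,
    one world-writable data file and one owner-only data file."""
    root = tempfile.mkdtemp(prefix="appscan_")
    src = os.path.join(root, "src")
    os.makedirs(src)
    with open(os.path.join(src, "Login.java"), "w") as fh:
        fh.write('String apiKey = "sk_live_EXAMPLE";\n'          # constructed placeholder
                 'String url = "http://api.example.test/login";\n'
                 'Log.d(TAG, "password=" + password);\n'
                 'openFileOutput("prefs", MODE_WORLD_READABLE);\n')
    with open(os.path.join(src, "Util.java"), "w") as fh:
        fh.write('int x = 1;\n')
    data = os.path.join(root, "data")
    os.makedirs(data)
    prefs = os.path.join(data, "prefs.xml")
    with open(prefs, "w") as fh:
        fh.write("<map/>\n")
    os.chmod(prefs, 0o666)      # readable and writable by everyone: a finding
    token = os.path.join(data, "token.db")
    with open(token, "w") as fh:
        fh.write("x")
    os.chmod(token, 0o600)      # owner only: not flagged
    return root


def run_demo():
    """Build the sample tree and return (source findings, weak-permission files)."""
    root = build_sample_tree()
    return (scan_source(os.path.join(root, "src")),
            check_permissions(os.path.join(root, "data")))


if __name__ == "__main__":
    source_findings, weak_files = run_demo()
    for path, lineno, label in source_findings:
        print(f"{path}:{lineno}: {label}")
    for path, mode in weak_files:
        print(f"{path}: mode {mode} is accessible to other users")
```

The scan is deliberately pattern-based: it shows what automated source scanning catches cheaply (literal secrets, cleartext endpoints, over-broad file modes, credentials in debug logs) and why manual review still follows it, since logic flaws and anything built from non-literal strings will not match a regex. The permission check is the on-device counterpart: app-private files that are group- or world-accessible are what forensic file-permission analysis is meant to surface.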
Mobile Application Security Testing Deliverables
1. Management Report: A high-level executive summary report highlighting the key risk areas.
2. Technical Vulnerability Report: A detailed report about the security issues discovered and their impact, including all correction procedures along with online references.
3. Best Practices Document: Guidelines based on industry standards which can be used by the development teams.
Thanks
Krishnaiah Dasari(SDET)

Mais conteúdo relacionado

Mais procurados

Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testingRoshan Kumar Gami
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Edureka!
 
Mobile Application Testing by Javed Ansari
Mobile Application Testing by Javed AnsariMobile Application Testing by Javed Ansari
Mobile Application Testing by Javed AnsariJaved Ansari
 
Mobile Application Testing Training Presentation
Mobile Application Testing Training PresentationMobile Application Testing Training Presentation
Mobile Application Testing Training PresentationMobiGnosis
 
Mobile testing practices
Mobile testing practicesMobile testing practices
Mobile testing practicesRakesh Jha
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection MechanismsTalha Kabakus
 
OWASP SB -Threat modeling 101
OWASP SB -Threat modeling 101OWASP SB -Threat modeling 101
OWASP SB -Threat modeling 101Jozsef Ottucsak
 
Mobile Application Testing Strategy
Mobile Application Testing StrategyMobile Application Testing Strategy
Mobile Application Testing StrategyankitQA
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Performance testing of mobile apps
Performance testing of mobile appsPerformance testing of mobile apps
Performance testing of mobile appsvodQA
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 

Mais procurados (20)

Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testing
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
Mobile Application Testing by Javed Ansari
Mobile Application Testing by Javed AnsariMobile Application Testing by Javed Ansari
Mobile Application Testing by Javed Ansari
 
Mobile Application Testing Training Presentation
Mobile Application Testing Training PresentationMobile Application Testing Training Presentation
Mobile Application Testing Training Presentation
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Mobile testing practices
Mobile testing practicesMobile testing practices
Mobile testing practices
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection Mechanisms
 
OWASP SB -Threat modeling 101
OWASP SB -Threat modeling 101OWASP SB -Threat modeling 101
OWASP SB -Threat modeling 101
 
Mobile Application Testing Strategy
Mobile Application Testing StrategyMobile Application Testing Strategy
Mobile Application Testing Strategy
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Android Security
Android SecurityAndroid Security
Android Security
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
Performance testing of mobile apps
Performance testing of mobile appsPerformance testing of mobile apps
Performance testing of mobile apps
 
Mobile security
Mobile securityMobile security
Mobile security
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
 
mobile application security
mobile application securitymobile application security
mobile application security
 

Destaque

Cybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesCybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesJohn Rapa
 
How to scale mobile application security testing
How to scale mobile application security testingHow to scale mobile application security testing
How to scale mobile application security testingNowSecure
 
Gursev kalra _mobile_application_security_testing - ClubHack2009
Gursev kalra _mobile_application_security_testing - ClubHack2009Gursev kalra _mobile_application_security_testing - ClubHack2009
Gursev kalra _mobile_application_security_testing - ClubHack2009ClubHack
 
Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing!   hem...Mobile application security – effective methodology, efficient testing!   hem...
Mobile application security – effective methodology, efficient testing! hem...owaspindia
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Basic Guide For Mobile Application Testing
Basic Guide For Mobile Application TestingBasic Guide For Mobile Application Testing
Basic Guide For Mobile Application TestingSourabh Kasliwal
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptxAnkit Giri
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comIdexcel Technologies
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppAbhilash Venkata
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 

Destaque (12)

Cybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesCybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial Services
 
How to scale mobile application security testing
How to scale mobile application security testingHow to scale mobile application security testing
How to scale mobile application security testing
 
Gursev kalra _mobile_application_security_testing - ClubHack2009
Gursev kalra _mobile_application_security_testing - ClubHack2009Gursev kalra _mobile_application_security_testing - ClubHack2009
Gursev kalra _mobile_application_security_testing - ClubHack2009
 
Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing!   hem...Mobile application security – effective methodology, efficient testing!   hem...
Mobile application security – effective methodology, efficient testing! hem...
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Basic Guide For Mobile Application Testing
Basic Guide For Mobile Application TestingBasic Guide For Mobile Application Testing
Basic Guide For Mobile Application Testing
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptx
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
 
Mobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android AppMobile Application Security Testing (Static Code Analysis) of Android App
Mobile Application Security Testing (Static Code Analysis) of Android App
 
Security testing
Security testingSecurity testing
Security testing
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
Prince2 Methodology
Prince2 MethodologyPrince2 Methodology
Prince2 Methodology
 

Semelhante a Mobile Apps Security Testing -1

Challenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityChallenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityCygnet Infotech
 
Mobile App Security Protecting Your App from Cyber Threats.edited.docx
Mobile App Security Protecting Your App from Cyber Threats.edited.docxMobile App Security Protecting Your App from Cyber Threats.edited.docx
Mobile App Security Protecting Your App from Cyber Threats.edited.docxmadhuri871014
 
The Crucial Role of Mobile App Testing in Ensuring Quality and Security.pdf
The Crucial Role of Mobile App Testing in Ensuring Quality and Security.pdfThe Crucial Role of Mobile App Testing in Ensuring Quality and Security.pdf
The Crucial Role of Mobile App Testing in Ensuring Quality and Security.pdfAnanthReddy38
 
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdfThick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdfElanusTechnologies
 
Security in Mobile App Development Protecting User Data and Preventing Cybera...
Security in Mobile App Development Protecting User Data and Preventing Cybera...Security in Mobile App Development Protecting User Data and Preventing Cybera...
Security in Mobile App Development Protecting User Data and Preventing Cybera...madhuri871014
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxwkyra78
 
Unified application security analyser
Unified application security analyserUnified application security analyser
Unified application security analyserTim Youm
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfAmeliaJonas2
 
Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approachIdexcel Technologies
 
Whitepaper - CISO Guide_6pp
Whitepaper - CISO Guide_6ppWhitepaper - CISO Guide_6pp
Whitepaper - CISO Guide_6ppEric Zhuo
 
Tips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfTips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfFuGenx Technologies
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment Mykhailo Antonishyn
 
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...Mobile App Security How Bahrain Development Companies Ensure Protection.edite...
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...madhuri871014
 
SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015Francisco Anes
 

Semelhante a Mobile Apps Security Testing -1 (20)

Challenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityChallenges in Testing Mobile App Security
Challenges in Testing Mobile App Security
 
Mobile Application Penetration Testing Senselearner .pdf
Mobile Application Penetration Testing Senselearner .pdfMobile Application Penetration Testing Senselearner .pdf
Mobile Application Penetration Testing Senselearner .pdf
 
Mobile App Security Protecting Your App from Cyber Threats.edited.docx
Mobile App Security Protecting Your App from Cyber Threats.edited.docxMobile App Security Protecting Your App from Cyber Threats.edited.docx
Mobile App Security Protecting Your App from Cyber Threats.edited.docx
 
The Crucial Role of Mobile App Testing in Ensuring Quality and Security.pdf
The Crucial Role of Mobile App Testing in Ensuring Quality and Security.pdfThe Crucial Role of Mobile App Testing in Ensuring Quality and Security.pdf
The Crucial Role of Mobile App Testing in Ensuring Quality and Security.pdf
 
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdfThick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
 
Security in Mobile App Development Protecting User Data and Preventing Cybera...
Security in Mobile App Development Protecting User Data and Preventing Cybera...Security in Mobile App Development Protecting User Data and Preventing Cybera...
Security in Mobile App Development Protecting User Data and Preventing Cybera...
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
 
Ownux global March 2023.pdf
Ownux global March 2023.pdfOwnux global March 2023.pdf
Ownux global March 2023.pdf
 
Unified application security analyser
Unified application security analyserUnified application security analyser
Unified application security analyser
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approach
 
Developing Secure Apps
Developing Secure AppsDeveloping Secure Apps
Developing Secure Apps
 
Web Application Security Services in India | Senselearner
Web Application Security Services  in India | SenselearnerWeb Application Security Services  in India | Senselearner
Web Application Security Services in India | Senselearner
 
Research Paper
Research PaperResearch Paper
Research Paper
 
Whitepaper - CISO Guide_6pp
Whitepaper - CISO Guide_6ppWhitepaper - CISO Guide_6pp
Whitepaper - CISO Guide_6pp
 
Tips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfTips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdf
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment
 
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...Mobile App Security How Bahrain Development Companies Ensure Protection.edite...
Mobile App Security How Bahrain Development Companies Ensure Protection.edite...
 
SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015
 
Application security
Application securityApplication security
Application security
 

Mobile Apps Security Testing -1

  • 2. 1. What is Mobile App ? How many Types of Mobile Apps? 2. What is Mobile Testing ? Security Testing ? Mobile App Security Testing ? 3. What is meant by Threat ? Types of Threats ? Vulnerabilities ? Attacks ? 4. What are the Mobile Security Testing Key Concepts ? 5. What are the top most mobile security issues ? 6. Mobile Security Testing Advantages . 7. Mobile Security Testing Strategies to enhance the Application Security. 8. What is the necessity of mobile security testing and its statistics ? 9. Mobile Application Security Testing Methodology. 10. What are the Mobile Security Testing Deliverables ? 11. How to implement mobile security testing technique Manually and Automation ? AGENDA
  • 3. Mobile Apps Testing Mobile Device Testing Mobile Testing Mobile Testing or Mobile Device Testing:- ➔Mobile Testing is testing of Mobile Handsets or devices. ➔Testing is conducted on both hardware and software. ➔Testing all the core like SMS ,Voice calls, connectivity(Bluetooth) , Battery(Charging),Signal receiving, Network are working correctly Mobile Apps Testing: ➔ It is a process by which application software developed for mobile devices is tested for its functionality, usability and consistency ➔ Mobile Application Testing is the testing of mobile applications which we are making as third party for the targeted mobile handset.
  • 4. Mobile Device Security testing Mobile Apps Security testing Mobile Security Testing . Mobile security or Mobile Device security: ➔ Mobile Device security is the protection of smartphones, tablets, laptops and other portable computing devices, and the networks they connect to, from threats and vulnerabilities associated with wireless computing. ➔ Mobile security is also known as wireless security. Mobile Apps Security testing: ➔ Mobile application Security testing is part of the Mobile Security Testing. ➔ Mobile application security means in depth security testing of mobile applications to conform to high security standards. Need to test the application for vulnerabilities and provide a detailed report with proof of concept. Detailed correction procedures are also included to the report to fix the issues. Mobile Application Security Testing Overview Security testing is a process to find out that whether system protects data and maintains functionality as intended.
  • 5. Mobile Apps Security Testing as follows Web Applications Native Applications / Standalone Hybrid Applications
  • 6.
  • 7.
  • 8. fig: Mobile Apps Revenue:
  • 9. Mobile App Security Testing on Major Platforms IOS (iPhone / iPad App) Android (Android App) Windows mobile (Windows Phone App/ Nokia App) Blackberry OS(Blackberry Apps)
  • 10. Threats A threat refers to anything that has the possibility to cause serious harm to a computer system. A threat is something that may or may not happen, but has the possibility to cause serious damage. Threats can lead to attacks on computer systems, networks and more.
  • 11. Mobile Security Threat Types Application-Based Threats Web-based Threats Network Threats Physical Threats 1. Malware 2. Spyware 3. Privacy Threats 4. Vulnerable Applications 1. Phishing Scams 2. Drive-By Downloads 3. Browser exploits/attacks 1. Network exploits/attacks 2. Wi-Fi Sniffing Lost or Stolen Devices
• 12. MALICIOUS SOFTWARE [VIRUS] EFFECTS AS FOLLOWS...
❏ It can slow down your computer/mobile device/application/database server/web server.
❏ It might corrupt your system files.
❏ It might make some programs faulty or corrupt.
❏ It might damage your boot sector, creating problems when you boot into Windows.
❏ It might steal important information from your computer and send it to some other person.
❏ It might change the power ratings of your computer and could blast the system.
❏ It can possibly wipe out your hard drive.
❏ It can redirect websites, send spam emails, alter data, destroy data, steal passwords and bank details, format your hard disk and destroy everything.
❏ It might give you sleepless nights and nightmares [terrifying dreams] if you are able to sleep at all.
• 13. Mobile application security testing advantages
• Identifying design flaws improves the security of your application.
• Supports user confidence in application security.
• Helps prevent application downtime and improves productivity.
• Protects your organization’s information assets and reputation.
• Finds out whether client software may be manipulated to provide unauthorized access.
• Identifies specific risks to the organization and provides detailed recommendations to mitigate them.
• 14. Mobile applications security testing need
• Smartphones are fast replacing traditional computers. As the user base is rapidly shifting to mobiles, hackers are also shifting their attention to mobiles. Due to this trend, conducting security tests on these applications has become a necessity.
• Security testing needs to find out all potential loopholes and weaknesses of the system.
Mobility is everywhere…
• 15. Why is security relevant for the Mobile Platform?
• 40% increase in the number of organizations developing mobile platform based applications.
• 30% increase in the number of mobile banking applications.
• 50% increase in the number of people using mobile phones for their day-to-day transactions.
• 82% chance of end users not using their mobile phones with proper caution.
• 79% chance of mobile phone users jailbreaking their phones.
• 65% chance of mobile phone users not installing anti-virus on their mobile phones.
• 71% chance of any application getting misused.
• 57% chance of a user losing his sensitive credentials to a hacker.
• 16. Vulnerability: A vulnerability is a hole or a weakness in the application; it can be a design flaw or an implementation bug that allows an attacker to cause harm to the application.
• Total list of Vulnerabilities - 169
• 17. Attack: An attack is any technique to destroy, expose, alter, disable, steal or gain unauthorized access to an application. Attacks are the techniques that attackers use to exploit the vulnerabilities in applications.
• TOTAL TYPES OF ATTACKS: 69
  • 18. Mobile Apps Security Testing Key Concepts
• 19. Authentication: Authentication is the process of checking credentials [i.e., checking the username and password] to identify the user.
Authorization: Authorization is the process of granting privileges to authenticated users. That means not all authenticated users can perform all operations; depending on their roles, some privileges are given to them in the form of authorization. User permissions and group permissions are examples of authorization. For example, customers, employees and administrators of a particular bank can all log in to its website, but the options available to each of them differ at the customer level, bank employee level and administrator level. This is authorization.
Availability: It is the process of checking that information and communication services are kept available to authorized persons when they need them. Ex: ATM.
Confidentiality: It is the process of checking that information is accessible only to authenticated/authorized users and is protected from any other users.
• 20. Integrity: It is the process of checking that information received has not been altered/modified during transit.
Non-repudiation: It is the process of checking that an action/communication cannot later be denied.
Resilience: Resilience can be built into an information system using encryption, SSL, and extended authentication such as one-time passwords, two-layer authentication or tokens.
• 21. Top 10 Mobile Risks in the years 2012-2013; Top 10 Mobile Risks - Re-Release Candidate 2014 v1.0
• 22. Mobile Security Strategies to enhance mobile application security
There are several strategies to enhance mobile application security, including:
• Strong authentication and authorization
• Ensuring transport layer security
• Encryption of data when written to memory
• Granting application access on a per-API level
• Processes tied to a user ID
• Application whitelisting
• Predefined interactions between the mobile application and the OS
• Requiring user input for privileged/elevated access
• Proper session handling
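As an added example (not code from the original deck), the following Python sketch models the key concepts defined above (authentication, authorization, integrity) together with the first and last strategies in this list (strong authentication and authorization, proper session handling): salted password hashing for authentication, a per-role permission table for authorization, expiring session tokens for session handling, and an HMAC tag so a receiver can detect a message altered in transit. The user names, passwords, roles, permission table and keys are all constructed for the example.

```python
"""Added example, not code from the original deck: a minimal model of
authentication, authorization, session handling and message integrity
using only the Python standard library. Every user, password, role,
permission and key below is constructed for the example."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set

PBKDF2_ROUNDS = 100_000
SESSION_TTL_SECONDS = 900


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the store never holds the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, role: str) -> Dict[str, object]:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed user store (the passwords appear here only to build the hashes).
USERS: Dict[str, Dict[str, object]] = {
    "alice": make_user("customer-pass-1", "customer"),
    "bob": make_user("employee-pass-2", "employee"),
    "carol": make_user("admin-pass-3", "administrator"),
}

# Constructed authorization policy: which operations each role may perform.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "customer": {"view_balance", "transfer_funds"},
    "employee": {"view_balance", "view_customer_accounts"},
    "administrator": {"view_balance", "view_customer_accounts", "manage_users"},
}

SESSIONS: Dict[str, Dict[str, object]] = {}


def authenticate(username: str, password: str) -> Optional[str]:
    """Authentication: verify the credentials and, on success, open a session.
    compare_digest keeps the comparison time independent of where the
    hashes first differ."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return None
    token = secrets.token_urlsafe(32)  # unguessable session identifier
    SESSIONS[token] = {"user": username, "expires": time.time() + SESSION_TTL_SECONDS}
    return token


def session_user(token: str, now: Optional[float] = None) -> Optional[str]:
    """Session handling: unknown or expired tokens are rejected and dropped."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        return None
    if now >= session["expires"]:
        SESSIONS.pop(token, None)
        return None
    return session["user"]


def authorize(token: str, operation: str, now: Optional[float] = None) -> bool:
    """Authorization: a valid session does not imply permission for every
    operation; the user's role decides."""
    username = session_user(token, now)
    if username is None:
        return False
    role = USERS[username]["role"]
    return operation in ROLE_PERMISSIONS.get(role, set())


def logout(token: str) -> None:
    SESSIONS.pop(token, None)


# Integrity: an HMAC tag over the message lets the receiver detect
# modification in transit. The key is constructed; in practice it would be
# shared between client and server.
INTEGRITY_KEY = secrets.token_bytes(32)


def sign_message(message: bytes, key: bytes = INTEGRITY_KEY) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(message: bytes, tag: bytes, key: bytes = INTEGRITY_KEY) -> bool:
    return hmac.compare_digest(sign_message(message, key), tag)


if __name__ == "__main__":
    token = authenticate("alice", "customer-pass-1")
    print("alice may transfer funds:", authorize(token, "transfer_funds"))
    print("alice may manage users:", authorize(token, "manage_users"))
```

The separation matters for testing: a customer session that passes authentication but is still refused `manage_users` is the authorization check working, and a token that stops resolving after its TTL is the session handling working; a review would try each role against each operation rather than only checking that login succeeds.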
• 23. Mobile Application Security Testing - Methodology
Mobile applications are becoming much more common and are often used to access sensitive information and functionality. Unless developers build mobile applications with security in mind, these applications can present serious security exposures, including insecure storage of sensitive information, sensitive client-side business logic, and mobile platform-specific vulnerabilities.
Phases: Application Profiling, Threat Analysis, Research and Planning, Testing Execution, Daily Status.
• 24. Application Profiling
Review all available documentation.
Walk through the application in scope for each user role.
Document the authentication flow.
Document the authorization flow.
The goal is to create a security-centric data sheet and a deep understanding of the target before testing begins.
Threat Analysis
Identify the critical data, critical modules and actions within the application that would be the target of an attacker.
This is done by inspecting the application and interacting with the development team or business owner.
Note down the key worry points in the testing scope.
Primary threats from the application's perspective are documented.
Research and Planning
Once the application target has been fully identified, the team will use the test case database to populate a formal testing plan.
Work plan creation also includes per-project research for application-specific components or functionality and the creation of custom test cases.
• 25. Testing Execution
Our testing approach starts by dividing the target into functional testing blocks and executing the work plan through those components in succession. In a typical engagement a testing block can include groups of functionality or specific goals aligned with a direct threat scenario. The assessment activities themselves are manual, with tool-assisted testing only being leveraged in cases where it will be productive.
Daily Status
As part of the ongoing engagement we deliver a daily report with the current findings and progress. Constant findings delivery during the engagement allows the development team to begin triaging bugs early and to start on remediation strategies.
Retesting
For the majority of our engagements we also perform validation of the corrective action for the bugs we have identified, which can be done immediately after the assessment phase or at a later time.
• 26. Mobile Applications Security Analysis
Static Analysis
  Source Code: Source code scanning; Manual source code review
  Binary: Reverse engineering
Dynamic Analysis: Debugger execution; Traffic capture via proxy
Forensic Analysis: File permission analysis; File content analysis
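The two forensic analysis items above (file permission analysis and file content analysis) can be scripted. The following is an added example, not part of the original deck: a Python check that walks an application's data directory, flags files whose mode grants access to users other than the owner, and reports credential-like keys stored in clear text. The throw-away directory layout, the file modes and contents, and the keyword list are all constructed assumptions for the example.

```python
"""Added example, not code from the original deck: file permission and file
content analysis over an application data directory. The directory layout,
file modes, contents and the credential-key list are all constructed."""
import os
import re
import stat
import tempfile
from typing import Dict, List

# Credential-like keys that should not sit in clear text in app storage (assumed list).
SENSITIVE_KEY = re.compile(
    r"\b(password|passwd|secret|api[_-]?key|auth[_-]?token|access[_-]?token)\b\s*[=:]",
    re.IGNORECASE,
)


def check_permissions(path: str) -> List[str]:
    """Flag mode bits that let users other than the owner touch the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    issues = []
    if mode & stat.S_IROTH:
        issues.append("world-readable")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        issues.append("group-accessible")
    return issues


def check_content(path: str, max_bytes: int = 1 << 20) -> List[str]:
    """Return the credential-like keys found in clear text; binary files are skipped."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    if b"\x00" in data:
        return []
    text = data.decode("utf-8", errors="replace")
    return sorted({m.group(1).lower() for m in SENSITIVE_KEY.finditer(text)})


def scan_data_dir(root: str) -> List[Dict[str, object]]:
    """Walk the data directory and collect one finding per file with issues."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            perms = check_permissions(full)
            keys = check_content(full)
            if perms or keys:
                findings.append({
                    "file": os.path.relpath(full, root).replace(os.sep, "/"),
                    "permissions": perms,
                    "cleartext_keys": keys,
                })
    return sorted(findings, key=lambda f: f["file"])


def build_sample_data_dir() -> str:
    """Construct a throw-away tree that imitates an app's private data area."""
    root = tempfile.mkdtemp(prefix="appdata_")
    layout = {
        # relative path: (constructed content, mode)
        "shared_prefs/settings.properties": (b"theme=dark\npassword=hunter2\napi_key=abc123\n", 0o644),
        "databases/app.db": (b"SQLite format 3\x00" + b"\x00" * 32, 0o600),
        "cache/session.txt": (b"auth_token: deadbeef\n", 0o666),
        "files/notes.txt": (b"nothing sensitive here\n", 0o600),
    }
    for rel, (content, mode) in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    for finding in scan_data_dir(build_sample_data_dir()):
        print(finding)
```

On a real engagement the same two checks would run over a copy of the application's data directory pulled from a test device rather than over a constructed tree, and a finding such as a world-readable preferences file holding a clear-text credential maps directly onto the "encryption of data when written to memory" strategy and the insecure-storage exposure named in the methodology.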
• 28. Mobile Application Security Testing Deliverables
1. Management Report: A high-level executive summary report highlighting the key risk areas.
2. Technical Vulnerability Report: A detailed report about the security issues discovered and their impact, including all correction procedures along with online references.
3. Best Practices Document: Guidelines based on industry standards which can be used by the development teams.