Challenges in Testing Mobile App Security
1. Mobile App Security
Overview of Challenges, Right Approach, Strategy
Mobile devices and apps are now an integral part of our work and life. Apps are the lifeblood of smartphones. Enterprise mobile apps as well as consumer apps have simplified messaging, document sharing, collaboration, banking, online shopping, and lots more. Not only do mobile apps store personal and corporate data, but they may also access extremely sensitive information like social security numbers and banking PINs.
Whether it is consumer apps or internal corporate apps, the consequences of a data leak or security breach can be dire. Any app development firm that fails to safeguard the privacy of its users is bound to get ripped apart in the press, while any corporate app that leaks data can cause untold damage to enterprises.
And things are getting trickier for enterprises as the threats to smart mobiles are rising:
55% of SMBs and 66% of enterprises provide company-owned or supported mobile devices to employees
Only 11% of users agree that they only access apps from the corporate app store when outside the office (meaning most access third-party apps on unprotected networks)
Mobile malware is getting more sophisticated, and its volume grew by 614% from March 2012 to March 2013
75% of apps don't encrypt properly when storing data
86% of apps don't have proper protection against common attacks
Challenges to Fail-Proofing Security of Mobile Apps.
Needless to say, securing mobile devices, data and connections is at the top of the list for enterprise IT managers as well as mobile app testers. It doesn't help that testing and securing mobile applications comes with its own set of problems and complications:
1. OS Variations
Even if you simply build apps for iOS and Android, there are various versions of the operating systems on which the app will have to run. Each version can have a different set of vulnerabilities, and the app tester needs to be aware of them all.
2. Device Fragmentation
There are dozens of major mobile devices on which the application needs to function. Performance testing itself is a tough task, but when you identify and consider the security vulnerabilities specific to devices, the task of securing mobile apps gets even more intricate.
3. Lack of Mobile Testing Automation Tools
While the testing basics remain the same whether you are testing a mobile app or a web application, the same automation tools won't work for both. While many test automation and testing tools for mobile have emerged, there is a dearth of full-fledged standard tools that can cater to every step of the security testing process.
4. Dearth of Experienced QA Professionals
Mobile security testing requires a strong grasp of how mobile devices, OSes and tools work. In addition, an understanding of how server-side and client-side interactions, data storage and authentication work on mobile is also needed. The lack of professionals with the right blend of knowledge also impacts mobile security at times.
5. Looming Deadlines
When you are working on an enterprise-scale app, there is a chance that newer versions of OSes will be released before you complete the app! App developers are under tremendous pressure to deliver apps within a short period, and security testing can take a back seat in such a scenario. Agile development and testing can provide a solution.
Mobile App Security Risks are All Too Real
With BYOD and cloud computing trends gaining widespread acceptance, information has escaped the four walls of the enterprise. On the other hand, consumer-facing apps sit on a large treasure trove of private consumer data that hackers would love to get their hands on. And there are several major threats to mobile application security.
How can you battle all the small and big mobile security dangers out there? Too many developers focus just on development or performance testing at the start and consider security factors only after the bulk of development is finished. The first thing is to start application development with the right mindset.
Ask these basic questions and keep the answers in mind throughout the testing process.
Data Storage: Is the data encrypted, and is it stored at a secure and trusted location?
Data Sensitivity: Does the app store sensitive data? Is the data encrypted at all the key points? Are there loopholes that a hacker can exploit?
Offline Security: Is the app available offline? Can a hacker attack the app offline?
Client-side Entry Points: Are all potential client-side entry points validated and secure?
Authentication: Can anyone with access to peripheral information access the app, or is there a strict authentication process?
Non-repudiation: Can the data on the app always be trusted and verified by the user? Are there logs of app events that can pinpoint the origin of data with integrity?
Secure Notifications: Can pop-up notifications or logs leak sensitive data to unauthorized users?
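One concrete way to start answering the client-side entry point and data storage questions for an Android build is to audit the app's manifest. This is an added example, not code from the infographic or from Cygnet; it assumes the manifest is available as XML text, and the sample manifest, package and component names are constructed for the demo.

```python
# Added example (not from the infographic): audit an AndroidManifest.xml for exported
# entry points reachable by other apps without a permission, plus app flags that
# weaken data storage. Manifest and names below are constructed for the demo.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ENTRY_POINTS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.bank.SYNC"/>
    <receiver android:name=".OtpReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <provider android:name=".AccountsProvider" android:exported="false"/>
  </application>
</manifest>"""

def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(comp):
    # Explicit android:exported wins; otherwise an intent-filter makes the
    # component reachable by default (the pre-Android 12 rule).
    explicit = attr(comp, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return comp.find("intent-filter") is not None

def is_launcher(comp):
    return any(attr(c, "name") == LAUNCHER for c in comp.iter("category"))

def audit_manifest(xml_text):
    """Return sorted (check, subject) findings a tester should follow up on."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    for flag in ("debuggable", "allowBackup"):
        if (attr(app, flag) or "false").lower() == "true":
            findings.append(("app-flag", flag))
    for comp in app:
        # The launcher activity must be exported; every other reachable component needs a permission.
        if comp.tag in ENTRY_POINTS and is_exported(comp) and not is_launcher(comp) and attr(comp, "permission") is None:
            findings.append(("exported-without-permission", attr(comp, "name")))
    return sorted(findings)
```

Each finding is a question for the tester, not a confirmed bug: an exported component may validate its input correctly, and allowBackup may be intended, but both belong on the checklist above.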
Three-Pronged Strategy for Rock Solid Security
When you come right down to it, the biggest risks lie in insecure mobile APIs, data leaks in transit, malicious apps, and stolen or lost devices. To elevate the security of enterprise mobile apps and devices, we need to follow a three-pronged approach, focusing on:
1. Securing all wireless mobile connections (including GSM, LTE, CDMA, NFC and Bluetooth) through encryption, validation and authentication
2. Protecting the app against traditional threats like SQL injection and malware, and neutralizing specific threats posed by different OSes and versions
3. Securing data and devices through encryption, remote access to devices and data-wipe features
Yes, it is quite a bit of work. And if you try to follow all the best practices for testing and securing mobile applications, you will end up spending a lot of time and effort on it. In fact, according to CIO Insight, mobile application testing consumes 25% of the IT budget!
Are you looking for a reliable partner who can help you secure your mobile
applications? Do you want help with fail-proofing the security of your
enterprise mobile assets?
Cygnet Infotech has been building enterprise-scale applications for more than a decade. Our QA services for web as well as mobile apps have helped several enterprises and ISVs accelerate time-to-market and deliver high-performance, secure solutions that please end users.
We can help you secure your iOS, Android, BlackBerry and Windows Phone apps through
comprehensive:
Manual penetration testing
Source Code review
Threat modeling
Vulnerability assessment
Server vulnerability testing
Mobile Test automation
And lots more
We can help you find a solution to your mobile app development, testing and security
problems. Get in touch with us and get an obligation-free assessment of your needs now!