Mobile apps have been increasingly gaining ground in the communication industry. Enterprises are rapidly adopting innovative mobile applications to transform their business capabilities as the mobile presence is critical for businesses to attract, retain and communicate with customers; it has become an integral part at both work and in their personal lives. The newer mobile computing technologies are increasingly embraced by the consumers across the globe, and this exponential growth of mobile devices and business applications has attracted a large number of well-organized cyber criminals and independent hackers, who are seeking monetary benefits with highly competent modus operandi.
Some Key challenges:
- Mobile malware have grown over 17,000 new unique forms, some of Android/Zitmo, Android/Spitmo and Android/Citmo mobile malware families work in conjunction with the Zeus, Spy Eye and Carberp Windows crimeware suites.
- Native Mobile Applications from third parties designed for normal use but containing unintended security vulnerabilities or specifically designed to commit fraud.
- Raise of phishing attacks that leverage the limitation of mobile device screen size or web browser view
With more and more customers switching to smart phones, brands today have capitalized this to reach out to their customers directly with more pace, mobility and efficiency than ever before. However, as much as anything virtual comes with transparency, agility and cost effectiveness, it is not entirely devoid of privacy and security issues.
To counter it, brands, whether they serve communication, gaming, utility, multimedia, productivity or travel-based functionality, need to adhere to robust Mobile App Security Tests for the following.
Installation package: Check the installation package thoroughly. This is done by de-compiling, speculating and making modifications to the installable file from the mobile device. A thorough review of the source codes would help you spot vulnerable codes.
Local file system: Run a security check on local file systems to test temporary files and cached data that already exists in the mobile device. This would also help monitor database related security.
Insecure file permissions: Check the internal & external disk space, rights & permission on the target file, file encryption and authorization of user access.
Error handling & session management: Check for application exception management, error handling functionality and randomness of session identifiers, and spot the attacks abusing sessions.
Business logic flaws: Test everything relevant for logic flaws, security functions, multi-stage processes, trust boundaries and adjustments made to quantities.
Client-side injections: Test for client-side injections to detect malicious inputs on the installed applications. Ensure that you also get a cross-site scripting, HTML injection and other relevant checks done.
Server-side validation: Check for validation on the server side for injection, cross-site scripting on the server end.
Replay attack vulnerabilities: Keep an eye on malicious inputs that come as legitimate requests from an authorized or an unauthorized user. Check for response splitting and cache poisoning too.
Permitting the usage of mobile smartphone devices and multi-purpose or mission critical applications in corporate environments by conducting a detailed technical assessment of security controls would enable the stake holders to identify, assess and diligently manage mobile security risks. Mobile security assessment for device security and application security testing are broadly categorized as native mobile application penetration testing, mobile website penetration testing, hybrid application & website penetration testing, native application secure code review, mobile device security & configuration review, secure SDLC consulting on threat modeling & coding.
Mobile App security concerns mainly arise out of malicious functionalities and vulnerabilities. While the above list may act like a checklist to effectively mitigate risks, app developers and security teams must also keep an eye out for new threats at all times.
[su_box title=”About Manoj Rai” style=”noise” box_color=”#336588″]
Manoj Rai has around 14 years of IT experience in Enterprise Applications, Mobile and Infrastructure security. Has rich and diverse global experience in leading large engagements and building deep technology expertise in security testing domain. Manoj is a Bachelor of Engineering in Computer Science with MBA in Systems and Executive Delivery Program from IIM-Bangalore. A regular speaker on various technical subjects like Ethical Hacking, Mobile security, Secure SDLC and Cloud Security areas in CISO platforms, OWASP, BLUG, NULL etc. Has been a regular blogger and has published white papers on threat management and best practices in various social groups.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.