The Mobile Security Testing guide-Towards a Standard Methodology

Welcome to the mobile security testing guide! If you are having an Android or iOS mobile device, you will see this very useful, so keep yourself concentrated and continue reading.

Do you remember yourself years ago testing too many different apps and getting bored at the end? I am talking about the time even before the smartphones. When we got the smartphones, we had the different apps for them too, remember? Now, we finally reached the time when we have the pre-release security testing. It has become a standard to have the security app on your mobile phone.

What was the main goal of this project? That would definitely be helping the users to understand everything that must be known about the Android testing and iOS testing.

We will now represent you the OWASP top 10 mobile security risks. The first one would be the Improper Platform Usage. It is also called the M1, a category that covers a misuse of a platform feature or some kind of a failure in the purpose to use the platform security controls. There are many different ways a mobile app can experience the M1, including some Android intents, misuse of TouchID, the Keychain, some platform permissions and other various security controls which may be the part of the mobile operating system.

Insecure Data Storage. This is the second issue, also known as M2. It covers the category which is actually a combination of M2 and M4 from the Mobile Top Ten from 2014. Besides the insecure data storage, it also covers the unintended data leakage.

M3, the Insecure Communication is the poor handshaking, a weak negotiation, sensitive assets and more.

Insecure Authentication, M4, is capturing the notions of the authentication of the end user and also a bad session management. For example, it may be failing of the identification of some user at all, weakness in the session management etc.

The fifth place takes M5, Insufficient Cryptography, where the code applies the cryptography to some sort of the sensitive information asset.

M6, or the Insecure Authorization. A category which captures the failures that happen in the authorization. M7, the Client’s Code Quality. This one is made to capture the things like buffer overflows, some sorts of code-level mistakes and similar.

Code Tampering. M8. It covers the binary patching, method hooking, the local resource modification…

Reverse Engineering and Extraneous Functionality. Those would be the M9 and M10. The first one includes the analysis of the final code binary in the purpose to determinate the source code it owns. The final one is made for the backdoor functionality or some other internal development security controls.

Okay, we saw the detailed list, and hope it helped you to understand it all better. But why do we need a mobile application security guide? As you are already well aware, technology changes every day. By changing, the security risks also change. Everything changes. So, the users may find themselves lost among all the app’s not knowing how to run those properly.

Did you know that the mobile operating systems are somehow more secure than the desktop operating systems, the traditional ones? Yes, that is the truth, but the problems may still appear. You can easily have troubles with the data storage, proper using of the cryptographic APIs etc. That is why we are at mobile security tips!

Mobile Application Security-the Key Areas

What is the quality which is valuable for the mobile app testing? That would definitely be the penetration testing tools which have the background in the network itself. There is almost none mobile app which doesn’t talk to the back-end service. It is a good thing to remember that those services are also vulnerable to some attacks. What we must do is to prioritize the data’s protection on the mobile device and the network too. In that case, we will increase our mobile security. We will now show you what are the key areas in the mobile security, so let’s start!

Local Data Storage. I am pretty sure that you are already well aware how to keep your sensitive data safe. That is just a must and the first step for your security. It happens that the app uses the operating system mechanisms improperly, and in such a case the data can be exposed to some other app which is running at that moment. It can also happen that the sensitive data appear in the cloud storage, keyboard cache etc.

Besides that, mobile devices can be stolen much easier than the computers, right?

What is must while creating the mobile apps? First of all, taking care when storing the user’s data. For such a purpose and appropriate key storage, APIs can be used, which would take the advantage of the hardware-backed security features when it is available. The best choice would definitely be to create the app with the current API version.

Communication with the Trusted Endpoints. Everything that needs to be said here is that the mobile apps must set up the secure and encrypted channel for the network communication by using the TLS protocol which has the appropriate setting. Forget about the open Wi-Fi.

Authentication and Authorization. Are you sure that all of the authentication and authorization logins happen at the endpoint? We must inform you that those can also happen on the mobile app side. Mobile apps react differently from the web apps and in that case, they store the long-term session tokens which are actually unlocked with the user-to-device authentication features. That can be a fingerprint scanning, for the example. Yes, it does provides the easier and quicker login, but it also leaves some space for the room for error.

It is very important for the security testers to know the advantages and also the disadvantages of the different possible architectures. For example, OAuth2, when used, is allowing the client-side authentication logic to be easily outsourced to some other apps which are placed on the same device.

What about the code quality and exploit mitigation?

The management issues and some other traditional injection attacks are not often seen in the mobile apps. They mostly have the connection with the trusted back-end service and also the UI. Besides that, such a protection also exists against the browser exploits, for example, the well-known XSS. It allows the attacker to easily inject their scripts into the pointed web pages in a purpose to bypass the access control. There are so many free security features which are offered by the compilers and the mobile SDKs. They help a lot when we come to increasing the security and mitigating the attacks.

The Mobile AppSec Verification Standard

We are going to talk about the verification standard here, and also the checklist and testing guide. All of this three documents map to the actual same basic set of the security requirements. For achieving the different objectives, they can be used alone or combined.

We will start with the Mobile Application Security Verification Standard(from OWASP), which is also known as MASVS. It defines a mobile app security model. Besides that, it also lists the generic security requirements for the particular app. MASVS is often used by the architects, testers, developers, consumers etc. It is used in so many ways with a purpose to define and to understand the qualities of a real secure mobile app.

MTSG. This is the second one, which’s full name is the Mobile Security Testing Guide(from OWASP). This is actually a manual used for the security of the mobile app. Providing the verification instructions for the requirements of the previous one, MASVS, it operates the best system-specific practices. It also helps while ensuring that everything is completed and consistent in the process of the mobile app’s security testing.

The Mobile App Security Checklist. The third part, tracking the compliance against the first one during those practical assessments.

Step by step through navigating the mobile security testing guide

These are the main sections of the MTSG:

1.The General Testing Guide. This one contains the mobile app security testing methodology. Besides that, it does the general vulnerability analysis techniques.

2.The Android Testing Guide. Covering the mobile security testing specially designed for the Android platform. It also includes the security basis, reverse engineering techniques, the prevention etc.

3.The iOS Testing Guide. Same as the previous ones, but all for the iOS platform.

4.The Appendix. The additional technical test cases which are actually OS-independent. For example, the authentication and session management, network communications, cryptography and more.