Mobile application security testing
Security is a hot topic in the digital world and with the exponential growth of mobile apps available, delivering a perfectly working, highly secure app is crucial to user retention. It is important to let users know what information is being collected, as well as how and why companies are collecting it. Apps should only collect absolutely necessary data.
This blog post will provide an overview of the security challenges of mobile applications, as well as the requirements for overcoming them and protecting users’ data at the same time.
What is security testing?
Mobile application security testing can help ensure there aren’t any loopholes in the software that may cause data loss. The sets of tests are meant to attack the app to identify possible threats and vulnerabilities that would allow external persons or systems to access private information stored on the mobile device.
Why is it important to do security testing?
We store a lot of information on our devices. Leakage of that information could cause serious damage to the devices and users. Encrypting your data can be a possible solution, but it’s not bulletproof - everything that can be encrypted can also be decrypted.
Challenges of mobile application security testing
1. Integrations with other apps
Testers usually perform integration testing to see how an app interacts with other apps (e.g. sharing an article you are reading in a browser app to Facebook). What to look out for here is that information moving from app A to app B does not leak anywhere else along the way. The best solution is to protect and isolate data.
Inconsistencies in the environment and structure of both the app and the mobile device can create security breaches. Performing mobile testing on different OSs can help uncover them.
2. Unsecured communications
Many messaging and VoIP calling apps started to encrypt messages, but most of them encrypt messages just between users. The app provider company and prying third parties can still read them. The best option here would be end-to-end encryption, where only users with a certain key can decrypt the message. WhatsApp is a good example of messaging and communication encryption, even if it’s not perfect.
3. Security breaches that allow malware to be installed
A single breach in the OS or in an app can allow malware to be installed on your device. Malware is malicious software that can be embedded in a downloadable file and installs itself if it finds a particular breach. This software can damage a mobile device or an OS, or siphon off a stream of the information stored on the mobile device and on servers.
4. Utilization (and integration) of different authentication procedures
Authentication procedures add an extra layer of security to personal information, but there are two potential problems. Firstly, to use information stored on a remote server, a login is required. Login information that is sent from your smartphone, tablet or desktop to a server for confirmation needs to be encrypted.
Secondly, to actually log into an app, your device needs to connect to a remote server that confirms or declines your entered credentials. Therefore, the established connection needs to be a secure one.
When you authenticate through another service like Facebook or Gmail, hackers who obtain that login information gain access to all the connected services. For example, if you log into an app with Gmail credentials, hackers will have access not only to the app you were logging into but to Gmail as well.
Login looks like a simple, standard piece of code, but it is very complicated both to write and to test.
5. Test hidden parts of the application
Vulnerabilities can be found everywhere. If you write code that is a vulnerability in itself, leaving some parameters unprotected, you are serving users’ information to hackers on a silver platter.
Text boxes, radio buttons, drop-down menus and other precoded UI elements whose values end up in SQL queries can be subjected to injection attacks.
Hidden POST parameters can leave a door open to posting undesirable content to your web app, such as feeding wrong information to your users.
A hidden GET parameter can let attackers gather sensitive and confidential personal or company information. These are just a few cases of hidden code breaches that could easily lead to data loss and information leakage. There is no other solution than to write test cases aimed specifically at finding hidden open doors. You can also use code scanning tools that help you find vulnerabilities in the source code before it is compiled, like HP Fortify or Checkmarx.
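To illustrate the injection risk in the UI-fed queries described above, here is an added example in Python (not code from the original post): the same drop-down value is run through a concatenated query and through an allow-listed, parameterised one. The table, the category values and the tampered input are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the app's backend table. Assumption:
# the UI's drop-down menu sends one of the CATEGORIES values as "category".
ARTICLES = [
    (1, "news", "Public headline"),
    (2, "news", "Another headline"),
    (3, "internal", "Unreleased quarterly numbers"),
]
CATEGORIES = {"news", "sports"}  # the only values the drop-down should ever send


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, category TEXT, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", ARTICLES)
    return conn


def titles_vulnerable(category):
    """Concatenates the UI value into the SQL string, so the value becomes code."""
    query = "SELECT title FROM articles WHERE category = '" + category + "'"
    return [row[0] for row in _db().execute(query)]


def titles_bound(category):
    """Binds the UI value as a parameter: it is compared as data, never parsed as SQL."""
    query = "SELECT title FROM articles WHERE category = ?"
    return [row[0] for row in _db().execute(query, (category,))]


def titles_safe(category):
    """Allow-lists the value first (the client can send anything), then binds it."""
    if category not in CATEGORIES:
        raise ValueError("unexpected category value: %r" % category)
    return titles_bound(category)


if __name__ == "__main__":
    # A tampered drop-down value, the kind of input a security test case should send.
    payload = "news' OR '1'='1"
    print(titles_vulnerable("news"))   # the two public headlines
    print(titles_vulnerable(payload))  # all three rows, including the internal one
    print(titles_bound(payload))       # [] - no category literally equals the payload
    try:
        titles_safe(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

The test case for this kind of hidden door is the tampered value itself: a UI element only restricts what the honest client sends, never what the server receives.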
Security requirements when building a mobile app
Despite the risks, there are actions you can take to reduce them. We recommend building your app around the six security requirements listed below. Your app might still not be bulletproof, but following these guidelines will help avoid many security breaches.
Confidentiality
Under no circumstances should an app disclose information to parties other than the intended recipient. Observing this requirement, for example through end-to-end encryption when moving sensitive information around, helps protect against information disclosure.
Integrity
Integrity refers to protecting information from being modified by unauthorized parties while it is being transferred. Integrity schemes and their underlying technologies, like confidentiality schemes, help avoid creating vulnerabilities in the code. These schemes also ensure that the information received is correct and unaltered.
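As an added example (not from the original post) of an integrity scheme at work, the following Python code attaches an HMAC-SHA256 tag to a message and detects any change made to it in transit. It assumes the app and its server share a secret key provisioned out of band; the key and the message are constructed placeholders.

```python
import hashlib
import hmac
import json

# Assumption: a secret shared by app and server, provisioned out of band.
# Constructed placeholder value, not a real key.
SHARED_KEY = b"example-shared-secret-not-for-production"


def protect(message, key=SHARED_KEY):
    """Attach an HMAC-SHA256 tag computed over a canonical JSON encoding."""
    body = json.dumps(message, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(envelope, key=SHARED_KEY):
    """Return the message if the tag matches, or None if it was altered in transit."""
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatch via timing.
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return json.loads(envelope["body"])


if __name__ == "__main__":
    sent = protect({"account": "A", "transfer_to": "B", "amount": 25})
    print(verify(sent))  # the original message
    # Someone on the path edits the amount but cannot recompute the tag without the key.
    tampered = dict(sent, body=sent["body"].replace('"amount":25', '"amount":2500'))
    print(verify(tampered))  # None: the receiver rejects the altered message
```

An HMAC covers integrity only: because both ends hold the same key, either of them could have produced the tag, so it does not give the non-repudiation discussed further down, which needs a digital signature.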
Authentication
Authentication is meant to prove the identity of the users, or that the app is trustworthy and can be installed on the devices. This piece of code informs systems of the authenticity of the app and of its source.
Authorization
Users are meant to perform certain actions, and proper authorization ensures that a user can do exactly that and not request any other information. When a user can perform an action that wasn’t meant for them, it might be called a bug. Instagram had the perfect example of such a bug.
Availability
When is the best time to make information available to requesters? Exactly when they need it. There needs to be a fast and reliable way to make resources available when authorized users need them.
Non-repudiation
The last security requirement may be the trickiest one to implement. Non-repudiation ensures that neither the sender nor the receiver can deny having sent or received something. This requirement is a trace that tracks information going from A to B and ensures it is not modified. If it can be modified, then you have a security breach.
Security testing should be a priority when developing a mobile app - equally important to features, design, and delivering it on time. This holds true for every app, whether it is a grocery list, online shopping or a banking app. Most vulnerabilities can be avoided or limited if security practices are observed, while loopholes can be found and closed through strategic, comprehensive automated and manual mobile testing.
Here are a few good resources to learn more about security testing: