Saucelabs
Saucelabs
Products
chevron
Platform for Test
location
Platform for Test
location
Sauce Cross-Browser
location
Sauce Mobile
location
Sauce Low-Code
location
Sauce Error Reporting
location
Sauce Orchestrate
location
Sauce API Quality
location
Sauce Visual
Global tools
location
Insights
location
Performance
Setup & integrate
location
Integrations & plugins
location
Supported browsers & devices
location
Platform configurator
Demo center
Take a product tour
Solutions
chevron
Solutions for
location
Enterprise
location
Teams
Use Cases
location
CI/CD pipeline optimization
location
Continuous testing
location
Crash & error reporting
location
Debugging
location
Mobile application testing
location
Mobile beta testing
location
Scalable test automation
location
Test analytics
location
Test orchestration
location
Visual testing
Integrations
location
CI/CD
location
Test automation
location
Test management
location
Test creation
location
Accessibility
location
API management
Pricing
Developers
chevron
Resources for devs & testers
Documentation
How to use Sauce Labs
Changelog
See what's new
Support
By framework
FAQs
Learn more about our solutions
Quickstart guides
Selenium
Appium
Cypress
Playwright
Getting started guides
Mobile app testing
Web app testing
Test orchestration
CI
Community
Join our community
Find an event
Meet our experts
Set up & configure
Integrations
Supported browsers & devices
Platform configurator
Test configuration
Resources
chevron
Explore & learn
Blog
Expert insights
Webinars
Continued learning
Videos
Watch & learn
Reports
Industry & analyst reports
White papers
In-depth insights
Demos
Explore the platform
Why Sauce Labs?
Case studies
Customer success stories
TEI Study
The ROI of Sauce Labs
Data sheets
Product information
Security
Our commitment to security
Discover by topic
All topics
Automated testing
Mobile testing
Selenium
Appium
Playwright
Cross-browser testing
CI/CD
What’s new
Back to Resources

Blog

Posted March 2, 2017

Mobile Application Security Testing

quote

Mobile application security testing

Security is a hot topic in the digital world and with the exponential growth of mobile apps available, delivering a perfectly working, highly secure app is crucial to user retention. It is important to let users know what information is being collected, as well as how and why companies are collecting it. Apps should only collect absolutely necessary data.

This blog post will provide an overview of mobile applications' security challenges as well as the requirements to overcome them and protect users’ data in the meantime.

What is security testing?

Mobile application security testing can help ensure there aren’t any loopholes in the software that may cause data loss. The sets of tests are meant to attack the app to identify possible threats and vulnerabilities that would allow external persons or systems to access private information stored on the mobile device.

Why is it important to do security testing?

We store a lot of information on our devices. Leakage of that information could cause serious damage to the devices and users. Encrypting your data can be a possible solution, but it’s not bulletproof - everything that can be encrypted can also be decrypted.

Challenges of mobile application security testing

1. Integrations with other apps

Usually, testers perform integration testing to see if an app interacts with other apps (e.g. share an article you are reading on a browser app to Facebook). What to look out for here is that the information that moves from one app to another moves from app A to app B without leaking anywhere else. The best solution is to protect and isolate data.

Environment and structure inconsistency of both the app and mobile device can create security breaches. Performing mobile testing on different OSs can help ensure this.

2. Unsecured communications

Many messaging and VoIP calling apps started to encrypt messages, but most of them encrypt messages just between users. The app provider company and prying third parties can still read them. The best option here would be end-to-end encryption, where only users with a certain key can decrypt the message. WhatsApp is a good example of messaging and communication encryption, even if it’s not perfect.

3. Security breaches that allow malware to be installed

One of the breaches in the OS or app can cause malware to be installed on your device. Malware is a malicious software that can be embedded in a downloadable file and installs itself if it finds a particular breach. This software can damage a mobile device, an OS or create a stream of information stored on the mobile devices and servers.

4. Utilization (and integration) of different authentication procedures

Authentication procedures are a good idea to add an extra layer of security to personal information, but there are two potential problems. Firstly, to use information stored on a remote server, a login is required. Login information from your smartphone, your tablet or your desktop that is sent to a server for confirmation needs to be encrypted.

Secondly, to actually log into an app, your device needs to connect to a remote server that confirms or declines your entered credentials. Therefore, the established connection needs to be a secure one.

By authenticating through another service like Facebook or Gmail, hackers might get full access to that login information and get access to all the connected services. For example, if you log into an app with Gmail credentials, hackers will have access not only to the app you were logging in but to Gmail as well.

Login is one simple, standard but very complicated piece of code, both to write and to test.

5. Test hidden parts of the application

Vulnerabilities can be found everywhere. If you write code that is a vulnerability itself, without protecting some parameters, you are serving hackers users information on a silver platter.

SQL short codes for text boxes, radio buttons, drop-down menus and other UI precoded elements can be subjected to injection attacks.

Hidden POST parameters can leave a door open to posting undesirable content to your web app, such as streaming wrong information to your users.

A hidden GET parameter can let unfriendly attackers gather sensible and confidential personal or company information. These are just a few cases of hidden dangerous code breaches that could easily lead to data loss and information leakage. There is no other solution than to write test cases especially aimed to find hidden open doors. You can also use some code scanning tools that will help you find vulnerabilities in the uncompiled code, like HP Fortify or Checkmarx.

Security requirements when building a mobile app

Despite the risks, there are actions you can take to reduce risk. We recommend building your app using the six security requirements listed below. Your app might still not be bulletproof, but following these guidelines will help avoid many security breaches.

1. Confidentiality

By no means should an app disclose information to parties other than the intended recipient. Observing this requirement, through end-to-end encryption when moving around sensitive information, can help protect against information disclosure.

2. Integrity

Integrity refers to protecting information from being modified by unauthorized parties while being transferred. Integrity schemes and underlying technologies like confidentiality schemes can help avoid creating vulnerabilities in the code. These schemes also ensure that the information received is correct and unaltered.

3. Authentication

This is meant to prove the identity of the users or that the app is trustworthy and it can be installed onto the devices. This piece of code will inform systems of the authenticity of the app and of the source.

4. Authorization

Users are meant to perform certain actions and proper authorization will ensure that the user can do exactly that and not request any information. When a user can perform an action that wasn’t meant for the user, it might be called a bug. Instagram had the perfect bug-example.

5. Availability

When is the best time to make information available to requesters? Exactly when they need it. There needs to be a fast and reliable way to make resources available when authorized users need them. 

6. Non-repudiation

The last security requirement may be the trickiest one to implement. The non-repudiation requirement ensures that either the sender nor the receiver can deny having sent or received something. This requirement is a trace that tracks information going from A to B ensuring it should not be modified. If it can be modified, then you have a security breach.

Conclusion

Security testing should be a priority when developing a mobile app - equally important to features, design, and delivering it on time. This holds true for every app, whether it is a grocery list, online shopping or a banking app. Most vulnerabilities can be avoided or limited if security practices are observed, while loopholes can be found and closed through strategic, comprehensive automated and manual mobile testing.

Here are a few good resources to learn more about security testing:

https://dojo.ministryoftesting.com/lessons/30-days-of-security-testing

https://google-gruyere.appspot.com/

https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet

Author placeholder coral
Ely Hechtel
Published:
Mar 2, 2017
Topics
Mobile App Testing
Security Testing
Share this post
Copy Share Link
Twitter
Facebook
LinkedIn
Terms of Service
Privacy Policy
EEA
CCPA
Cookie Settings
© 2023 Sauce Labs Inc., all rights reserved. SAUCE and SAUCE LABS are registered trademarks owned by Sauce Labs Inc. in the United States, EU, and may be registered in other jurisdictions.