Security Testing For Mobile Applications

Introduction
Security Testing ensures, that system and applications in an organization, are free from any loopholes that may cause a big loss. Security testing of any system is about finding all possible loopholes and weaknesses of the system which might result into loss of information at the hands of the employees or outsiders of the Organization.
The goal of security testing is to identify the threats in the system and measure its potential vulnerabilities. It also helps in detecting all possible security risks in the system and help developers in fixing these breakthroughs coding.
Mobile applications can have complicated threat models, so security testing needs to examine a number of different aspects of these systems.
There are three major types of security testing tools to look into for mobile app security testing:
1. Static
2. Dynamic
3. Forensic  

Static
Static testing tools look at the application while at rest either the source code or    the application binary. These can be good for identifying certain types of vulnerabilities in how the code will run on the device, usually associated with data flow and buffer handling.

• Some commercial static security analysis tools and services have the capability to test mobile application code. It is important to work with the vendor to get a clear understanding of exactly what types of vulnerabilities can and cannot be identified, because most security static analysis tools were originally optimized for testing Web-based applications.

• Freely available tools for static analysis of mobile applications include theClang Static Analyzer, which is a static analysis tool for C, C++ and Objective-C programs.

• You can use the Objective C support to test for certain quality and security errors in iOS-based applications, and they can be run both from the command line and from inside Apple’s XCode development environment. In addition, the XCode-provided “otool” command can be used to extract information from iOS application binaries that can be used in support of security analysis.

• In Android environments, tools exist that extract both DEX assembly code as well as recover Java source code from Android applications.

• Examples of these tools include DeDexer, which generates DEX assembly code from an Android DEX application binary, and dex2jar, which converts DEX application binaries to standard Java JAR files.

• Standard Java analysis tools such asFindBugs can then be used to analyze these JARs. In addition, the Java bytecode can be converted back into Java source code with Java decompilers such as JD-GUI. This sets the stage for manual security analysis of an Android app.

Dynamic
Dynamic testing tools allow security analysts to observe the behavior of running systems in order to identify potential issues.

• The most common dynamic analysis tools used in mobile app security testing are proxies that allow security analysts to observe — and potentially change — communications between mobile application clients and supporting Web services. One example of such a proxy tool is the OWASP Zed Attack Proxy.

• With proxy tools, security analysts can reverse engineer communication protocols and craft potentially malicious messages that would never be sent by legitimate mobile clients.

• This allows the messages to attack the server-side resources that are a critical component of any nontrivial mobile application system.

Forensic
Forensic tools allow security analysts to examine artifacts that are left behind by an application after it has been run.

• Common things analysts might look for include hard-coded passwords or other credentials stored in configuration files, sensitive data stored in application databases and unexpected data stored in Web browser component caches.

• Analysts can also use forensic tools to look at how components of mobile applications are stored on the device to determine if available operating system access control facilities have been properly used.
• Exploring mobile device file systems can be done using tools such as theAndroid Debug Bridge that comes with the Android Development Kit or third-party tools like the iPad File Explorer, which, despite its name, should work for all iOS devices and not just iPads.

• The SQLite database engine is available natively on both iOS and Android systems and is a common way for app developers to store data in a familiar relational database-like environment. Utilities such as the SQLite Database Browser can be used to examine SQLite database files once they have been recovered from a target system.

Mobile Application Security Testing Advantages:

• Provides a complete picture of the risks in your mobile applications and helps you mitigate them through remediation guidance.

• Finds the risks related to mobile applications regardless of where those risks exist: client-side code, server-side code, third-party libraries, or underlying mobile platforms.

• Finds the security vulnerabilities that endanger your users or their data being managed by your application as well as risky or unintended behaviors.

• Delivers assessments and mitigation advice tailored to the various types of mobile applications including internal and external applications as well as applications developed using native APIs and cross-platform development frameworks.

• Supports all major smart phone platforms (including iOS, Android, Blackberry and Windows) and focuses on mobile-specific risks.

Conclusion
At present, the QA professionals have option to choose from several static, dynamic and forensic security testing tools. Many testers even prefer combining different security testing tools to protect the mobile app from evolving security attacks. However, it is always important for the testers to pick security testing tools according to the nature and requirements of each mobile app.

For more information about mobile app security testing, please drop an Email to:info@oditeksolutions.com