Using mobile apps allows organizations to be more efficient and create more value for customers. However, in practice, the security level of mobile applications varies greatly. While many organizations have already incorporated Application Security practices into their processes, some are just thinking about implementing their security program.
At some point, mobile application developers are faced with the need to start working on the security of their applications. This can be prompted by different reasons: application customer requirements, internal company policy requirements, or the need to comply with regulatory and industry information security (IS) requirements such as GDPR and PCI DSS.
How should this subject be approached? Is it enough to create a dedicated application security review process with experts and a checklist before releasing an application version? Or will this approach not work? And if not, what should be done?
Application security involves many aspects. We can distinguish two main cases for its implementation:
- Security of mobile apps whose development is just starting.
- Security of existing mobile applications.
In the case of applications under development, security should be considered throughout the development lifecycle: from architectural decisions made early in the development process, which to a large extent determine the security of an application, to practical guidelines for encryption, source code obfuscation and secure storage of access credentials and encryption keys. Building effective communication between the development and security teams should also not be overlooked. We can say that here we are talking, first of all, about security from the development team's point of view. Describing all these practices, recommendations and processes is a separate, large topic, and we will cover it in one of our next articles.
In this article, we consider implementation of security for existing applications. This approach reflects the security team's perspective. Here, the first step is to determine the current security level of the application, but how should this be done correctly? There are a number of different tools available on the market today for analyzing the security of mobile applications.
They should be chosen based on the tasks to be solved and the conditions for scanning. In particular, you need to consider whether the source code of the application being scanned is available or not. In both cases, effective testing tools can be selected, but the requirements will be different.
Besides, you should always consider if the selected tools can be easily integrated into the existing organization’s development process. Typically, today we are talking about the need to integrate into the DevOps process. This imposes requirements on the readiness of tools for integration into CI/CD processes, the degree of test automation they provide, and their speed of operation.
It is important to find out if the selected tools provide information on compliance with regulatory and industrial IS requirements. These standards contain a lot of useful information and allow mobile apps to adhere to common security practices.
When scanning mobile applications, you should combine different types of testing: Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), mobile application backend API testing, and others. Static testing is performed using the white-box method, which is based on analysis of the application source code or, if it is not available, analysis of decompiled code or bytecode. Dynamic testing is performed without access to the code using the black-box method, through the application's user interface. API testing checks the interaction between the frontend of the analyzed mobile application and its backend. The last two types of testing emulate the work of an attacker or malicious program. It is recommended that you perform full testing of application functionality in order to get maximum coverage for all methods of analysis. Combining different types of security analysis tools allows you to detect different types of vulnerabilities and improve the quality of testing.
In addition to improving the quality of testing, using multiple security testing tools raises certain practical issues: different and often complex scripts to run them automatically, different formats for reporting detected vulnerabilities, different formats for the data collected during test runs, and so on. All of these problems can be solved, but it is better to consider them at the stage of choosing tools.
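One way to handle the differing report formats is to normalize every tool's output into a single record format before it reaches the pipeline. The script below is an added example, not code from the article or from the Stingray platform: the two scanner report formats, the severity scales and the sample findings are constructed for illustration, and the final gate shows how a unified format lets a CI job fail the build on a single severity threshold regardless of which tool found the issue.

```python
import json
# Constructed sample output of a hypothetical SAST tool (source-code scan)
SAST_REPORT = json.dumps({"issues": [
    {"rule": "INSECURE_STORAGE", "level": "HIGH",
     "file": "app/src/main/java/com/example/Login.java", "line": 42},
    {"rule": "WEAK_CRYPTO", "level": "MEDIUM",
     "file": "app/src/main/java/com/example/Crypto.java", "line": 17},
]})

# Constructed sample output of a hypothetical DAST / backend API scanner
DAST_REPORT = json.dumps({"findings": [
    {"id": "TLS_NO_PINNING", "risk": 3, "endpoint": "https://api.example.test/login"},
    {"id": "WEAK_CRYPTO", "risk": 2, "endpoint": "https://api.example.test/token"},
]})

# Map the SAST tool's named levels onto the shared 1-4 numeric scale the DAST tool uses
SAST_LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def normalize_sast(raw):
    """Convert SAST issues into unified {type, severity, location, source} records."""
    return [{"type": i["rule"], "severity": SAST_LEVELS.get(i["level"].upper(), 1),
             "location": f'{i["file"]}:{i["line"]}', "source": "sast"}
            for i in json.loads(raw)["issues"]]

def normalize_dast(raw):
    """Convert DAST findings; their risk number is already on the shared scale."""
    return [{"type": f["id"], "severity": int(f["risk"]),
             "location": f["endpoint"], "source": "dast"}
            for f in json.loads(raw)["findings"]]

def merge(*lists):
    """Combine records, dropping repeats of the same type at the same location
    (e.g. when two scanner runs overlap), then sort by descending severity."""
    seen, merged = set(), []
    for rec in (r for lst in lists for r in lst):
        key = (rec["type"], rec["location"])
        if key not in seen:
            seen.add(key)
            merged.append(rec)
    return sorted(merged, key=lambda r: -r["severity"])

def gate(records, threshold=3):
    """CI gate: False (fail the build) if any finding is at or above threshold."""
    return all(r["severity"] < threshold for r in records)

if __name__ == "__main__":
    unified = merge(normalize_sast(SAST_REPORT), normalize_dast(DAST_REPORT))
    print(json.dumps(unified, indent=2))
    print("build passes:", gate(unified))
```

The same WEAK_CRYPTO weakness appears once from each tool at different locations and is deliberately kept twice, since the code location and the affected endpoint are both useful for remediation.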
Mobile application security testing has a number of specific features compared to web application testing, which should also be considered when organizing the testing process:
- It is necessary to create and maintain a special environment configured for testing mobile applications. This can be either physical mobile devices with testing tools installed, or emulators (in the case of Android). Moreover, it is desirable that different versions of operating systems are installed on the devices.
- You should use application distribution systems to automatically install versions of apps on test devices without having to manually download and install them.
- It is necessary to test application versions for both iOS and Android.
- If there is a web version of the application, security testing of the mobile application should be integrated with testing of the web application. For example, the same application API is often used for both mobile and web versions of an application. Using such features of application implementation, you can get a synergy effect when testing application security.
There is another important point to note. Automated scanning tools allow finding 80% of existing vulnerabilities for 20% of the effort. The remaining 20% are the vulnerabilities that are most difficult to find. You can find them using penetration testing, but that would take 80% of the effort. Penetration testing is performed manually using the black-box method, without access to the application source code. It simulates an external attack, just as a real attacker would do. Using the data obtained during automated testing can make penetration testing much more efficient.
Unfortunately, penetration testing cannot be integrated into the development process because this type of testing is performed manually. This is why it is often not used by development companies themselves to test the security of their applications. Many companies outsource penetration testing to professional vendors for one-time security assessments of their applications.
Incorporating security into the mobile application development process is a pressing question, and it has a number of peculiarities as compared to web application security testing. It should be planned with the specifics of the organization's development process in mind and organized using automated security scanning tools of different types.
The most universal solution is to use a mobile application security analysis platform. Such tools are also available on the market; in particular, the Stingray platform is such a solution. It is designed to be built into a continuous development process, supports several different types of testing, provides all results in a unified way using a single data format, and offers recommendations on secure application development for a significant number of the most common vulnerabilities. Using Stingray makes the process of mobile application security testing fast and efficient.