Mobile security encompasses network security (i.e. mobile apps often operate on the public internet and connect to backend servers) and application/software security, among other things. It is important to thoroughly test the security of your mobile applications. The great number of mobile platforms available on the market creates a multitude of different host environments that any given mobile application may be run on. Dynamic penetration testing is one of the most powerful techniques that your company may use to ensure complete data security on every mobile OS and platform. Dynamic mobile testing comprises a myriad of testing mechanisms, including the testing of: authentication protocols, session management parameters, access control mechanisms, input validation implementation, device data storage, transport layer encryption, the feasibility of reverse engineering, and more. These testing techniques offer a full range of measures that can help to ensure that your mobile applications are safe, secure and will stand up to any offensive front. Below is a brief overview of each of these security testing mechanisms that make up dynamic mobile testing.
Authentication Testing includes dynamically testing the implementation of protocols for gaining authorized access to the system via proper credentials (e.g. username, password, PIN), and is important to test in order to determine whether a malicious person can gain access to the system by inputting commands, utilizing malware, or by using automated software, etc. This also includes checking how data is pulled from back-end databases and how user input is parsed and pushed to the back-end, which can help to mitigate certain types of attacks that allow for bypassing authentication (e.g. SQL injection).
ACCESS CONTROL (AC)
Access control (AC) encompasses authentication, unique electronic identifiers, etc. and binds the aforementioned points together as a system that allows authorized users to access data on the server or to establish sessions with the server. It is imperative that your company utilizes and implements a robust access control system that allows only fully-authenticated, authorized users to gain access to the system.
Input validation is the practice of validating user input before the data is parsed. This stops a user on the client side from using command injection in order to run malicious code on the server that could allow for a data breach or unauthorized access to the system. Many attack vectors (e.g. SQLi) can be mitigated by input validation since any malicious code would be rendered benign before it is passed to the database server. According to the Common Weakness Enumeration Report, SQL injection ranked among the highest security attack vector used against applications. OWASP ranks Injection as the most prevalent attack used against applications.
SECURE STORAGE OF DATA
The secure storage of data on mobile devices is very important, as everything from encryption to the database framework in use must be taken into account. In addition to this, the vulnerabilities that are common to the OS in use may present greater security flaws that can allow such mobile storage systems to be exploited. Embedded databases such as SQLite are known to have several security issues.
NETWORK SYSTEMS IN MOBILE APPLICATIONS
When dealing with network systems in mobile applications, a sufficiently strong cipher (e.g. AES instead of RC4) must be used with Transport Layer Security (TLS) for end-to-end encryption to ensure that data is kept private and fully secure. Data in transit over a public network must be encrypted so that any data that is sniffed does not appear in plain-text.
Reverse engineering an application into source code can reveal many secrets about the application such as encryption ciphers used, backdoors that may be present, security vulnerabilities and language-specific weaknesses in the code that can be exploited, along with hard-coded secrets and more.
LEAKAGE OF APPLICATION DATA
The leakage of application data on a mobile device is very common according to the NowSecure Mobile Security report which indicates that many apps leak unique identifiers, personal user data, location data, and other private information, often in plain-text.
It is also important to note that many dynamic, automated scanning tools exist that offer only a partial understanding of your security posture. These often exist as basic scripts or even complex software that many non-professional ``hackers`` (e.g. ``script kiddies``) can use on your applications to compromise them without having detailed knowledge of application hacking. Thus it is very important to run penetration tests on your applications to ``hack yourself first``, especially since a more advanced hacker could use both automated tools and thorough manual hacking techniques to compromise your mobile applications. There are many tools and mobile security frameworks in existence such as Drozer (Android) and Needle (iOS), that can allow both our team - and a team of malicious cyber-attackers - to penetrate your mobile applications. Packet sniffers such as Wireshark, allow for the capture and analysis of data over a network, while application proxies allow for remote access to device systems, and debuggers/reverse engineering toolkits such as IDA and Hopper are all powerful tools that can be used to test your software before hackers use the same tools to compromise your applications. It is important to note, however, that automated tools cannot differentiate between false positives, false negatives, and true positives. The detailed interpretation of results, complex workflow, access control mechanisms, the implementation of authorization and authentication, etc. cannot be understood or carried out efficiently by automated scanning tools. This can only be fully used and analyzed by a manual test in conjunction with a thorough review and interpretation by an experienced security engineer.
Android is a popular, open-source mobile OS built on the Java programming language, which is known for having several high-risk security flaws that cyber-attackers can exploit. Using frameworks such as Drozer we dynamically test Android apps. Testing is an important step in application development, as the NowSecure report shows that, among popular apps on the Google Play store, there was a total of 16,036 high-risk issues found.
iOS is a powerful, closed-source mobile OS built with the Objective C and Swift programming languages, along with other languages such as C++. The C-based languages are often susceptible to buffer overflows and other attack vectors. Utilizing frameworks such as Needle we can run dynamic, comprehensive security tests on your iOS apps.
Windows mobile platforms are unique in being built on a variety of programming languages, which results in an uncommon security challenge for companies. Nevertheless, we are able to fully test your Windows mobile applications in order to mitigate common security flaws such as security holes that allow remote access to file systems on mobile devices, weak password systems that allow password-cracking tools to break passwords, and weaknesses that allow Denial of Service (DoS) attacks to compromise your business systems.
We also offer complete dynamic penetration tests for Blackberry devices and other mobile platforms that are built on a variety of operating systems, programming languages and frameworks.
which is all accomplished at run-time to better understand how an attacker could take advantage of a running application in order to exploit it. Dynamic penetration tests provide a better perspective of how secure your applications are from an attacker's perspective, while also revealing potential attack vectors that an attacker could use, along with potential vulnerabilities that could be exploited. This manual testing procedure often uses automated. We also perform static analysis assessments, which include manual and automated analysis of the code using proprietary tools along with manual code review by security engineers.
These steps are necessary to fully discover security holes in your applications which could allow an attacker to discover and exploit weak cryptographic ciphers & backdoors, bypass authentication protocols, and exploit