Mobile Application Security Test

About Cyber Security Testing Services

Security testing services cover the testing of information systems against the three fundamental principles of information security (confidentiality, integrity and availability), independently of the product and before any cyber-attack can take place, together with the detection of existing security gaps and proposals for closing them.

How Do Mobile Applications Work?

Mobile applications are at the epicenter of current development trends. Most of these applications have a client–server architecture. The client runs on the operating system, which is most frequently Android or iOS. This client is downloaded to the device from the app distribution platforms, where developers publish their wares. As perceived from the user's point of view, the client installed on the smartphone is the mobile application. This is what the user interacts with to make purchases, pay bills, or read emails. But in fact, there is also another component: the server, which is hosted by the developer. Often this role is performed by the same software that is responsible for generating and processing content on the site. In other words, most often the server-side component is a web application that interacts with the mobile client over the Internet by means of a special application programming interface (API). So in reality we can regard the server as the more important component. It is where information is stored and processed. The server is also responsible for synchronizing user data between devices.

Modern mobile OSs come with various security mechanisms. By default, an installed app can access only files in its own sandbox directories, and user rights do not allow editing system files. Nevertheless, errors made by developers in designing and writing code for mobile applications cause gaps in protection and can be abused by attackers.

Comprehensive security checks of a mobile application include a search for vulnerabilities in the client and server, as well as data transmission between them. In this report, we will cover all three aspects. We will also talk about threats to users, including threats arising from interaction between the client and server sides of mobile applications. Methodology and the source dataset are described at the end of the report.

What Are the Mobile Application Attack Types?

  • Client-side

These attacks are mostly caused by incorrect security configurations made by application developers. To carry out such an attack, the attacker does not need to touch the back-end resources the app communicates with; the attacker only tries to exploit the associated vulnerabilities on the device on which the application is installed.

Examples of Client-side Attacks

  1. Insecure interprocess communication (IPC) is a common critical vulnerability allowing an attacker to remotely access data processed in a vulnerable mobile application. Let us review the workings of IPC in greater detail. Android provides Intent message objects as a way for application components to communicate with each other. If these messages are broadcast, any sensitive data in them can be compromised by malware that has registered a BroadcastReceiver instance.
  2. One third of vulnerabilities in Android mobile applications stem from configuration flaws. For example, when analyzing AndroidManifest.xml our experts often discover the android:allowBackup attribute set to "true". This allows a backup copy of the application data to be created when the device is connected to a computer. This flaw can be used by an attacker to obtain application data even on a non-rooted device.
  3. Many mobile applications use a four- or six-digit PIN code for authentication. There are several ways of implementing PIN code verification when the user logs in. Performing this check on the client side is not secure: this would require that the PIN code be stored on the mobile device, which increases the risk of a leak. Authentication data is stored insecurely in 53 percent of mobile applications.
  4. Mobile devices allow viewing recently used applications and quickly switching between them. After the app moves to the background, the OS captures a snapshot of the app's current state for this purpose. Direct access to these snapshots is available only on rooted devices. It is important to make sure that snapshots do not contain sensitive data. For instance, if the owner was just using a mobile bank app, the snapshot could contain a card number. These snapshots could be stolen if the device is infected.
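
Item 3 above contrasts client-side and server-side PIN verification. The following is an added example, not code from the page or from any product it describes: a minimal server-side verifier that stores only a salted PBKDF2 hash of the PIN, compares in constant time and locks the account after repeated failures, next to the insecure client-side comparison it replaces. The in-memory `_users` dictionary, the `enroll_pin`/`verify_pin` function names and the iteration and lockout constants are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional


# --- Insecure pattern: the PIN itself is kept on the device and compared locally.
def client_side_pin_check(stored_pin: str, entered_pin: str) -> bool:
    # Whatever is stored on the device (preferences, database, snapshot) can be
    # read on a rooted, jailbroken or infected device, and the comparison itself
    # can be patched out at runtime, so this check protects nothing.
    return stored_pin == entered_pin


# --- Server-side verification (constructed example; an in-memory dict stands in
# for the server's user database).
PBKDF2_ITERATIONS = 100_000   # assumed work factor
MAX_FAILED_ATTEMPTS = 5       # assumed policy
LOCKOUT_SECONDS = 300         # assumed policy

_users: Dict[str, dict] = {}


def _derive(pin: str, salt: bytes) -> bytes:
    # A 4- or 6-digit PIN has at most a million candidates, so the KDF alone cannot
    # make it strong; the attempt counter in verify_pin is what makes guessing impractical.
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll_pin(user_id: str, pin: str) -> None:
    """Store a salted hash of the PIN; the PIN itself is never persisted."""
    if not (pin.isdigit() and len(pin) in (4, 6)):
        raise ValueError("PIN must be 4 or 6 digits")
    salt = os.urandom(16)
    _users[user_id] = {"salt": salt, "hash": _derive(pin, salt),
                       "failed": 0, "locked_until": 0.0}


def verify_pin(user_id: str, pin: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'wrong_pin', 'locked' or 'unknown_user'.

    The client only sends the entered PIN (over TLS); the server alone decides
    whether the attempt succeeds, so a modified client cannot skip the check.
    """
    now = time.time() if now is None else now
    rec = _users.get(user_id)
    if rec is None:
        _derive(pin, b"\x00" * 16)  # spend comparable time so unknown users are not cheap to probe
        return "unknown_user"
    if now < rec["locked_until"]:
        return "locked"  # do not evaluate the PIN at all while locked
    if hmac.compare_digest(_derive(pin, rec["salt"]), rec["hash"]):
        rec["failed"] = 0
        return "ok"
    rec["failed"] += 1
    if rec["failed"] >= MAX_FAILED_ATTEMPTS:
        rec["locked_until"] = now + LOCKOUT_SECONDS
        rec["failed"] = 0
    return "wrong_pin"


if __name__ == "__main__":
    enroll_pin("alice", "1234")
    print(verify_pin("alice", "1234"))   # ok
    print(verify_pin("alice", "0000"))   # wrong_pin
```

The `now` parameter exists only so the lockout can be exercised deterministically; a real service would take the clock from the request context and persist the failure counter with the user record.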
  • Server-side

These weaknesses lie in the server-side services the application communicates with. Through them, an attacker can bypass authorization, disclose critical information and enumerate the users defined on your system, and may go further and use these weaknesses to gain access to your server.

Why Perform Mobile Application Security Tests?

With the spread of portable technologies, mobile applications have gained much value, and many important transactions in banking, health, communication and daily life have moved to them. This has attracted the attention of attackers and increases the threats that may come through mobile applications.

Therefore, mobile application security tests have become very important in order to detect and eliminate the risks that may occur.

How To Perform Mobile Application Security Tests?

Mobile application security tests are performed in two phases:

  • Pre-installation phase of the mobile application.
  • Post-installation phase of the mobile application.

Tests for Mobile Applications

The purpose of mobile application tests is to detect threats to the application. In this context, the following tests are performed based on the OWASP Top 10, using the test user profiles that the scope defines.


Android and iOS Applications

  • Pre-installation Phase

In this phase, the following steps are carried out on the application.

  • The security measures the application applies to raise its level of protection (SSL pinning, root/jailbreak detection and screen-capture prevention) are identified. The information gathered in this step is used in the post-installation phase.
  • The application's source code is obtained and searched for sensitive information.
  • The obtained source code is examined for the presence of code obfuscation techniques.
  • The AndroidManifest.xml file (Android) is checked and incorrect configurations are detected.
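
The manifest check in the last step above, and the android:allowBackup flaw described under the client-side attack examples, can be automated over a decoded AndroidManifest.xml. The script below is an added example written for this page, not a tool of the service provider: it parses the manifest with the standard library, reports allowBackup (including the case where the attribute is absent, since Android's default is true), debuggable and usesCleartextTraffic, and lists components that are exported (explicitly, or implicitly through an intent-filter on releases before Android 12) without an android:permission. The two sample manifests, the package name com.example.demo and the component names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem: ET.Element, name: str) -> Optional[str]:
    # Manifest attributes live in the android: namespace.
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(comp: ET.Element) -> bool:
    # The launcher activity has to be exported; it is not reported as a finding.
    return any(_attr(a, "name") == "android.intent.action.MAIN" for a in comp.iter("action"))


def check_manifest(xml_text: str) -> List[str]:
    """Return configuration findings for a decoded AndroidManifest.xml."""
    findings: List[str] = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return ["manifest has no <application> element"]

    backup = _attr(app, "allowBackup")
    if backup is None or backup.lower() == "true":
        # Default is true, so a missing attribute is reported as well: the app's
        # private data can then be copied out when the device is attached to a computer.
        findings.append("allowBackup=%s: application data can be extracted via backup"
                        % (backup or "absent (defaults to true)"))
    if (_attr(app, "debuggable") or "").lower() == "true":
        findings.append("debuggable=true: a debugger can be attached to the build")
    if (_attr(app, "usesCleartextTraffic") or "").lower() == "true":
        findings.append("usesCleartextTraffic=true: plain HTTP is permitted")

    for tag in COMPONENT_TAGS:
        for comp in app.iter(tag):
            name = _attr(comp, "name") or "<unnamed>"
            exported = _attr(comp, "exported")
            # Before Android 12 a component with an <intent-filter> and no explicit
            # android:exported is implicitly exported to every other app.
            implicit = exported is None and comp.find("intent-filter") is not None
            if ((exported or "").lower() == "true" or implicit) \
                    and _attr(comp, "permission") is None and not _is_launcher(comp):
                findings.append("%s %s is exported%s without android:permission"
                                % (tag, name, " (implicitly, via intent-filter)" if implicit else ""))
    return findings


# Constructed sample: the weak configuration the page warns about.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.demo.SYNC"/></intent-filter>
    </receiver>
    <service android:name=".InternalService" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="true" android:permission="com.example.demo.READ_DATA"/>
  </application>
</manifest>"""

# Constructed sample: the same app with the flaws corrected.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:allowBackup="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.demo.SYNC"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in check_manifest(WEAK_MANIFEST):
        print(finding)
    print("hardened:", check_manifest(HARDENED_MANIFEST))
```

The script expects the decoded (text) manifest, as produced by apktool or a similar decoder, not the binary XML inside the APK; it reports the receiver in the weak sample because the intent-filter makes it reachable by any app on older Android versions while nothing restricts who may send it.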


  • Post-installation Phase

In this phase, the following steps are carried out on the application.

  • The application is installed on the physical device provided for it, or on a virtual machine. It is then browsed like a curious user, with the traffic recorded through a proxy, and all of the application's functions are extracted for the later attack steps.
  • The application's network traffic is examined and recorded with a tool such as Wireshark.
  • The application's storage area is checked to see what data it stores:

- (Android) SQLite databases, ".db"
- (Android) Preferences, ".xml"
- (iOS) SQLite databases, ".db"
- (iOS) Binary property list files, ".plist"
- (iOS) Application files, ".app/"

  • Application logs are reviewed to find sensitive information.
  • The web services the application communicates with are identified, and the full web application methodology (OWASP Top 10) is applied to them in the vulnerability scanning phase.
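
The storage review above (SQLite databases, Android preference XML and iOS binary plists) is usually done by pulling the application's data directory and reading every file for values that should never have been stored in clear. The scanner below is an added example for this page, not the service's own tooling: it walks a data directory, reads each of the three file types with the Python standard library, and reports values whose key name suggests a credential, that look like a JWT, or that are Luhn-valid card numbers. The fixture directory it builds (the token, card number and PIN in it, and the file names) is constructed for the example, as are the regular expressions, which are deliberately simple.

```python
import os
import plistlib
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from typing import Iterator, List, Tuple

# Patterns a reviewer applies to recovered storage (constructed for this example).
SENSITIVE_KEY = re.compile(r"pass(word)?|pin|token|secret|session|auth", re.I)
CARD_NUMBER = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
JWT = re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real card number from any long digit run."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _values_from_db(path: str) -> Iterator[Tuple[str, str]]:
    con = sqlite3.connect(path)
    try:
        for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
            cur = con.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
            cols = [d[0] for d in cur.description]
            for row in cur:
                for col, val in zip(cols, row):
                    if val is not None:
                        yield "%s.%s" % (table, col), str(val)
    finally:
        con.close()


def _values_from_xml(path: str) -> Iterator[Tuple[str, str]]:
    for elem in ET.parse(path).getroot().iter():
        key = elem.get("name") or elem.tag  # SharedPreferences entries carry name="..."
        if elem.text and elem.text.strip():
            yield key, elem.text.strip()
        for attr, val in elem.attrib.items():
            if attr != "name":
                yield "%s@%s" % (key, attr), val


def _walk_plist(obj, prefix: str = "") -> Iterator[Tuple[str, str]]:
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk_plist(v, prefix + str(k) + ".")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk_plist(v, prefix + str(i) + ".")
    else:
        yield prefix.rstrip("."), str(obj)


def _values_from_plist(path: str) -> Iterator[Tuple[str, str]]:
    with open(path, "rb") as fp:  # plistlib reads both XML and binary plists
        yield from _walk_plist(plistlib.load(fp))


READERS = {".db": _values_from_db, ".xml": _values_from_xml, ".plist": _values_from_plist}


def scan_app_storage(data_dir: str) -> List[Tuple[str, str, str]]:
    """Return (relative file, key, reason) for every stored value that looks sensitive."""
    findings = []
    for dirpath, _, files in os.walk(data_dir):
        for fname in files:
            reader = READERS.get(os.path.splitext(fname)[1].lower())
            if reader is None:
                continue
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, data_dir).replace(os.sep, "/")
            for key, val in reader(full):
                if SENSITIVE_KEY.search(key):
                    findings.append((rel, key, "sensitive key name"))
                elif JWT.search(val):
                    findings.append((rel, key, "JWT stored in clear"))
                elif any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_NUMBER.finditer(val)):
                    findings.append((rel, key, "Luhn-valid card number"))
    return findings


def build_sample_storage() -> str:
    """Constructed fixture: a fake app data directory, not data pulled from any real app."""
    root = tempfile.mkdtemp(prefix="appdata_")
    for sub in ("shared_prefs", "databases", "Library/Preferences"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "shared_prefs", "app.xml"), "w", encoding="utf-8") as fp:
        fp.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                 '  <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSJ9.c2lnbmF0dXJl</string>\n'
                 '  <boolean name="dark_mode" value="true" />\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "wallet.db"))
    con.execute("CREATE TABLE cards (id INTEGER, holder TEXT, pan TEXT)")
    con.execute("INSERT INTO cards VALUES (1, 'Test User', '4111 1111 1111 1111')")
    con.commit()
    con.close()
    with open(os.path.join(root, "Library", "Preferences", "com.example.app.plist"), "wb") as fp:
        plistlib.dump({"user": {"name": "test", "pin": "1234"}, "theme": "light"}, fp, fmt=plistlib.FMT_BINARY)
    return root


if __name__ == "__main__":
    for finding in scan_app_storage(build_sample_storage()):
        print(finding)
```

Against a real pull, point `scan_app_storage` at the copied data directory; every hit is a candidate for the storage finding in the report, and the key-name and Luhn checks keep the output from filling with every long number or free-text field the app keeps.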