With the rise of working on the go and the age of constant connectivity, application developers and software companies are spreading their products to just about any device that has Internet connectivity. While the applications they build may look and feel the same on different devices, the underlying architecture and attack surface are very different. Web applications and mobile applications may seem very similar, but they must be tested very differently from a security perspective. Let’s take a look at mobile app testing: what it consists of, what questions it can help you answer, and why it’s important.
What is it?
Just like a web application or your company’s network perimeter, mobile apps have their own level of exposure and their own set of security concerns. While there is definitely some overlap with traditional web application penetration testing, such as injection testing and logic flaws, there are a host of other considerations that do not apply to traditional web apps. This requires a unique approach and a different tool set. For mobile apps, these concerns include leakage of sensitive information onto the devices running the application, the use of strong cryptography for data storage and transmission, and the principle of least privilege for device permissions.
What does Mobile App Testing consist of?
At a high level, Mobile App Testing includes both unauthenticated and authenticated penetration testing of the target application on every supported device operating system. Beyond that testing, binary analysis is conducted on the compiled apps’ .ipa (iOS) and .apk (Android) files. All testing is based on the OWASP Mobile Security Testing Guide (MSTG) and the OWASP Mobile App Security Checklist. The following activities are part of this testing process:
- Static Binary Analysis
- Dynamic Binary Analysis
- Analysis of Encryption/Secure Communications
- Identification of Logic Flaws/Authorization Bypasses
- Fuzzing/Scanning for Injection Flaws
- Identification of Misconfigurations and/or Packaging Issues
- Evaluation of API Endpoints and Application Traffic
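As an illustration of what the static analysis and misconfiguration/packaging checks above look for, here is an added example (not the testing methodology's own tooling) that reviews an AndroidManifest.xml the way a tester would on first contact with an .apk: it flags debuggable and cleartext-traffic builds, backup exposure, exported components with no permission guard, and runtime permissions the app's features do not justify (the least-privilege concern). The sample manifest, the package name com.example.notes and the short DANGEROUS_PERMISSIONS list are constructed for the example.

```python
"""Static manifest review (added example, not part of any vendor tooling).

Parses an AndroidManifest.xml and reports the packaging and
misconfiguration issues a mobile app test checks for: debug builds,
backup exposure, cleartext traffic, exported components with no
permission guard, and runtime permissions beyond least privilege.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# A partial list of runtime ("dangerous") permissions, chosen for
# illustration; a real review would use the full platform list.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample manifest for a hypothetical notes app; not from a real APK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:debuggable="true"
                 android:allowBackup="true"
                 android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <provider android:name=".NotesProvider"
                  android:authorities="com.example.notes.provider"
                  android:exported="true"/>
        <service android:name=".SyncService" android:exported="true"
                 android:permission="com.example.notes.SYNC"/>
    </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def review_manifest(xml_text, expected_permissions=frozenset()):
    """Return a list of (severity, finding) tuples for the manifest.

    expected_permissions: runtime permissions that the app's documented
    features justify; dangerous permissions outside this set are reported
    as least-privilege findings.
    """
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return [("high", "manifest has no <application> element")]

    # Packaging flags that should not ship in a release build.
    if attr(app, "debuggable") == "true":
        findings.append(("high", "android:debuggable=true allows a debugger to attach to the app"))
    if attr(app, "allowBackup") != "false":
        findings.append(("medium", "android:allowBackup not disabled; private app data may be included in device backups"))
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append(("high", "android:usesCleartextTraffic=true permits unencrypted HTTP traffic"))

    # Exported components are reachable by other apps; the launcher activity
    # is expected to be exported, and a permission attribute guards the rest.
    for comp in app:
        if comp.tag not in ("activity", "service", "provider", "receiver"):
            continue
        if attr(comp, "exported") != "true":
            continue
        is_launcher = any(
            attr(cat, "name") == "android.intent.category.LAUNCHER"
            for cat in comp.iter("category")
        )
        if is_launcher or attr(comp, "permission"):
            continue
        findings.append(("medium", f"exported {comp.tag} {attr(comp, 'name')} has no permission guard"))

    # Least privilege: dangerous permissions not justified by a known feature.
    for perm in root.findall("uses-permission"):
        name = attr(perm, "name")
        if name in DANGEROUS_PERMISSIONS and name not in expected_permissions:
            findings.append(("low", f"dangerous permission {name} is not justified by a known feature"))
    return findings


if __name__ == "__main__":
    # The hypothetical app records voice notes, so RECORD_AUDIO is expected.
    for sev, msg in review_manifest(SAMPLE_MANIFEST, {"android.permission.RECORD_AUDIO"}):
        print(f"[{sev}] {msg}")
```

Run against the sample, the script reports the debuggable, backup and cleartext flags, the unguarded exported provider, and the READ_CONTACTS permission, while leaving the launcher activity, the permission-guarded service and the justified RECORD_AUDIO permission alone. In a real engagement the manifest is pulled from the decoded .apk and the expected-permission set comes from the app's feature list, so each remaining dangerous permission becomes a question for the development team.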
If you want more detail on our Mobile App Testing Methodology, check out this blog.
Why is it important?
Ultimately, mobile app testing is becoming more prevalent because of the additional exposure mobile apps create for your users and for the data your organization is trying to protect. For the same reasons you are doing web application penetration testing, you should be considering mobile app security. This testing can help you answer the question “Is my application environment secure?” where traditional web app testing or API testing may only be giving you part of the answer. If you want to talk through the advantages of mobile app testing, or figure out whether you could benefit from this type of testing, reach out to us!