What is Mobile App Security?
Mobile devices (phones and tablets) and the applications that run on them are now used far more than web applications run on desktops and laptops. These devices and apps store a great deal of sensitive data that is at risk in many ways and must be protected from unauthorized access. Mobile exposure comes in many shapes and forms: a device can be stolen, email and personal contacts can be sent over untrusted networks, and all kinds of malware can be installed.
Despite this, a study done by IBM shows that 50% of companies have no budget dedicated to mobile app security.
Mobile application security is the software security posture of the apps on a mobile device, and it involves assessing those apps for security issues. Because a mobile app runs on a device that an attacker may physically control, it needs protections that web apps do not, such as tamper detection and code obfuscation, which makes security measures harder to implement than in web apps.
Some common issues that affect mobile apps include:
- Storage of sensitive data in a way that lets other applications on the same phone read it.
- Authentication and authorization checks that can be bypassed by malicious users or applications.
- Sensitive data that is not encrypted at all.
- Encryption that uses weak algorithms, hardcoded keys, or insecure modes.
These issues can be exploited by malicious applications on the device or by an attacker on the same Wi-Fi network as the end user.
Mobile Application Security Testing (Mobile AST)
According to an IBM study, on average, companies test fewer than half of their mobile apps, and 33% of companies never test their apps at all.
There are three main ways in which mobile AST solutions test applications:
- Static application security testing (SAST) is a white box method: it examines the application's internal structure, reading its source or decompiled code to find flaws and weaknesses. SAST should be performed early and often against any files that contain source code.
- Behavioral testing observes the app as it runs, for example what it writes to storage, sends over the network, and exposes to other apps, in order to identify actions that an attacker could exploit.
- Dynamic application security testing (DAST) is a black box method: it exercises the running application from the outside, without access to its code, simulating attacks to find out which vulnerabilities an attacker could actually exploit.
No single tool can provide a comprehensive mobile app vulnerability assessment. The three kinds of tests must be combined into an efficient holistic assessment in order to discover vulnerabilities that might otherwise have been missed.
The testing process includes:
- Decrypting parts of the application that are encrypted (for example, App Store binaries are FairPlay-encrypted and must be decrypted on a device before they can be disassembled).
- Interacting with the application and learning how it receives, transmits, and stores data.
- Decompiling the app and analyzing the resulting code.
- Pinpointing security weaknesses in the decompiled code using static analysis.
- Applying the understanding gained to drive penetration testing and dynamic analysis.
- Using penetration testing and dynamic analysis to evaluate the effectiveness of the app's security controls (such as authentication and authorization).
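The static-analysis step above, and the common-issue list earlier on this page (world-readable storage, weak or misused cryptography, cleartext transport), can be triaged with a small pattern scanner over decompiled code before dynamic testing begins. The following is an added example, not the output of any real SAST tool or code from the original page: a handful of regex rules run over a constructed "decompiled" Java class. The rule names, the sample class `TokenStore` and its strings are all made up for illustration; real tools track data flow, whereas this only spots literal API misuse.

```python
"""Minimal static checker over decompiled Android code (added example).

Not the output of any real SAST tool: a few regex rules that catch the
textbook issues named in this section (world-readable storage, weak or
misused cryptography, cleartext transport, secrets in logs). Real tools
track data flow; this only spots literal API misuse, which is enough to
triage jadx output before dynamic testing.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    text: str


# One regex per rule, applied to each line of decompiled Java source.
RULES = [
    # Preferences or files readable by every other app on the device.
    ("world-readable-storage", re.compile(r"MODE_WORLD_(?:READABLE|WRITEABLE)")),
    # Shared external storage: readable by any app with the storage permission.
    ("external-storage", re.compile(r"getExternalStorageDirectory\(")),
    # DES/3DES/RC4, or AES in ECB (the provider default when only "AES" is given).
    ("weak-cipher", re.compile(
        r'Cipher\.getInstance\(\s*"(?:(?:DES|DESede|RC4|ARCFOUR)(?:/[^"]*)?'
        r'|AES(?:/ECB/[^"]*)?)"')),
    # Key or IV baked into the binary; anyone who decompiles it has it too.
    ("hardcoded-key", re.compile(r'new SecretKeySpec\(\s*"[^"]+"\.getBytes')),
    ("hardcoded-iv", re.compile(r'new IvParameterSpec\(\s*"[^"]+"\.getBytes')),
    # Cleartext transport and disabled hostname checks: the same-Wi-Fi attacker.
    ("cleartext-http", re.compile(r'"http://[^"]+"')),
    ("allow-all-hostnames", re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    # Secrets written to logcat (noisy by design; review hits by hand).
    ("sensitive-logging", re.compile(r"Log\.[dive]\(.*(?:password|token|pin|secret)", re.I)),
]


def scan(source: str) -> List[Finding]:
    """Return findings in source order; a line may trigger several rules."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # ignore line comments (block comments are not handled)
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, lineno, stripped))
    return findings


# Constructed sample of "decompiled" Java; not taken from any real app.
SAMPLE_JAVA = """\
package com.example.wallet;
public class TokenStore {
    private static final String API = "http://api.example.com/v1/session";
    void save(Context ctx, String token) {
        SharedPreferences p = ctx.getSharedPreferences("auth", Context.MODE_WORLD_READABLE);
        p.edit().putString("token", token).apply();
        Log.d("TokenStore", "saved token=" + token);
    }
    byte[] wrap(byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec("s3cr3tk3ys3cr3tk".getBytes(), "AES"));
        return c.doFinal(data);
    }
    byte[] wrapSafely(byte[] data, SecretKey key, byte[] nonce) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(data);
    }
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_JAVA):
        print(f"line {f.line:>2}  {f.rule:<22}  {f.text}")
```

Running it flags the cleartext URL, the world-readable preferences, the token written to logcat, the ECB cipher and the hardcoded key, while the `wrapSafely` method using AES-GCM with a caller-supplied key and nonce produces no finding. Every hit still needs a human to confirm it with dynamic analysis, which is the "apply the understanding gained" step in the process above.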
Mobile application vulnerability testing is used before production to confirm that the app's security controls work as expected and to catch implementation errors. It also surfaces edge cases, which often turn into security bugs. The process covers configuration as well as code so that security issues are found before the app goes live.
Mobile Application Risk Analysis
Before you can secure your application, you must perform a risk assessment in order to find out what the threats are and how exposed your mobile application is to them. A proper assessment saves time, reduces risk, and identifies actionable security measures that both improve safety and meet mandatory compliance standards.
It is important, first of all, to know exactly what assets you are trying to protect. What might an attacker be interested in getting access to? Once you know this, the next steps are to:
- Identify the usage scenarios of the mobile app and the scope of the assessment.
- Undertake threat modelling in order to understand the source, the target, and the actors involved.
- Find the vulnerabilities that the threats could exploit, and analyze their impact on the target assets.
- Evaluate the possible impact and the likelihood of each risk in order to prioritize them.
- Decide how to mitigate each risk or reduce its likelihood.
The top five mobile app security threats are:
1. Unsecured Wi-Fi - Threat actors on an unprotected network can intercept data that an app sends in cleartext or with broken TLS validation, and so read sensitive data directly from mobile devices or applications.
2. Apps with malicious code - A malicious or trojanized app installed alongside yours can read poorly protected data on the device and exploit it.
3. Operating system vulnerabilities - OS vendors patch newly discovered vulnerabilities in updates. The best protection for a device and its apps is to install operating system updates as soon as they are available, and to replace a device whose operating system no longer receives updates.
4. Data leaks - Mobile apps typically store data both on the device and on remote servers. Users who install a new app often grant its permissions and enter personal information without reviewing what it will do with them. Data can then leak from insecure local storage, browser cookies, or caches, or from the remote servers if an attacker gains access to them.
5. Cryptography issues - Correct cryptography is what keeps an app's data confidential and authentic in transit and at rest. Weak or incorrect cryptographic implementations, or no cryptography at all, leave sensitive data exposed to threat actors.
App Security Requirements
In order to effectively deploy secure software, you need clear, consistent, measurable, and testable software security requirements. Security requirements are goals set out for an application from the outset based on what need the app is meant to fill. Just as you lay out your goals for how the final app will function and what it will do, you must include your security goals as well.
In order to determine your security requirements, you must consider what specific kinds of vulnerabilities you are looking to prevent, what preventative measures you will take, and how you will measure whether your requirements are met.
There are three kinds of security requirements:
- Functional requirements describe what the system must do. They describe functional behavior that enforces security. Functional requirements are related to authentication, access control, and data integrity, among other things, and can be directly tested and observed.
- Nonfunctional requirements describe what the system must be: properties such as availability, performance, and auditability, often driven by regulations that apply to the system.
- Derived requirements are derived from functional and nonfunctional requirements. For example, if a system has a functional requirement of a user ID and PIN, a derived requirement might set the number of incorrect PIN guesses allowed before the account is locked. In order to create derived requirements, designers have to think like an attacker and figure out how functionalities can be abused.
In order to meet your security goals, your developers and designers need a list of specific, clear, achievable requirements. When building those requirements, consider the following questions:
- Is the requirement complete?
- Is the requirement clear and unambiguous?
- Is the requirement testable?
- Is the requirement measurable?
- Are the requirements consistent?
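The derived requirement from the user ID and PIN example above is a good test of the checklist, because it is only useful if it is measurable and testable. The following is an added example, not code from the original page: a PIN verifier that implements the derived requirement (lock the account after a fixed number of wrong guesses) on top of the functional one (authenticate with a PIN). The constants `MAX_ATTEMPTS`, `LOCKOUT_SECONDS` and `PBKDF2_ITERATIONS`, and the function names, are assumptions chosen for illustration; the `now` parameter exists so the lockout can be unit-tested without waiting.

```python
"""PIN verification with a derived lockout requirement (added example).

Functional requirement: the user authenticates with a user ID and PIN.
Derived requirement (the abuse case): after MAX_ATTEMPTS wrong PINs the
account is locked for LOCKOUT_SECONDS. Thresholds are assumptions.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

MAX_ATTEMPTS = 5             # derived requirement: lock after 5 wrong guesses
LOCKOUT_SECONDS = 300        # derived requirement: lockout length in seconds
PBKDF2_ITERATIONS = 100_000  # assumption: tune to the device's CPU budget


def _derive(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked record is not a lookup table of PINs.
    # A 4-digit PIN has only 10,000 values, so this slows but cannot stop an
    # offline guess; on a real device bind the PIN to a hardware-backed key.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def enroll_pin(pin: str) -> dict:
    """Create the stored record for a new PIN (the PIN itself is not kept)."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _derive(pin, salt),
            "failures": 0, "locked_until": 0.0}


def verify_pin(record: dict, pin: str, now: Optional[float] = None) -> str:
    """Return "ok", "wrong" or "locked" and update the counters in record.

    `now` is injectable so the lockout can be tested without sleeping.
    """
    now = time.time() if now is None else now
    if now < record["locked_until"]:
        return "locked"          # refuse even a correct PIN while locked
    if hmac.compare_digest(_derive(pin, record["salt"]), record["digest"]):
        record["failures"] = 0   # success resets the counter
        return "ok"
    record["failures"] += 1
    if record["failures"] >= MAX_ATTEMPTS:
        record["locked_until"] = now + LOCKOUT_SECONDS
        record["failures"] = 0   # a fresh window of attempts after the lockout
        return "locked"
    return "wrong"


if __name__ == "__main__":
    rec = enroll_pin("4821")
    t0 = 1000.0
    results = [verify_pin(rec, "0000", now=t0) for _ in range(MAX_ATTEMPTS)]
    print(results)                              # four "wrong", then "locked"
    print(verify_pin(rec, "4821", now=t0 + 1))  # still "locked"
    print(verify_pin(rec, "4821", now=t0 + LOCKOUT_SECONDS))  # "ok"
```

The requirement is measurable ("five wrong guesses, five minutes") and the test below is the proof that it is testable. On a real device the `failures` and `locked_until` fields must live somewhere an attacker holding the phone cannot simply reset, such as hardware-backed storage or the server side; otherwise editing or deleting the file defeats the derived requirement while the functional one still appears to work.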