The recent claims by US researchers that they have been able to hack into Gmail accounts with a 92 percent success rate make one wonder: how secure are mobile apps?
This is not the first time that data from a mobile app has been compromised. A study done in 2013 looked at 230 top apps from third-party sites outside of the Apple App Store and Google Play marketplaces, including the top 100 paid apps on Android and iOS. Among the paid apps, the study found that 92% of the iOS apps had been hacked, compared with 100% on the Google Android platform.
However, only 40% of the popular free iOS apps had been hacked, rising to 80% for free apps on the Android platform.
So what should you as a Mobile App Development firm do to make sure that your apps are secure?
The best option is to hire a security testing firm or a security consultant and have your mobile apps tested. However, you need to make sure they perform mobile application penetration testing as per the OWASP Mobile Top 10 Risks.
If you can't afford to have your apps tested by a security expert, here is what you can do. The list of tests below is not comprehensive, but it will give you a good start in making your mobile apps secure.
- Analyze the manifest file (in the case of Android) to understand the permissions assigned to the application
- Analyze the file and directory permissions assigned to the application
- Establish a proxy server to analyze the data transmitted over the network
- Use tools like Burp Suite and Paros
- Analyze the data passing through the proxy server
- Analyze the SSL connection and the authenticity of the SSL certificate installed on the mobile device
- SSL certificate validation involves key length verification and the encryption mechanisms supported
- SQL injection to perform authentication bypass
- Modifying the local SQLite database to bypass authentication
- Session replay in the case of web-based mobile applications
- Forced browsing and back/refresh based attacks to gain unauthorized access
- Sensitivity of data present in SQLite and plist files
- Perform reverse engineering to extract hard-coded data present in the code, such as encryption keys
- Check SQLite, plist and keychain based files to identify data stored locally
- Check whether data is stored in encrypted form or not
- Perform source code analysis as well
It is worth mentioning here that the list above is not a panacea for security problems. Therefore I recommend that app owners:
1. Make mobile app protection a strategic priority (a proactive exercise, not a reactive one)
2. Do not assume that web application security strategies are adequate to address the vulnerabilities of a mobile app
3. Hire a security testing firm to perform vulnerability assessment (VA) and penetration testing on your apps
About the Author:
Jyotiprasad Bhatt (JP) is the Founder of ImpactQA and can be contacted at jpbhatt@impactqa.com