The recent claims by US researchers that they have been able to hack into Gmail accounts with a 92 percent success rate makes one wonder – How Secure are the Mobile Apps?
This is not the first time that data from a mobile app was compromised. A study done in 2013 looked at 230 top apps from third-party sites outside of the Apple App Store and Google Pay marketplaces, including the top 100 paid apps on Android and iOS. Among the paid apps, the study found 92% of the iOS apps had been hacked, compared with 100% on the Google Android platform.
However, only 40% of the popular free iOS apps had been hacked, rising to 80% for free apps on the Android platform.
So what should you as a Mobile App Development firm do to make sure that your apps are secure?
The best option is to hire a Security Testing of a Security consultant and get your mobile apps tested. However, you need to make sure they perform mobile application penetration testing as per OWASP Mobile Top 10 Risks.
If you can’t afford to get your apps tested from a security expert here is what you can do. The list of tests below is not a comprehensive one but will give you a good start in making your mobile apps secure.
- Analyze the manifest file (In case of Android ) to understand the permission assigned to application
- Analyze the file and directory permission assigned to application
- Establish a proxy server to analyze the data transmission over the network
- Use tools like Burpsuite and Paros
- Analyze the date through proxy server
- Analyze SSL connection and authenticity of SSL certificate installed on the mobile
- SSL certificate validation involves – Key length verification, encryption mechanism supported
- SQL Injection to perform authentication bypass
- Modifying local SQLite database to bypass authentication
- Session Replay in case of web based mobile application
- Forced browsing and back refresh based attack to gain unauthorized access
- Sensitivity of data present in SQLite and Plist file
- Perform reverse engineering to extract hard-coded data present in code like encryption key
- Check SQLite, Plist and keychain based file to identify data stored locally
- Check if data is stored in encrypted format or not
- Perform source code analysis also
It is worth mentioning here that the list above is not a panacea of security problems. Therefore I recommend that app owners:
1. Make mobile app protection a strategic priority (a proactive exercise not a reactive one)
2. Do not assume that web application security strategies are adequate to address the vulnerabilities of a mobile app
6. Hire a security testing firm to perform VA and Pen Test on your apps
About the Author:
Jyotiprasad Bhatt (JP) is the Founder of ImpactQA and can be contacted at firstname.lastname@example.org