Blog
April 9, 2019
Application Development
Security

Application Security Testing: 5 Tips to Respond to the Threat Landscape


Smartphones have made our world more mobile, and there’s no sign that this phenomenon is slowing down.

This radical transformation has changed the way we communicate with one another, stay informed and conduct business. Many people now use a smartphone as the primary device for managing their lives.

With billions of active devices in use today, mobile app security is more important than ever before. Before an app goes live, it must be thoroughly tested for flaws that could lead to security issues and vulnerabilities, assuring the company that releases the app that user data remains safe and secure. Testing an app just before release is often the last line of defence, because it is done at the moment when fixes are impossible without postponing the release. If you miss a critical security vulnerability in the final phases of the testing process, you could jeopardize months or years of development work, putting user data, and ultimately your business, at risk.
Andrii Shevchuk, Head of Security Unit

One of the best resources for identifying mobile security threats is the Open Web Application Security Project (OWASP) and its Mobile Security Project. OWASP is a not-for-profit organization dedicated to improving software security. Supported by an ever-growing community of individuals, corporations, universities and government agencies, OWASP releases software and documentation with a singular focus on making application security transparent and actionable. Organizations that have cited OWASP's research include the National Cybersecurity Agency of France, the Centre for the Protection of National Infrastructure of Great Britain, and the Defense Information Systems Agency of the United States.

Periodically, OWASP releases a list of the most dangerous application security flaws known as the OWASP Top 10, with a separate Mobile Top 10 for mobile apps. The Top 10 is only the summary: alongside it, OWASP publishes more detailed Testing Guides, including the Mobile Security Testing Guide, which describe how to discover the flaws that later turn into security issues.

For mobile app developers, these are great resources for becoming aware of the biggest flaws in application security. Drawing from the OWASP Mobile Top 10, here are five tips companies should follow when testing mobile applications for security in 2019:

Identify leaky development

The Android and iOS operating systems are built with security in mind, but that doesn’t automatically make the applications developed for those platforms secure. Ultimately, application security depends on a developer’s skill and attention to following best security practices. But the pressures of application development, such as speed to market or developing with a new programming language, can cause developers to overlook critical security issues.

The proliferation of third-party frameworks, APIs and cross-platform development tools can exacerbate these problems. Software that shaves weeks off development time is great for shipping a new version quickly, but it also tempts developers to assume these tools are completely secure. When an app talks to a backend that runs on a third-party product, these weaknesses often show up as default administrative interfaces or default content that was never removed.

When testing your mobile app, ensure you’ve looked beyond the operating system itself and check for vulnerabilities in your third-party extensions, development tools and web-based interfaces.

Plug leaky data

With the European Union’s recent implementation of the General Data Protection Regulation (GDPR), data security isn’t just crucial for user information — it’s also the law. One of the key principles of the GDPR is data protection by design and default, meaning applications must be built from the ground up with data security in mind.

Unfortunately, insecure data storage leads to unintended data leakage, posing a great risk to data security. Leakage can stem from vulnerabilities in the operating system, development frameworks or hardware, and insecure data can live on removable storage, in cloud backups and in any number of logs and databases. An attacker who gains access to the device, to a backup of it, or to a file the app left readable by other apps may find private user data sitting unencrypted in a local database file.

Make sure your mobile app testing takes into account how the OS, APIs and third-party frameworks cache, log, process and store your application's data, and what happens to that data when the app is sent to the background.
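The practical way to check this tip is to pull the app's sandbox off a test device (for example with adb on Android) and look at what actually landed on disk. The script below is an added example written for this post, not Ciklum's tooling or code from the original article. It walks a directory that stands in for a pulled /data/data/&lt;package&gt;/ tree, inspects SharedPreferences XML, SQLite databases and log files, and reports entries that look like secrets. The secret patterns and the sample sandbox it builds are constructed for the demonstration; tune the patterns to the app under test.

```python
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Hypothetical patterns for secrets that should never sit in plaintext on the
# device; extend the list per application.
SECRET_PATTERNS = {
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "password_key": re.compile(r"(?i)\b(password|passwd|pwd)\b"),
    "api_key": re.compile(r"(?i)(api[_-]?key|secret)"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def first_match(*texts):
    """Return the label of the first pattern matching any of the strings, or None."""
    for label, pat in SECRET_PATTERNS.items():
        if any(pat.search(t) for t in texts if isinstance(t, str)):
            return label
    return None


def scan_shared_prefs(path):
    """Android SharedPreferences are XML: check every key and value."""
    findings = []
    for elem in ET.parse(path).getroot():
        key = elem.get("name", "")
        label = first_match(key, elem.text or "", elem.get("value", ""))
        if label:
            findings.append((os.path.basename(path), label, key))
    return findings


def scan_sqlite(path):
    """Walk every table and every text cell of a SQLite database."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, cell in zip(cols, row):
                    label = first_match(col, cell)
                    if label:
                        findings.append((os.path.basename(path), label, f"{table}.{col}"))
    finally:
        con.close()
    return findings


def scan_log(path):
    """Plain log files: anything logged for debugging survives in the sandbox."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            label = first_match(line)
            if label:
                findings.append((os.path.basename(path), label, f"line {lineno}"))
    return findings


def audit_sandbox(root_dir):
    """Dispatch each file of a pulled app data directory to the right scanner."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if name.endswith(".xml"):
                findings.extend(scan_shared_prefs(full))
            elif name.endswith((".db", ".sqlite")):
                findings.extend(scan_sqlite(full))
            elif name.endswith((".log", ".txt")):
                findings.extend(scan_log(full))
    return findings


def build_sample_sandbox():
    """Constructed stand-in for a pulled /data/data/<pkg>/ tree (not a real app)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "shared_prefs"))
    with open(os.path.join(root, "shared_prefs", "auth.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                 '  <string name="username">alice</string>\n'
                 '  <string name="password">hunter2</string>\n'
                 '  <string name="session">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln</string>\n'
                 '</map>\n')
    os.makedirs(os.path.join(root, "databases"))
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.execute("CREATE TABLE cards (id INTEGER, holder TEXT, number TEXT)")
    con.execute("INSERT INTO cards VALUES (1, 'alice', '4111 1111 1111 1111')")
    con.commit()
    con.close()
    with open(os.path.join(root, "debug.log"), "w") as fh:
        fh.write("2019-04-09 10:00:01 login ok user=alice\n"
                 "2019-04-09 10:00:02 api_key=sk_constructed_example_value\n")
    return root


if __name__ == "__main__":
    for finding in audit_sandbox(build_sample_sandbox()):
        print("%-10s %-13s %s" % finding)
```

On a real engagement, point audit_sandbox at the directory produced by adb pull (or an iOS file-system dump) and review every hit; a password in SharedPreferences or a card number in a SQLite table is exactly the storage flaw this tip is about, and the fix is to move such values into the platform keystore or encrypt them before they reach disk.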

Stop leaky communication

The beauty of mobile devices is the convenience of being able to communicate with people, products and services all around the globe. For this to even be possible, data has to be transmitted from one point to another, which can happen in any number of ways: over Wi-Fi, Bluetooth, a cellular network, an NFC chip or a physical port.

The trouble with mobile-to-mobile or app-to-server communication is that an insecure connection leads to data leakage. Whether through eavesdropping or a man-in-the-middle attack, intercepted communications pose serious security risks for app users.

Avoid insecure communication by operating from the assumption that the network is already hostile. Test that the app negotiates only modern TLS versions (TLS 1.2 or later), that it validates server certificates against trusted CAs rather than accepting any certificate, and, for high-value connections, that it pins the expected certificate. Also confirm that sensitive data isn't being sent through alternate channels such as push notifications or SMS.
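To make those checks concrete, here is an added example (written for this post, not code from the original article or from Ciklum) showing the two client configurations a tester typically meets side by side: the "trust everything" context that silences certificate errors, and a hardened one that enforces TLS 1.2+, CA validation and hostname checking, with an optional certificate pin on top. Python's ssl module stands in for the platform TLS stack; the pin value, host name and the audit_context report format are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import socket
import ssl

# Hypothetical pin set: base64(SHA-256(DER certificate)) per host. A tester computes
# the value for a real server with:
#   openssl x509 -in server.pem -outform der | openssl dgst -sha256 -binary | base64
PINNED_CERT_SHA256 = {"api.example.com": ["CONSTRUCTED_PIN_VALUE_REPLACE_ME="]}


def make_hardened_context():
    """What a backend client should use: OS CA store, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def make_insecure_context():
    """The 'trust all certificates' pattern often added to make a staging server work."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the problems a tester should report for a client SSLContext (empty if none)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions below 1.2 are accepted")
    return problems


def cert_pin(der_bytes):
    """Pin format used here: base64 of SHA-256 over the DER-encoded certificate."""
    return base64.b64encode(hashlib.sha256(der_bytes).digest()).decode("ascii")


def pin_matches(der_bytes, pins):
    actual = cert_pin(der_bytes)
    return any(hmac.compare_digest(actual, p) for p in pins)


def open_pinned(host, port=443, pins=None):
    """Connect with the hardened context and refuse a peer whose certificate is not pinned."""
    pins = pins if pins is not None else PINNED_CERT_SHA256.get(host, [])
    ctx = make_hardened_context()
    sock = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if not pin_matches(der, pins):
            raise ssl.SSLError(f"certificate pin mismatch for {host}")
        return tls.version(), cert_pin(der)
    finally:
        tls.close()


if __name__ == "__main__":
    print("hardened:", audit_context(make_hardened_context()) or "no problems")
    print("insecure:", audit_context(make_insecure_context()))
```

During testing, the same questions audit_context asks of a Python context are the ones to ask of the app: intercept its traffic with a proxy presenting an untrusted certificate and confirm the connection fails; if it succeeds, the app is behaving like make_insecure_context.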

Prevent leaky authentication

Unlike web applications, mobile applications are not expected to be online all the time, because wireless connections are unpredictable. To handle authentication, mobile apps may therefore end up storing login credentials on the local device so they can be sent to the server as soon as a network connection is available. Authentication decisions made locally, and credentials cached locally, give an attacker with access to the device a way to extract private information or bypass the check altogether.

If your mobile app requires authentication, test the authentication process for weaknesses. A mobile app's authentication should be just as strong as its desktop or web equivalent and must not accept weaker credentials or checks than a web browser would. One best practice is to assume any client-side authentication check can be bypassed, so make the real decision on the server whenever possible.
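The following added example (written for this post, not code from the original article or from Ciklum) shows the server-side pattern that tip describes: after the password is checked once, the client receives a signed, expiring token and stores only that, never the password. Authorisation is decided by verifying the token on the server, so a claim the client edits in local storage is worthless. The HMAC key, the claim names and the admin_report endpoint are assumptions made for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Constructed server-side key: lives only in the backend, never inside the app.
SERVER_KEY = os.urandom(32)


def _b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, role, ttl_seconds=900, now=None):
    """Server: after checking the password, hand the client a signed, expiring token."""
    now = time.time() if now is None else now
    claims = {"sub": username, "role": role, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64u(payload) + "." + _b64u(sig)


def verify_token(token, now=None):
    """Server: return the claims only if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _b64u_decode(payload_b64), _b64u_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:                   # refuse expired tokens
        return None
    return claims


def admin_report(token, now=None):
    """Server endpoint: the role comes from the verified token, not from the client."""
    claims = verify_token(token, now)
    if claims is None or claims.get("role") != "admin":
        return None
    return {"report": "constructed admin data for " + claims["sub"]}


def client_side_is_admin(local_prefs):
    """Anti-pattern: trusting a flag the app stores itself; trivially edited on a rooted device."""
    return local_prefs.get("role") == "admin"


def tamper_role(token, new_role):
    """What an attacker does to a stored token: edit the claims and keep the old signature."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64u_decode(payload_b64))
    claims["role"] = new_role
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64u(payload) + "." + sig_b64


if __name__ == "__main__":
    token = issue_token("alice", "user")
    print("genuine token verifies:", verify_token(token) is not None)
    print("tampered token verifies:", verify_token(tamper_role(token, "admin")) is not None)
    print("local flag says admin:", client_side_is_admin({"role": "admin"}))
```

When testing, try exactly what tamper_role does against the real app: edit the cached session or role flag on a rooted test device and replay it. If the backend still serves privileged data, the authorisation decision is being made on the client.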

Biometric authentication is gaining traction because it feels more secure to users than typing a password. Keep in mind that the biometric prompt is itself a client-side check: it should unlock a credential held in the platform keystore that the server then verifies, not replace server-side authentication.

Avoid leaky functionality

Throughout the development process, hidden dashboards or debug and staging environments may be built into an app so developers can keep building and testing it. These environments exist solely for testing and are not intended for release to the public. However, that code has to live somewhere, and it often stays in the app until development nears its end.

Before deploying your mobile app, test to ensure there are no hidden switches, debug flags or configuration settings left enabled, that test code has been removed from the product, and that every API endpoint the app can reach is documented and intended for production use.
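A release-candidate check for this tip can be automated against the build artefacts. The script below is an added example written for this post, not Ciklum's tooling or code from the original article. It inspects an AndroidManifest.xml for a debuggable flag and for components whose names suggest leftover debug or test screens (reporting whether they are reachable from other apps), and scans source or configuration text for non-production hosts and debug switches left switched on. The manifest, the sources and the naming heuristics are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Hypothetical heuristics: names, hosts and flags that usually mean "not for production".
SUSPECT_NAME = re.compile(r"(?i)(debug|test|staging|internal|hidden|admin|mock)")
SUSPECT_HOST = re.compile(
    r"https?://(?:localhost|127\.0\.0\.1|10\.\d+\.\d+\.\d+|[\w.-]*(?:dev|staging|test)[\w.-]*)\b")
SUSPECT_FLAG = re.compile(r"(?i)\b(debug\w*|enable_test\w*|bypass_\w+|mock\w*)\s*=\s*true\b")


def audit_manifest(manifest_xml):
    """Flag debuggable builds and leftover debug/test components in AndroidManifest.xml."""
    issues = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return issues
    if app.get(ANDROID_NS + "debuggable") == "true":
        issues.append("application is debuggable")
    for comp in app.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = comp.get(ANDROID_NS + "name", "")
        if not SUSPECT_NAME.search(name):
            continue
        # Android treats a component as exported when exported="true", or when the
        # attribute is absent but an intent-filter is declared.
        exported_attr = comp.get(ANDROID_NS + "exported")
        exported = exported_attr == "true" or (
            exported_attr is None and comp.find("intent-filter") is not None)
        issues.append(f"{comp.tag} {name} looks like leftover test code"
                      + (" and is exported" if exported else ""))
    return issues


def audit_sources(files):
    """Flag non-production endpoints and debug switches in source or config text."""
    issues = []
    for path, text in files.items():
        for m in SUSPECT_HOST.finditer(text):
            issues.append(f"{path}: non-production endpoint {m.group(0)}")
        for m in SUSPECT_FLAG.finditer(text):
            issues.append(f"{path}: debug switch left on: {m.group(0)}")
    return issues


# Constructed inputs standing in for a release build's manifest and sources.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DebugMenuActivity" android:exported="true"/>
    <service android:name=".InternalTestSyncService"/>
  </application>
</manifest>"""

SAMPLE_SOURCES = {
    "Config.kt": ('const val API_BASE = "https://api.example.com/v1"\n'
                  'const val STAGING_BASE = "https://api-staging.example.com/v1"\n'
                  'const val ENABLE_TEST_MENU = true\n'),
    "NetModule.kt": 'val mockUrl = "http://10.0.2.2:8080/mock"\n',
}


if __name__ == "__main__":
    for issue in audit_manifest(SAMPLE_MANIFEST) + audit_sources(SAMPLE_SOURCES):
        print(issue)
```

Run it over the decoded release APK (the manifest from apktool and the strings or decompiled sources) rather than over the repository, since what matters is what actually ships; every endpoint the scan reports should then be matched against the documented production API.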

Mobile application security is no longer just an option — it is a necessity. Check out Ciklum’s security testing services and ensure your app will resist malicious attacks.
