Mobile Application Security Testing, Testing for Mobility App

Mobile Application Security Testing

White Paper

Launch Secure Applications

idexcel


Introduction

Application development has come a long way in the last two decades, but it is puzzling to see that, despite major security breaches, security testing takes a back seat compared to other forms of quality testing such as usability or functional testing. An application can be flawless and high-calibre in terms of functionality, but it is rendered meaningless if a hacker or malicious user can perform any of a number of common exploits. The exponential rise in the use of mobile applications for different purposes puts mobile devices in great danger of being hacked or compromised.

The market for mobile application development is changing rapidly, giving rise to an increased requirement to ensure the authenticity and legitimacy of these apps. Application security testing is one of the key success factors for companies developing and deploying mobile applications on several platforms. In this paper, we explore the growing trends in mobile applications, the security concerns these trends bring, and how to deal with them.


Growth of Mobile Applications

Mobile applications have been one of the biggest innovations of recent years, and their growth is exploding as people use apps all day long. The move to mobile is being fuelled by developers turning out applications for their businesses, resulting in greater demand for mobile application security testing.

Broadly speaking, there are three types of mobile applications:

Native applications: Applications written for a specific platform, which only run on the supported devices.

Web applications: Applications accessible from any mobile device because they are built using standards such as HTML5.

Hybrid applications: Applications with a web-based interface wrapped in a layer of native application, to get the best of both worlds.

Mobile apps have changed the way we live our lives and interact with our environment. The Apple App Store leads in the number of apps available, with an impressive 850,000 apps. Games are the most popular type of app (33%), followed by widgets (8%). Facebook is the top messaging app, used by 700 million users around the world, followed by WeChat, used by 300 million users. An average person downloads 22 apps on their smartphone and spends almost 80% of their time in apps. Revenue from apps is expected to be $36.7 billion by 2015. One in four mobile apps, once downloaded, is never used again. The statistics shown below indicate significant growth in the number of free app downloads.


Some of the mobile application growth statistics are as follows:

Portio Research (March 2013) Estimates: 1.2 billion people worldwide were using mobile apps at the end of 2012. This is forecast to grow at 29.8 percent each year, to reach 4.4 billion users by the end of 2017. Much of this growth will come from Asia, which will account for almost half of app users in 2017.

mobiThinking note: 1.2 billion app users is a large number, considering that analysts estimate that there aren’t much more than a billion smartphones worldwide, and that app development in recent years has largely focused on smartphones (mostly just one or two types of smartphones), but it is still only a minority of phone users. There are 6.8 billion mobile subscriptions worldwide, according to the ITU (February 2013) – that means approximately 17 percent of mobile subscribers use apps.

Mobile Applications Security Concerns and Vulnerabilities

The above statistics indicate that there is explosive growth in mobile application usage. Along with this growth come pain points for developers and businesses, because there is a lack of standards that needs to be addressed; the same gap points to a good business opportunity for mobile application security in the coming years.

This unregulated growth in mobile application development and usage is exposing mobile devices and data to major security risks, where application vulnerabilities are exploited by malicious users. What is the motive behind these attacks? For an individual, attackers are interested in the credentials held on the device and for external services such as banking and email. They want access to personal data such as the address book, they want credit card details, and they need access to the device so that they can use it or steal trade secrets and other sensitive data. For organisations, use of vulnerable applications by employees on the LAN or on their personal devices can lead to data breaches and increased corporate liability. Attack points include:

Data Storage: Key stores, application file system, application database, caches, configuration files

Binary: Reverse engineering to understand the binary, find exploitable vulnerabilities, key generation routines, embedded credentials

Platform: Function hooking, mobile botnets, malware installation, application architecture decisions based on platform

According to tests run by HP Fortify, 86% of apps that accessed potentially private data sources such as Bluetooth connections or address books lacked security measures to protect the data from access. 86% of the apps lacked binary hardening protection, 75% of apps did not encrypt data before storing it on the device, and 18% of apps transmitted data over the network without using SSL encryption. Another 18% used SSL, but did so incorrectly.

Security for mobile applications is more challenging than for desktop or web applications because they have a smaller footprint on the virtual machine. HP conducted security testing on more than 2,000 Apple iOS mobile apps developed for commercial use by some 600 large companies in 50 countries. The results showed that nine out of 10 applications had serious vulnerabilities, 97 percent of apps inappropriately accessed private information sources within the device, and 86 percent proved vulnerable to attacks such as SQL injection.

Mobile applications become vulnerable to security attacks because development is focused on features, not security, and users do not even have security on their radar. Developers are unaware of the underlying platform, and users are easily social engineered.

Mobile application testing is challenging due to compatibility issues, as any mobile application can be deployed across devices with different operating systems (Android, iOS, BB, Windows etc.), versions of an operating system (B4.x, 5.x, iOS 4.x etc.), keypad types (hard keypad or virtual keypad), and manufacturers such as Nokia, Apple, Samsung, HTC etc. There is no guarantee that an application that works well on a given device will work well on another, even one from the same product family, as the CPU, screen resolution, OS optimization, hardware and memory could differ.

Testing tools available for web-based and desktop applications cannot be used for mobile applications. Hence, for testing mobile applications, complex scripting techniques and new tool development are required. Additionally, for any application to be globally popular and acceptable, it must meet industry standards. Any well-developed mobile application can easily be rejected by the end user merely due to the UI look and feel. If mobile applications are critical to the business, these questions create a growing dilemma. BYOD (Bring Your Own Device) and BYOA (Bring Your Own Application) have received plenty of attention and are a major cause of serious malware problems as well.

Rigorous testing of mobile applications is critical; however, very few organisations have a comprehensive understanding of, and the resources to implement, all aspects of security testing.

The Open Web Application Security Project’s (OWASP) Top Ten Mobile Application Security Risks include:

Insecure Data Storage

Weak Server Side Controls

Insufficient Transport Layer Protection

Client-Side Injection

Poor Authentication and Authorization

Improper Session Handling

Security Decisions via Untrusted Inputs

Side Channel Data Leakage

Broken Cryptography

Sensitive Information Disclosure

It is easy to deduce that mobile applications pose significant risks, and it may take years to learn and implement the right methodologies for developing a platform for testing these applications. However, for any mobile application development company, the first step towards addressing the issue is to identify all the threats that the application can pose to the end user. The end user can be an individual or a corporate client. The aspects that need to be tested by the QA team as part of security testing of mobile applications include confidentiality, authentication, integrity, availability, authorization and non-repudiation. Each of these aspects is critical for the success of any security testing framework, and they extend to mobility applications as well. Organizations need to follow the latest mobile security best practices and dig deep to look for vulnerabilities that can cost them money, reputation and time. So let us look a little deeper and understand these vulnerabilities and the best practices to deal with them.


Common Security Threats and Best Practices

Threat: Excessive Permissions and Privileges

Detail: This is one of the most serious and common vulnerabilities, and it creates a great deal of privacy concern on mobile devices. Applications that reside on the mobile device have excessive access privileges and permissions, such as access to the contact list, receiving and sending messages, update rights, location, and access to other hardware such as the microphone and camera.

Best Practice: App developers should restrict the privileges and permissions granted to applications. Users should periodically check the device settings and apps for any excess permissions, and if they feel that an application has excessive access, they should revoke the access rights.
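As an added illustration of the best practice above (example code, not part of the white paper or any Idexcel tool): a Python check that parses an app's AndroidManifest.xml, lists the permissions it requests, and flags the sensitive ones the paper names (contacts, messaging, location, microphone, camera) that the reviewer has not explicitly justified. The manifest, the "flashlight" app and its single justified permission are constructed for the example; the permission names are real Android permission strings.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names covering the accesses the paper lists as
# excessive: contacts, receiving and sending messages, location, microphone, camera.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.WRITE_CONTACTS": "contact list",
    "android.permission.RECEIVE_SMS": "receiving messages",
    "android.permission.READ_SMS": "reading messages",
    "android.permission.SEND_SMS": "sending messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

# Constructed manifest for a hypothetical flashlight app that asks for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)   # the android:name attribute
        if name:
            names.append(name)
    return names


def excessive_permissions(manifest_xml, justified):
    """Map each declared sensitive permission not in `justified` to what it exposes."""
    return {perm: SENSITIVE_PERMISSIONS[perm]
            for perm in declared_permissions(manifest_xml)
            if perm in SENSITIVE_PERMISSIONS and perm not in justified}


if __name__ == "__main__":
    # Reviewer's judgement for this hypothetical app: the camera permission is
    # justified (it drives the flash LED); nothing else on the list is.
    justified = {"android.permission.CAMERA"}
    for perm, exposure in excessive_permissions(SAMPLE_MANIFEST, justified).items():
        print("EXCESSIVE: %s grants access to %s" % (perm, exposure))
```

The justified set is the review decision, recorded per app, so re-running the check on each build turns a newly added permission into a visible finding rather than a silent change.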

Threat: Malware

Detail: Just like web apps, mobile applications use web services and HTTP requests to communicate between server and client. Common vulnerabilities such as SQL injection, cross-site scripting, XML bombs and buffer overflows get discovered during dynamic analysis. These enable an attacker to propagate malware and gain access to device information without having the privileges.

Best Practice: Applications should validate all forms of input and convert scripts and script tags to a non-executable form. Ensure that the executables on your server do not return scripts in executable form. You can convert HTML and JavaScript tags into alternate HTML encoding.
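An added Python example (not from the paper) that contrasts the input-handling flaw this row describes with the recommended controls: a user lookup built by string concatenation next to its parameterized form, an allow-list validator for the input, and HTML encoding of untrusted text before it is returned to a page or a hybrid app's WebView. The in-memory user table and the inputs are constructed for the example.

```python
import html
import sqlite3


def build_sample_db():
    """Constructed in-memory user table standing in for the app's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_user_unsafe(conn, name):
    """Vulnerable form: the client's string becomes part of the SQL text itself."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, name):
    """Hardened form: the driver binds the value, so it is only ever compared as data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def validate_username(name):
    """Allow-list validation on the server: only short ASCII alphanumerics pass."""
    return (isinstance(name, str) and 1 <= len(name) <= 32
            and name.isascii() and name.isalnum())


def render_greeting(display_name):
    """HTML-encode untrusted text before returning it to a page or WebView, so tags
    and quotes arrive as inert text rather than as markup or script."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = build_sample_db()
    crafted = "x' OR 'a'='a"   # constructed input that changes the unsafe query's logic
    print(lookup_user_unsafe(conn, crafted))   # every user, not just 'x'
    print(lookup_user_safe(conn, crafted))     # nothing: no user has that literal name
    print(validate_username(crafted))          # False: rejected before it reaches the query
    print(render_greeting("<script>alert(1)</script>"))
```

Validation and encoding are complementary: the validator keeps unexpected characters out of fields that have a known shape, and the encoder makes free-text fields safe for the place they are rendered. Parameterized queries remove the concatenation flaw regardless of what the input contains.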


Threat: Ineffective Session Termination

Detail: When the user clicks the logout button, the session is terminated only locally on the client side, without terminating the session at the server end. This coding flaw leaves the server susceptible to unauthorized access, where an attacker can use the victim’s session, and this can lead to identity theft.

Best Practice: After logout, always invalidate the session on both the server and the client side. If a session has not been active for more than 15-20 minutes, terminate it. Long sessions must be re-authenticated.

Threat: Buffer Overflow

Detail: An attacker uses buffer overflows to corrupt the execution stack of the application. The attacker sends carefully crafted input to the application and causes it to execute arbitrary code, which can take over the device. The attack relies on writing data to a particular memory address, or on having the OS mishandle data types.

Best Practice: Buffer overflow protection techniques can be used during software development to enhance the security of executable programs by detecting overflows of stack-allocated variables as soon as they occur, preventing them from becoming serious security vulnerabilities. You can also scan your application with a scanner that looks for buffer overflow flaws.

Threat: Bad Data Storage Practice

Detail: Insecure or bad data storage occurs when developers assume that users will not have access to the device file system, and hence store sensitive information in data stores on the device. If data is not protected properly, jailbreaking or rooting the device circumvents any encryption protections, leading to loss of data including usernames, passwords, cookies, location data, personal information and application data. SQLite databases, Plist files, log files, binary data stores, XML data stores, the SD card, cookie stores and cloud-synced stores are the places where data is stored most insecurely.

Best Practice: Do not store data unless absolutely necessary. Scrutinize the data security APIs of the platform, and ensure that they are being called appropriately. Do not store credentials on the device file system.
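An added Python example (not the paper's or any vendor's tool) of the on-device artifact check the data storage row calls for, and of the kind of inspection the Forensic tools described later perform: it walks a constructed stand-in for an app's private data directory, scans text artifacts (a shared-preferences XML file and a log) for credential-like keys, and inspects SQLite databases by column name. The directory contents and the pattern list are constructed assumptions.

```python
import os
import re
import sqlite3
import tempfile

# Credential-like names a forensic pass looks for in config files, logs and
# database schemas (constructed list; extend it for the app under test).
SECRET_NAME_RE = re.compile(r"password|passwd|pwd|secret|token|api[_-]?key", re.I)
SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file


def build_sample_app_data(root):
    """Constructed stand-in for an app's private data directory on the device."""
    os.makedirs(os.path.join(root, "shared_prefs"))
    os.makedirs(os.path.join(root, "databases"))
    with open(os.path.join(root, "shared_prefs", "login.xml"), "w") as f:
        f.write('<map>\n<string name="username">alice</string>\n'
                '<string name="password">hunter2</string>\n</map>\n')
    with open(os.path.join(root, "app.log"), "w") as f:
        f.write("INFO login ok\nDEBUG auth token=constructed-token-value\n")
    conn = sqlite3.connect(os.path.join(root, "databases", "cache.db"))
    conn.execute("CREATE TABLE session (user TEXT, api_key TEXT)")
    conn.execute("INSERT INTO session VALUES ('alice', 'constructed-key')")
    conn.commit()
    conn.close()


def scan_text_file(path):
    """Report each line whose content names a credential-like key."""
    hits = []
    with open(path, "r", errors="replace") as f:
        for lineno, line in enumerate(f, 1):
            if SECRET_NAME_RE.search(line):
                hits.append("line %d" % lineno)
    return hits


def scan_sqlite(path):
    """Report table columns whose names suggest stored secrets."""
    hits = []
    conn = sqlite3.connect(path)
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for col in conn.execute('PRAGMA table_info("%s")' % table):
            if SECRET_NAME_RE.search(col[1]):        # col[1] is the column name
                hits.append("%s.%s" % (table, col[1]))
    conn.close()
    return hits


def scan_app_data(root):
    """Walk the data directory; return sorted (relative path, location) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                is_sqlite = f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
            hits = scan_sqlite(path) if is_sqlite else scan_text_file(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.extend((rel, h) for h in hits)
    return sorted(findings)


def run_demo():
    """Build the sample directory in a temporary location and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_app_data(root)
        return scan_app_data(root)


if __name__ == "__main__":
    for rel, where in run_demo():
        print("possible secret in %s at %s" % (rel, where))
```

On a real device the directory would be pulled from a rooted or jailbroken test handset, which is exactly the access the row says developers wrongly assume users lack; a finding here means the value should move to the platform's keystore or not be stored at all.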

Threat: Device Access

Detail: Smartphones and other mobile devices have the ability to send messages and texts, connect to wireless LANs, and have GPS capabilities, but they lack firewalls, intrusion detection systems and virus protection.

Best Practice: Mobile risks can be managed by active scanning, log event aggregation, passive network monitoring, and integration with mobile device, patch and configuration management solutions. A vulnerability scanner can be used to enumerate devices accessing the corporate network, provide detailed mobile device information, detect known vulnerabilities and discover jailbroken devices.

Threat: Device Security

Detail: Mobile devices bring unique security and management risks, as they often operate beyond corporate boundaries, increasing exposure to malware.

Best Practice: Correctly implementing the mobile device strategy, and mapping that strategy to the local device settings, can help address concerns regarding data loss prevention, VPN access, password policies, stolen devices and other security issues.

Mobile Applications Security Testing Tools

Threat models for mobile applications can be quite complicated; hence several different aspects of these systems need to be examined. There are mainly three types of tools for mobile application security testing: static, dynamic and forensic. For a comprehensive testing program, it is a good idea to use a combination of vendor-provided and third-party tools of each type.

Static: These tools look at the application at rest, either the application binary or the source code, to identify vulnerabilities in code, usually associated with data flow and buffer handling. Some static security analysis services and tools can test mobile application code. To get a clear understanding of which vulnerabilities can and cannot be identified, it is essential to work closely with the vendor, as most of these tools were optimized for web application testing. There are freely available tools for C, C++ and Objective-C programs. These tools can be used to test for some security and quality errors, and can be run from the command line as well as from inside Apple’s Xcode development environment. Additionally, the ‘otool’ command provided by Xcode can be used to get information from iOS application binaries and can support security analysis.

Tools are available for the Android environment to extract DEX assembly code and recover Java source code from applications. These tools can generate DEX assembly code from an Android DEX application binary, and dex2jar converts DEX application binaries to standard Java jar files.

Dynamic: These testing tools allow security analysts to understand the behaviour of running systems so that they can identify potential issues. Proxies that allow security analysts to observe and change the communication between the application client and its supporting services are the most common dynamic analysis tools. These tools help security analysts reverse engineer communication protocols and make potentially malicious messages that would never be sent by genuine mobile clients. Such messages attack the server-side resources, which are a very critical component of any mobile application system.

Forensic: These tools allow application security analysts to examine the artifacts left behind by the application once it has been run. Analysts may look for hard-coded passwords or other credentials stored in configuration files, unexpected data stored in web browser component caches, and sensitive data stored in application databases. These tools can also be used to see how components of mobile applications are stored on the device, and to understand whether available operating system access control features have been used effectively.

App developers must keep the following points in mind with respect to improving the security of mobile applications:

Proper Session Handling: Do not trust the client, use SSL to encrypt the client connection, require a mobile certificate that can be validated, expire sessions, limit the amount of time any request is valid, do not allow repeat requests and do not allow modified requests.

Ensure Transport Layer Security: Follow the protocol to ensure privacy between communicating applications and their users on the Internet.

OWASP Cheat Sheets: The OWASP cheat sheet series was created by several application security experts, and these sheets provide an excellent security format. There is also a lot of information on specific mobile application security topics.

Sandboxing of Applications: Used to isolate the code and the impact that code can have in a runtime environment such as a mobile device.

Strong Authentication and Authorization: Use image-based authentication to secure mobile transactions and mobile applications, or to authenticate users in different situations.

Application White Listing: Prevent unauthorized programs from running.

Mandatory User Input for privileged or elevated access.

Tie Processes to a user ID.

Encrypt Data when Written to Memory.
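An added Python example (not the paper's code) that puts the session rules from the "Ineffective Session Termination" best practice and the "Proper Session Handling" point above into one server-side session store: logout invalidates server state, idle sessions expire after 15 minutes, long sessions are forced to re-authenticate, each request carries a timestamp that is valid only for a short window, and requests are signed with a per-session key so that repeated (replayed) or modified requests are rejected. The absolute-lifetime and request-window values and the HMAC request format are assumptions chosen for the example.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # paper: end sessions idle for more than 15-20 minutes
ABSOLUTE_LIFETIME = 8 * 3600  # assumption: long sessions must re-authenticate after 8 hours
REQUEST_WINDOW = 60           # assumption: a request timestamp is valid for 60 seconds


def sign_request(key, sid, nonce, timestamp, body):
    """Client and server compute the same HMAC over the request fields (constructed format)."""
    msg = "%s|%s|%s|%s" % (sid, nonce, timestamp, body)
    return hmac.new(key, msg.encode(), "sha256").hexdigest()


class SessionStore:
    """Server-side session state: logout and expiry are enforced here, not only on the client."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable clock so the expiry rules can be tested
        self._sessions = {}       # session id -> session record

    def login(self, user):
        """Create a session after authentication; returns the id and the per-session key."""
        now = self._clock()
        sid = secrets.token_urlsafe(32)
        key = secrets.token_bytes(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now,
                               "key": key, "nonces": {}}
        return sid, key

    def logout(self, sid):
        """Terminate the session on the server regardless of what the client does."""
        self._sessions.pop(sid, None)

    def validate(self, sid, nonce, timestamp, body, signature):
        """Return (accepted, reason_or_user) for one incoming request."""
        now = self._clock()
        s = self._sessions.get(sid)
        if s is None:
            return False, "no such session"
        if now - s["last_seen"] > IDLE_TIMEOUT:
            self.logout(sid)
            return False, "idle timeout"
        if now - s["created"] > ABSOLUTE_LIFETIME:
            self.logout(sid)
            return False, "re-authentication required"
        if abs(now - timestamp) > REQUEST_WINDOW:
            return False, "request expired"
        # Forget nonces too old to pass the timestamp check anyway, then test this one.
        s["nonces"] = {n: t for n, t in s["nonces"].items()
                       if now - t <= 2 * REQUEST_WINDOW}
        if nonce in s["nonces"]:
            return False, "repeated request"
        expected = sign_request(s["key"], sid, nonce, timestamp, body)
        if not hmac.compare_digest(expected, signature):
            return False, "modified request"
        s["nonces"][nonce] = now
        s["last_seen"] = now
        return True, s["user"]


if __name__ == "__main__":
    store = SessionStore()
    sid, key = store.login("alice")
    ts = time.time()
    sig = sign_request(key, sid, "nonce-1", ts, "GET /balance")
    print(store.validate(sid, "nonce-1", ts, "GET /balance", sig))   # accepted
    print(store.validate(sid, "nonce-1", ts, "GET /balance", sig))   # repeated request
    store.logout(sid)
    print(store.validate(sid, "nonce-2", ts, "GET /balance", sig))   # no such session
```

The order of the checks matters: expiry is decided from the server's own clock and records before any client-supplied field is trusted, and the signature is compared with a constant-time function so that a rejected request leaks nothing about the expected value.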

Tackling Mobile Apps Security Testing


Now that there is a clear understanding of the main risks involved in mobile application development, you can determine and define your approach to mobile application security solution deployment. While defining the right approach, you must understand your specific use cases and incorporate your key objectives and business drivers. Several key points drive strategy and the resulting architecture. These include decisions such as Bring-Your-Own vs. Corporate-provided, 3rd Party Tools vs. Native Platform Tools, Manage Security In-house vs. Outsource Security, Full Data Access vs. Restricted Data Access, and Application Management vs. Application Guidance. You need to plan your mobile app security testing strategy, starting by getting the basics under control. The mobile security market is not mature as of today, and there is still a long way to go to have the right security controls in place. Most breaches at the data level occur due to basic configuration failures such as lack of encryption, poor passwords, poor patching etc.

Additionally, test all layers of mobile application security on both the client and the server side. Continue to explore. Mobile devices and technology will evolve at a very high pace; hence, plan a six-month strategy instead of a three-to-five-year one, and constantly re-evaluate new risks. Keep in mind that business demands and requirements will change as fast as the market. It is also worth mentioning that you should not just test an app and forget about it. There are developer forums for most of the major mobile platforms, where you can find the latest emerging security threats. Continue to enhance your test strategy to cover these new security threats.

Whenever possible, Automate!


Conclusion

Security failures occur for a number of reasons: poor coding, design flaws, insufficient training, ineffective processes or human error. Failures are growing as well, as more and more mobile apps are used in safety and business domains. Test automation frameworks hold the key to successful mobile application security testing. You need to build a testing strategy that combines different testing options and puts them together to offer the best testing results, balancing the trade-off between quality, cost and time-to-market.


About the Author

Harsha B N works as a Test Architect in the Mobility division of Idexcel. He has twelve years of experience in the development and testing of mobile applications. Prior to joining Idexcel, Harsha worked with Nokia for eight years in various capacities as Program Manager, Chief Test Engineer and Project Manager, working on OTA infrastructure development, Mobile Payments services and the S60 SDK.

About Idexcel

Idexcel is an innovative provider of IT Products & Services focused on emerging technologies. We help world-leading companies build efficiencies and stronger businesses. With more than 15 years in existence, Idexcel’s main focus is client satisfaction and technology innovation. Our industry expertise and a global, collaborative workforce form the backbone of our services. We offer a high degree of skill in Enterprise Applications, Cloud Services, Data Warehousing, Big Data, Analytics, QA & Testing Services, IT Consulting and Staffing. The Idexcel product line includes NDS, ERP, and Cync, a revolutionary credit monitoring application for manufacturing and financial management. For more information log on to www.idexcel.com.

Global Headquarters
459 Herndon Parkway, Suite 11
Herndon, VA 20170
Tel: 703-230-2600
Fax: 703-467-0218
Email: [email protected]

India Operations
“Crystal Plaza” 9, 10, 11
Bhuvanappa Layout, Hosur Road
Bengaluru – 560 029
Karnataka
Tel: +91-80-2550 8830
Email: [email protected]

© Copyright, Idexcel. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Idexcel. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.
