Challenges in Testing Mobile App Security
Mobile App Security: Overview of Challenges, Right Approach, Strategy
Mobile devices and apps are now an integral part of our work and life. Apps are the
life-breath of smart mobiles. Enterprise mobile apps as well as consumer apps have
simplified messaging, document sharing, collaboration, banking, and online shopping,
and lots more. Not only do mobile apps store personal and corporate data, but they
may also access extremely sensitive information like social security numbers and
banking PINs.
Whether it is consumer apps or internal corporate apps, the consequences of a data leak
or security breach can be dire. Any app development firm that fails to safeguard the
privacy of its users is bound to get ripped in the press, while any corporate app that
leaks data can cause untold damage to enterprises.
And things are getting trickier for enterprises as the threats to smart mobiles are rising:
55% of SMBs and 66% of enterprises provide company-owned or supported mobile devices to employees
Only 11% of users agree that they only access apps from the corporate app store when outside the office (meaning most access third-party apps on unprotected networks)
Mobile malware is getting more sophisticated, and its volume grew by 614% from March 2012 to March 2013
75% of apps don't encrypt properly when storing data
86% of apps don't have proper protection against common attacks
Needless to say, securing mobile devices, data and connections is at the top of the list
for enterprise IT managers as well as mobile app testers. It doesn’t help that testing
and securing mobile applications comes with its own set of problems and
complications:
Challenges to Fail-Proofing Security of Mobile Apps

1. OS Variations
Even if you simply build apps for iOS and Android, there are various versions of the operating systems on which the app will have to run. Each version can have a different set of vulnerabilities, and the app tester needs to be aware of them all.

2. Device Fragmentation
There are dozens of major mobile devices on which the application needs to function. Performance testing itself is a tough task, but when you identify and consider the security vulnerabilities specific to devices, the task of securing mobile apps gets even more intricate.

3. Lack of Mobile Testing Automation Tools
While the testing basics remain the same whether you are testing a mobile app or a web application, the same automation tools won't work for both. While many test automation and testing tools for mobile have emerged, there is a dearth of full-fledged standard tools that can cater to every step of the security testing process.

4. Dearth of Experienced QA Professionals
Mobile security testing requires a strong grasp of how mobile devices, OSes and tools work. In addition, an understanding of how server-side and client-side interactions, data storage and authentication work on mobile is also needed. The lack of professionals with the right blend of knowledge also impacts mobile security at times.

5. Looming Deadlines
When you are working on an enterprise-scale app, there is a chance that newer versions of OSes will be released before you complete the app! App developers are under tremendous pressure to deliver apps within a short period, and security testing can take a back seat in such a scenario. Agile development and testing can provide a solution.
Mobile App Security Risks are all Too Real

With BYOD and Cloud Computing trends gaining widespread acceptance, information has escaped the four walls of the enterprise. On the other side, consumer-facing apps sit on a large treasure trove of private consumer data that hackers would love to get their hands on. And there are several major threats to mobile application security.

How can you battle all the small and big mobile security dangers out there? Too many developers focus just on development or performance testing at the start and consider security factors only after the bulk of development is finished. The first thing is to start application development with the right mindset.

Ask these basic questions and keep the answers in mind throughout the testing process.

Data Sensitivity: Does the app store sensitive data? Is the data encrypted at all the key points? Are there pluggable loopholes that a hacker can exploit?
Data Storage: Is the data encrypted, and is it stored at a secure and trusted location?
Non-repudiation: Can the data on the app always be trusted and verified by the user? Are there logs of app events that can pinpoint the origin of data with integrity?
Authentication: Can anyone with access to peripheral information access the app, or is there a strict authentication process?
Offline Security: Is the app available offline? Can a hacker attack the app offline?
Secure Notifications: Can pop-up notifications or logs leak sensitive data to unauthorized users?
Client-side Entry Points: Are all potential client-side entry points validated and secure?
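The "Secure Notifications" question (can notifications or logs leak sensitive data?) can be turned into a pre-release check. The following is an added example, not code from the original deck: a small scanner that flags SSN, PIN and session-token patterns in log and notification output and masks the secret in its own report. The sample lines, rule names and patterns are constructed assumptions; a real app would tune them to its own data.

```python
import re
from dataclasses import dataclass

# Constructed sample of lines an app might write to the device log ("D/", "I/")
# or show in a notification ("N/"). Hypothetical data, not from the deck.
SAMPLE_OUTPUT = [
    "D/Login: user jane.doe signed in",
    "I/Payments: card PIN entered: 4821",
    "I/Profile: SSN on file 123-45-6789",
    "N/Banking: Transfer of $250 to acct ending 8876 completed",
    "I/Session: token=eyJhbGciOiJIUzI1NiJ9.c3ViamVjdA.sig",
    "D/Sync: 3 documents synced",
]

# Each pattern captures the secret itself in group 1 so it can be redacted.
# Kept narrow on purpose: a release gate should be actionable, not noisy.
RULES = {
    "pin": re.compile(r"\bPIN\b\D{0,20}(\d{4,6})\b", re.IGNORECASE),
    "ssn": re.compile(r"\b(\d{3}-\d{2}-\d{4})\b"),
    "bearer_token": re.compile(r"token=([A-Za-z0-9_\-]+(?:\.[A-Za-z0-9_\-]+){2})"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    redacted: str  # the offending line with the secret masked


def redact(line: str) -> str:
    """Mask every captured secret so the finding itself does not leak it."""
    for pattern in RULES.values():
        line = pattern.sub(
            lambda m: m.group(0).replace(m.group(1), "[REDACTED]"), line)
    return line


def scan(lines):
    """Return one Finding per (line, rule) hit, in line order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(line_no, name, redact(line)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_OUTPUT):
        print(f"line {f.line_no} [{f.rule}] {f.redacted}")
```

Run it against captured logcat or notification text in CI and fail the build when `scan()` returns anything.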
Three-Pronged Strategy for Rock Solid Security

When you come right down to it, the biggest risk lies in insecure mobile APIs, data leaks in transit, malicious apps, and stolen or lost devices. To elevate the security of enterprise mobile apps and devices, we need to follow a three-pronged approach, focusing on:

1. Securing all wireless (including GSM, LTE, CDMA, NFC, Bluetooth) mobile connections through encryption, validation and authentication
2. Protecting the app against traditional threats like SQL injection and malware, and neutralizing specific threats posed by different OSes and versions
3. Securing data and devices through encryption, remote access to devices and data-wipe features

Yes, it is quite a bit of work. And if you try to follow all the best practices of testing and securing mobile applications, you will end up spending a lot of time and effort on it. In fact, according to CIO Insight, mobile application testing consumes 25% of the IT budget!
Are you looking for a reliable partner who can help you secure your mobile applications? Do you want help with fail-proofing the security of your enterprise mobile assets?

Cygnet Infotech has been building enterprise-scale applications for more than a decade. Our QA services for web as well as mobile apps have helped several enterprises and ISVs accelerate time-to-market and deliver high-performance and secure solutions that please the end users.

We can help you secure your iOS, Android, BlackBerry and Windows Phone apps through comprehensive:
Manual penetration testing
Source code review
Threat modeling
Vulnerability assessment
Server vulnerability testing
Mobile test automation
And lots more

We can help you find a solution to your mobile app development, testing and security problems. Get in touch with us and get an obligation-free assessment of your needs now!