Going Mobile - The Importance of Mobile Application Security Testing
Managing attack surfaces is no easy task - you can’t protect what you don’t know you have. Many businesses have their own stories of a pseudo-mythological Windows XP box that sits in the corner and makes everything run. But one of the areas that often escapes testing is our mobile apps.
With more and more businesses bringing their services on the go, we take a look at why mobile application testing is important, and what Secora commonly identifies when testing.
A Static Shock
We often tend to think of programs and applications as signed, sealed and delivered when they’re pushed out into the wider world. However, one of the first steps that an attacker, or a security consultant, will take when performing a mobile application penetration test is to attempt to decompile the application.
When mobile applications are shipped, they are compiled - their code is neatly compressed and packaged into a format that can be easily installed and run by whatever mobile device they find themselves on. However, this process is often reversible to some extent; with Android apps in particular, it is extremely easy to reverse.
Using publicly available tools, attackers can decompile these apps, retrieving a large amount of source code. This is known as static analysis, and the benefits of this are quite obvious - through source code, attackers can more easily identify vulnerabilities, hidden or administrative functionality and more.
But one of the most common issues discovered with mobile apps is that of hardcoded credentials. Let’s consider a simple application that allows users to send an SMS using an external service. It is highly likely that access to this external service is managed through the use of an API key. An attacker would be able to decompile the mobile application, retrieve the API key and use it themselves to send mass spam messages. This is much more common than one would think - Secora has frequently discovered passwords, API keys, URLs pointing to interesting servers and files - the list goes on.
When performing mobile application penetration tests, Secora will decompile the application and comb it for secrets to ensure that they can be removed before the attackers can get their hands on them.
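The secret sweep described above can be partly automated. The following is an added illustration written for this post, not Secora's tooling: a small Python scanner run over a constructed fragment of decompiled Java, in which the class, identifier names, URL and key values are all made up.

```python
import math
import re

# Constructed sample of decompiled Android (Java) source; not taken from any real app.
SAMPLE_DECOMPILED = '''public class SmsClient {
    private static final String BASE_URL = "https://sms-gateway.example.internal/v1/send";
    private static final String API_KEY = "sk_live_4f9c2b7a8e1d0c3b5a6f7e8d9c0b1a2f";
    private static final String APP_NAME = "DemoMessenger";
    private static final String SEED = "Zx9qL2mP7vN4kR8tW3yH6bJ1";
    private String adminPassword = "Winter2024!";
}
'''

# Identifier names that commonly hold credentials in shipped apps.
SECRET_NAME_RE = re.compile(r'(?i)(api[_-]?key|secret|password|passwd|token|credential)')
# Java/Kotlin string assignment: <identifier> = "<literal>", with escaped quotes allowed.
ASSIGN_RE = re.compile(r'(\w+)\s*=\s*"([^"\\]*(?:\\.[^"\\]*)*)"')
URL_RE = re.compile(r'^https?://')


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and names score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def find_hardcoded_secrets(source, min_entropy=3.5, min_len=16):
    """Return (line_no, reason, identifier, value) for each literal worth reviewing.
    A credential-like name is flagged even when its value is a weak word; otherwise
    only long, high-entropy literals (the shape of an API key) are reported.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for ident, value in ASSIGN_RE.findall(line):
            if URL_RE.match(value):
                findings.append((line_no, "embedded URL", ident, value))
            elif SECRET_NAME_RE.search(ident):
                findings.append((line_no, "credential-like name", ident, value))
            elif len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                findings.append((line_no, "high-entropy literal", ident, value))
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_DECOMPILED):
        print(finding)
```

Running it against the sample reports the endpoint URL, the API key, the random seed and the weak admin password, while leaving the harmless APP_NAME literal alone; the same scan applied to real decompiled output is a cheap first pass before manual review.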
Bigger on the inside
If you aren’t testing your mobile apps, then the likelihood is that you are also missing the web services that support them. All but the simplest of mobile applications are fed via web services, which are used to fetch data, perform operations and more. And as web services, these pieces of functionality can contain any number of common vulnerabilities - injection, improper authentication and more.
At Secora, we use tools to intercept the traffic as it travels from the mobile application to the server, examining how it works and how both the server and the application interact with one another. From here, it undergoes the same kind of rigorous testing that we provide to any other web application or API call, attempting to use our experience to manipulate it into revealing additional data or performing some unintended action. All of the most common web application attacks are fair game - for more information on the wild, wild web, check out our blog post on the vulnerabilities we identify most often.
Get our expert help
As you can see, testing mobile applications requires a fairly broad skill set - one requires knowledge of mobile operating systems, the ability to meticulously analyse code, and the experience of testing web applications and API calls.
At Secora, we’ve done the hard work of gathering that expertise for you. Contact us to discuss testing for your mobile applications, or have a look at our wider penetration testing services.
All of Secora Consulting's assessments are tailored to our clients' needs.
Using our experience, we can help you determine which services are right for you.