Exploring mobile application security
Targeting your mobile application
Mobile applications, or apps as they have become known, are a key way in which services are offered directly to end users, tailored more closely to the provider's needs than would be possible with a traditional web application.
Apps offer a richer media experience than a web application, and the provider can connect with the user more directly. Apps can offer features while disconnected from the Internet and can make use of phone capabilities such as reading location data to understand where the user is, reading contact data from the phone to connect users, using the microphone, and offering additional options for sending notifications.
As apps are so widely used, the risks to the user and to the provider should be understood: depending on the type and nature of the application, an app may store and transmit sensitive information. The apps themselves generally rely on supporting services. If these are poorly architected or implemented, it may be possible to extract details from the application (such as endpoints, credentials or API keys) that could be used against those supporting services.
For example, a mobile banking application would generally benefit from more detailed assessment while an app designed to allow sharing of pet pictures would likely require less effort to assess.
Understanding the process
What are the typical stages?
Typically, the OWASP Mobile Application Security Testing Guide is used as a baseline, thereafter in-house skills and experience are used to cover additional attack surfaces.
Following the principle of starting outside and moving in, it is generally wise to begin by grasping how the application is architected and gaining an understanding of its main components, including the supporting services and infrastructure. The mobile application, whether iOS- or Android-based, is decompiled and reviewed statically. Thereafter the application is carefully analysed to find how and where it stores information, how it interacts with the supporting services, and how it interacts with the mobile platform.
Take action today
Protect Your Organisation with Penetration Testing
Get started with a comprehensive penetration test today and fortify your organisation against cyber threats.