Assessing the Security of Mobile applications (Part 2) - Testing the application (section 2)


Number: IRCAR201508270

Date: 2015-08-26

 

Testing per requirement

Each requirement should be tested to a definite outcome: either the requirement is violated, or it has been met satisfactorily.

These results will assist in deciding at a later stage whether the app should be approved or rejected, depending on the organisation's specific requirements and its risk acceptance levels.

Requirement being tested / What to consider with regards to the app

Enabling authorised functionality
  • Test the user interface (displays, virtual keyboards, buttons)
  • Test all physical attributes used by the app (cameras, GPS, microphones, communication between devices)
  • Make sure calls and messages are not being utilised for purposes of the app functionality
  • Ensure all these attributes are functioning as intended

Preventing unauthorised functionality
  • Look out for intentional malicious functioning violating security (functions that assist fraudulent activity, stealing of information, opening doors for attack)
  • Banner ads are sometimes utilised to deceive users and deliver phishing attacks
  • Malware detection is important but not 100% guaranteed effective
  • Ensure that the app doesn't converse with untrustworthy sites, domains or servers

Limiting permissions
  • Ensure that the app does not have excessive permissions, only the least permissions required for its intended functioning
  • The more permissions it has, the less secure it is and the higher the potential security risk
  • Look out for the following permissions and consider carefully whether any are necessary:
      • Access to and storage of sensitive data (address book, contacts, passwords etc.)
      • Access to camera
      • Access to microphone
      • File input/output and removable storage (access to files)
      • Privileged commands (ability to activate commands allowing unauthorised system access and elevated attacks)
      • APIs should be carefully considered and only the required ones permitted

Protecting sensitive data
  • Apps most likely process sensitive data in one form or another; this should only be allowed if appropriate cryptographic procedures are used to ensure the data remains secure and private
  • Validated cryptography must be used and implemented correctly, with suitable key management
  • Digital certificates must always be properly validated
  • Data leakage via various unauthorised network routes needs to be considered (cellular, Wi-Fi, Bluetooth, shared system logs)
  • It is recommended to study the app logs to identify the type of data that is leaked

Securing app code dependencies
  • Make sure the app does not use unsafe code. Only depend on code from an external source when really necessary (consider: external libraries and classes, dynamic behaviour, native calls and apps that communicate with each other)
  • Although these behaviours can prove beneficial, they can also pose a great security risk, so their functioning should be carefully considered and only allowed if undertaken securely

Testing app updates
  • Updates should always be tested to avoid new vulnerabilities or the introduction of new weaknesses. This should be done before the update is downloaded to the mobile device
  • Mobile device management within the organisation plays an important part in testing updates. Some policies allow unprompted updates as soon as they are made available; this approach should be avoided whenever possible
  • Updates should always require pre-authorisation and should not be automatic, so that vetting of the update can be undertaken prior to installation

Table 1
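The "Limiting permissions" row (and the "calls and messages" check) can be turned into a repeatable first pass over an Android app's manifest. The following is an added illustration written for this article, not code from the page or from any vetting tool: it parses an AndroidManifest.xml, maps declared permissions to the checklist categories above, and reports anything beyond the set the app's stated functionality justifies. The manifest and the "expected" set are constructed for a hypothetical note-taking app that only needs network access and the camera.

```python
"""Added example: flag sensitive Android permissions in an AndroidManifest.xml.
Illustration code for this article, not a tool from the page or any vendor.
The sample manifest is constructed; the permission strings are real Android
permission names, grouped by the categories in Table 1."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission categories mirroring the checklist: sensitive data, camera,
# microphone, file I/O, calls/messages, privileged commands.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "sensitive data",
    "android.permission.READ_CALL_LOG": "sensitive data",
    "android.permission.ACCESS_FINE_LOCATION": "sensitive data",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "file I/O",
    "android.permission.WRITE_EXTERNAL_STORAGE": "file I/O",
    "android.permission.SEND_SMS": "calls/messages",
    "android.permission.CALL_PHONE": "calls/messages",
    "android.permission.INSTALL_PACKAGES": "privileged",
}


def audit_manifest(xml_text, expected):
    """Return the declared permissions, those that fall into a sensitive
    category, and the excess beyond what the app's functionality needs."""
    root = ET.fromstring(xml_text)
    declared = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    flagged = {p: SENSITIVE[p] for p in declared if p in SENSITIVE}
    excess = sorted(declared - set(expected))
    return {"declared": sorted(declared), "flagged": flagged, "excess": excess}


# Constructed manifest for a hypothetical note-taking app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""

if __name__ == "__main__":
    needed = {"android.permission.INTERNET", "android.permission.CAMERA"}
    report = audit_manifest(SAMPLE_MANIFEST, needed)
    for perm in report["excess"]:
        print(f"REVIEW: {perm} ({report['flagged'].get(perm, 'uncategorised')})")
```

Anything listed under REVIEW is a permission the app declares without a justification in its stated functionality and is a candidate for rejection or a follow-up question to the developer.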


 

Test Methods

A varied set of test methods can be used for application vetting. Below are a few that will be covered in more detail in the article to follow (Part three).

Test methods could include:

  • Correctness testing
  • Source or binary code analysis
  • Static or dynamic analysis
  • Manual testing
  • Automated testing

Conclusion

It is critical to test an application's security features and stability to ensure secure mobile computing for both your user base and the organisation. At the high speed at which apps are released, some security gaps are missed, and thus the exposure factor and risk are higher.

A key strategy is to build security into the development lifecycle with rigorous and methodical testing to ensure that the application is properly built. Independent vulnerability assessments and application penetration testing are highly recommended before releasing both internal and external applications.

 

Created: 20 Mehr 1394