An Overview of Mobile App Security Testing


Darren Fitzpatrick - Espion

Mobile applications intended for consumer and enterprise use continue to achieve explosive growth and widespread adoption. In relation to IT security, the way mobile devices are used presents different kinds of risk beyond those of traditional computing environments.

Mobile applications provide access to sensitive information such as bank accounts, credit card data, personally identifiable information (PII), travel details and personal emails among others. In addition, enterprise mobile applications are extending corporate networks beyond their traditional perimeter boundaries, and present organisations with potential exposure to new kinds of security threat. Hence securing such applications and their surrounding environment is increasingly essential.

This talk would discuss the various categories of mobile application security risk, using existing proprietary frameworks as a guide (e.g. the OWASP and Veracode categorisations). Such risks can occur at different levels of the mobile technology stack (infrastructure, hardware, operating system and application levels).

The talk would also discuss how such risks can be reduced or mitigated, ensuring that optimal security is built into mobile applications during development, as well as in the surrounding environment in which mobile applications are used. Key risk assessment steps that apply to mobile application testing include:

* Testing for Data Validation Type Vulnerabilities
* Review of Authentication and Authorisation Procedures
* Review of Session Management Procedures
* Checking for Network Communications and Transport Security
* Review of Application Data Storage Mechanisms
* Review of Information Leakage from Decompiling the Application
* Review of whether the application compromises Personally Identifiable Information (PII)
* Checking for broken cryptography
* Scanning for server vulnerabilities.