Mobile application security testing is performed to identify the vulnerabilities in a mobile application. In recent years, a surge in the usage of mobile technology has been observed, and it is expected to keep growing. With this scale of adoption, we have seen a rise in mobile security incidents. Cyber criminals are developing more precise and targeted programs that exploit the broad mobile attack surface wherever security has not been tailored to it.
OWASP Mobile Top 10, SANS 25, NIST, PCI and all other applicable industry security frameworks are the usual standards followed for VAPT (Vulnerability Assessment and Penetration Testing) of mobile applications.
Best scanning practice includes performing all scans and re-scans within 30 days. Organizations should also deploy all vulnerability patches of Critical and High severity within 15 days. If an organization is unable to fix a vulnerability within 30 days, that vulnerability is to be reported so that alternative controls to mitigate the risk can be applied, and the organization can re-assess that particular finding in the next scan.
The vulnerability test report for a mobile application has the following elements.
• The report defines an objective and a detailed risk description for every reported vulnerability.
• The report demonstrates all the identified vulnerabilities with Proof-of-Concept (POC) collected while performing the security assessment.
• All the reported vulnerabilities in the report are categorized into severity levels such as ‘Critical,’ ‘High,’ ‘Medium’, ‘Low’ and ‘Info’ as per their Common Vulnerability Scoring System (CVSS) score, depending on the risk and the potential business impact it may cause due to vulnerability exploitation.
• Recommendations for the effective mitigation and closure of the identified vulnerabilities are assigned and mentioned in the report.
• Usually, only those vulnerabilities identified on the date of the assessment are reported; vulnerabilities present before or introduced after the assessment period are not covered.
After the vulnerabilities are identified, they are exploited to gain access to the system. Once access is gained, the tester attempts both to avoid detection and to extend that access to the system and to additional potential assets. The value of the compromised machine or entry point is then determined.
It takes 4-5 days to complete the mobile application test (might vary depending upon the complexity of the application) and 1-2 days for the reporting.
For mobile application security testing, various commercial and open source tools such as Burp Suite, Kali Linux, Android Tamer, Genymotion, AppUse etc. are used.
In vulnerability testing of a mobile application, the ‘entry points’ of the application that could be vulnerable and expose its weaknesses are identified.
The two types of testing in vulnerability analysis of a mobile application are:
a. Static Analysis: Static analysis is conducted using automated or commercial mobile application vulnerability scanners to identify and detect security vulnerabilities in the application caused by vulnerable security packages and misconfigured security permissions.
b. Dynamic Analysis: The purpose of Dynamic Analysis is:
• To identify potential vulnerabilities in the application’s runtime functionality and confirm them by exploiting the identified vulnerability.
• To identify vulnerabilities which may not be identified in Static Analysis as Static Analysis works without the execution of the application.
Mobile application security testing is conducted to identify programming-level issues, file access issues, configuration issues, etc. in the application that can turn into vulnerabilities and impact the organization either immediately or in the near future.