Mobile apps have been steadily gaining ground in the communication industry. With more and more customers switching to smartphones, brands have capitalized on this to reach their customers directly, with more speed, mobility and efficiency than ever before. However, while anything delivered through software brings transparency, agility and cost effectiveness, it is not free of privacy and security issues. To counter them, brands, whether they serve communication, gaming, utility, multimedia, productivity or travel-based functionality, need to run robust mobile app security tests covering the following.
Installation package: Check the installation package thoroughly. Pull the installable file (for example the APK or IPA) from the mobile device, decompile it, inspect the result and modify it to see whether the app detects tampering. A thorough review of the decompiled code helps you spot vulnerable code and, just as often, hard-coded credentials, keys and endpoints that should never ship inside the package.
Local file system: Check what the app writes to the device's local storage: temporary files, cached data and anything left behind after logout or uninstall. This also covers the app's databases, which should not hold sensitive data unencrypted.
Insecure file permissions: Check files on both internal and external storage for their permissions (app-private files should be readable and writable only by the app's own user, and external storage should be treated as shared with other apps), for whether sensitive files are encrypted, and for whether access to them is properly authorized.
Error handling & session management: Check how the application handles exceptions and errors (error messages should not leak stack traces, file paths or other internal details), test session identifiers for randomness, and look for attacks that abuse sessions, such as fixation, hijacking and reuse of a session after logout.
Business logic flaws: Test everything that enforces a rule for logic flaws: security functions, multi-stage processes (can steps be skipped, repeated or reordered?), trust boundaries between client and server, and any place where the client supplies quantities, prices or identifiers that the server should not take on trust.
Client-side injections: Test the installed application for injection of malicious input on the client side, including cross-site scripting and HTML injection in any embedded web views, plus the other injection checks relevant to the app's components.
Server-side validation: Check that the server validates all input independently of the client, since the client can be bypassed entirely; test the server end for injection and cross-site scripting.
Replay attack vulnerabilities: Watch for captured requests that are resent and accepted as legitimate requests from an authorized or unauthorized user; requests should carry a timestamp and a nonce, or an equivalent freshness check, so the server can reject duplicates. Check for HTTP response splitting and cache poisoning too.
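As an added example that is not part of the original post, the following Python script shows the kind of check the local file system and insecure file permissions items above call for. It assumes the app's data directory has been pulled from a rooted device or emulator (on Android, /data/data/<package>) and walks it, flagging files readable or writable by other users, SQLite databases with a plaintext header (a SQLCipher-encrypted database does not carry one) and files containing what look like plaintext credentials or JWTs. The sample directory it builds is constructed for the demo, and the secret patterns are heuristics to be tuned per app.

```python
import re
import stat
import tempfile
from pathlib import Path

# Heuristic patterns for secrets that should never sit in plaintext on the device.
# Starting points only; tune them per application.
SECRET_PATTERNS = [
    ("credential in plaintext",
     re.compile(rb"(?i)(password|passwd|pwd|api[_-]?key|secret|token)\s*[=:'\"]+\s*\S{4,}")),
    ("JWT stored in plaintext",
     re.compile(rb"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.")),
]
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of an unencrypted SQLite file


def audit_app_data(root):
    """Walk a pulled app data directory; return (relative path, issue) findings.

    Files in an app's private directory should be mode 0600 (owner only);
    permission bits for 'other' expose them to other apps and local users.
    """
    findings = []
    root = Path(root)
    for path in sorted((p for p in root.rglob("*") if p.is_file()), key=str):
        rel = path.relative_to(root).as_posix()
        mode = path.stat().st_mode
        if mode & stat.S_IROTH:
            findings.append((rel, "world-readable"))
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        data = path.read_bytes()
        if data.startswith(SQLITE_MAGIC):
            # SQLCipher-encrypted databases do not start with this plaintext header
            findings.append((rel, "unencrypted SQLite database"))
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(data):
                findings.append((rel, label))
    return findings


def build_sample_tree(root):
    """Construct a fake pulled data directory for the demo (not real app data)."""
    root = Path(root)
    for sub in ("shared_prefs", "databases", "cache"):
        (root / sub).mkdir(parents=True, exist_ok=True)
    prefs = root / "shared_prefs" / "user.xml"
    prefs.write_text('<map><string name="password">hunter2</string></map>')
    prefs.chmod(0o600)                          # permissions fine, content is not
    db = root / "databases" / "app.db"
    db.write_bytes(SQLITE_MAGIC + b"\x00" * 84)  # plaintext header, so not SQLCipher
    db.chmod(0o600)
    cache = root / "cache" / "session.json"
    cache.write_text('{"token_type":"Bearer","access":'
                     '"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.sig"}')
    cache.chmod(0o644)                          # readable by other apps and users
    ok = root / "cache" / "ok.txt"
    ok.write_text("nothing sensitive here")
    ok.chmod(0o600)


def run_demo():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_app_data(tmp)


if __name__ == "__main__":
    for rel, issue in run_demo():
        print(f"{issue:<28} {rel}")
```

On a real engagement point audit_app_data at the pulled directory instead of the constructed tree; the permission checks only mean something if the pull preserved the device's ownership and mode bits, so confirm them with ls -l on the device itself before reporting.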
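To make the replay item above concrete, here is an added example (not from the original post) of request signing with a timestamp and nonce on the client side, and verification with a nonce cache on the server side, in Python. The shared key, API path and request bodies are constructed for the demo; a real deployment would bind the key to the session or device rather than ship it in the package, and would keep the nonce store shared across server instances.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key: a real app derives a per-session or device-bound key
# and never hard-codes one in the installation package.
SHARED_KEY = b"demo-shared-key-do-not-ship"
MAX_SKEW = 300  # seconds a request timestamp may differ from server time


def canonical(method, path, body, ts, nonce):
    """The exact bytes both sides sign: any change to them breaks the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{body_hash}\n{ts}\n{nonce}".encode()


def sign_request(key, method, path, body, ts=None, nonce=None):
    """Client side: attach timestamp, fresh nonce and HMAC-SHA256 to a request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(key, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"method": method, "path": path, "body": body, "ts": ts, "nonce": nonce, "sig": mac}


class ReplayGuard:
    """Server side: check freshness and signature, then reject any nonce seen before."""

    def __init__(self, key, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> time after which it can be forgotten

    def _purge(self, now):
        # Keep a nonce for as long as its timestamp could still pass the skew
        # check (strict '<' so the boundary second is still covered).
        for nonce, expiry in list(self.seen.items()):
            if expiry < now:
                del self.seen[nonce]

    def verify(self, req, now=None):
        now = int(time.time()) if now is None else now
        self._purge(now)
        if abs(now - req["ts"]) > self.max_skew:
            return "rejected: stale timestamp"
        expected = hmac.new(self.key, canonical(req["method"], req["path"], req["body"],
                                                req["ts"], req["nonce"]), hashlib.sha256).hexdigest()
        # Signature before the nonce cache: unauthenticated data must not touch state.
        if not hmac.compare_digest(expected, req["sig"]):
            return "rejected: bad signature"
        if req["nonce"] in self.seen:
            return "rejected: replay"
        self.seen[req["nonce"]] = req["ts"] + self.max_skew
        return "accepted"


def run_demo():
    """Fixed clock and nonces so the exchange is deterministic."""
    guard = ReplayGuard(SHARED_KEY)
    now = 1_700_000_000
    body = b'{"to":"acct-42","amount":100}'
    req = sign_request(SHARED_KEY, "POST", "/api/transfer", body, ts=now, nonce="a" * 32)
    results = {"first": guard.verify(req, now)}
    results["replay"] = guard.verify(req, now)  # same capture resent verbatim
    tampered = dict(req, body=b'{"to":"acct-42","amount":100000}')
    results["tampered"] = guard.verify(tampered, now)
    stale = sign_request(SHARED_KEY, "POST", "/api/transfer", body, ts=now - 3600, nonce="b" * 32)
    results["stale"] = guard.verify(stale, now)
    fresh = sign_request(SHARED_KEY, "POST", "/api/transfer", body, ts=now, nonce="c" * 32)
    results["fresh"] = guard.verify(fresh, now)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:<9} {outcome}")
```

The timestamp bounds how long the server must remember nonces, and the nonce covers the window the timestamp leaves open; drop either one and a captured request can be resubmitted. During testing, resend a captured request unchanged, then with the body altered, and confirm the server rejects both.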
Mobile app security concerns arise mainly from malicious functionality and from vulnerabilities. While the list above can serve as a checklist for mitigating risk effectively, app developers and security teams must also keep watch for new threats at all times.
Manoj Rai has around 14 years of IT experience in enterprise applications, mobile and infrastructure security. He has rich and diverse global experience in leading large engagements and in building deep technology expertise in the security testing domain.
Manoj holds a Bachelor of Engineering in Computer Science and an MBA in Systems, and has completed the Executive Delivery Program at IIM-Bangalore. He is a regular speaker on technical subjects such as ethical hacking, mobile security, secure SDLC and cloud security at CISO platforms, OWASP, BLUG, NULL and others. He blogs regularly and has published white papers on threat management and best practices in various social groups.