Mobile Application Security Testing Steps

Introduction: 

Mobile phones have entered every aspect of users' lives today, from communication and data to shopping and entertainment. To keep a strong hold on the market, companies keep bringing the latest features and updates to mobile operating systems and mobile applications.

This accelerated development pace has made it essential for organizations to run mobile application security testing to prevent data breaches and mitigate the risks. Any software on a mobile phone, including the operating system itself, can contain weaknesses or defects that lead to vulnerabilities. Attackers keep exploring new techniques to exploit these vulnerabilities and put users' confidential and sensitive information at risk.

To counter this, mobile application security testing should be performed; it helps to close the security loopholes in mobile applications and tighten their security.

Must Read: OWASP Mobile Top 10-2016 Vulnerabilities (detailed explanation and prevention techniques).

Objective:

Mobile Application Security Testing focuses on identifying vulnerabilities that can be exploited through applications on mobile phones. The analysis attempts to detect vulnerabilities both as a registered user and as an anonymous user. This testing has a high manual component (about 80%), and testers build custom threat profiles to discover contextual security vulnerabilities that are specific to the application.

There are different methodologies used to perform mobile application security testing such as Black Box Security Testing, White Box Security Testing and Gray Box Security Testing.

In this article we explain Mobile Application Gray Box Security Testing, which is a combination of white box and black box testing.

Methodology: 

The methodology proposed for mobile security testing is a structured five-step process that requires a high level of manual testing and a thorough understanding of the application.

  1. Understanding the Application
  2. Create Threat Profile
  3. Test Plan Preparation
  4. Performing Manual and Automated Security Tests
  5. Report Generation

Each of the steps is discussed below in more detail.

1. Understanding the Application: 

The foremost step for the security team, before testing the mobile application, is understanding the different functions and features of the application. This can be done by browsing through the application, reading the user manuals and, if necessary, walking through the application with the application owner or developers. The main goal of this step is to ensure that the security team is fully aware of the application's purpose, functions and features.

2. Create Threat Profile: 

The Threat Profile lists all the threats that have been identified and becomes the starting point for the subsequent tests. It also records the threat actors and threat scenarios, and illustrates in detail how these components fit together. Here, penetration testers focus on the goals of the attackers.

A few examples of threats to a mobile application are:

  • Steal user credentials stored on the mobile device.
  • Steal hardcoded information such as encryption keys.
  • View confidential user information held on the server.
  • Intercept and alter the data being sent by a user to the server.

3. Test Plan Preparation: 

The next step, once the Threat Profile is finalized, is Test Plan preparation. Ensure that each threat in the Threat Profile is mapped to the specific pages (screens) of the application where it applies.

The Test Plan then identifies all the attacks that need to be performed on those pages to assess that specific threat.

The Test Plan should include the following critical threats:

  • OWASP Mobile Top-10 Vulnerabilities
  • Variable Manipulation
  • Hardcoded Secrets in the application package
  • Weak Cryptographic usage
  • Bypass Input Validation
  • Data Leakage via other channels
  • Weak mPIN / password
  • Sensitive Information in Cache
  • Privilege Escalation

4. Performing Manual and Automated Security Tests: 

Once the Test Plan and Test Cases are prepared and approved, perform the security testing with both manual and automated checks, following the Test Plan. During testing, the test engineer may identify additional tests or attacks worth executing; in that case, record the additional task in the Test Plan first and then perform the new tests.

The testing team should work through the threats one by one and perform the corresponding tests. If a test case succeeds, mark it as unsafe in the Test Plan. Ensure that the sequence of screenshots illustrating the attack is recorded and included in the final report.
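The following is an added example, not code from the original article, showing what the automated part of step 4 can look like for two of the Test Plan items above ("Hardcoded Secrets in the application package" and "Weak mPIN / password"), and how each threat from the Threat Profile is mapped to screens and marked safe or unsafe. The unpacked package files, resource names, key values, PINs and the entropy threshold are all constructed assumptions for the example, not data from the article or any real application.

```python
"""Added example (not from the original article): two automated Test Plan
checks run against a constructed, in-memory unpacked application package,
with every threat recorded as safe/unsafe the way step 4 describes.
All paths, names, values and PINs below are constructed sample data."""
import math
import re
from collections import Counter

# Constructed sample: relative path -> text of a file extracted from the package.
PACKAGE_FILES = {
    "res/values/strings.xml": (
        '<string name="app_name">DemoBank</string>\n'
        '<string name="api_key">AKIAEXAMPLEEXAMPLE01</string>'
    ),
    "assets/config.properties": (
        "encryption_key=Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA==\n"
        "server=https://api.example.invalid"
    ),
    "src/Login.java": (
        'String password = "admin123";\n'
        'String greeting = "Welcome";'
    ),
}

# Identifier names that usually hold secrets.
SECRET_NAME = re.compile(r"(?i)(api[_-]?key|secret|passw(or)?d|pwd|token|encryption[_-]?key)")
# Android resource strings, and generic name=value / name = "value" assignments.
XML_STRING = re.compile(r'<string name="([^"]+)">([^<]*)</string>')
ASSIGNMENT = re.compile(r"""([A-Za-z_][\w.-]*)\s*=\s*["']?([^"'\n<]+)["']?""")
# AWS access key IDs have a fixed, well-known shape.
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Long base64/hex-looking tokens are judged by entropy rather than by name.
TOKEN_CHARSET = re.compile(r"^[A-Za-z0-9+/=]{20,}$")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed cut-off for this sample


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_hardcoded_secrets(files: dict) -> list:
    """Return [(path, name, reasons)] for every value that looks like a secret."""
    findings = []
    for path, text in files.items():
        for line in text.splitlines():
            pairs = XML_STRING.findall(line) or ASSIGNMENT.findall(line)
            for name, value in pairs:
                value = value.strip()
                reasons = []
                if SECRET_NAME.search(name):
                    reasons.append("secret-like name")
                if AWS_ACCESS_KEY.search(value):
                    reasons.append("AWS access key pattern")
                if TOKEN_CHARSET.match(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                    reasons.append("high-entropy token")
                if reasons:
                    findings.append((path, name, reasons))
    return findings


# Rules an mPIN policy should reject; evaluated in this order.
WEAK_PIN_RULES = {
    "too short": lambda p: len(p) < 4,
    "all digits identical": lambda p: len(set(p)) == 1,
    "sequential digits": lambda p: p in "0123456789" or p in "9876543210",
}


def weak_mpin_reasons(pin: str) -> list:
    """Return the rule names a numeric mPIN violates (empty list = acceptable)."""
    if not pin.isdigit():
        return ["not numeric"]
    return [rule for rule, is_bad in WEAK_PIN_RULES.items() if is_bad(pin)]


def accepted_weak_pins(pins: list) -> list:
    """Given PINs the Set mPIN screen accepted, return those it should have refused."""
    return [(p, weak_mpin_reasons(p)) for p in pins if weak_mpin_reasons(p)]


# Threat Profile entries mapped to the screens they apply to and the check to run.
TEST_PLAN = [
    {"threat": "Hardcoded Secrets in the application package",
     "screens": ["package (all screens)"],
     "check": lambda: find_hardcoded_secrets(PACKAGE_FILES)},
    {"threat": "Weak mPIN / password",
     "screens": ["Set mPIN"],
     # constructed sample: PINs the Set mPIN screen accepted during testing
     "check": lambda: accepted_weak_pins(["1234", "1111", "7391"])},
]


def run_test_plan(plan=TEST_PLAN) -> list:
    """Run every check; non-empty evidence means the test case succeeded -> 'unsafe'."""
    results = []
    for entry in plan:
        evidence = entry["check"]()
        results.append({"threat": entry["threat"], "screens": entry["screens"],
                        "status": "unsafe" if evidence else "safe",
                        "evidence": evidence})
    return results


if __name__ == "__main__":
    for r in run_test_plan():
        print(f"{r['status'].upper():6} {r['threat']} on {', '.join(r['screens'])}")
        for item in r["evidence"]:
            print("       ", item)
```

The name-based rule finds the obvious cases ("password", "api_key"), the fixed-shape rule catches a credential even when it hides behind a harmless name, and the entropy rule is a fallback for random-looking tokens; the entropy threshold is the part to tune against the real package, because strings such as URLs and base64 assets can sit close to it. Each evidence list becomes the screenshot-backed finding for that threat in the final report.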

5. Report Generation: 

Once the security team has concluded the tests, the documentation process begins and the report is generated. The detailed report should describe each vulnerability identified as well as the method used to identify it. It should also give concrete recommendations for each finding to help mitigate the risk. Once the final report has been reviewed and generated, share it with the client.

The detailed testing report contains the following sections:

  • Summary
  • Record of Audits
  • Vulnerabilities Identified
  • Vulnerability Ratings
  • Threat Profile
  • Test Plan
  • Compliance Requirements, where applicable
  • Screenshots, where feasible
  • Recommendations with details and additional resources

Requirements Needed for the Mobile Application Security Assessment

Below are the prerequisites for a Gray Box assessment of a mobile application:

  • The application package file, to be installed or downloaded on the mobile devices.
  • User manual, administrative guide and help documents.
  • Two activated login IDs/passwords for each privilege level.
  • The emulators used by the developers for testing.
  • Full knowledge of the architecture, processes and application workflow.

Verification:

  • The application is ready to be tested.
  • No changes are planned during the test.
  • The login IDs are fully activated.
  • The application has sample data that can be used for the testing, for example:
    • Account details of a user.
    • Sample content that can be viewed and queried.
    • Sample content that may be edited or modified during testing.

Must Read: Apple iOS Mobile Application Security – Best Practices (top 10 security practices for iOS mobile applications).
