Your Guide to Getting Started with Mobile Application Assessments

November 26, 2013

Many organizations already have some form of mobile presence or plans to deploy one in the near future but don’t know how to get started with mobile application assessments. This guide will help you make informed decisions when procuring mobile application assessment services.

A mobile application assessment can be broken down into the following four components:

  1. Assess platform-specific considerations, such as permission management on Android.
  2. Review the device for remnants of sensitive data used by the mobile application.
  3. Reverse engineer the mobile application binary for sensitive information and to gain a deeper understanding of the application.
  4. Review the mobile application for threats similar to those of web and other application types: authorization and authentication, the transport of confidential/integrity-sensitive information, vertical and horizontal privilege escalation, overflows, input validation, etc.

Since most testing engagements are severely constrained by time and budget, we encourage you to make provisions to quickly get the tester up to speed, helping them understand the business critical information being processed and the functionality of the mobile application. This knowledge allows the tester to more quickly come up with a solid testing strategy focusing on the important areas within the application; the time saved also allows for more risk-relevant testing coverage.

Some common steps for a tester performing mobile application assessments include the following:

  • Developing an understanding of the mobile application and performing threat modeling, which results in a documented test-case checklist (we have our proprietary Threat Model Express methodology that guides this process).
  • Reviewing the mobile device on which the application is installed, looking at the access control to both application and data files.
  • Rooting the device, or otherwise extracting the mobile application binary, to perform reverse engineering.
  • Setting up the mobile device such that the tester can review all communication between the server and the mobile application, by proxying the traffic.
  • Reviewing the mobile application server’s authentication and authorization controls.
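The two device-side steps above (access control on application and data files, and remnants of sensitive data) can be checked offline against a copy of the app's data directory pulled from a test device. The script below is an added example written for this guide, not code from the original post or from Security Compass; it assumes POSIX sh with find, grep, sed, wc and mktemp, and the sample directory it scans is constructed in the script.

```shell
#!/bin/sh
# Added example: review a local copy of an app data directory for
# (a) files readable/writable by "other" and (b) plaintext credential-like
# remnants in the usual persistence files. Assumes POSIX sh and coreutils.

# (a) Mode bits 004 / 002. On Android each app runs as its own UID, so a
# world-accessible file is exposed to every other app on the device.
list_world_accessible() {
  find "$1" -type f \( -perm -004 -o -perm -002 \) -print
}

# (b) Preference, database and log files that still contain credential-like
# strings. The pattern is a constructed starting point, not a complete list.
list_sensitive_remnants() {
  find "$1" -type f \( -name '*.xml' -o -name '*.db' -o -name '*.log' \) \
    -exec grep -liE 'password|token|secret' {} + 2>/dev/null || :
}

# Run both checks, label each finding, and print the total on the last line.
scan_app_data() {
  dir="$1"
  n=$( { list_world_accessible "$dir"; list_sensitive_remnants "$dir"; } \
       | wc -l | tr -d ' ')
  list_world_accessible "$dir" | sed 's/^/WORLD-ACCESSIBLE: /'
  list_sensitive_remnants "$dir" | sed 's/^/PLAINTEXT REMNANT: /'
  echo "$n"
}

# Constructed sample: a private-mode shared_prefs file holding a token, and a
# world-readable cache log with no secrets. Expected findings: 2.
make_sample_app_dir() {
  d=$(mktemp -d)
  mkdir -p "$d/shared_prefs" "$d/cache"
  printf '<map><string name="auth_token">CONSTRUCTED-TOKEN</string></map>\n' \
    > "$d/shared_prefs/session.xml"
  printf 'debug trace only\n' > "$d/cache/app.log"
  chmod 600 "$d/shared_prefs/session.xml"
  chmod 644 "$d/cache/app.log"
  echo "$d"
}

# Usage: ./scan.sh <pulled-app-data-dir>; with no argument, scan the sample.
if [ $# -gt 0 ]; then target="$1"; else target=$(make_sample_app_dir); fi
scan_app_data "$target"
```

Each finding still needs a human judgement: a world-readable file with no sensitive content is low risk, while a private-mode file holding a session token points at storage that should be encrypted or not persisted at all.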

Based on our experience, we believe that typical mobile application developers would benefit from a deeper understanding of the general and platform-specific threats that mobile applications face.

About the Guest Blogger:

Andre Harricharran joined Security Compass as a Security Consultant with a Bachelor of Computer Science and a Master’s degree in Information Technology Security from the University of Ontario Institute of Technology. Andre has extensive knowledge in technology roadmapping, pentesting, network security and disaster recovery. With 13+ years in the information technology field, Andre brings a tremendous amount of experience to every project he works on.
