Many organizations already have some form of mobile presence or plans to deploy one in the near future but don’t know how to get started with mobile application assessments. This guide will help you make informed decisions when procuring mobile application assessment services.
A mobile application assessment can be broken down into the following four components:
- Assess platform-specific considerations, such as permission management on Android.
- Review the device for remnants of sensitive data used by the mobile application.
- Reverse engineer the mobile application binary for sensitive information and to gain a deeper understanding of the application.
- Review the mobile application for the threats it shares with web and other application types: authorization and authentication, the transport of information that must stay confidential or unmodified, vertical and horizontal privilege escalation, overflows, input validation, etc.
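As an added illustration of the first component (the platform-specific review on Android), here is a small triage script; it is example code written for this post, not code from the original article or from Security Compass. It parses an AndroidManifest.xml and lists the items a tester would put on the checklist for discussion with the development team: requested runtime ("dangerous") permissions, application-level flags such as `android:debuggable`, `android:allowBackup` and `android:usesCleartextTraffic`, and components that are exported without an `android:permission` guard. The manifest embedded below is constructed for the example, including the `com.example.bank` package and component names.

```python
"""Triage an AndroidManifest.xml for platform-specific review items (example code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android's runtime ("dangerous") permissions. Any of these in a
# manifest should come with a business justification from the developers.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Application flags that widen the attack surface when set to "true".
RISKY_APP_FLAGS = ("debuggable", "allowBackup", "usesCleartextTraffic")

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (package and component names are made up).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.SYNC"/>
    <provider android:name=".AccountProvider"
              android:authorities="com.example.bank.accounts"
              android:exported="false"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_exported(component):
    """Explicit android:exported="true", or the pre-Android 12 default:
    a component with an intent-filter and no android:exported attribute
    was exported implicitly (API level < 31)."""
    exported = _attr(component, "exported")
    if exported is not None:
        return exported == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return a list of (category, detail) findings for a manifest string."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Requested permissions that belong to the dangerous group.
    for perm_elem in root.iter("uses-permission"):
        perm = _attr(perm_elem, "name")
        if perm in DANGEROUS_PERMISSIONS:
            findings.append(("dangerous-permission", perm))

    app = root.find("application")
    if app is None:
        return findings

    # 2. Application-level flags.
    for flag in RISKY_APP_FLAGS:
        if _attr(app, flag) == "true":
            findings.append(("application-flag", flag))

    # 3. Exported components with no permission guarding them. Other apps on
    #    the device can invoke these, so each one needs a review of what it
    #    accepts and what it exposes.
    for tag in COMPONENT_TAGS:
        for comp in app.iter(tag):
            if _is_exported(comp) and _attr(comp, "permission") is None:
                findings.append(("exported-unprotected",
                                 "%s:%s" % (tag, _attr(comp, "name"))))
    return findings


if __name__ == "__main__":
    for category, detail in audit_manifest(SAMPLE_MANIFEST):
        print("%-22s %s" % (category, detail))
```

On the sample manifest the script reports the `READ_CONTACTS` permission, the `debuggable` and `allowBackup` flags, and two unprotected exported activities; `.SyncService` is skipped because it is guarded by a permission, and `.AccountProvider` because it is not exported. The launcher activity (`.MainActivity`) will always appear in the exported list, since it has to be reachable from the home screen; the point of the checklist is that a tester looks at every item and records why it is acceptable, rather than that every item is a defect.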
Since most testing engagements are severely constrained by time and budget, we encourage you to make provisions to quickly get the tester up to speed, helping them understand the business critical information being processed and the functionality of the mobile application. This knowledge allows the tester to more quickly come up with a solid testing strategy focusing on the important areas within the application; the time saved also allows for more risk-relevant testing coverage.
Some common steps for a tester performing mobile application assessments include the following:
- Developing an understanding of the mobile application and performing threat modeling, which results in a documented test case checklist (we have a proprietary Threat Model Express methodology that guides this process).
- Reviewing the mobile device on which the application is installed, looking at the access control on both the application and its data files.
- Rooting the device, or otherwise extracting the mobile application binary, in order to perform reverse engineering.
- Setting up the mobile device so that the tester can proxy and review all communication between the server and the mobile application.
- Reviewing the mobile application server’s authentication and authorization controls.
Based on our experience, we believe that the typical mobile application developer would benefit from a deeper understanding of the general and platform-specific threats that mobile applications face.
- Exploit-Me Mobile: Hands-on labs for mobile applications assessments
- Other postings on mobile security
About the Guest Blogger:
Andre Harricharran joined Security Compass as a Security Consultant with a Bachelor of Computer Science and a Master’s degree in Information Technology Security from the University of Ontario Institute of Technology. Andre has extensive knowledge in technology roadmapping, pentesting, network security and disaster recovery. With 13+ years in the information technology field, Andre brings a tremendous amount of experience to every project he works on.