Secur’s Mobile App Security Testing service provides a detailed security analysis of your phone or tablet-based app. A key feature of this service is manual testing by experienced security professionals, which typically uncovers many more issues than automated tests alone.
Vulnerable apps fail to validate SSL certificates
Mobile applications that send and receive sensitive information are tempting targets for man-in-the-middle (MITM) attacks where a correctly positioned attacker can view and manipulate traffic. Mobile applications use the same approach to securing communication as conventional web sites: SSL/TLS. However, SSL certificate validation is far from trivial and mobile applications often fall short of the standard of certificate validation performed in mainstream browsers.
Without sufficient validation of SSL certificates in a mobile app, an attacker can substitute a legitimate SSL certificate with one under his control and thus view or manipulate sensitive information submitted by the user. Mobile app users who regularly connect to untrusted public wireless networks are particularly at risk, both from rogue access points and from other users of the wireless network. Unlike with conventional phishing attacks, browser-based blocking of malicious websites is not sufficient to defend against this type of attack.
Secur has discovered SSL certificates in the wild which may have been used in MITM attacks targeting banking applications, and has also discovered an invalid certificate masquerading as *.itunes.apple.com (though iOS appears to behave correctly and rejects such a certificate). With billions of downloads of mobile apps — from the Apple App Store and Google Play — the attack surface is potentially huge and obviously attractive to fraudsters. In a study conducted in late 2012, more than 17% of tested Android applications failed to fully validate SSL certificates.
Mobile app and server testing
When a customer uses an app to access your services over the internet, it is imperative to ensure security at both ends. It is pointless developing a highly secure app if there are gaping holes in the servers that store and process customer data; conversely, even if your servers are completely secure, an insecure app could allow customer data to be retrieved or redirected to a remote attacker.
Accordingly, Secur’s mobile app testing includes the following client-side activities:
- Decompilation of the installed app
- Searching for sensitive information hard-coded within the app
- Verifying the security of locally stored credentials
- Checking that SSL certificates and signatures are properly validated
- Discovering insecure use of cryptography for transmitting data or for local storage
- Source code analysis (if appropriate)
- Checking that automatic updates do not provide a conduit for attackers to install arbitrary code
- Verifying all sensitive information is removed after uninstalling the app
- Looking for unintended transmission of data, such as the user’s phonebook when it is not required
The app testing service also includes testing of the web services used by the app. The following aspects are examined in detail to ensure that the backend servers do not expose customer data to other parties:
- Server configuration errors
- Loopholes in server code or scripts
- Advice on data that could have been exposed due to past errors
- Testing for known vulnerabilities
- Reducing the risk and enticement to attack
- Advice on fixes and future security plans
Typical issues discovered during a mobile app and server test
- Vulnerability to man-in-the-middle (MITM) attacks
- Insecure storage of sensitive data on mobile devices
- Insecure use of cryptography
- Weak session management
- Unauthorised access to other users’ accounts
- SQL injection
- Server misconfigurations
- Command injection
- Well-known platform vulnerabilities
- Back doors and debug options
- Errors triggering sensitive information leaks
- Broken ACLs/Weak passwords
About Secur’s mobile app security testing service
The service is designed to rigorously push the defences of not only the app itself, but also the servers it interacts with. It is suitable for commissioning, third party assurance, post-attack analysis, audit and regulatory purposes where independence and quality of service are important requirements.
A final written report provides an analysis of any security or service problems discovered together with proposed solutions, links to detailed advisories and recommendations for improving the security of both the app and the web services it uses.
The Mobile App Security Testing service can be used to ensure compliance with PCI DSS requirement 11.3, (penetration testing) as it includes both network and application layer testing. Secur is a PCI Approved Scanning Vendor (PCI ASV).
Cost and duration
The duration of a test depends on the size and complexity of an app, but can start from 10 days (approx eight days testing, two writing up).