5 Penetration Test Tips for Mobile Apps
Published on June 13, 2018 by Gabriel Torok
Five Penetration Test Tips to Create Secure Mobile Apps
Just as businesses and consumers make the shift from desktop-driven digital change to mobile devices and applications, so are malicious actors. While traditional attack vectors still enjoy widespread success, increasing infosec knowledge about cybercriminal origins and threat profiles has pushed attackers down a new path: Mobile.
As noted by Threat Post, for example, advanced persistent threats (APTs) like RedDawn — which masquerades in app stores as “beta” versions of useful software — are now making the shift to mobile platforms. PC Authority, meanwhile, reports that fraudulent mobile transactions are up more than 600 percent from 2015, while Dark Reading points out that mobile users are now 18 times more likely to be targeted by phishing than traditional malware attack vectors.
What does all this movement mean for mobile app developers and owners? That just designing secure applications is not enough. Ongoing penetration testing and risk assessments are now critical to ensure that apps that were safe yesterday still hold up today — and won’t fall apart tomorrow.
Historically, mobile development was a kind of digital wild west — oversight was minimal and only the strong survived. But rapid mobile uptick combined with the primacy of personally identifiable information has changed the game.
Now, companies are being held accountable for their applications. It does not matter if you are using open-source third-party code or you built the entire app in-house; governments, compliance agencies and industry standards councils have made it clear that if your app handles consumer personal or financial data, security is your responsibility.
Regulatory bodies such as the PCI Security Standards council now mandate application security best practices — and regular testing — to ensure companies are safely handling consumer data. Meanwhile, organizations such as OWASP and NIST are now explicitly identifying risks that target mobile applications and developing best practices to help organizations meet increasing expectations.
Speaking of expectations, the newly-minted General Data Protection Regulation (GDPR) and existing US Defend Trade Secrets Act make it clear that that app-development organizations are accountable for the integrity, transparency and security of any mobile app they deliver.
Bottom line? It is not enough to assume you have a secure app; regular, rigorous pen testing is essential to uncover potential vulnerabilities and patch critical problems before hackers leverage them to compromise corporate networks.
1. Mobile Isn’t Web – Recognize the Unique Risks
Ready to develop a mobile app testing plan? First up: Recognize that mobile is not web.
It is tempting to see them as one and the same. Both experience similar issues, both can be evaluated using similar tools and ultimately all apps — website or mobile — leverage the same Internet.
But here is the hard truth: Mobile devices are in a category all their own. For example, smartphones or IoT devices often lack basic security controls such as two-factor authentication or privileged access control. The result? Attacks that would never make it past solid web app defenses — such as account takeover or brute-force password cracking — are simple for attackers to circumvent on mobile devices. In addition, the sheer number and type of mobile devices means that many are running in an untrusted environment where typical rules do not apply.
2. Testing Against Attacks
Have a mobile app? Check. Recognize the unique risks of a mobile environment? Check. Now it’s time to design a mobile pentest plan. First, identify key areas to test, including:
- Proper use of Encryption – Is all sensitive information encrypted at rest and in transit? Are all keys correctly stored?
- Environmental resilience — Can your app detect root attempts? Does it recognize emulators?
- Anti-tamper detection and defense — This includes re-packaging prevention, binary and DEX integrity, and resource integrity.
- Reverse-engineering deterrents — Are you using obfuscated executables (renaming, string encryption, control flow, etc.) to make it harder for hackers to reverse-engineer your app?
- UI Security —Can hackers get to private information in other ways? Do you prevent screencasting? Allow third party keyboards? Control accessibility services?
- Credentials Management — How does your app recognize legitimate users and keep their data safe? It’s critical to leverage tools such as encryption to reduce the chance of data tampering and device binding to limit the impact of security on trusted users.
3. Risk Assessment
Next up? Create a risk assessment. Depending on the vulnerabilities that are uncovered, specific attack scenarios exploiting those vulnerabilities may be demonstrated, such as:
- Repackaging attacks — Attackers may reverse-engineer your code, create a near-duplicate of your app laden with malware and upload it to mobile app stores.
- Payment attacks — If hackers gain access to mobile applications that handle financial data they could both redirect legitimate transfers and conduct unauthorized transfers.
- Login screen attacks — Improperly stored or encrypted login screen data could allow hackers to copy this information and break device binding.
- Data attacks — If attackers gain access to mobile app databases they could read, modify or steal sensitive data.
4. Right Technique, Right Tools
Pen testing mobile apps is all about breaking them to see what happens — finding new and unexpected ways to compromise critical functions before attackers manage to do the same. This requires a combination of both technique and tools; as noted by OWASP’s Mobile AppSec Verification standard, for example, it’s a good idea to use source code scanners and black-box testing tools “wherever possible” to increase efficiency. But automation is not sufficient in isolation: “Every mobile app is different, and understanding the overall architecture, business logic, and technical pitfalls of the specific technologies and frameworks being used is a mandatory requirement to verify security.”
In addition, tools such as pen-test specific search engines like Shodan and Censys are a great way to find vulnerable nodes and open-source code, respectively, while InfoSecurity Magazine notes that Google advanced search operators can help gather anonymous information, map networks and enumerate potentially vulnerable ports.
5. Learn to Think like a Hacker
There are resources available to pen-testers want to learn more about how security vulnerabilities occur in mobile applications. See the vulnerable (on purpose) Android mobile applications and the Damn Vulnerable iOS mobile application. Also, Pen-testing mobile apps involves skills around reverse engineering, decryption, network traffic sniffers and file analysis. So, brush up on those skills.
Ignorance ? Bliss
Bottom line? When it comes to mobile application security, ignorance is not bliss. Ignoring potential application risks and the need for penetration testing is not an acceptable defense in the eyes of compliance regulators and government agencies, which now put willful ignorance and criminal intent on the same footing. Under GDPR, the Trade Secrets Act or during a PCI DSS audit, “I don’t know” is not an acceptable answer to questions about mobile app security.
The answer is simple, if not always easy: Recognize the need for ongoing pen testing of mobile apps, and respect the difference between mobile and web environments. Then, design a testing plan that targets common vulnerabilities, assesses critical risk and leverages effective tools and techniques to uncover emerging risks.
PreEmptive has partnered with application security company to offer Android App Penetration Testing services for a limited number of our customers. If you are interested, please contact us.