Testing the security of mobile applications

Developers pay a lot of attention to the design of mobile applications, focusing on making them as user-friendly and understandable as possible, and security testing allows us to determine how secure the program is. According to statistics, mobile apps are downloaded billions of times a year, and almost 60% of the time spent in the digital space involves the apps use.

We use many applications every day, and almost half of them contain sensitive data such as passwords, API keys, etc. These data have strict encryption requirements and most of them use features that can disclose users' personal data.

This is why mobile devices are the subject of increased attention and discussions on security issues.

OWASP Mobile TOP 10 is one of the main methodologies of application vulnerability testing. 

The OWASP Vulnerability Report is based on a generalized opinion of security experts from around the world. It ranks risks based on the frequency of defects, the severity of vulnerabilities, and their potential impact. It gives developers and security specialists an understanding of the most serious risks and allows them to minimize the possible consequences of vulnerability exploitation by attackers. You can find a brief overview of the OWASP Top Ten here.

Below is a description of 10 vulnerabilities that are used to characterize the security level of a mobile application.

M1: Improper Platform Usage

The inappropriate use of the Android and iOS platforms is a main threat, as many apps inadvertently violate the relevant security guidelines. Misuse extends to any platform feature or failure to apply security controls.

M2: Insecure Data Storage

Improper data storage is another significant vulnerability, as attackers can gain physical access to a stolen device or log in using malware.

In the case of physical access to the device, an attacker can easily access the device's file system after connecting it to a computer. Many programs that are freely distributed allow access to directories and personal data contained in them.

This means that one should keep two things in mind:

• sensitive data in the application must be stored in an encrypted form;
• programs can share data with other programs.

M3: Insecure Communication

Data transfers to and from mobile apps usually involve the Internet or a telecommunications provider. It is well known that attackers have been successful in exposing users' personal information if this transmission is not secure.

Hackers intercept user data on a local network through a compromised Wi-Fi network by connecting to it through routers, cell towers, proxy servers, or using an infected application with malware. Sometimes, when sending requests to the server with data sent by the user, some of them are sent using the HTTP protocol instead of HTTPS. 

For example, an attacker creates a compromised Wi-Fi network to which a user connects. In this way, he starts analyzing all traffic so the user's data sent to the server via HTTP can be intercepted. The attacker will see the user's data in the intercepted packet. To protect against this vulnerability, one should use data encryption.

M4: Insecure Authentication

Mobile devices sometimes fail to identify users, which allows attackers to log in using default credentials. They can often bypass authentication protocols due to poor implementation while directly interacting with the server.

It includes the following items:

• absence of requirements for user identification verification;
• lack of session control verification;
• shortcomings in session management.

M5: Insufficient Cryptography

Without sufficient cryptography, attackers can revert sensitive data to its original state and gain unauthorized access.

There are three ways that attackers try to exploit cryptographic issues:

• gain physical access to the mobile device;
• monitor network traffic;
• use malware on the device to access encrypted data.

M6: Insecure Authorization

Without proper authorization measures, hackers can gain access to sensitive data and elevate privileges to expand their attacks. Unsecured direct object reference (IDOR) allows access to files, accounts, and databases. The program is unsafe if the authorization mechanism neither verifies users nor grants permissions.

M7: Client Code Quality

Poor coding practices can lead to vulnerabilities in the code. The risk is especially high if team members use different coding methods and do not cooperate or provide sufficient documentation. Because of poor coding, a mobile device user might experience slower request processing and an inability to properly download the necessary information. Detecting this vulnerability is a difficult task, as hackers often need a complicated manual analysis of the code. 

M8: Code Tampering

App stores often contain fake versions of mobile apps, such as apps with modified binary files, which include malicious content or backdoors. Attackers can deliver these fake apps directly to the victim through phishing or publish them on app stores.

M9: Reverse Engineering

Hackers can develop applications and analyze the code - this is particularly dangerous because attackers can test and modify the code to inject malicious functions. Reverse engineering helps attackers understand how a program works, which allows them to recompile it.

M10: Extraneous Functionality

Hackers can investigate mobile applications through log and configuration files, identifying and using redundant functions to access the server side. For example, they can perform privileged actions anonymously. Manual code reviews before release help reduce this risk. 

The success of a cyberattack on a mobile application directly depends on how carefully the user protects their data. A prerequisite for hacking can be elevated privileges or programs downloaded from an unofficial source.

The success of a cyberattack on a mobile application directly depends on how carefully the user protects their data. A prerequisite for hacking can be elevated privileges or programs downloaded from an unofficial source.

To test the security of a mobile application, the following steps should be taken:

• check whether the security structure of the application requires a strong password and ensures that an attacker cannot use the passwords of other users;
• check whether logins, passwords, credit card numbers, and other data of program users are protected from attacks by automated systems and cannot be obtained using brute force attacks;
• protect the application and network from DoS attacks;
• verify the compliance of the access session time;
• find dynamic dependencies and take measures to protect these vulnerabilities from hackers;
• check that the application does not provide access to sensitive content or functions without proper authentication;
• prevent unsafe data storage in the device's memory; 
• protect the application from SQL injection attacks;
• find cases of unmanaged code and eliminate the consequences;
• analyze data storage and data verification requirements;
• provide session management to protect information from unauthorized users;
• analyze all cryptographic codes and correct errors, if necessary; 
• ensure that the program's business logic is protected and not exposed to external attacks;
• ensure that the certificate has not expired if the program uses certificate pinning;
• analyze the interaction of system files, identify and eliminate vulnerabilities;
• prevent the system from buffer overflows or memory integrity violations;
• check the protocol control units (for example, whether the default page is reset by malicious iFrames); 
• protect the application from malicious attacks;
• protect the system from malicious intrusions while the application is running;
• check user files and prevent any possible harmful effects;
• eliminate the possible harmful effects of cookies;
• ensure regular monitoring of information security;
• analyze various data flows and protect the system from potentially harmful effects.

Having analyzed the possibility of using the OWASP Mobile TOP 10 methodology for mobile application security testing, we can conclude that it allows us to clearly analyze the number of potential vulnerabilities that can lead to a breach of the confidentiality, integrity, and availability of information the application receives, stores, and processes.