Mobile applications provide convenient way to access consumer and business services online. Mobile applications can store sensitive information and also exchange data including personal information and such through API interfaces. Also each platform be it Android or iOS have its own security related differences and recommended ways to implement security features which not always are considered during the development of mobile application software.

Therefore to make sure that custom made mobile applications and their back-end services implement adequate security features and overall have an acceptable level of security – mobile application security tests are conducted. Mobile applications can contain vulnerabilities related to insecure storage of personal and user data, encryption mechanisms could be implemented in a non-secure way and so on. As there are multiple platforms and their security ecosystem to consider a mobile application security testing methodology shall be employed when conducting mobile applications security tests.

Mobile Application Security Verification Standard is a community effort to establish a framework of security requirements needed to design, develop and test secure mobile apps on iOS and Android.

The testing methodology can be applied in multiple ways:

• Black-box test
• Partial source code review (gray/glass box test)

In order to find as many vulnerabilities and security weaknesses as possible in a limited time-frame the second option should be selected as disclosing the source code to the auditors allows them to better understand the inner workings of an application and security relevant mechanisms employed by developers e.g. user input sanitization filtering implementation. By looking at source code auditor can know for sure what input is filtered and what is not – comparing to black-box test where he would have to spend additional time to run certain test-cases to have an approximate understanding of such mechanism.

If source code is not available or the goal of the test is to verify the mobile application security in a typical external attack scenario, then black-box approach is used. The back end application subjected to a range of test patterns and payloads corresponding to multiple vulnerability classes as categorized in the methodology. Comprehensive API security audits are performed manually as automated tools can only support the process, but do not replace the expert yet. Automated tools such as application vulnerability scanners, source code security scanners are used in the process for automating routine tasks. Not all vulnerability classes are applicable to every application – it is dependent on technology stack used by the developers.

Mobile application security audit results in a report which contains identified security vulnerabilities and defects, their risk score, proof-of-concept material and if the source code is available then vulnerable code is pinpointed. Apart from demonstrating the security risks the report provides additional information on what security measures can be applied to further improve the quality of an application.

Making sure that issues are fixed

After vulnerabilities are fixed, our experts can verify that the applied fixes or mitigation measures are sufficient and remove the problem by conducting a re-check, during which the report is updated with information on which problems have been successfully mitigated and indicate if there are any issues left that still need to be addressed.