Enterprise mobility is ubiquitous. Forrester research states that 49% of enterprises plan to increase spending on mobile devices and applications. However, for every positive development in this market there is often a corollary risk. The proliferation of mobile devices has led to the BYOD surge, a flux of varied OS platforms, and the convergence of mobile, social and cloud technologies. Combined, these have made mobile devices vulnerable to a variety of security risks. Therefore, it is critical for enterprises to understand the changing dynamics of mobile technology and what they can do to protect data.
There are many potential weak spots in a mobile application that make mobile app auditing important. Some of them are:
- Insecure Data storage
- Weak Server Side Controls
- Insufficient Transport Layer Protection
- Client-Side Injection
- Poor Authentication and Authorization
- Improper Session Handling
- Security Decisions via Untrusted Inputs
- Side Channel Data Leakage
- Broken Cryptography
- Sensitive Information Disclosure
Security risks associated with mobile applications can often be identified and mitigated through security testing. Mobile application security testing can help enterprises defend against malware and vulnerabilities and deliver secure applications and application platforms. The main testing approaches are:
1. Static Analysis:
Static analysis employs automated tools to analyse the application's source code. Since this testing is performed during the implementation phase of the SDLC on smaller segments of code, it detects vulnerabilities at a very early stage and suggests potential remediation. It is also performed during the testing phase on the integrated code to verify the availability and accountability of the application.
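As an added illustration of what a source-code scanner does (this is example code written for this article, not a tool mentioned in it), the following Python script runs a handful of pattern rules over a constructed Android-style snippet and maps each hit to one of the weak-spot categories listed above. The rule patterns and the sample source are assumptions chosen for the demo; real analysers ship far larger rule sets.

```python
import re
from dataclasses import dataclass

# Each rule maps a source-code pattern to a weak-spot category named in this article.
# Patterns are assumptions for the demo, not an exhaustive or authoritative rule set.
RULES = [
    ("Insecure Data storage", re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)')),
    ("Insufficient Transport Layer Protection", re.compile(r'"http://[^"]+"')),
    ("Broken Cryptography", re.compile(r'Cipher\.getInstance\(\s*"(DES|AES/ECB)[^"]*"')),
    ("Sensitive Information Disclosure",
     re.compile(r'Log\.[dviwe]\(.*(password|token)', re.IGNORECASE)),
]


@dataclass(frozen=True)
class Finding:
    category: str   # weak-spot category from the list above
    line_no: int    # 1-based line in the scanned source
    line: str       # the offending source line, stripped


def scan_source(source: str) -> list[Finding]:
    """Return every rule hit in `source`, in source order."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for category, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(category, line_no, line.strip()))
    return findings


# Constructed Android-style snippet (not from any real app) seeded with four issues;
# the last line uses an authenticated AES mode and should produce no finding.
SAMPLE_SOURCE = """\
FileOutputStream fos = openFileOutput("session.txt", MODE_WORLD_READABLE);
URL api = new URL("http://api.example.com/login");
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
Log.d("Auth", "password=" + password);
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.category}: {f.line}")
```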
2. Dynamic analysis
This testing performs deep analysis of web applications to establish a thorough understanding of the vulnerabilities of a single web application. Unlike source code scanners, a dynamic analysis program does not have access to the source code and therefore detects vulnerabilities by actually performing attacks against the running application. Dynamic analysis is performed during the last stages of the implementation phase of the SDLC, and again during the testing phase and the maintenance/support phase.
3. Manual Penetration Testing
Penetration testing involves the use of various tools and scanners. It helps uncover complex vulnerabilities not detected by automated scanners. It attempts to exploit the vulnerabilities to determine whether unauthorized access or malicious activity is possible. Penetration testing is conducted on running systems in a realistic environment. It is performed during the testing and maintenance phases, after automated scanning is completed and when the code base is more stable.
No single type of testing is capable of discovering all possible flaws and vulnerabilities in the binary code of an application, so a combination of testing techniques is needed to uncover a wider range of vulnerabilities. In the end it all boils down to enterprise requirements. However, I hope to have suggested some food for thought in choosing the right security testing strategy.