MOBILE APPLICATIONS SECURITY TESTING- TEST FOR THE WORST

We all love apps, especially, the fancy, colourful apps, that promise all-your-problems-end here kind of euphoria. You wish! Really, as if the world could be so simple. However, some apps undoubtedly make our lives much simpler (Ahem, no pun intended).

So what types of applications are we talking about here? Well, that’s not the point. What I would like to elaborate here are the risks that come as a package with our life saving (sometimes literally) mobile apps, which threaten our identity, productivity and other areas critical for our day to day communication.

Why? What’s wrong with those lovely looking apps?

In simple terms, A LOT. In more complex terms, if your device or credentials have been compromised, you got a lot to lose. Now, picture this on a bigger scale, at the business or corporate level. The extent of loss is unfathomable if even a single employee downloads the app that gives the access of internal resources to malicious users who can then access the individual systems and get hold of confidential information. Phishers and hackers are constantly inventing newer ways to compromise such vulnerabilities related to web security. Users want more and more apps, and companies try to develop and deploy these apps quickly, which puts security in the back seat.

Top Mobile apps vulnerabilities and Dealing with them

As per the tests run by HP Fortify, 86% of apps that accessed potentially private data sources such as Bluetooth connections or address books, lacked security measures to protect the data from access. 86% of the apps lacked binary hardening protection, 75% apps did not encrypt data before storing it on the device and 18% of apps transmitted data over the network without using SSL encryption. Another 18% used SSL, but did so incorrectly.

The report compiled by WhiteHat shows that whilst many different attack methods exist, XSS (Cross Site Scripting) is the most popular, followed by Content Spoofing. To add to this, many other attack methods, such as SQL Injections, Information Leakage, and Stolen Credentials could all be the side-effects of an XSS attack.

Reference: WhiteHat-Security Statistics report 2012 (https://www.whitehatsec.com/resource/stats.html)

The 2013 Threat Report from the Websense ® Security Labs (WSL) also revealed how often malicious apps abuse permissions, especially in the use of SMS communications, something very few legitimate apps do. Risks increased as the mobile devices are used for web surfing and social media more often than actually making the calls.

So let’s dig a little deeper, and understand these vulnerabilities, and best practices to deal with them.

1. Excessive Permissions and Privileges– This is one of the most serious and common vulnerability that creates a great deal of privacy concerns in the mobile devices. Applications that have more access are easy target for attackers due to broad attack surface. Applications that reside on the mobile device have excessive access privileges and permissions such as access to contact list, receiving and sending messages, update rights, location and access to other devices such as microphone, camera etc.

Best Practice– App Developers should restrict granting privileges and permissions to the applications. Users should periodically check the device setting and apps for any excess permission, and if they feel that any application has excessive access, and should invoke the access rights.

2. Malware– Just like web apps, mobile applications also use web services and HTTP requests to communicate between server and client. Common vulnerabilities such as SQL injection, cross-site scripting, XML bomb, buffer overflow etc. get discovered during dynamic analysis. This enables attacker to propagate malware and gain access to devices information without having the privileges.

Best Practices– Applications should validate all form inputs and convert scripts and script tags to a non-executable form. Ensure that the executables on your server do not return scripts in executable form. You can convert HTML and JavaScript tags into alternate HTML encoding.

3. Ineffective Session Termination– When the user clicks logout button, the session gets terminated only locally on the client side, without terminating the session at the server end. This coding flaw makes the server susceptible to unauthorized access where attacker can access victim’s session and this can lead to identity threat.

Best Practice– After logout, always invalidate the session at the server and client side. If session has not been active for more than 15-20 minutes, terminate the session. Long sessions must be re-authenticated.

4. Buffer Overflow– Attacker uses buffer overflows to corrupt the execution stack of the application. Attacker sends the carefully crafted input to the application, and causes it to execute arbitrary code which can take over the device. The attack relies on writing data to particular memory address, or have the OS mishandle data types.

Best Practice– Buffer overflow protection techniques can be used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables as soon after they occur, and prevent them from becoming serious security vulnerabilities. You can also scan your application with scanner that looks for buffer overflow flaws.

5. SQL Injection– It is used by hackers to steal data from the applications where user input is not validated. As a result, the user can inject SQL statements into the database and have them executed.

Best Practice– The only way to check if your application is vulnerable to SQL injection is by scanning it with the automated web application security scanner.

6. Bad Data Storage Practice– Insecure or bad data storage occurs when developers assume that users will not have access to the device file system, and hence they store sensitive information in data-stores in the devices. If data is not protected property, jailbreaking or rooting the device circumvents any encryption protections, leading to loss of data including username, password, cookies, location data, personal information and application data. SQLite databases, Plist files, Log files, Binary data stores, XML data stores, SD card, cookie stores and cloud synced are the places where data is stored most insecurely.

Best Practice– Do not store data unless absolutely necessary. Scrutinize the data security API’s of the platform, and ensure that they are being called appropriately. Do not store credentials on the device file system.

7. Cross Site Scripting– This attack requires the user to execute a malicious URL which could have been crafted in a manner that appears to be legitimate. Attacker then effectively executes something malicious in the user’s browser.

Best Practice– Use web vulnerability scanner that checks for the XXS vulnerabilities. It will show which scripts/URLs are vulnerable to these attacks.

Some of the other common vulnerabilities include weak server side controls, poor authentication and authorization, weak or broken encryption, insufficient transport layer protection and broken cryptography. The solution to deal with these threats lies in employing a vulnerability analysis solution that can automate security quality testing.

Testing Techniques to Deal with these Vulnerabilities

The mobile applications need to be exhaustively tested for vulnerabilities that put data and device at risk. Threat-profile based test cases are used, and threat profiles are derived from different types of mobile applications. Once the vulnerabilities are identified, these need to be patched, and retested. Some of the most common testing techniques include:
Black box/Dynamic Testing– Also known as behavioral testing. It analyzes code as it runs to identify vulnerabilities that any hacker can find when the application is running in the production. This testing identifies if any weakness can be exploited, or identifies the type of weakness so that human penetration tester can verify this exploitability manually.

Code Review– It identifies the vulnerabilities at the source-code level. It can detect injection flaws, backdoors or suspicious code, hardcoded passwords and secret keys, weak algorithm usage and hardcoded keys and data storage definitions.

Penetration Testing– For any mobile application, one of the most critical tests can be penetration test. It is an ethical attack simulation intended to expose security controls of the application by highlighting risks posed by exploitable vulnerabilities. The vulnerabilities identified by penetration testing include input validation, buffer overflow, cross site scripting, SQL injection, URL manipulation, hidden variable manipulation, authentication bypass, cookie modification, code execution, and few other common software attacks.

Mobile Application Security Assessment– It is a holistic security assessment of mobile applications, the associated backend systems and data flows and interactions between them.

Failures occur, for different reasons such as poor design, faulty code, inefficient security measures or a combination of the above. However, the fact remains that it is important to identify these security risks and minimize security breaches. To protect your users from the attacks, you need to stay updated with the latest threats, and ways to deal with them. Hence, it is essential to stay in touch with the latest vulnerabilities, patches and hacks to ensure that the mobile applications are safe. When it comes to application testing, there is no silver bullet, and no single approach does it all. You need multiple approaches looking from different angles to have the confidence that your application is secure.

Hope for the Best, but Test for the Worst.