Do you know how many applications you have on your mobile? Probably many more than you think. Are they all secure? What security permissions have you granted to each one? Smartphones and mobile apps have transformed our daily lives, allowing us to perform countless actions and access a huge amount of information at the touch of a finger. This brings with it endless advantages but also cybersecurity risks. That is why it is essential for companies that have apps to carry out security tests on mobile applications.
TeaBot, Brata, Xenomorph, Joker… In the last year, various types of malware have infected thousands of cell phones, intending to breach critical mobile apps such as those of banks.
This phenomenon is on the rise as criminals take advantage of the increased relevance of apps at both the personal and business level. For this reason, mobile application security audits have become one of the essential cybersecurity services for companies that have mobile apps on the market.
Below, we will address the objectives, methodology and benefits of performing mobile apps security testing on Android and iOS.
1. The five basic objectives of mobile app audits
According to Data Reportal, 90% of people accessing the Internet in the world use smartphones. This figure is significantly higher than the 66% of the population that consumes the Internet using a computer. This figure is evidence of the profound paradigm shift that has taken place over the last decade in terms of internet consumption.
Nowadays, cell phones have become essential devices in the digitization of companies and homes, thanks to the development of apps that allow people and businesses to carry out multiple actions: communicate, buy, market their products, manage their accounts, search for information…
With this data in hand, security testing of mobile applications becomes a priority task of the utmost importance for both companies and the general public. It allows app developers to detect possible security breaches and fix them before malicious actors exploit them. The company’s reputation, business continuity, and possible far-reaching economic and legal consequences are at stake.
1.1. Detection of vulnerabilities
The central objective of mobile application security testing is to detect vulnerabilities in mobile applications to anticipate cyber criminals.
To this end, a team of cybersecurity professionals must carry out a detailed audit of the apps developed by a company, taking into account the main security risks at a global level.
If they go undetected, existing security holes allow attackers to compromise not only the apps but also the devices on which they are downloaded. This, in turn, makes it possible for malicious users to steal confidential user information.
1.2. Development of a mitigation plan for weaknesses
After testing the security measures and detecting vulnerabilities, the professionals in charge of mobile application security testing proceed to draw up a series of detailed recommendations to mitigate the weaknesses found in the analyzed apps.
These recommendations are essential so that the companies that have developed the mobile apps can implement the necessary measures to remedy the vulnerabilities and fortify them against cyber-attacks.
Additionally, the recommendations are prioritized according to the characteristics of the company’s business model and the application’s operation. Prioritization is key to remedying the problems detected since neither time nor human, economic and technical resources are infinite.
1.3. Validation of protection measures and mechanisms
Mobile application security testing is a valuable cybersecurity service for detecting weaknesses and validating the measures that have already been put in place to protect mobile applications.
Thus, by employing a security audit of mobile apps, it is possible to check the efficiency and effectiveness of the security mechanisms and protocols. Moreover, at a technical level, this testing allows developers to think more and more securely when writing application code. This is known in the industry as secure development.
Continuous validation of security systems is essential, bearing in mind that the cybersecurity landscape is constantly changing, and malicious actors are constantly seeking new ways to attack companies and citizens.
1.4. Increasing protection for applications, companies and users
The detection of weaknesses, the formulation of recommendations and their implementation, and the continuous validation of security measures have a clear and resounding consequence: the level of protection of the audited application is increased.
Suppose the application is optimally protected against cyber-attacks. In that case, the company that developed it and the customers who downloaded it to their mobile devices will also be better protected against theft of sensitive information and fraud.
As we have already pointed out, smartphones and mobile apps play an increasingly central role in our daily lives and the operation of millions of companies. As a result, protecting them is a matter of vital importance. In fact, mobile application security testing is set to become a strategic activity for all companies operating in the digital world.
1.5. Compliance with the legal framework in force
Beyond the fact that companies are aware of the importance of mobile application security testing, the European cybersecurity regulatory framework is becoming increasingly demanding.
The well-known GDPR, which seeks to safeguard European citizens’ data, has recently been joined by regulatory packages of the caliber of the DORA regulation and the NIS2 directive.
On the one hand, the former seeks to ensure that European financial institutions can resist cyber-attacks and protect the financial information they hold.
On the other hand, the NIS2 directive aims to raise the level of cyber protection for large and medium-sized companies in the European Union operating in economically and socially strategic sectors.
To sum up, these standards generalize the duty of companies to audit the protection of their assets and validate their security policies and mechanisms. This includes, of course, the mobile applications they develop and make available to their customers.
2. Dynamic and static analysis of mobile apps
The cybersecurity professionals who conduct the mobile app audit design the security tests taking into account the objectives we have just outlined, as well as the characteristics, needs and resources of the company that has developed the application.
To perform security testing of mobile applications, professionals must combine both dynamic and static analysis of the apps.
2.1. Dynamic
Dynamic analysis makes it possible to:
- Check the connections with the server to find vulnerabilities that criminals can exploit.
- Detect vulnerabilities that may exist on the application side while it is being used, such as printing sensitive information in the system logs.
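The log check described in the second point can be automated during a dynamic test session. The following is an added example, not part of the original article: it parses `adb logcat -v threadtime` output, keeps only the lines written by the app under test, and flags session tokens, e-mail addresses and card numbers (validated with the Luhn checksum to avoid false positives). The log lines, the PID 4321 and the tag names are constructed for illustration.

```python
import re

# Constructed `adb logcat -v threadtime` output; PID 4321 is the app under test (assumed).
SAMPLE_LOGCAT = """\
03-14 10:15:01.120  4321  4321 D LoginActivity: login ok user=ana@example.com
03-14 10:15:01.450  4321  4377 D ApiClient: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJlMTIz
03-14 10:15:02.010  1200  1200 I ActivityManager: Displayed com.example.bank/.Home
03-14 10:15:09.733  4321  4321 I PaymentForm: card=4111 1111 1111 1111 exp=12/29
03-14 10:15:10.002  4321  4321 D PaymentForm: order ref 1234 5678 9012 3456 queued
03-14 10:15:11.500  4321  4321 V Sync: refreshed 12 items
"""

# date, time, PID, TID, priority, tag, message
LINE = re.compile(r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+(\d+)\s+\d+\s+[VDIWEF]\s+(.+?)\s*: (.*)$")
PATTERNS = {
    "jwt": re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "card": re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)"),
}

def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_logcat(text: str, app_pid: int):
    """Return (line number, tag, finding kind) for lines logged by app_pid."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = LINE.match(raw)
        if not m or int(m.group(1)) != app_pid:
            continue  # other processes and unparsable lines are out of scope
        tag, message = m.group(2), m.group(3)
        for kind, pattern in PATTERNS.items():
            for hit in pattern.finditer(message):
                if kind == "card" and not luhn_ok(hit.group()):
                    continue
                findings.append((lineno, tag, kind))  # the value itself is never copied
    return findings

if __name__ == "__main__":
    for lineno, tag, kind in scan_logcat(SAMPLE_LOGCAT, 4321):
        print(f"line {lineno}: {tag} logs a {kind} value")
```

The report records only where the leak occurs and of what kind, so the audit output does not itself become a copy of the sensitive data.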
2.2. Static
While performing a static analysis of an app, two essential aspects can be checked to ensure an optimal level of protection against cyber-attacks:
- That no sensitive information is stored in the binary.
- That it is impossible to evade the security controls put in place by the developers.
Regarding the latter, it should be noted that some of these security controls are dynamic, as they can only be checked when using the app. This is only possible through dynamic analysis, since static analysis consists of looking for vulnerabilities without installing the application.
Because of all this, we can argue that it is not enough for the team performing mobile application security testing to perform one or the other analysis. Rather, both are complementary when performing a comprehensive mobile app security audit.
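The first static check listed above (no sensitive information stored in the binary) can be sketched as follows. This is an added example, not part of the original article: an APK is a ZIP archive, so the script opens it without installing anything, extracts printable strings from every entry and matches them against a small rule set. The archive contents, file names and secret values are constructed, and the three rules are illustrative assumptions rather than a complete rule set.

```python
import io
import re
import zipfile

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP whose entries mimic real ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        # Not a valid DEX file, only bytes with strings embedded between binary data.
        apk.writestr("classes.dex", b"dex\n035\x00\x07\x01\x00https://api.example.com/v1\x00"
                                    b"\x14AKIAEXAMPLEEXAMPLE00\x00\x02ok\x00")
        apk.writestr("assets/config.json",
                     '{"env": "prod", "api_key": "c0nstructed-s3cret-value-42"}')
        apk.writestr("res/raw/notes.txt", "Nothing sensitive here.")
        apk.writestr("assets/signing.pem", "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n")
    return buf.getvalue()

STRINGS = re.compile(rb"[\x20-\x7e]{6,}")  # printable ASCII runs, like strings(1)
RULES = {
    "private-key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded-credential": re.compile(
        rb"(?i)(?:api[_-]?key|secret|password)\"?\s*[:=]\s*\"[^\"]{8,}\""),
}

def scan_apk(apk_bytes: bytes):
    """Return sorted (entry name, rule) pairs for secrets found in the archive."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.infolist():
            data = apk.read(entry)  # decompressed entry contents
            for run in STRINGS.findall(data):
                for rule, pattern in RULES.items():
                    if pattern.search(run):
                        findings.add((entry.filename, rule))
    return sorted(findings)

if __name__ == "__main__":
    for name, rule in scan_apk(build_sample_apk()):
        print(f"{name}: {rule}")
```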
How are these mobile application security tests performed? Using the OWASP methodology. This foundation, focused on building a safer digital world, has developed a standard used by developers and cybersecurity professionals worldwide to validate mobile applications’ security.
3. OWASP MAS: A global standard for verifying mobile app security
The OWASP Mobile Application Security (MAS) project is based on two basic pillars. On the one hand, the Mobile Application Security Verification Standard (MASVS) systematizes the security requirements that mobile apps must meet, depending on the level of protection that the app needs, taking into account the criticality of the information it handles. On the other hand, the Mobile Application Security Testing Guide (MASTG) establishes the tests that must be carried out to validate the MASVS security requirements.
Thus, both pillars complement each other and constitute a globally accepted methodology for testing mobile application security.
This is because MASVS and MASTG are based on industry best practices from around the world, grouping and systematizing them to facilitate their use by developers and auditors.
3.1. MASVS: Security levels and requirements
MASVS is a framework designed to develop secure mobile apps and audit their protection. This framework combines two core elements: security requirements and security verification levels.
3.1.1. Security levels
Thus, MASVS contemplates three levels of security verification:
- L1. Standard security. This is the level of protection recommended for all mobile applications. It encompasses the basic security requirements.
- L2. Defense in depth. This level of protection should be required for mobile applications that handle sensitive data. Think, for example, of banking apps. At this security level, in addition to the basic requirements of L1, other requirements contribute to a more comprehensive and in-depth defense of the applications.
- R. Resistance against reverse engineering and manipulation. This level provides apps with an additional layer of protection that does not overlap with the previous ones. Thus, an app can be subject to an audit that considers the requirements of level 1 and level R but not those of level 2. In addition, this level makes it possible to determine whether applications can successfully cope with specific client-side attacks, such as those that use reverse engineering techniques to seize sensitive data.
Depending on the needs of the company in question, its business model and the information handled by the application, the security levels to be met can be defined.
3.1.2. Security requirements
MASVS structures the multiple security requirements for mobile apps into eight different categories:
- V1. Architecture, design and threat modeling
- V2. Data storage and privacy
- V3. Cryptography
- V4. Authentication and session management
- V5. Communication over the network
- V6. Interaction with the platform
- V7. Code quality and compiler configuration
- V8. Resistance to reverse engineering
Thus, security level 2 contains all the requirements of the first seven categories. Level 1 contains only the basic requirements included in these categories. And level R, on the other hand, corresponds to the requirements grouped in category 8.
What are these requirements like? For example, 4.4, which must be considered in levels 1 and 2, stipulates that the application must ensure that “when the user logs off, the session is also terminated on the server”. 5.6, which is only required at security level 2, states that it must be verified that “the application relies only on up-to-date connectivity and security libraries”.
3.2. MASTG: Techniques and tools for mobile application security testing
The requirements formulated in MASVS are of great value so that developers and auditors can notice all important elements when protecting a mobile application or checking its security level. However, their interrelationship with MASTG is the keystone of OWASP’s mobile application security testing methodology, since each requirement is complemented by the processes, techniques and tools that must be used to verify compliance or non-compliance with that security requirement.
In addition, the MASTG guide includes specific cases that facilitate the design and implementation of a mobile application security audit.
4. Addressing the main mobile application security risks
When performing mobile application security testing, it is essential to consider the main risks and threats facing the security systems that protect them.
In recent years, cyber-attacks have been on the rise, both in number and in terms of their complexity. Malware, ransomware, reverse engineering techniques… The tactics and tools criminals use are becoming increasingly sophisticated and often hybridize different techniques, for example, attacks that combine phishing with malware.
Moreover, if we add to this dangerous context the fact that mobile apps have become basic tools in our daily lives and that more and more companies are developing apps, we find a scenario full of risks.
Therefore, a team of professionals with extensive experience in cybersecurity auditing must carry out mobile application security testing. They must also have accurate and constantly updated knowledge of the risks facing:
- Mobile apps.
- Companies.
- Users.
5. Identify, detect and recommend. The benefits of performing mobile application security testing
Following the OWASP methodology and combining static and dynamic analysis, conducting a mobile application audit allows cybersecurity experts to obtain a comprehensive overview of the app’s vulnerabilities, as well as the level of efficiency of the implemented security measures.
Thus, by performing mobile application security tests, professionals can identify and detect existing weaknesses and obtain the necessary information to propose recommendations to help remedy them.
5.1. Identify
A comprehensive mobile application audit serves to identify the following:
- Vulnerabilities in the application’s authentication mechanisms.
- Bad practices in the use of Webviews.
- Bad practices in network connections.
- Evasion of restrictions in the context of the application.
5.2. Detect
Likewise, mobile application security testing is of great help in detecting:
- The storage of sensitive information in the context of the application.
- Vulnerable IPC mechanisms in Android systems.
- Inappropriate use of encryption algorithms in the keychain/keystore.
Beyond these actions, the professionals performing the app security audit can perform penetration tests on the backend of the applications.
5.3. Recommend
As we pointed out at the beginning of this article, one of the keys to mobile application security testing is that, based on the information gathered during the audit, a series of recommendations can be established to mitigate the weaknesses detected in the apps.
Thus, cybersecurity professionals not only point out the requirements that are not met, according to the OWASP methodology, but also propose a series of detailed recommendations to remedy the vulnerabilities and improve the app’s protection against cyberattacks.
If, in addition, mobile application security testing is carried out regularly, it is possible to observe the level of compliance with the recommendations and to point out new actions to remedy any remaining deficiencies or to respond to new threats.
6. Google MASA: Strengthening the Android App Ecosystem
The growing concern for the security of mobile apps is visible through the regulatory effort carried out in the European Union. Through the App Defense Alliance, Google has launched the Mobile Application Security Assessment (MASA).
What is Google MASA, and how does it work?
- What is Google MASA? An initiative that seeks to ensure that apps available on the Play Store have an optimal level of protection against cyber threats.
- How does it work? Google awards a badge to apps that undergo a security audit to verify their security level.
- What requirements must apps meet? The requirements are included in level 1 of the OWASP MASVS standard, which we explained earlier.
- How are the requirements checked? By running mobile application security tests using the techniques, tools and processes described in the MASTG guide.
- How does Google know that the app meets OWASP requirements? The authorized laboratory performs the tests and sends a validation report directly to Google.
- How do users know that an app is secure? The Google MASA badge will appear in the security section of the applications that have joined this initiative.
In this way, Google seeks to strengthen the Android app ecosystem, encourage companies to secure their apps and build trust in users who download apps from the Play Store. And mobile app security testing is the cornerstone of this initiative.
In short, European regulatory gear, the emergence of Google MASA and, above all, the increasing cyber-attacks on apps and mobile devices have made mobile app security testing an essential cybersecurity service for companies with mobile apps.
The stakes are too high to forgo strengthening app security. Cell phones are devices full of opportunities for individuals and companies. But to enjoy them without risk, it is essential to ensure the security of mobile apps.