In Part 1 of this post, I provided an overview of mobile app attack vectors and penetration testing approaches. In this Part 2, I’ll discuss tools, techniques and issues related to the two types of mobile applications: browser-based and native.
So-called hybrid apps are basically browser-based apps in a thin native container—which means they could be vulnerable to all the threats common to HTML5 apps and should be pen-tested accordingly.
Browser-based mobile apps
When pen testing browser-based apps it is always better to use an emulator. This is because the app might not behave identically across Windows, Linux, iOS, etc. For example, the application server may render a different response based on the different User-Agent containers within the various browsers. Thus attack vectors could differ as well based on the User-Agent. Within the emulator, a pen tester can choose different User-Agents and test them in turn.
Native mobile apps are .apk (Android), .ipa (iOS) or .app (Windows) files that contain all the necessary components to perform the desired actions on the chosen platform. Generally they are developed using Objective-C and the Cocoa touch layer on iOS, and Java for Android.
There is a large and growing group of developers who write such applications, which include third-party apps that enhance the features and capabilities of the various devices (e.g., improved smartphone camera apps). Device users generally download native apps via Google Play, Apple’s App Store, or third-party sites.
Native mobile apps are subject to many of the same security vulnerabilities as other computing platforms, though the exploitation techniques and tools might be different. Attack vectors can exploit insecure local data storage on the device, a weak SSL implementation, unintentional data leaks or code injection. We’ve also seen threats spawned by malware embedded in bogus development SDKs.
Nevertheless, native apps are overall probably easier to secure than HTML5 apps. For example, native apps can leverage the device to support two-factor authentication, whereas browser-based mobile apps usually require hardware- or software-based one-time passwords/tokens.
Mobile application security analysis
There are two basic approaches to analyzing mobile apps to identify security flaws: static and dynamic.
In a static analysis approach, the development team must provide the source code or compiled binaries of the application for programmatic analysis. The code is analyzed to ensure security controls are in place in areas like authentication, authorization, session management, data storage and information disclosure. The app (even native apps) should also be tested for web application vulnerabilities because many mobile apps are vulnerable to these.
Dynamic security analysis is the testing and evaluation of a program by executing data in real-time. The main objective of this analysis is to find the security weak spots in a program while it is running. Dynamic analysis is conducted against the app’s backend services and APIs. The types of tests run vary depending on the type of mobile app being tested (native or browser-based).
Dynamic pen test tools communicate with browser-based mobile apps through their web front-end, in order to identify potential security vulnerabilities and architectural weaknesses in the app, without the need for access to source code.
In general, dynamic analysis is performed to check whether the following controls are in place:
- Input/output validation (cross-site scripting, SQL injection, etc.)
- Specific application problems
- Server configuration errors or version issues
In Part 3 of this post I’ll go into more details on specific pen tests to find specific vulnerabilities.
To discuss penetrating testing services for your business-critical mobile applications, contact Pivot Point Security.