How do you know if your mobile application is secure? What is mobile application security testing and how can you execute it? Read this article to find out.
Why do we need to conduct Mobile Application Security Testing?
Several security risks are associated with native mobile applications, and it goes without saying that a lack of security testing may lead to a data breach and can expose a company's technology. In most cases this turns out to be the first step of a hacker's attack.
Mobile application security testing is carried out keeping the intentions of a malicious user in mind. It is important to consider all possible ways by which a hacker could attack the system and gain access to its information. It is also important to understand the nature of the application and the kind of data it handles. While executing security testing we should:
- Interact with the mobile application and understand its basic functionality, how it exchanges data and where that data is stored.
- Decrypt the encrypted sections of the mobile app.
- Decompile the app, check the source code and find the weak points present in it.
- Use the information gained from reverse engineering to carry out dynamic analysis and penetration testing.
- Evaluate the security controls that are used within the application.
It is important to know the loopholes in order to plan mobile security testing. We want to ensure that our testing prevents major potential vulnerabilities, such as:
- Exposed application source code
- Hackers gaining access to user accounts
- Client-side injection
- Exposure of security-sensitive data
Source code protection
Source code protection is very important. If a hacker is able to expose the source code, the damage can be far beyond imagination. It can lead to great security risks, as the hacker will be able to use the keys. It would also become easier for him to discover whether any other application uses the same API and to intrude on it. This can lead to loss of security-sensitive data and may affect the company's reputation. Since Android applications are more likely to be decompiled, we put great stress on verifying the source code in order to ensure that it is obfuscated.
In order to ensure source code protection, it is important to follow the reverse engineering approach explained below:
- Download the application from the Google Play Store to your device
- Get the application package (the .apk file). We can do that with this app
- Download apktool from this link
- Rename the downloaded file to apktool.jar
- Download the wrapper script for Mac OS from this link
- Save it as apktool
- Move apktool.jar and apktool to the /usr/local/bin/ directory
- Go to the directory containing the apk file
- Execute apktool d APK_NAME.apk to decompile
- Execute apktool b APK_NAME to recompile
After decompilation, we need to check whether the source code is obfuscated. It is also important to ensure that API keys, web service endpoints and other security-sensitive data are not exposed. If an application has no code protection, it is an indication that it can be easily hacked: anybody can modify the source code and then recompile it. This is a security risk.
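As an added example (not part of the original tutorial or of apktool), a small Python scanner for the tree that apktool d produces: it flags hard-coded endpoints and key-shaped strings in smali and resource files, and estimates obfuscation from how many smali classes carry one- or two-letter names. The secret patterns and the sample tree it builds for itself are constructed assumptions, not taken from any real application.

```python
import re
import tempfile
from pathlib import Path

# Patterns for material that should not ship in a release build (constructed
# for this example; extend with the application's own key formats).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "http_endpoint": re.compile(r"https?://[\w.\-]+(?:/[\w./\-?=&%]*)?"),
    "named_secret": re.compile(r'name="[^"]*(?:api_key|secret|token|password)[^"]*"', re.I),
}

def scan_decoded_apk(root):
    """Return likely exposed secrets in an `apktool d` output tree plus a crude
    obfuscation estimate derived from smali class-file names."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in {".smali", ".xml"}:
            continue
        text = path.read_text(errors="ignore")
        for kind, pat in SECRET_PATTERNS.items():
            findings += [(kind, str(path.relative_to(root)), m.group(0))
                         for m in pat.finditer(text)]
    # ProGuard/R8 rename classes to a.smali, b.smali, ...; a tree that keeps
    # descriptive names like LoginActivity.smali was shipped unobfuscated.
    smali = list(root.rglob("*.smali"))
    short = [p for p in smali if len(p.stem) <= 2]
    ratio = len(short) / len(smali) if smali else 0.0
    return {"findings": findings, "smali_count": len(smali),
            "obfuscation_ratio": ratio}

def demo():
    """Scan a small constructed tree shaped like apktool output."""
    root = Path(tempfile.mkdtemp())
    files = {  # constructed sample files, not from a real application
        "smali/com/example/app/LoginActivity.smali":
            '.class public Lcom/example/app/LoginActivity;\n'
            '    const-string v0, "https://api.example.test/v1/login"\n'
            '    const-string v1, "AKIAABCDEFGHIJKLMNOP"\n',
        "smali/a/b.smali": ".class public La/b;\n",
        "res/values/strings.xml":
            '<resources>\n  <string name="backend_api_key">REPLACE_ME</string>\n'
            '</resources>\n',
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return scan_decoded_apk(root)
```

Point scan_decoded_apk at the directory apktool d created for the real APK; a low obfuscation ratio together with any findings is exactly the code-protection gap described above.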
Accessing Application Database
To perform this test the device needs to be rooted. In order to prevent potential security issues, developers should implement a root detection mechanism and should not allow users to use the application on a rooted device. This would be the first test. However, if we are able to use the application on a rooted device, we will attempt to access the database as explained below:
- Open a terminal and connect your test device
- adb shell
- cd data/data
After we have successfully pulled the application's database to the local machine, we validate whether security-sensitive data is exposed.
Accessing Application logs to get sensitive data
Another powerful test ensures that the logs don't expose web service endpoints and other sensitive data. Let's try to do that:
- Open a terminal and connect your test device
- adb logcat
- You can filter the application's log lines with adb logcat | grep -i "APP_NAME"
Intercepting Network Calls
If an application does not have SSL pinning implemented, we can read and intercept API requests and responses. In this case we need to validate that no security-sensitive data has been sent. Another test scenario involves intercepting requests and responses and changing their values.
We use this tool for this test, as it is the best at uncovering major security bugs. You will learn more techniques and best practices in the coming tutorials.
This tutorial explains basic Android security testing techniques and security risks. I would recommend first executing the testing techniques mentioned here on the oldest supported Android version, as some Android security features are not implemented on older versions.
Stay tuned for more tutorials and Happy Testing 🙂