Mobile Security Test and Mobile Application Penetration Test

What is a Mobile Security Test or Mobile Application Pentest?

A penetration test or mobile security test for an application is a comprehensive security analysis of the application and all of its related components.

During the mobile security test, security gaps are identified by carrying out real attacks with the same methods and techniques an attacker would use.

Both manual and automated testing procedures are used. In addition to the mobile application itself, the endpoints it depends on are also analyzed. The mobile device on which the application is installed and the associated platform (iOS, Android) are also taken into account, so that the mobile security test produces a holistic picture of the attack vectors. A secure application on its own is no longer enough these days: the attack vectors are too diverse for that, so the environment must also be considered to ensure comprehensive security.

In order to cover this volume and all of these fields, it is best to rely on existing, mature and comprehensive test procedures or guidelines such as the OWASP Mobile Security Testing Guide (MSTG) or the OWASP Mobile Application Security Verification Standard (MASVS).


The advantages of a mobile security test

Most people are not aware of the security gaps in applications and how easy it is for attackers to obtain sensitive data. A mobile security test can be used to identify and disclose vulnerabilities and security gaps in a mobile application.

All test procedures carried out are recorded precisely. In a final report, all identified security gaps are summarized and supplemented with recommendations and solutions at a technical level to reduce the damage or resolve the problem. The ultimate goal is to raise the app's security level and prevent an emergency in the event of an attack. Above all, IT departments, managers and executives gain an understanding of risks that can be quickly projected onto business operations and processes.

This allows future developments to be better steered from a security perspective: attack vectors are minimized and the findings are taken into account in subsequent development.

What scope or benefit does the result of a mobile security test offer?

The mobile security test results in an overview of risks and entry points for attackers or hackers. The result is a catalog of measures or an action plan and includes procedural and organizational measures to eliminate the security gaps found. 

This gives the publisher or developer of the mobile application added value, especially with regard to the security of the endpoints used, the mobile platform and the mobile device on which the application is installed. Only an extensive analysis allows the mobile security test to support a reliable statement about a secure environment or a secure application.

Mobile applications are so specific that an automated analysis or scan alone does not add any value. Manual mobile security tests are essential, especially with regard to a holistic picture of the possible damage to the application and its environment. Ultimately, real-world scenarios can only be revealed by combining and chaining multiple complex attacks, which an automated check can never cover. Furthermore, all factors that could pose a threat are taken into account in order to map the attack vectors as completely as possible.

How is a mobile security test carried out according to the OWASP Mobile Security Testing Guide (MSTG)?

The Mobile Security Testing Guide is published by the Open Web Application Security Project (OWASP). Alongside the Web Security Testing Guide (WSTG), it offers a sophisticated guide and measures for testing all important components of a mobile application and more. Different operating system platforms such as iOS and Android are covered.

In addition, implementations are checked for security by incorporating reverse engineering procedures (decompilation), which focus on "best practice" and "security by design" in programming. This is followed, among other things, by tests based on manual code analyses in order to uncover configuration weaknesses or other weak points in the programming. Another major component of a mobile security test is the analysis of communication channels.

Proxy tools such as Burp Suite from PortSwigger or mitmproxy (a framework for man-in-the-middle analysis) are used to look inside encrypted connections and to intercept and manipulate individual requests. This shows how the application reacts and behaves with respect to its business logic. Permissions are also part of the test design and are handled and analyzed through various modules of the guide in order to uncover misconfigurations on the respective platforms (iOS and Android).

Furthermore, local files created and used by the application are also examined. The Mobile Security Testing Guide therefore covers many of the components and functions that a mobile application can contain.


Components of the Mobile Security Testing Guide

The Mobile Security Testing Guide is based on various modules and tests and their associated test depths. In contrast to the slimmer OWASP Mobile Top Ten, the Mobile Security Testing Guide (MSTG) is built from more test components based on the functionality of a mobile application. This means that all relevant aspects and functions are included in the focus of the test in order to ensure comprehensive security analyses.

The following components provide an overview based on the test design:

  • Mobile platform analysis
  • Security testing in the mobile application development lifecycle
  • Basic static and dynamic security testing
  • Reverse engineering and manipulation of mobile applications and environments
  • Evaluation of software protection measures and environment/end devices
  • Plus, many more!

Other topics can also be covered:

  • Detailed test cases that are based on the requirements of MASVS.

What is the OWASP Mobile Application Security Verification Standard?

The OWASP Mobile Application Security Verification Standard (MASVS), as the name suggests, is a standard for mobile application security and, alongside the Mobile Security Testing Guide, covers requirements for implementation and development. It can be used by architects and mobile software developers who want to develop a secure mobile application, as well as by security testers to ensure the completeness and consistency of test results during the development phase.

Topics or components of the MASVS are:

  • Providing a security standard against which existing mobile applications can be compared by developers and application owners;
  • Providing guidance for all phases of mobile application development and testing;
  • Providing a basis for testing the security of mobile applications (agile mobile security testing during development).

Which mobile security testing tools are used for a penetration test?

Based on the scope of the components or the circumstances of the mobile application to be checked, the penetration tester selects the tools after an initial examination in order to expose the respective attack vectors. At its core, several independent tools are used for reverse engineering, mobile platform analysis or communication analysis. Since many attack vectors can be uncovered using reverse engineering techniques, most of these tools rely on developer tooling to decompile a mobile application's installation file with all its components in order to then analyze it in depth.

The following tools can be used:

  • strings
  • binwalk
  • hashdeep
  • SQLite DB Browser
  • Burp Suite
  • mitmproxy framework
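As an added example (not from the page or from any of the tools listed above), the following Python script reproduces the basic jobs of strings and hashdeep on a mobile installation file: it builds a hashdeep-style manifest of every entry in the package and flags printable strings a reviewer would want to look at before release (cleartext http:// URLs, hardcoded keys, debug flags). The minimal APK-style zip, the placeholder key and the flagged patterns are all constructed for the demo.

```python
import hashlib
import io
import re
import zipfile

def build_sample_package() -> bytes:
    """Constructed stand-in for an .apk: a small zip built in memory, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest package='example.app' />")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16
                   + b"http://api.example.test/v1/login\x00"
                   + b"AIza-PLACEHOLDER-API-KEY-0000\x00" + b"\x00" * 8)
        z.writestr("assets/config.properties", "debug=true\napi_key=PLACEHOLDER_KEY\n")
    return buf.getvalue()
# strings(1) equivalent: runs of at least 8 printable ASCII bytes
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")
# Patterns a reviewer wants flagged in a shipped package (assumed set, not exhaustive)
SUSPICIOUS = [
    ("cleartext URL", re.compile(rb"http://[^\s\x00]+")),
    ("possible API key", re.compile(rb"(?i)api[_-]?key\s*=\s*\S+|AIza[0-9A-Za-z_\-]{4,}")),
    ("debug flag", re.compile(rb"(?i)debug\s*=\s*true")),
]
def inventory(package: bytes) -> dict:
    """hashdeep-style manifest: entry name -> (size in bytes, SHA-256 hex digest)."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for info in z.infolist():
            data = z.read(info)
            manifest[info.filename] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest

def find_suspicious_strings(package: bytes) -> list:
    """Pull strings(1)-style runs from every entry and label those matching SUSPICIOUS."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            for run in PRINTABLE.findall(z.read(name)):
                for label, pattern in SUSPICIOUS:
                    if pattern.search(run):
                        findings.append((name, label, run.decode("ascii")))
    return findings

if __name__ == "__main__":
    pkg = build_sample_package()
    for name, (size, digest) in inventory(pkg).items():
        print(f"{digest[:16]}...  {size:6d}  {name}")
    for name, label, text in find_suspicious_strings(pkg):
        print(f"[{label}] {name}: {text}")
```

On a real package, replace build_sample_package() with the bytes of the .apk or .ipa; the manifest gives you a baseline to diff against later builds, and the flagged strings point at what to verify manually.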