
A penetration test or mobile security test of an application is a comprehensive security analysis of the application together with all related components.
In a mobile security test, security vulnerabilities are identified by carrying out real attacks using the methods and techniques of real attackers.
Both manual and automated test procedures are used. In addition to the mobile application itself, the endpoints the application depends on are also analyzed. Furthermore, the mobile device on which the application is installed and the associated platform (iOS, Android) are taken into account in order to obtain a holistic picture of the attack vectors. After all, a secure application alone is no longer enough in this day and age; the environment must also be considered to ensure comprehensive security. The attack vectors are too diverse for anything less.
In order to cover this scope in all areas, existing, mature and comprehensive test procedures and guides such as the OWASP Mobile Security Testing Guide (MSTG) or the OWASP Mobile Application Security Verification Standard (MASVS) are ideally used.
Often, most people are not aware of the security vulnerabilities in applications and how easy it is for hackers to obtain sensitive data. With a mobile security test, vulnerabilities, weaknesses or security holes related to a mobile application can be identified and disclosed.
All the measures carried out in the test procedures are recorded in detail. In a final report, all identified security vulnerabilities are summarized and supplemented by recommendations and solution approaches on a technical level to mitigate or eliminate the problem. The ultimate goal is to improve the app security level and to prevent the worst-case scenario in the event of an attack. Above all, IT departments, responsible parties and executives gain an understanding of risks that can be quickly projected onto business operations and processes.
This makes it possible to better steer future development from a security point of view, so that attack vectors are minimized and security is incorporated and taken into account during development.
The mobile security test results in an overview of risks and entry points for attackers. The result is a catalog of measures or an action plan, including procedural and organizational measures to eliminate the security gaps found.
This gives the publisher or developer of the mobile application added value, especially with regard to the security of the endpoints used, the mobile platform and the mobile device on which the application is installed. A statement about a secure environment or a secure application can only be made on the basis of the far-reaching analysis that a mobile security test provides.
Mobile applications are so special that an automated analysis or scan does not add any value. Manual mobile security tests are essential, especially for a holistic damage picture of the application and its environment. Only manual testing can reveal real-world scenarios by combining and chaining multiple complex attacks that an automated test can never cover. Furthermore, all factors that could pose a threat are included in order to identify the most relevant attack vectors.
The Mobile Security Testing Guide is developed by the Open Web Application Security Project (OWASP). Alongside the Web Security Testing Guide (WSTG), it provides a mature guide and measures for testing all the important components of a mobile application and more. Different operating system platforms such as iOS and Android are covered.
In addition, implementations are checked for their security by including reverse engineering procedures (decompilation) that focus on "best practice" and "security by design" in programming. This is followed, among other things, by checks based on manual code analysis in order to uncover configuration weaknesses or other weak points in the code. Another major component of a mobile security test is the analysis of communication paths.
Proxy tools such as Burp Suite from PortSwigger or mitmproxy (a framework for man-in-the-middle interception) are often used here to inspect encrypted connections or to intercept and manipulate individual requests. This reveals how the application responds and behaves within its business logic. Permissions are also part of the test design and are handled and analyzed by various modules of the guide to detect misconfigurations on the respective platforms (iOS and Android).
Furthermore, local files that are generated and used by the application are also examined. The Mobile Security Testing Guide thus covers many of the components and functions a mobile application may have.
The Mobile Security Testing Guide is based on various modules and tests with associated test depths. In contrast to the slimmer OWASP Mobile Top Ten, the Mobile Security Testing Guide (MSTG) builds on more test components, derived from the functional scope of a mobile application. This means that all relevant aspects and functions are included in the focus of the test to ensure a comprehensive security analysis.
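The permission and configuration checks described above start from the decoded application package. The script below is an added example (not part of the MSTG or of the original article) of how a tester can triage a decoded AndroidManifest.xml, as produced by apktool, for the typical misconfigurations a manual review looks for: debuggable or cleartext-permitting application flags, backup exposure, runtime ("dangerous") permissions that must be justified, and exported components reachable without a permission. The manifest embedded in the script is constructed for illustration and the severity labels are the example's own assumptions.

```python
"""Static triage of a decoded AndroidManifest.xml (apktool output).

Hypothetical helper for an example; the sample manifest is constructed and the
severity ratings are assumptions, not MSTG-defined values.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualified name for an attribute in the android: namespace."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed sample manifest containing several weaknesses a review would flag.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data"
              android:exported="true"/>
    <receiver android:name=".SecretReceiver" android:exported="true"
              android:permission="com.example.demo.PRIVATE"/>
  </application>
</manifest>
"""

# Subset of Android runtime permissions in the "dangerous" protection level.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.READ_EXTERNAL_STORAGE",
}

# Application-level flags and the assumed severity of each when set to "true".
APPLICATION_FLAGS = {
    "debuggable": ("high", 'android:debuggable="true": a debugger can attach to the release build'),
    "allowBackup": ("medium", 'android:allowBackup="true": app data can be extracted via adb backup'),
    "usesCleartextTraffic": ("high", 'android:usesCleartextTraffic="true": plain HTTP is permitted'),
}


def has_launcher_filter(component):
    """True if the component declares the LAUNCHER category (expected to be exported)."""
    for intent_filter in component.findall("intent-filter"):
        for category in intent_filter.findall("category"):
            if category.get(a("name")) == "android.intent.category.LAUNCHER":
                return True
    return False


def audit_manifest(xml_text):
    """Return a list of (severity, finding) tuples for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []

    # Runtime permissions are listed so the reviewer can justify each against the app's features.
    for perm in root.findall("uses-permission"):
        name = perm.get(a("name"))
        if name in DANGEROUS_PERMISSIONS:
            findings.append(("info", f"requests dangerous permission {name}"))

    app = root.find("application")
    if app is None:
        findings.append(("high", "manifest has no <application> element"))
        return findings

    for attr, (severity, message) in APPLICATION_FLAGS.items():
        if app.get(a(attr)) == "true":
            findings.append((severity, message))

    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = comp.get(a("name"))
            explicit = comp.get(a("exported"))
            # Pre-API-31 default: a component with an intent-filter is exported unless stated otherwise.
            exported = explicit == "true" or (explicit is None and comp.find("intent-filter") is not None)
            if not exported or comp.get(a("permission")):
                continue  # not reachable from other apps, or guarded by a permission
            if tag == "activity" and has_launcher_filter(comp):
                continue  # the launcher activity must be exported
            severity = "high" if tag == "provider" else "medium"
            findings.append((severity, f"exported {tag} {name} is reachable by any app without a permission"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {message}")
```

Run against the decoded manifest of a real build, the output is a starting point for the manual review, not a verdict: an exported component may be intentional, and a dangerous permission may be justified by a feature, so each finding is checked against the application's business logic and the decompiled code.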
The following components represent an overview based on the test design:
Other topics can be covered in addition:
The OWASP Mobile Application Security Verification Standard (MASVS) is, as the name suggests, a standard for mobile application security and complements the Mobile Security Testing Guide with requirements related to implementation and development. It can be used by architects and developers of mobile software who want to build a secure mobile application, as well as by security testers to ensure the completeness and consistency of test results during the development phase.
Topics or components of the MASVS are:
Based on the scope of the components or conditions of the mobile application to be tested, the penetration tester selects their tools after an initial review to identify the respective attack vectors. In essence, several independent tools are used for reverse engineering, mobile platform analysis and communication analysis. Since many attack vectors can be uncovered with reverse engineering techniques, most of these tools are based on developer tools that decompile the installation file of a mobile application with all its components so that it can be analyzed in depth afterwards.
The following tools can be applied: