Businesses have inevitably gone mobile and no turning back is visible on the horizon. While the newly adopted BYOD movement receives a lot of attention, another security issue associated with risks of using personal mobile devices at work comes up on stage. The next challenge can be fairly called “bring your own application” as many of public app stores are experiencing some serious malware problems.
The answer could be in-house app stores. If to believe gartner, the whole of 25% of businesses are expected to have their in-house corporate app stores no later than 2017. Such a shift will allow companies to more efficiently push out apps, will drive a boost in mobile device management, as well as may offer a secure and automated process equally well-working both for in-house developed apps and curated apps provided by third parties.
No matter where the app comes from, the vital thing is to guarantee its security before circulating.
Generally speaking, one can divide mobile apps into three types:
- Native apps are each written for some specific platform and run only on their supported devices. For example, an iOS app can work only on iPhones.
- Web apps can be accessed by any mobile device since they are built by means of such standards as HTML5 and also housed online effectively. Often a mobile app is just a web app’s shortcut.
- Hybrid apps combine a web-powered user interface and some native app layer around it to grab the best of the both.
More and more companies today are opting for hybrid apps to reach a better coverage of platforms and leverage the devices’ hardware capabilities at the same time. It is estimated that by 2016 more than half of all deployed apps will be hybrid.
As you could expect, each of these app types requires specific testing as in every case you have to come up with the ways to protect data when it travels across the mobile networks. Between what is deployed to the device in reality and the data storage deployed to the server, there’s always some split. Thus, to assist your QA department in testing your app security, a range of specialized software has been designed.
To cover all your bases and ensure the penetration testing to be carried out is really effective, the best choice is engaging some third party organization that has all the necessary expertise. Such specialists will put the app into the test using a real attacker’s approach - without regard for the way of intended system usage, but with only a determination to break it.
Tips on testing potential vulnerabilities
Mobile apps have many potentially weak points and knowing them will help you protect your app security greatly:
- Data storage. Is the data encrypted? Where is it stored? Cloud solutions are popular, but they compromise your data security a lot.
- Data leakage. Find the ways of potential leakages.
- Data flow. Can the audit trail for the data be established? What goes where? How well is the data in transit secured? Who possesses an access to the data?
- Authentication. Where and when are users asked to authenticate? How is the authentication happening? How can you track IDs and passwords in the system?
- Points of entry. Mind that all possible client-side routes to the application are validated.
- Server-side controls. Avoid a full focus on the product’s client side and don’t assume its back side is as secure as you expect.
If to talk about the comprehensive security testing of mobile apps, the tips above are just the top of the iceberg. You have to factor in all the peculiar compliance demands in your industry as meeting the standards for mandates and regulations is vital. Most in-house IT departments aren’t simply ready for the rigorous testing required to pass your app as safe.
You should also remember that to test an app and then forget about it isn’t the right way of doing things. If you are a frequent user of mobile development forums, you must know the new security threats appear all the time, and staying abreast of this situation as well as taking all necessary actions to keep your product protected requires effort.
Created: 24 Sep 2014
LET'S GET STARTED!