While rapid app development gives endless possibilities to its users, it is crucially important to pay attention to mobile security testing because of the threat from hackers. In 2017, the number of cyberattacks doubled compared to the previous year, according to an F-Secure Labs report.
We asked our testers to share practical tips on how to make mobile security testing really secure. So what are the main challenges to consider, and how can they be managed?
Information leak during mobile testing
When an application is at the testing stage, its security controls are still being developed. That is why it is easier for hackers to gain access to the application. It is a perfect opportunity to collect personal information, because testers mostly work with real user data.
Why not use artificial data?
Generating artificial profiles is time-consuming and complicated, and it does not give testers the full picture with all possible permutations of real data.
How to protect data during security testing?
Make policies that regulate the use of real information. Documenting how real data is collected and used lets you control the process and assign responsibility. Make sure you record the type of technology being tested and exactly what data you have gathered.
Create a secure testing environment. This means running regular malware scans on the computers testers work on. If you do web security testing, make sure your servers are protected.
Minimize access to data. Use only the APIs that are strictly needed to work with the data, no more. Make sure only professional testers work with personal data; an inexperienced team is not an option here.
Use cryptography. Real letters and digits should be substituted with other characters. You don't have to develop your own security testing tools; any existing character generator can be used.
Mobile security breaches
Successful testing has to identify and eliminate all possible security breaches (leaks of personal information). If this is not done properly, user data can be stolen; a small mistake can cost a lot.
Adobe breach case
In 2013, 38 million Adobe accounts were hacked. 150 million usernames and passwords appeared online, compromising the company's security. Hackers obtained access to the source code of numerous Adobe products. The company paid $1 million for violating the Customer Records Act.
Leaked user data published on AnonNews
Why did it happen?
In their report, Adobe said that the data was encrypted but not hashed. Adobe used a symmetric cipher, which made it easy for hackers to obtain all the data (with this type of cipher, obtaining the single decryption key is enough to gain access to all the information in the database).
However, if the information had been cryptographically hashed, each password would have been protected individually, so it would have been much harder to get access to 38 million accounts. The disaster could have been prevented.
What can you do to make sure such a situation does not happen?
Implement automated security systems that check passwords and server security, and run tests that identify viruses, spyware and Trojans.
Do penetration testing. To determine whether it is possible to break into your system, you can work with professional hackers. They will try their methods on your application so you can see the vulnerabilities in action.
Use hashing: it protects each piece of data individually, so it is impossible for a hacker to gain access to the whole system in one step.
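As an added example (not code from the original article), here is the per-password hashing recommended above, using only Python's standard library: every record gets its own random salt, so there is no single decryption key to steal and two users with the same password do not produce the same stored value. The iteration count, record format and sample accounts are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this illustration (tune for your own platform).
ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'algo$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means identical passwords hash differently,
    unlike a single-key reversible cipher where one key unlocks every row."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Malformed or unknown records are rejected instead of raising."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != ALGO:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_user_table(accounts: Dict[str, str]) -> Dict[str, str]:
    """Map each username to its hashed record; the DB never sees plaintext."""
    return {user: hash_password(pw) for user, pw in accounts.items()}


def records_collide(table: Dict[str, str]) -> bool:
    """True if two users share an identical stored record, which would let an
    attacker learn that they share a password without cracking anything."""
    records = list(table.values())
    return len(records) != len(set(records))


if __name__ == "__main__":
    # Constructed sample accounts: two users deliberately share a password.
    table = build_user_table({"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"})
    print("identical records leaked:", records_collide(table))  # False thanks to per-user salts
    print("alice login ok:", verify_password("correct horse", table["alice"]))
```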
What can business owners do to make sure this is done?
Hire experienced mobile security testers with proven qualifications. Before working with a team, check their portfolio, reviews and achievements. Your users' safety is crucial for your business reputation; you don't want to risk it.
It is more reasonable to use the services of an independent testing team rather than the one that developed the application. If the project is new to the testers, they can take a fresh look at the situation. You get a second opinion and the app is double-checked.
Rules for collecting data
- You can't lose what you don't have. Don't ask for users' credentials where they are not required; refresh your authentication token instead.
- Keep your information in the smallest number of places possible.
- Delete data when it is no longer needed.
- Keep records of who accessed the data and when.
Automated procedures in mobile application testing
Most developers and business owners aim to provide their app users with convenient automated solutions (such as registration through Facebook and Gmail, or the ability to interact with their social media profile within the application). The idea itself is good and appreciated by users, but it requires a special software security testing approach.
The world, and America in particular, is now concerned about the security of using social media credentials for authorization. People give access to their personal information without really knowing who they are giving it to.
Microsoft has recently published a detailed study exploring the mechanisms of using social media credentials for authentication and authorization. The authors found 8 critical flaws in high-profile ID providers and described the main concerns for users, app testers and business owners.
8 critical issues in high-profile ID providers, from the Microsoft report
The Guardian has recently published a Tinder study, an accurate example of how much personal information an application can hold (in Tinder's case, it was 800 pages of "deepest, darkest secrets").
What can it mean for business?
If you connect app profiles to social media credentials, you put yourself at risk of suffering from a massive data leak. Have you heard about the DarkNet? It is a collection of sites where hackers buy and sell people's credentials in terrifying numbers.
You can buy 167 million LinkedIn accounts for $1200
If someone has obtained access to a user's LinkedIn, Facebook or Twitter profile, your application's data is in jeopardy as well. So if an app collects sensitive health or financial information, think twice about linking it to social media.
If you do decide to implement automated authorization, make sure you have a professional team of testers working on securing users' data.
Check code and parameters during application testing
A code vulnerability is an open door for hackers. Even the smallest mistake can be critical when it comes to securing users' personal data. Where should you look for possible danger, and how can you prevent it?
Make sure that UI elements and SQL shortcodes are written correctly. Hidden POST and GET parameters can be a source of data leakage or of serving inappropriate content.
Is there a universal way to make sure this doesn't happen? The most sensible way is to scan your code for vulnerabilities with security testing tools (you can use open-source ones like Grabber or Vega to detect buffer overflows and SQL injection flaws).
Here is a list of the most important challenges and activities to consider in mobile security testing. Obviously, there are many more details you should pay attention to, but these are crucial.
- Ensure a secure testing environment. If you work with real data, create a secure testing environment. Implement detailed policies describing data use and access. Reduce the number of APIs used to work with personal information.
- Use hash functions. Cryptography is a safe way to secure each login, password, ID and any other type of personal information, and it makes it impossible for hackers to access the whole database at once.
- Collect only crucial information. You can't lose something you have not obtained.
- Pay attention to automated processes. Using social media credentials for authentication is a great way to improve the user experience. However, if your app gets hacked, all information will be leaked. An insecure social media profile puts the information in your application in jeopardy.
- Use code scanners to detect vulnerabilities. Defects in code and parameters can cause leaks.
- Resort to professional help.
Secure mobile testing is only possible with a professional team working on it. If security testing is done right, your company is protected from hackers, information leaks and all the problems that follow.
If you want a comprehensive consultation on security testing for your project, feel free to contact our professional testers, who are at your service to help.
Created: 10 Nov 2017