Ah, the mobile apps. They have become a crucial part of our lives. We are trusting them with personal data, pictures, texts, photos, e-mails, even bank accounts and Social Security Numbers. But what if, one day, a bad person gains access of all that information? Imagine what could any evildoer transform your life into if granted access to all data stored on your iPhone and Cloud Services? I believe the strike would be devastating, to say the least.
That’s why we, QA engineers, Pen testers and White Hats conduct mobile security testing. But this is becoming more and more challenging as mobile apps become more complex and even the slightest breach may be an entry point for a skilled hacker. The worst part is that these breaches do not have to be in data storages themselves, they may be anywhere in the app and still they will present potential danger. So what would be the appropriate penetration testing process flow?
- Start with defining the policy. The policy is what transforms the strategy into action. You must always pay attention to updating your project’s mobile security policy. This is your key to ensuring data is secured, safe and available only to those people who are authorized to view it. End, as a bonus, responsibility is shared between everybody who is involved in the project.
- Now pay attention to the platform your solution will be running on. Does it have any dangers, or may the platform, when your app is installed be the gateway for potential malware or other hack attempts?
- Then come mobile device ports: UPD and TPC, to be exact. Check the ports, if possible and possible ways of infiltrating your app through them or through wireless networks like 3G or Wi-Fi. Make sure your shoals are up and no evildoer will break through your defenses there.
- One thing lead to another. Do you have third party apps involved in the project? Perhaps hackers may use them to reach your project’s soft belly? Of any other app (malware), installed on a device may do so?
- Check out all app endpoints. Check if earlier releases or versions that are no longer supported may lead hackers to your app through these endpoints.
Surely those are far from all possible activities that may be performed in pen testing sessions. If you wish to read a little bit more check out our posts: