Mobile security testing challenges: why the stakes are high

TestFortExpert by TestFortExpert on 11/9/2017


While rapid app development gives endless possibilities to its users, it is crucially important to pay attention to mobile security testing because of the threat from attackers. In 2017, the number of cyberattacks doubled compared to the previous year, according to the F-Secure Labs report.

We asked our testers to share practical tips on how to make mobile security testing really effective. So what are the main challenges to consider, and how can they be managed?

Information leak during mobile testing

When an application is at the testing stage, its security controls are still under development, so it is easier for attackers to gain access to it. That makes it a perfect opportunity to collect personal information, because testers mostly use real user data.

Why not use artificial data?

Generating profiles is time-consuming and complicated, and synthetic data rarely gives testers the full picture with all possible permutations.

How to protect data during security testing?

  1. Make policies to regulate the use of real information. Documenting how real data is collected and used lets you control the process and assign responsibility. Make sure you record the type of technology under test and exactly what data you have gathered.
  2. Create a secure testing environment. That means regular malware scanning on the computers testers work on. If you are doing web security testing, make sure the test servers are protected as well.
  3. Minimize access to data. Expose the data only through the APIs the tests actually need, not more. Make sure only experienced testers work with personal data; an inexperienced team is not an option here.
  4. Mask the data. Real names, numbers and other identifying values should be substituted with generated characters before they reach the test environment (this is data masking rather than cryptography, but it is what removes real values from the test set). You do not have to develop your own tooling; any existing character generator can be used, as long as the same real value is always replaced by the same substitute so that relationships between records survive.

Mobile security breaches

Successful testing has to identify and eliminate every possible security breach (leak of personal information). If this is not done properly, user data can be stolen, and a small mistake can cost a lot.

Adobe breach case

In 2013, 38 million active Adobe accounts were compromised, and a dump of about 150 million usernames and encrypted passwords appeared online. The attackers also obtained the source code of numerous Adobe products. The company later paid $1 million in a settlement over violations of the Customer Records Act.

Leaked user data published on AnonNews

Why did it happen?

In its report, Adobe said that the passwords had been encrypted rather than hashed. Adobe used a symmetric cipher with a single key for the whole database, which made the attackers' job easy: with this type of storage, obtaining the one decryption key is enough to recover every password in the database. Worse, the cipher was used in a deterministic (ECB) mode, so identical passwords produced identical ciphertexts, and together with the plaintext password hints stored next to them many passwords could be guessed without the key at all.

Had the passwords instead been hashed with a per-user salt and a slow password hash, each password would have been protected individually: there would have been no single key to steal, equal passwords would not have looked alike, and every one of the 38 million accounts would have had to be cracked separately. The disaster could have been prevented.

What can you do to make sure such a situation does not happen?

  1. Implement automated security checks: password policy and credential checks, server hardening checks, and scans for viruses, spyware and Trojans.
  2. Do penetration testing. To find out whether it is possible to break into your system, work with professional ethical hackers. They will try their methods on your application so you can see the vulnerabilities in action.
  3. Store passwords as salted, slow hashes, never as encrypted values. Hashing protects each password individually, so an attacker cannot unlock the whole database in one step.
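To make the difference between the two storage designs concrete, here is an added example (not Adobe's code, nor the article's) that serves both the explanation of the breach above and point 3: a Python script that stores a constructed set of three passwords first with a single-key deterministic toy cipher standing in for the scheme described above, and then as salted PBKDF2 hashes using only the standard library. The toy cipher, the master key and the account list are assumptions for the demo; only the hashing half is suitable for real use.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; note that two users chose the same password.
SAMPLE_ACCOUNTS = {"alice": "correct horse", "bob": "hunter2", "carol": "correct horse"}

# ---- Weak design: one symmetric key for the whole table, deterministic cipher ----
# Toy cipher for illustration only: XOR with a keystream derived from the key.
# It stands in for the single-key, deterministic encryption described above and
# shares its two fatal properties: one key unlocks every record, and equal
# passwords produce equal ciphertexts.
MASTER_KEY = b"single-key-for-the-whole-database"  # hypothetical


def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_password(password: str, key: bytes = MASTER_KEY) -> bytes:
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def decrypt_password(blob: bytes, key: bytes = MASTER_KEY) -> str:
    return bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob)))).decode()


def encrypted_table() -> dict:
    return {user: encrypt_password(pw) for user, pw in SAMPLE_ACCOUNTS.items()}


def attacker_with_key(table: dict, stolen_key: bytes) -> dict:
    """Everything a thief needs is the dump plus the one key."""
    return {user: decrypt_password(blob, stolen_key) for user, blob in table.items()}


# ---- Sound design: per-user salt, slow one-way hash, no key to steal ----
PBKDF2_ROUNDS = 200_000  # demo value; raise it for production (OWASP lists 600,000 for SHA-256)


def hash_password(password: str) -> str:
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def hashed_table() -> dict:
    return {user: hash_password(pw) for user, pw in SAMPLE_ACCOUNTS.items()}


if __name__ == "__main__":
    enc = encrypted_table()
    print("alice and carol ciphertexts equal:", enc["alice"] == enc["carol"])
    print("recovered with the stolen key:", attacker_with_key(enc, MASTER_KEY))
    hashed = hashed_table()
    print("alice and carol hashes equal:", hashed["alice"] == hashed["carol"])
    print("alice logs in:", verify_password("correct horse", hashed["alice"]))
```

In the encrypted table alice and carol are visibly the same password before any key is stolen, and one key reveals all three; in the hashed table the two entries differ because of the salt, and there is nothing to steal that shortcuts guessing each one.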

What can business owners do to make sure it gets done?

  1. Hire experienced mobile security testers with proven qualifications. Before working with a team, check their portfolio, reviews and achievements. Your users' safety is crucial for your business reputation; you do not want to risk it.
  2. It is more reasonable to use an independent testing team than the one that developed the application. If the project is new to the testers, they bring a fresh look at the situation. You get a second opinion and the app is double-checked.


Automated sign-in procedures in mobile application testing

Most developers and business owners want to offer their app users convenient automated options, such as registration through Facebook or Google accounts or the ability to interact with a social media profile from inside the application. The idea is good in itself and appreciated by users, but it requires a special software security testing approach.

The world, and America in particular, is now concerned about the security of using social media credentials for authorization. People grant access to their personal information without really knowing whom they are giving it to.

Microsoft has published a detailed study that explores the mechanisms of using social media credentials for authentication and authorization. The authors found 8 critical flaws in high-profile ID providers and described the main concerns for users, app testers and business owners.

8 critical issues in high-profile ID providers from Microsoft report

The Guardian has published a Tinder story that is an accurate example of how much personal information an application can hold (in Tinder's case, 800 pages of one user's "deepest, darkest secrets").

What can it mean for business?

If you connect app profiles to social media credentials, you expose yourself to the consequences of a massive data leak elsewhere. Have you heard of the dark net? It is a set of sites where criminals buy and sell people's credentials in terrifying numbers.

You can buy 167 million LinkedIn accounts for $1200

If someone has obtained access to a user's LinkedIn, Facebook or Twitter account, every application that accepts that account for sign-in is in jeopardy as well: the attacker logs into your app with a perfectly valid social login. So if an app collects sensitive health or financial information, think twice about linking it to social media.

If you do decide to implement automated (social) authorization, make sure a professional team of testers works on securing user data, and that the app verifies every token it receives (signature, issuer, audience and expiry) rather than trusting identity data posted by the client.
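As an added example (not from the article, and not from any real identity provider), the following Python script shows the checks a tester should verify on the app's side of a social login. A toy identity provider mints HS256-signed, JWT-style ID tokens; the shared secret, the issuer URL and the app identifiers are assumptions for the demo. The vulnerable variant trusts whatever e-mail the client posts, while the hardened variant rejects tokens that are unsigned, forged, expired, or issued for a different app (accepting a token meant for another relying party is one of the classic single-sign-on logic flaws).

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical identity-provider secret and app identifiers, constructed for the demo.
IDP_SECRET = b"idp-signing-secret"
IDP_ISSUER = "https://idp.example"
OUR_APP_ID = "com.example.healthapp"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, audience: str, email: str, lifetime: int = 300, now=None) -> str:
    """Stand-in for the IdP: an HS256-signed ID token with the usual claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": IDP_ISSUER, "sub": subject, "aud": audience, "email": email,
              "iat": now, "exp": now + lifetime}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def login_trusting_client(posted_email: str, token: str):
    """The flaw: the app takes the e-mail the client posted as the identity and never
    inspects the token, so anyone can log in as any address they choose to post."""
    return {"user": posted_email}


def login_verifying_token(token: str, now=None):
    """Relying-party side: accept only a token our IdP signed, for our app, that is still valid."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, c, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # never accept "none" or a downgraded algorithm
        return None
    expected = hmac.new(IDP_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # forged or tampered
        return None
    if claims.get("iss") != IDP_ISSUER:  # signed by our IdP, not by whoever else
        return None
    if claims.get("aud") != OUR_APP_ID:  # issued for this app, not replayed from another
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:  # expired
        return None
    return {"user": claims["sub"], "email": claims.get("email")}


if __name__ == "__main__":
    t0 = int(time.time())
    good = mint_token("idp-user-42", OUR_APP_ID, "alice@example.com", now=t0)
    other_app = mint_token("idp-user-42", "com.example.someothergame", "alice@example.com", now=t0)
    print("vulnerable, attacker posts any e-mail:", login_trusting_client("victim@example.com", other_app))
    print("hardened, our own token:", login_verifying_token(good, now=t0 + 10))
    print("hardened, token for another app:", login_verifying_token(other_app, now=t0 + 10))
    print("hardened, expired:", login_verifying_token(good, now=t0 + 1000))
```

A tester exercising the login endpoint should try exactly these cases against the real app: a token for a different client ID, an expired token, a token with the algorithm set to none, and a request where the posted e-mail disagrees with the token's subject.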

Check code and parameters during application testing

Code vulnerabilities are an open door for attackers. Even the smallest mistake can be critical when it comes to securing users' personal data. Where should you look for possible danger, and how do you prevent it?

Make sure that UI elements and the SQL behind them are written the right way. Hidden POST and GET parameters (form fields or query values the user never sees but the server trusts) can be a cause of data leakage or of serving inappropriate information: if such a value is pasted into a query without validation or parameter binding, a modified request can read other users' rows.

Is there a universal way to make sure it does not happen? The most sensible way is to scan your code and the running application for vulnerabilities with security testing tools (you can use open source ones such as Grabber or Vega to detect SQL injection and cross-site scripting flaws), and to review every place where a request parameter reaches a query.
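As an added example that is not part of the article, here is the hidden-parameter problem above in Python with an in-memory SQLite table of constructed sample profiles (the table name, columns and rows are assumptions for the demo): a vulnerable lookup that pastes the client's user_id into the SQL string, a parameterized version that keeps the value as data, and a hardened version that also checks the value against the session instead of trusting the client's claim of identity.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample back-end table for the demo (names and rows are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY, email TEXT, blood_type TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?, ?)", [
        (1, "alice@example.com", "O-"),
        (2, "bob@example.com", "AB+"),
        (3, "carol@example.com", "A+"),
    ])
    return conn


def profile_vulnerable(conn, user_id: str):
    """The hidden 'user_id' field is pasted straight into the SQL string.
    A tampered request such as user_id=2 OR 1=1 returns every profile."""
    sql = f"SELECT id, email, blood_type FROM profiles WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def profile_parameterized(conn, user_id: str):
    """Binding the value keeps it data: '2 OR 1=1' is compared as text and matches nothing."""
    return conn.execute("SELECT id, email, blood_type FROM profiles WHERE id = ?", (user_id,)).fetchall()


def profile_hardened(conn, user_id: str, session_user_id: int):
    """Validate the type, bind the value, and do not trust the client's claim of identity at all."""
    try:
        requested = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("user_id must be an integer") from None
    if requested != session_user_id:
        raise PermissionError("client-supplied id does not match the session user")
    return conn.execute("SELECT id, email, blood_type FROM profiles WHERE id = ?", (requested,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("honest request  :", profile_vulnerable(db, "2"))
    print("tampered request:", profile_vulnerable(db, "2 OR 1=1"))
    print("parameterized   :", profile_parameterized(db, "2 OR 1=1"))
    print("hardened        :", profile_hardened(db, "2", session_user_id=2))
```

Parameter binding removes the injection, but note that it does not by itself stop a user from requesting someone else's record with a plain user_id=3; that is why the hardened version ties the lookup to the authenticated session rather than to a hidden field.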

Summary

Here is a list of the most important challenges and activities to consider in mobile security testing. Obviously, there are many more details to pay attention to, but these are crucial.

Secure mobile testing is only possible with a professional team working on it. If security testing is done right, your company is protected from attackers, information leaks and all the problems that follow.

If you want a comprehensive consultation on security testing for your project, feel free to contact us; our professional testers are at your service.
