The growing adoption of mobile devices has made data protection even more complex, so there is a greater need for visibility into and control of those devices to help ensure compliance and prevent data breaches. A mobile application has many potential weak spots that make auditing it important. Some of them are:
- Insecure Data storage
- Weak Server Side Controls
- Insufficient Transport Layer Protection
- Client-Side Injection
- Poor Authentication and Authorization
- Improper Session Handling
- Security Decisions via Untrusted Inputs
- Side Channel Data Leakage
- Broken Cryptography
- Sensitive Information Disclosure
Security risks associated with mobile applications can often be identified and mitigated through security testing. Mobile application security testing helps an enterprise defend against malware and vulnerabilities and deliver secure applications and application platforms. The main approaches are:
1. Static Analysis:
Static analysis employs automated tools to analyse the application's source code. Because it is performed during the implementation phase of the SDLC on small segments of code, it detects vulnerabilities at a very early stage and suggests potential remediation. It is also performed during the testing phase on the integrated code to verify the availability and accountability of the application.
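The following is an added example, not code from the original article: a minimal static-analysis pass in Python that scans Android-style source text line by line against a few pattern rules, each mapped to one of the weak spots listed above (insecure data storage, insufficient transport-layer protection, broken cryptography, sensitive information disclosure). The rule names, the regular expressions and the `LoginActivity` sample source are all constructed for illustration; real tools use parsers and data-flow analysis rather than line regexes, but the idea of flagging known-bad API usage early, before the code is integrated, is the same.

```python
import re
from dataclasses import dataclass
from typing import List, Pattern, Tuple


@dataclass(frozen=True)
class Finding:
    """One flagged line: which rule fired, where, and the offending text."""
    rule: str
    line_no: int
    line: str


# Illustrative rules (constructed for this example). Each maps a code pattern
# to the weak-spot category it indicates.
RULES: List[Tuple[str, Pattern[str]]] = [
    ("insecure-data-storage: world-readable/writeable file mode",
     re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
    ("insufficient-transport-protection: cleartext http:// URL",
     re.compile(r"[\"']http://")),
    ("insufficient-transport-protection: permissive hostname verifier",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("broken-cryptography: weak cipher or ECB mode",
     re.compile(r"Cipher\.getInstance\(\s*[\"'](DES|RC4|AES/ECB)")),
    ("sensitive-info-disclosure: secret written to log",
     re.compile(r"Log\.[dviwe]\(.*(password|token|secret)", re.IGNORECASE)),
    ("sensitive-info-disclosure: hard-coded credential",
     re.compile(r"(password|api_?key|secret)\s*=\s*[\"'][^\"']+[\"']", re.IGNORECASE)),
]


def scan_source(source: str) -> List[Finding]:
    """Run every rule over every non-comment line and collect the hits."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # comment-only lines are skipped to reduce noise
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, line_no, stripped))
    return findings


# Constructed sample source exhibiting several of the weak spots at once.
SAMPLE_SOURCE = """\
public class LoginActivity {
    private static final String API_KEY = "sk_live_EXAMPLE_ONLY";
    void save(Context ctx, String pw) {
        SharedPreferences p = ctx.getSharedPreferences("creds", Context.MODE_WORLD_READABLE);
        p.edit().putString("password", pw).apply();
        Log.d("Login", "password=" + pw);
    }
    String endpoint() { return "http://api.example.test/login"; }
    Cipher c() throws Exception { return Cipher.getInstance("AES/ECB/PKCS5Padding"); }
}
"""


def flagged_lines(source: str) -> List[int]:
    """Convenience: the sorted, de-duplicated line numbers with at least one finding."""
    return sorted({f.line_no for f in scan_source(source)})


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}\n    {f.line}")
```

Running the block prints one finding per flagged line of the sample (lines 2, 4, 6, 8 and 9). Because each rule is a plain regular expression, the scanner is cheap enough to run on every commit; the trade-off, as the text notes for static tools in general, is that it sees only the code, not the running system.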
2. Dynamic analysis
This testing performs deep analysis of a running web application to build a thorough understanding of that application's vulnerabilities. Unlike source-code scanners, a dynamic analysis program has no access to the source code and therefore detects vulnerabilities by actually performing attacks against the running system. Dynamic analysis is performed during the last stages of the implementation phase of the SDLC and is repeated during the testing phase as well as the maintenance/support phase.
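As an added example (not from the original article), the block below shows the black-box character of dynamic analysis: it never reads the backend's code, only its live HTTP responses. A tiny constructed stand-in server (`_DemoBackend`, written here purely so the example runs offline) sets a session cookie without the `Secure` or `HttpOnly` attributes, omits `Strict-Transport-Security`, and reveals its version in the `Server` header. The `probe` function requests the page and reports each of those as a finding, covering the "Improper Session Handling", "Insufficient Transport Layer Protection" and "Sensitive Information Disclosure" items from the list above.

```python
import http.server
import re
import threading
import urllib.request
from typing import List


class _DemoBackend(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for an app backend, deliberately misconfigured."""

    def version_string(self) -> str:
        return "DemoBackend/1.0"  # version leaks in the Server header

    def do_GET(self) -> None:
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        # Session cookie without Secure or HttpOnly: improper session handling
        self.send_header("Set-Cookie", "session=abc123; Path=/")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args) -> None:
        pass  # keep the example's output quiet


def start_demo_server() -> http.server.HTTPServer:
    """Bind to an ephemeral localhost port and serve in a background thread."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _DemoBackend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def analyse_headers(headers) -> List[str]:
    """Inspect response headers the way a dynamic scanner would; return findings."""
    findings: List[str] = []
    for raw in headers.get_all("Set-Cookie", []):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks Secure (may be sent over cleartext)")
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' lacks HttpOnly (readable by injected script)")
    if headers.get("Strict-Transport-Security") is None:
        findings.append("no Strict-Transport-Security header (transport downgrade possible)")
    server = headers.get("Server", "")
    if re.search(r"/\d", server):
        findings.append(f"Server header discloses software version: {server!r}")
    return findings


def probe(url: str) -> List[str]:
    """Fetch one URL from the running application and analyse what it returns."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return analyse_headers(resp.headers)


if __name__ == "__main__":
    srv = start_demo_server()
    try:
        for finding in probe(f"http://127.0.0.1:{srv.server_address[1]}/"):
            print("-", finding)
    finally:
        srv.shutdown()
```

The checks are intentionally simple header inspections rather than exploitation attempts, which is the defender-side half of what a dynamic scanner does; the same `analyse_headers` function can be pointed at a staging build of a real backend to confirm that the session and transport settings survive each release.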
3. Manual Penetration Testing
Penetration testing involves the use of various tools and scanners together with manual effort, and it helps uncover complex vulnerabilities that automated scanners miss. It attempts to exploit the vulnerabilities to determine whether unauthorized access or malicious activity is actually possible. Penetration testing is conducted on running systems in a realistic environment. It is performed during the testing and maintenance phases, after automated scanning is complete and the code base is more stable.
Since no single type of testing can discover all possible flaws and vulnerabilities in an application's binary code, several testing techniques must be combined to uncover a wider range of vulnerabilities.