Technical skills and awareness of IT possibilities have reached a very high level. There are plenty of opportunities for developers to create great applications. However, hackers have enormous power as well and they use the “holes” in the apps to their benefit in order to extort money or data.
Have you ever wondered how valuable your data is and how you “sell” yourself on the Internet? Many times, if you have to choose between a free or paid application, you choose the first option. This way you create the opportunity for your data to be collected.
The OWASP (Open Web Application Security Project) organisation offers many helpful projects and tools, which can be used during development and testing. The “Top 10 Mobile Risks” is a list of the most important areas of mobile application security.
However, how can a person who has no access to the application code or no knowledge of penetration testing verify the basic points of application security?
The security of the application should be ensured by the developers during the implementation phase and verified during a review conducted by another developer in static tests. There are also certain other ways to check security by testers in dynamic tests.
Now, let’s take a look at mobile apps designed for iPhones and iPads.
Insecure Data Storage
Devices collect a vast amount of data during app usage. It’s crucial to find out which data points are saved and whether they are encrypted correctly.
Many apps need to save user credentials and keys to make it easier to use the application, to collect information about the session, to make the app up-to-date with the state of the backend, or to simply store the user’s preferences. The data is stored in files. In iOS apps, the following folders should be checked:
- Library/Application Support/
Data in the Keyboard Cache
All of the data entered by the user can be saved in the keyboard dictionary, which is stored in the directory /private/var/mobile/Library/Keyboard/.
The test should check whether any sensitive data is stored in the file dynamic-text.dat.
Communication With the Server
Most mobile apps are connected to the Internet, so communication should be secure in order to avoid exposure. Sensitive data should be sent over secure channels, and all requests should be sent over an SSL socket or HTTPS (instead of HTTP).
It is very important to check the logs when a user enters sensitive data into the app: verify whether that data is visible in the logs or is sent to the server as unencrypted strings.
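To make the data-storage and logging checks above repeatable, here is an added Python helper (not part of the article): the tester types known canary values into the app, then scans the app's cache files (such as dynamic-text.dat) and the device log for those values in UTF-8, UTF-16 and URL-encoded forms. The canary values, sample cache bytes and log lines are constructed for illustration.

```python
import urllib.parse
from pathlib import Path

# Constructed canary values (an assumption, not from the article): the tester
# types these into the app's input fields, then searches files and logs for them.
CANARIES = {
    "password": "CanaryPwd-7731!",
    "card_number": "4111111111111111",
    "session_token": "tok_CANARY_e9f1",
}

def encodings_of(value: str) -> list[bytes]:
    """Byte patterns a value may take on disk: UTF-8 and UTF-16 (LE and BE)."""
    return [value.encode("utf-8"), value.encode("utf-16-le"), value.encode("utf-16-be")]

def scan_bytes(blob: bytes, canaries: dict = CANARIES) -> set[str]:
    """Names of the canaries present in a file's raw bytes, in any encoding above."""
    return {name for name, value in canaries.items()
            if any(pattern in blob for pattern in encodings_of(value))}

def scan_files(paths, canaries: dict = CANARIES) -> dict[str, set[str]]:
    """Map each readable file to the canaries it contains (files without hits omitted)."""
    hits = {}
    for p in map(Path, paths):
        if p.is_file():
            names = scan_bytes(p.read_bytes(), canaries)
            if names:
                hits[str(p)] = names
    return hits

def scan_log_lines(lines, canaries: dict = CANARIES) -> list[tuple[int, str]]:
    """(line number, canary name) for every canary appearing in cleartext in a log.
    URL-encoded forms are matched too, because request URLs often end up in logs."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for name, value in canaries.items():
            if value in line or urllib.parse.quote(value, safe="") in line:
                findings.append((no, name))
    return findings

# Constructed sample data standing in for a keyboard cache file and a device log.
SAMPLE_CACHE = b"\x00\x01junk" + "CanaryPwd-7731!".encode("utf-16-le") + b"\x00more"
SAMPLE_LOG = [
    "2024-01-01 10:00:01 App[123] login started",
    "2024-01-01 10:00:02 App[123] GET /api/me?session=tok_CANARY_e9f1",
    "2024-01-01 10:00:03 App[123] POST /login body=pwd%3DCanaryPwd-7731%21",
]

if __name__ == "__main__":
    print("cache leaks:", scan_bytes(SAMPLE_CACHE))
    print("log leaks:", scan_log_lines(SAMPLE_LOG))
```

Point `scan_files` at the files pulled from the device's app sandbox and `scan_log_lines` at the captured console output; any hit is a finding to report.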
There are a few areas which should be verified to check authentication.
Firstly, verify whether users are correctly authenticated by the server. Try different login/password combinations and check whether the server returns an appropriate error.
After a few failed login attempts, the account should be blocked (but this should be specified in the requirements).
Changing the Password
Secondly, regarding the change and reset password options, make sure that after users change their password, they are automatically logged out by the server and cannot access the data before they enter the new one.
The next point is to verify that the session has been terminated. This can be tested in two ways: after logging out and after a session timeout. In both cases, try to send a request to the server using the token or session ID of the previous session and check that the server returns an error.
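The session-termination check described above, written out as an added Python example (not the article's own code): log in, terminate the session by logout or by timeout, then replay the old token and expect a 401. The `StubBackend` class and the alice/CanaryPwd-7731! account are constructed stand-ins for the real server so the check runs offline; against a real app the same three calls (login, logout, an authenticated request) would be made over HTTPS.

```python
import time
from dataclasses import dataclass, field

@dataclass
class StubBackend:
    """Hypothetical in-memory server so the check runs offline; the
    revokes_on_logout flag models the weakness being tested for."""
    revokes_on_logout: bool = True
    timeout_s: float = 0.2                          # idle timeout, shortened for the demo
    _sessions: dict = field(default_factory=dict)   # token -> expiry (monotonic seconds)
    _counter: int = 0

    def login(self, user: str, password: str):
        if (user, password) != ("alice", "CanaryPwd-7731!"):   # constructed test account
            return 401, {}
        self._counter += 1
        token = f"tok-{self._counter}"
        self._sessions[token] = time.monotonic() + self.timeout_s
        return 200, {"token": token}

    def logout(self, token: str):
        if self.revokes_on_logout:
            self._sessions.pop(token, None)         # server-side invalidation
        return 204, {}

    def profile(self, token: str):
        expiry = self._sessions.get(token)
        if expiry is None or time.monotonic() > expiry:
            return 401, {}
        return 200, {"user": "alice"}

def check_session_termination(backend, user, password, wait_for_timeout=True):
    """Replay the old token after logout and after timeout; return findings
    (an empty list means both termination paths behave correctly)."""
    findings = []
    status, body = backend.login(user, password)
    if status != 200:
        raise RuntimeError(f"login failed with HTTP {status}")
    token = body["token"]
    backend.logout(token)
    status, _ = backend.profile(token)              # replay after logout
    if status != 401:
        findings.append(f"token still valid after logout (HTTP {status})")
    if wait_for_timeout:
        _, body = backend.login(user, password)
        time.sleep(backend.timeout_s + 0.05)
        status, _ = backend.profile(body["token"])  # replay after timeout
        if status != 401:
            findings.append(f"token still valid after timeout (HTTP {status})")
    return findings
```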
One Time Passwords
If multi-factor authentication is in place and the user needs to enter a code received via SMS, check if the code is random or can be guessed somehow.
If the app is configured to receive push notifications, it is important to check that the content of the message does not contain any sensitive data which should not be visible to everyone. If the app is in the background and the user is logged out, tapping on the notification should redirect them to the login page, with no access to the data without logging in.
Authorisation controls what a user has access to. The test should verify whether the user has access only to the appropriate content. In addition, you can try to lower the authorisation level to verify whether the corresponding part of the app becomes unavailable after you have done so.
It is important to check whether any of the files or available settings can be edited or manipulated by anyone with the user’s permissions.
Improper Platform Usage
The tester should verify whether the permissions and access controls in the app are correct and whether or not the application requests unnecessary access permissions.
Security is a crucial area of mobile applications. As you can see, it can be verified on the foundation level without any special knowledge. Start to test the basic elements during your everyday work activities to try to find any potential security loopholes. There are many tools, which can automate the verification process. You can also just check your skills as a white-hat hacker – that would be the next step on your journey to committing yourself to conducting penetration testing.