Data security gets a bad rap. What with massive data breaches plaguing news headlines every few months and the number of affected people increasing each year, you’d think that security experts don’t stand up against the hackers and malware of today. But there’s a piece missing to this story.
Most data breaches are a result of not upgrading the security systems until after a breach happens. It’s a tale heard in the security sector time and time again. A massive data breach is reported, a data security firm is hired to mitigate further issues, and millions of Americans are left to settle up with their exposed data.
To avoid this, proper security auditing and mobile penetration testing are two ways companies can adequately secure their operations. And when it comes to companies with a mobile app, mobile pen testing is particularly crucial.
Businesses and Their Mobile App
Nowadays, companies are pushed to build their own apps. It doesn’t matter if they’re a restaurant, a clothing store, or if they’re in the business of killing cockroaches; if you want to build customer support and brand awareness, you need an app.
The trend continues upward, with 42% of small businesses now claiming that they have their own mobile app. These apps typically offer discounts and special deals, allow customers to build up points, and earn free products — all this in exchange for one vital piece of information: the consumer’s credit card.
With this data comes a responsibility from companies to ensure they have the most up-to-date security system in place. But how can a company guarantee this?
Enter: Mobile Penetration Testing
To determine the strength of a mobile app’s security, you can perform what’s known as mobile penetration testing — or the more provocative sounding “ethical hacking.” This allows testers to analyze a program or security system and determine the weak points.
There are five stages to mobile penetration testing:
- Exploration mode
- Deep dive into the source code
- Staging an attack
- Revealing vulnerabilities
- Fixing and securing
Stage 1: Exploration Mode
In the preliminary stage, the tester will investigate the application or program from both the client-side and server-side. It involves determining all the information possible about the mobile application platform to determine what is available for everybody to see. This is a replication of research a genuine hacker or malware creator would perform.
Exploration mode includes all of the following:
- Open-Source Intelligence – Going by the acronym OSINT, open-source intelligence is the process of discovering what code and information are available about the platform online. This could be known bugs, forums where people discuss the platform, leaked source code, and even information that’s available on the dark web.
- The Platform – The tester will also familiarize themselves with the platform, determining all entryways and areas of importance. For example, if there’s a purchasing platform on the site, knowing whether the data will be collected on a third-party site or within the application itself will reveal what vital information can be obtained by a data breach.
- Security Considerations – What third-party platforms does the application communicate with? How does the application interact with anti-malware software and firewalls? Are there possibilities for jailbreaking? These are all security considerations that will be determined when exploring the application.
- Collected User Information – The tester will also determine what user information is collected on the site. That could include cookies, browser history, financial information, login information, and other sensitive data.
When a company experiences a data breach, the exploration stage is of vital importance. It reveals exactly how the hacker gained access to the site and recreates the experience to determine necessary security provisions. Once the initial discovery is completed, the next step is to perform deep analysis.
Stage 2: Deep Dive into the Source Code
Depending on if this is a black box test or a white box test (discussed below), the next stage for pen testers is to access the source code of the program. This allows them to see behind the curtains and look at the program for what it really is. Not only does it reveal the access points that are available externally to the users, but it shows the hidden access points — the ones that typically have less security surrounding them.
The source code allows the tester to:
- Analyze the program pre- and post-installment – Code can appear secure from a theoretical standpoint. Only once the program is active are you able to determine its practical security. The tester will check the local files and run an archive analysis to determine that there are no modifications or vulnerabilities once the application is installed onto a mobile device.
- Dynamic Assessment – While the application runs on a device, the tester will be able to observe the flow of network traffic between the program and the server.
- Create a threat map – By assessing all avenues of access, the tester can then create a threat map of the program that includes all possibilities:
- Vectors or communication links between a coding database and a remote server
- The unauthorized recording of traffic while the communication link is active
- Sniffing network traffic between the app and the backend of the server
Stage 3: Staging an Attack
With the entire program’s model now understood by the tester, they can leverage their knowledge of the system to stage an attack. The purpose of this is to understand the various degrees of exposure. In some cases, an area is weak to being infiltrated but doesn’t lead to any accessible data. Other cases prove that a small error in the code leaves a company vulnerable to all types of malware.
There are many different attack methods available to the tester, including:
- SQL Injections – When a string of code is injected into an entry field and executed, this is known as a Structured Query Language (SQL) injection. To understand how this can be detrimental to a mobile application, imagine inputting a malicious SQL statement that tells the program to copy all database content to an accessible file.
- Fuzzing – When data is inputted into a system, there are valid and invalid inputs. With invalid inputs, an automated response is set to occur within the system. Fuzzing is automation software that inputs large varieties of data in an attempt to find crash sequences, memory leaks, or other unexpected responses by the program. This provides weak points for potential hacking.
- Web Parameter Tampering – With parameter tampering, the idea is to modify the web’s uniform resource locator (or URL) to gain access to otherwise closed information. This could include changing permissions, credentials, the price of a product, and more.
Once a system weakness is identified and access is granted, the next step is to acquire administrator access. This is done through a process of privilege escalation.
There is a hierarchy within any coding structure. Not all coders will have access to the entire structure and thus cannot push code live whenever they choose. Similarly, on the user end, systems will have hierarchies for who can access what. A typical user will only have access to the program’s basic functionality, whereas the programming team will have access to deeper resources.
Thus, to acquire sensitive information, the tester needs to perform privilege escalation to gain full access to the system. The idea is to take full reign of the system by tapping into the highest form of privilege (which is typically known as administrator access).
From here, accessing hidden folders, revealing user information, and gaining API keys are all possible.
Stage 4: Revealing Vulnerabilities
With the attack on the program a success, it’s time to evaluate the vulnerabilities and what can be done about them. The tester will report back to the company what information they were able to access and by what methods. They will also provide recommendations on how best to remedy the situation and to gain further control of their system.
This is typically done through a rating system, identifying different access points from “very weak” to “very strong.”
Stage 5: Fixing and Securing
- Root Fixes – First and foremost, the code that allowed the penetration tester to access the system needs to be addressed. For this, the tester can work with the original code to identify what went wrong and why they were able to access the system.
- Mobile Security Architecture – Even when a bug in the system allows access, this shouldn’t mean that all keys are handed over. With mobile security architecture, the idea is to program failsafe operations that prevent sensitive information from being disclosed even when a bug enters the system. Proper architecture also allows all the coding information to be ordered and understood from a glance, minimizing the chance that holes in the system exist.
- Routine Audit – Of course, mobile technology is constantly advancing, which means both security systems and malware are competing to one-up the other. To ensure that no entry points are leaving your system vulnerable, routine audits and penetration testing should be administered.
White Box vs Black Box Penetration Testing
White Box Testing
Otherwise known as glass box or clear box testing, WBT is a technique where the tester has access to all information sources the company has to offer. This includes source code, design architecture, and infrastructure details that would help identify weak areas. The idea is to offer the tester as much information as they need to determine how best to infiltrate.
Benefits of White Box Testing
Because the tester has an all-access pass, white box testing is suited for:
- The complete and thorough testing of the entire application
- Identifying weak code or poorly designed structures of code
- Deep evaluation of security, reaching areas that black box testing can’t find
Black Box Testing
When a company provides no information about the application, the penetration tester is performing a black-box test. This is identical to how a real hacker would try to infiltrate the system.
Benefits of Black Box Testing
As opposed to white box testing, BBT is beneficial for:
- Realistic simulations of an actual cyber attack
- Takes less time to evaluate the application
- Typically cheaper than a white box testing
When to Use Mobile Penetration Testing
Mobile penetration testing is a method companies can employ to identify weak areas of their mobile application. Companies should utilize this during various life stages of their apps.
- Brand new app – Before bringing your mobile app to the market, it’s essential to go through a routine mobile penetrating test. This will spot unseen errors in the source code, which may otherwise go unnoticed until the system crashes. Established businesses that are revealing a mobile app as an extension of their services should utilize this service to not lose their customer base’s trust.
- Change in mobile architecture – As your app grows and becomes more advanced, chances are, the architecture will also change. When large structural changes are implemented, use mobile pen testing to identify weak areas of the new code.
- Including an additional third-party vendor into mobile layout – When allowing third-party vendors to access your application, this opens up new network communication channels. To ensure that they are secure, you can run a pen test.
- Comply with industry security standards and regulations – Certain industries have specific security regulations attached to mobile app data. Use penetration testing to ensure you comply with the standards.
- Audit Your System – Confirm that your system is up-to-date and your users’ information is secure with a routine audit and mobile penetration testing.
Secure Your Users’ Data and Trust
With large-scale data breaches frequently reaching the news, consumers are becoming acutely aware of how much sensitive data can be exposed. People place their trust in companies when they sign up for mobile applications or input their credit card information online. And when a breach happens, people are quick to lose trust in a company, which can be nearly impossible to regain.
To secure your users’ data and to ensure that their trust is in good hands, consider mobile penetration testing to identify flaws in your system. With RSI Security, you can audit your mobile app’s security and implement proper mobile architecture to prevent future data breaches.
Wired. Equifax Officially Has No Excuse. https://www.wired.com/story/equifax-breach-no-excuse/
Tech Jury. 51 Jaw Dropping App Usage Statistics & Trends, 2019 [Infographic]. https://techjury.net/stats-about/app-usage/
OWASP. SQL Injection. https://www.owasp.org/index.php/SQL_Injection
GeeksforGeeks. Differences between Black Box Testing vs White Box Testing. https://www.geeksforgeeks.org/differences-between-black-box-testing-vs-white-box-testing/
Marketing Tech. What are the real effects of data breaches on consumer trust? https://www.marketingtechnews.net/news/2019/mar/22/what-are-real-effects-data-breaches-consumer-trust/