Mobile applications (apps) are everywhere. The iOS App Store is currently home to over 2.2 million apps, while the Google Play store has more than 3.5 million apps in its inventory. The mobile app market is projected to grow by 385% between now and 2021, which is incredible, but instances of mobile ransomware are growing by 415% every year. Don’t let these statistics rain on your parade just yet. There are tools and techniques that organizations can use to limit their exposure. Malware on a user’s phone is only one part of the picture; the vulnerabilities in your own app and the backend it talks to are the part you control, and finding and fixing them before an attacker does means taking a proactive approach to penetration (pen) testing. This article aims to provide you, the reader, with a thorough overview of mobile pen testing as well as the types of pen testing methodologies you can put to use in your organization immediately.
Mobile Penetration Testing
Understanding the ins and outs of how pen tests work and when to conduct one is extremely important. According to a cooperative research project conducted by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), 23% of organizations report having a shortage of pen testers, with penetration testing ranking fourth on the list of cybersecurity skills currently impeding the growth of their organization.
Mobile application penetration testing gives organizations a way to weed out the weaknesses in the app, the backend services it depends on, and the way it handles data, so that they can be patched or compensated for before release. Organizations entering a mobile pen test should approach it as an educational experience rather than a pass/fail exam. The goal isn’t to find the single Easter egg; it’s to find every Easter egg across a variety of distinct attack vectors:
Common Mobile Application Attack Vectors
| Attack vector | Why it matters on mobile |
|---|---|
| Physical security | Mobile phones are frequently lost or stolen. Whether the device is personal or company-owned, it is far more likely than even a laptop to end up in unauthorized hands, putting all the data reachable through the apps on the device at risk. Local storage, caches and log files therefore have to be treated as readable by an attacker with the device in hand. |
| Weaker authentication | Strong passwords (long combinations of letters, numbers and special characters) are harder to type on a mobile keyboard, so users and developers are tempted to weaken them. Enforcing strong authentication or multi-factor authentication is consequently harder on mobile devices. |
| Direct access to data | Traditional client operating systems support multiple users, each with a separate environment. Multi-user support on mobile is limited (Android offers secondary users and work profiles; iOS has no general multi-user mode), and in practice a single PIN or biometric unlocks every app and all of its data. |
| Less safe browsing | Smaller mobile form factors mean that some of the information a desktop browser shows, such as the complete URL, isn’t readily visible to mobile users. This makes a phisher’s life easier because it is harder for the user to see that a site is bogus. |
| Malware | As with any device that connects to the web, mobile devices are under threat from viruses, worms, Trojans, spyware and other malware. New computing environments bring new attack classes; worms that spread through SMS messages or Bluetooth connections are well-known examples. |
A 2017 survey found that 42% of small businesses currently have a mobile app, and 30% plan to build one in the future. Avoiding breaches that originate in a vulnerable mobile app, or in malware that abuses its weaknesses, requires having the app and its environment properly penetration (pen) tested for security vulnerabilities.
One thing to remember is that pen testing web applications is quite different from pen testing mobile applications. Mobile pen testing demands a different approach and setup: the client is a compiled app running on a device the attacker may physically control, not a browser. Mobile apps that store sensitive data on the client side (in local databases, caches, preference files or the platform keychain/keystore) also require a different security approach, because that data has to survive a lost or rooted device, not just a compromised server.
Consider choosing a computer with at least 16 GB of RAM and at least 100 GB of free hard drive (HD) space for setting up the virtual testing environment. You can run emulators inside virtual machines or directly on a workstation, whichever your pen test team prefers. Emulators give penetration testers more control over the test environment and allow snapshots and gold images, so the state of a device can be saved and clean instances of the target platform spun up quickly. That versatility makes it easy to point a pentesting tool or technique at a wide variety of potential targets. In the end, mobile pentesting with emulators gives a team ease of use and considerable cost savings.
Then again, emulators are imperfect simulations of the mobile environment, and some behaviour cannot be reproduced on them at all. One way to increase the value of a pen test is to also perform it on a real, platform-specific device: an Apple iPhone for iOS apps and a Google Nexus or Samsung Galaxy S9 for Android apps. This lets your organization evaluate security features that depend on hardware, such as fingerprint or face biometrics, secure hardware-backed key storage, or camera components that users must engage with to use the app. Pen test teams should also assess how the application behaves on each operating system (OS) version it supports, not just the latest one.
Black Box Pen Testing
Of the two major types of mobile penetration testing (black box and white box), black box testing derives its test cases from a purely external perspective. The pentester is given little or no knowledge of the app, which is why it is also called a “zero-knowledge test.” This lets the pentester behave the way a real attacker would, with access only to publicly available or discoverable information: the published app package, its network traffic, and whatever can be learned by reverse engineering it. If the pentester can break into your mobile app through a vulnerability, a real attacker can do the same. The findings give your team the evidence it needs to pinpoint where the right app security controls must be applied to protect the mobile app environment. Because the results are realistic, the organization gets a clear picture of what an everyday attack would do to it. The trade-off is coverage: with no internal knowledge, a black box test may miss flaws that sit behind functionality the tester never reaches.
White Box Pen Testing
White box pen testing differs from black box pen testing in that the pentester has full knowledge of the mobile app environment. The organization may share the mobile app’s source code, documentation, architecture diagrams and more with the pentester, focusing the testing on the areas that matter most. Since this is the opposite of the black box variety, it isn’t much of a stretch to call it “full-knowledge testing.” Essentially, penetration testers in a white box scenario are handed a map with various “stops” to make along the way, which makes the test more efficient and cost-effective and lets it reach code paths a black box tester might never find. The improvements a white box pen test aims to reveal include stopping insiders, or attackers who have obtained internal knowledge, from using that knowledge to reach sensitive authentication data (SAD) or other information whose loss could put the company out of business.
Mobile Penetration Testing Methodology
A recent study on the state of mobile app security found that a staggering 84% of mobile app users believe that their mobile health and finance apps are adequately secure. That number may sound reassuring to mobile app developers, but it would fall drastically if word got out that a series of mobile data vulnerabilities had been found in these industries. Conducting pentests gives organizations essential knowledge of vulnerabilities in their source code and configuration that could otherwise lead to data exposure later. Closing loopholes and shutting down attack vectors before a mobile app is released is a great way to ensure it remains secure throughout its lifecycle.
A mobile pentest completed before the app is released allows the development team to address issues before they turn into a breach. Before you begin implementing the mobile pen test methodology, make sure you have a more than capable pentester who can document every vulnerability clearly and communicate practical remediation to your team. Once the results come in, your team needs to act quickly to close the gaps before a breach occurs. Here are the main parts of a mobile pentest that you should prepare for.
Mobile Pen Test Preparation
Once your organization makes the wise choice to have a pentest performed on your mobile application(s), it is essential that you prepare accordingly. The first step is to ensure that every stage of the process is clearly defined for both the pentester and the client, so that scope, rules of engagement and expectations are set and maintained throughout. The organization’s part of the preparation is to formulate a data classification policy that labels sensitive data and gives the pentester a single document to refer to during the test. The pentester’s part is to investigate the organization and use every available public source of information to better understand the intended target.
Mobile Attack Staging
Once the pentesting environment and the pentester are prepared, the pentester conducts the first wave of attacks against the client. These attacks are staged around the types of data the pentester identified as the primary goal during preparation, and they work through the client-server tiers of the app. The initial attacks concentrate on the app itself: intercepting and analyzing network traffic between the app and its backend, checking how that traffic is protected, and reverse engineering or debugging the app’s code. From what is learned there, the pentester decides on follow-up attacks against the backend APIs and local storage, using methods such as SQL injection, application fuzzing and parameter tampering to find insecure files with inadequate access controls and API keys embedded in the app package or left in locations the app’s access controls don’t actually protect. Once the pentester has a foothold in the environment without any privileged rights, the goal becomes escalating to administrator-level access and maintaining it for as long as the agreed scope allows, which effectively hands the pentester the keys to the kingdom.
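The “insecure files” and “embedded API keys” part of this phase is largely a static triage job over the unpacked app package. The following script is an added example written for this article, not code from the original page or any particular tool: it walks a directory standing in for an unpacked APK/IPA and flags hardcoded API keys, cleartext http:// endpoints, and files left readable by other users. Every file name, path and content below is a constructed sample, and the regexes, file extensions and entropy threshold are this example’s own choices rather than an exhaustive rule set.

```python
"""Static triage of an unpacked mobile app bundle (added example, constructed data)."""
import math
import os
import re
import stat
import tempfile

# Each pattern captures the value of interest in a group named "v".
SECRET_PATTERNS = {
    # AWS access key IDs have a fixed prefix and length, so a plain regex suffices.
    "aws_access_key_id": re.compile(r"(?P<v>\bAKIA[0-9A-Z]{16}\b)"),
    # Generic key/secret/token assignments in code, JSON or properties files.
    "generic_api_key": re.compile(
        r"(?i)\b[a-z_]*(?:api[_-]?key|secret|token)\b[\"']?\s*[:=]\s*[\"']?"
        r"(?P<v>[A-Za-z0-9_\-]{16,})"
    ),
    # Literal "http://" means https:// URLs are deliberately not flagged.
    "cleartext_endpoint": re.compile(r"(?P<v>http://[A-Za-z0-9.\-]+(?:/[^\s\"'<]*)?)"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; random keys score higher, placeholders lower
TEXT_EXTENSIONS = {".xml", ".json", ".plist", ".properties", ".txt", ".js"}

# Constructed sample contents (AKIAIOSFODNN7EXAMPLE is AWS's published example ID).
STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Constructed Sample App</string>
    <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="analytics_url">https://analytics.example.com/collect</string>
</resources>
"""
CONFIG_JSON = """{
  "api_key": "k3Xq9vL2mZpR7tWy4bNs8dFh",
  "base_url": "http://api.example.com/v1/",
  "placeholder_token": "your_api_key_here"
}
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for c in s:
        counts[c] = counts.get(c, 0) + 1
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def scan_text(rel_path: str, text: str) -> list:
    """Run every pattern over each line; drop low-entropy matches such as placeholders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group("v")
                if name == "generic_api_key" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # "your_api_key_here" and similar stand-ins
                findings.append({"path": rel_path, "line": lineno, "type": name, "value": value})
    return findings


def scan_permissions(root: str) -> list:
    """Flag files readable by other users; on a shared device that is what exposes a cache."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            mode = stat.S_IMODE(os.stat(p).st_mode)
            if mode & stat.S_IROTH:
                findings.append({"path": os.path.relpath(p, root), "type": "world_readable",
                                 "mode": oct(mode)})
    return findings


def triage(root: str) -> list:
    """Text scan over files with known text extensions, then a permission sweep."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() in TEXT_EXTENSIONS:
                p = os.path.join(dirpath, fn)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(os.path.relpath(p, root), fh.read()))
    findings.extend(scan_permissions(root))
    return findings


def build_sample_bundle() -> str:
    """Write the constructed sample files to a temp dir and return its root (POSIX modes)."""
    root = tempfile.mkdtemp(prefix="unpacked_app_")
    files = {
        "res/values/strings.xml": STRINGS_XML,
        "assets/config.json": CONFIG_JSON,
        "files/session_cache.json": '{"session": "constructed-sample-session"}\n',
    }
    for rel, content in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(p, 0o600)
    # Simulate the mistake under test: a credential cache written world-readable.
    os.chmod(os.path.join(root, "files/session_cache.json"), 0o644)
    return root


if __name__ == "__main__":
    for finding in triage(build_sample_bundle()):
        print(finding)
```

On the sample bundle this reports the AWS key ID in strings.xml, the high-entropy api_key and the http:// base URL in config.json, and the 0o644 session cache, while leaving the https:// analytics URL and the low-entropy placeholder alone. In a real engagement the same loop is run over the decoded APK (or the extracted IPA payload) and over the app’s data directory pulled from a test device, and every hit goes into the findings log with its path and line number so the client can reproduce it.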
Documenting and Reporting Findings
Along every step of the way, the pentester documents everything pertinent to the goals specified in the preparation phase of the mobile pen test, including timestamps, source addresses and the exact requests or commands used. Once the test is complete, the pentester reports on every significant vulnerability identified through the staged attacks. For each mobile security flaw in the client’s environment, the pentester must clearly communicate what the issue is and provide the steps the client needs to reproduce the finding and test potential fixes. If malicious activity outside the agreed scope is detected in the environment while the test is running, the pentester’s own records are what allow them to demonstrate that they were not responsible, which is one more reason the logging has to be thorough. The final report should present each vulnerability in context, in a prioritized list with recommendations for fixing the discovered loopholes.
The fact remains that 85% of companies say their organization is at moderate risk when it comes to mobile threats, while 74% say the risk has gone up over the past year. The best way to bring those figures down is for businesses to focus on closing vulnerabilities and data loopholes in their mobile applications through a penetration (pen) test. Following the methodology above for sourcing a qualified pentester and doing the due diligence in preparing a mobile pen test lets the organization reap the benefits of a less risky mobile application and backend that better serves its bottom line. For more information on penetration testing and other cybersecurity solutions, contact RSI Security today to schedule a consultation.