So often, mobile devices are assumed to be the causes of security incidents or breaches, but mobile applications usually serve as the attack vector. In 2018, one in 36 mobile devices had high risk apps installed. There were 2,328 variants of mobile malware. Only about 50% of mobile apps were running on the newest, major iOS version and 19% for Android. Mobile applications and their risks aren’t something you can avoid. What does this mean for your business? You need to defends the mobile applications you have built from hackers and cyber threats. Are you performing penetration testing on your mobile applications to validate your security efforts? Let’s discuss the risks associated with mobile applications and how KirkpatrickPrice’s penetration testing methodologies are effective for securing your business.
Why Test Mobile Applications?
Mobile applications provide a large surface area of attack and are often a weak link in a company’s security posture. Does your app connect with backend servers? How is information stored on the device? Is there a chance information may be hardcoded into the program code? So many things can go wrong with iOS or Android mobile applications, which is why organizations must protect them through penetration testing. During 2018, Symantec blocked an average of 10,573 malicious mobile apps per day. Do you want to be considered a high risk app?
According to OWASP’s Mobile Security Project, the 10 most critical security risks to mobile applications are the following:
- Improper Platform Usage
- Insecure Data Storage
- Insecure Communication
- Insecure Authentication
- Insufficient Cryptography
- Insecure Authorization
- Client Code Quality
- Code Tampering
- Reverse Engineering
- Extraneous Functionality
To complement these critical security risks, OWASP and ENISA collaborated to set a joint set of mobile controls and design principles determined to be best practice, which include:
- Identify and Protect Sensitive Data on Mobile Devices
- Handle Password Credentials Securely on Mobile Devices
- Ensure Sensitive Data is Protected in Transit
- Implement User Authentication, Authorization, and Session Management Correctly
- Keep the Backend APIs (Services) and the Platform (Server) Secure
- Secure Data Integration with Third-Party Services and Applications
- Pay Specific Attention to the Collection and Storage of Consent for the Collection and Use of the User’s Data
- Implement Controls to Prevent Unauthorized Access to Paid-For Resources
- Ensure Secure Distribution/Provisioning of Mobile Applications
- Carefully Check Any Runtime Interpretation of Code for Errors
Has your organization analyzed the security of your iOS or Android mobile applications against these 10 risks? Have you built mobile applications that align with these mobile controls and design principles?
Timehop is a perfect example of how mobile applications can impact our day-to-day lives and how, when a breach happens, it can truly scare users. Timehop is a memory-sharing app enabling users to distribute posts from the past by connecting to their social networks and photo storage apps. In 2018, the app experienced a breach where up to 21 million users were impacted. Because of Timehop’s connection to users’ social networks, the company had to be very clear about what happened and the types of data that were breached. Timehop came straight out and admitted that the breach was due to a lack of appropriate MFA on access credentials, which resulted in network intrusion. In their security incident report, Timehop went above and beyond the norm in order to be as transparent as possible. Timehop’s incident response approach was extremely transparent and accessible, one of the most thorough that we’ve seen – and we think it’s because they recognized the impact mobile applications have on users’ lives.
How is Penetration Testing Performed on Mobile Applications?
We find that many mobile security analysts are lacking in the knowledge and expertise they need to thoroughly test a mobile application. With all the types of technology available to organizations across different industries, there is a lot of ground to cover and a lot of expertise required to properly perform penetration testing on mobile applications. At KirkpatrickPrice, our approach is in-depth, and we dig deep to try and find any issues that may exist.
Effective penetration testing on iOS or Android mobile applications requires a diligent effort to find weaknesses, just like a hacker would. KirkpatrickPrice methodologies are unique and efficient because they do not rely on static techniques and assessment methods. Our penetration testing methodology is derived from various sources including the OSSTMM, Information Systems Audit Standards, CERT/CC, the SANS Institute, NIST, and OWASP.
What is mobile application penetration testing and how could it secure your organization? If you want to avoid the consequences of a compromised mobile application while working with an expert ethical hacker, contact us today.