Mobile App Security: Testing Checklist for 2017

No matter what purpose you are pursuing while developing a mobile application, your end-product has to provide a solid protection against any possible fraud actions. When there is a break in there will always be a victim. In our case either your customers or your business. One way or another, your company will have to eliminate security holes or even put a project on a hold.

The recent report made by NowSecure shows that almost 25% of all mobile apps have at least one serious vulnerability. Furthermore, using business apps, people are 300% more likely to “share” their login data with third parties.

And do not think that games are the harmless ones. In fact, they are 150% more likely to contain a risky vulnerability than average applications according to NowSecure’s statistics. The company has determined that 35% of all mobile communications are unencrypted and as a result, unsecured. Fortunately, there are the exact ways to avoid mobile data theft. Following our tips will help you make your app protected.

General Application Security Testing Checklist

A multipurpose way to forecast any possible data theft is threat modeling. This is an essential method to determine potential vulnerabilities, rank their risks, and apply as effective countermeasures as possible to reduce those risks or even fully eliminate them.

4 stages of threat modeling:

  1. Creating application decomposition;
  2. Identifying possible threats;
  3. Ranking threat risks;
  4. Determining convenient countermeasures.

However, it is very difficult to foresee all possible threats. This is why we have created a list of points you should check before the release.

Secure Sockets Layer (SSL)

You must implement the secure sockets layer into your project. This point seems obvious but some developers ignore certificates using quick monkey patches instead. Public networks are insecure and cannot guarantee user privacy or data protection. Data encryption is the first step to data safety.

Leaving a Debug Code

Some programmers often leave a debug code in a release. It means this code will be included in the app together with API environments. It makes the whole network infrastructure vulnerable.

User Authentication

Authentication issues usually cause data breaches. Login details have to be highly protected and any authentication attempts must be logged. In the case of repeatedly failed logins, the system has to trigger an account lockout.

Access Control

When a user is authenticated, system access control determines data types that user can either see or modify. It is important to ensure that users do not have the full access to system files in order to avoid possible data breaches caused by third parties who may get such rights in a fraudulent way.

Checklist to Securing Your Mobile Apps on a Base of Android

In this paragraph, we will give step-by-step instructions on how to ensure the security of Android mobile application. One more thing to remember while working with this platform is the necessity to encrypt SQLite databases, especially while storing important data such as login details. There are various tools for this and one of them is SQLCipher. Let’s proceed to the detailed checklist.

Step#1: Penetration Testing for Mobile App Security: Preparing the Environment

If you are a developer, you may skip this step because it describes required settings for the integrated development environment (IDE) called Android Studio.

Setting up Android Studio:

  1. Download and install the Java Development Kit (JDK).
  2. Set the path to the JDK in the newly set JAVA_HOME variable.
  3. Download Android Studio (AS) and then install it.
  4. Create an emulator (Android virtual device – AVD).
  5. Create a virtual device in AS using the menu path Tools-Android-Avd Manager-Create Virtual Device.

After having the virtual device created, set parameters of the device you are using: OS version, RAM etc.

Step #2: Capturing traffic

The proxy tool has to operate as “a man in the middle” to capture traffic from the AVD.

Therefore, you have to do the following:

  1. Export the SSL from your proxy tool.
  2. Save the certificate as proxy.cer.
  3. Run the SSL using the following command: adb push proxy.cer /sdcard/.
  4. Open the root folder of your SD card and proceed to the folder Settings/Security/Install.
  5. Install the SSL on the emulator.
  6. Set the PIN for the AVD.
  7. Set the local interface to 127.0.0.1 in the proxy tool and set the port (four digits).
  8. Run the emulator via the following command: emulator –avd test –no-audio –http-proxy http://127.0.0.1:your 4 digits.

Possible issues:

  • If the emulator crashes use the toggle “-no audio”.
  • If the traffic is not routing use the local host instead of the exact IP address: http://localhost:Portno.
  • If the AVD loads and then immediately crashes follow the path “Tools – Avd Manager – Select Device – View Details” and open the emulator-user.ini file. Then set the parameters: “x=0”; “window.y=0”.

Step #3: Install Necessary Tools

To determine the attack surface, content providers, exploiting activities, and broadcast receivers, you can use the Drozer tool.

Drozer Settings:

  1. Download and install Drozer running the command: “adb install C:/anypath/drozer.apk”.
  2. Open the .exe file and install the necessary components.
  3. Launch Drozer and switch the embedded server on.
  4. Run the command “adb forward tcp:31415 tcp:31415” to initiate the port transfer.
  5. Run the command “C://Drozer> Drozer console connect” to connect the agent to your server.

Now you can proceed to setting up the another useful tool to ensure security for mobile applications of yours.

APKtool

This tool is aimed at testing such issues as tamper checks, app logic bypass, pinning bypass, etc. To launch the tool, follow the list:

  1. Download APKtool.
  2. Install APKtool using the instructions.
  3. Run the command: “adb install c:\your-application-path\your-application-name.apk”.

The “Man in the Middle” Proxy

In this paragraph, we will describe how to capture the traffic with Wi-Fi and an Android device.

The to-do list:

  1. Connect your smartphone and computer to the Wi-Fi.
  2. Proceed to “Settings-Wi-Fi”, press, and hold the clickable network name.
  3. Select “Modify Network Config” in the appeared menu, proceed to “Advanced Settings”, and set the “Proxy Settings” as “Manual”.
  4. Set the proxy hostname (your IP address) and the post (four digits).
  5. Set the Proxy interface as “ALL” and set the same port as before.

Now, the proxy has to capture the SSL traffic.

Step #4: Reviewing the Manifest File

The Androidmanifest.xml file is usually used for packaging an Android binary. This file keeps such data as intents, services, permissions, broadcasts, etc. In fact, this is a typical configuration file.

Getting the Access

Changing the binary extension from .apk to .zip will allow to get the manifest file. Use APKtool to convert it into a readable format by disassembling the binary with the command: “Apktool d pathtothebinary\binaryname”.

Reviewing Elements

Then review the following elements:

  1. Check the package name uniqueness.
  2. Check whether your application requests unnecessary permissions (use the attribute “android:protectionLevel” for determination).
  3. Check the value of the “View account statement activity” (it has to be set as false – “android:exported=”false”).
  4. Check the values of the backup and debugging attributes (the necessary values are: “android:debuggable=”false” and “android:allowBackup=”false”).
  5. Set the value “24” for the attribute “android:mindSdkVersion”.

These are all actions required for accurate review. If you need to check how secure your iPhone app is we have prepared the corresponding to-do list.

iOS Mobile Application Testing Checklist

We are not going to list all potential malicious actions you can face while working on your app because the list can become actually endless. However, our tips will help you ensure the security of your application.

Static Code Review

Follow the list to review your static code:

  1. Does your system use NSLog? If it does, the NSLog has to be used only in a debug build.
  2. All URLs have to be secure (HTTPS).
  3. Check whether any local file path is not hardcoded.
  4. Check the dependencies for the latest patches and versions.
  5. Ensure no using of any private API.
  6. Check whether there are no private keys embedded in the code.
  7. Review the code: there has to be no unreachable or a dead one.
  8. Review the correctness of entitlements.
  9. Ensure the absence of the direct branch to “useCredential:forAuthentiationChallenge” in the following method “connection:willSendRequestForAuthenticationChallenge”.
  10. Ensure your app uses IDFV and IDFA.
  11. Check the correctness of provisioning profile/certificate configuration for application signing.
  12. There have to be checks against SQL injections.

Log Data Review

Follow the list to review the runtime of log data:

  1. Logging has to be applied only to a file.
  2. Log files have to be deleted regularly.
  3. Log rotation has to be implemented.
  4. Ensure the absence of sensitive data in the log.

Network Review

Follow the list to review the network runtime:

  1. Check whether a server has a countermeasure against a crime and a breach attack.
  2. A client app has to utilize certificate pinning and have a countermeasure against a breach attack.
  3. Review the correctness of the caching policy.

Authentication Security Testing Checklist

Follow the list to review the authentication process:

  1. Your application has to utilize third-party custom authentication.
  2. Check whether the login user interface masks a password and it has to be uncopyable.
  3. Remember that passwords have to be stored in the keychain.
  4. In case of breached logging in, there must be a possibility to add a CAPTCHA or trigger a 2FA.

Local Storage Review

Follow these tips to review the local storage principles:

  1. Your application has to use local storage.

  2. Any kind of sensitive data has to be encrypted.

  3. The storage has to be cleaned up regularly.

Data Sharing Review

Follow these tips to review data sharing security:

  1. Ensure using a shared keystore for common settings.
  2. Deep URLs and any kind of incoming data have to be validated.
  3. Ensure no sensitive information sending to a third-party application.
  4. Ensure the correctness of group IDs configuration.

IT mobile app security specialists are the people who usually are responsible for guaranteeing the protection of enterprise customers corporate IT assets. However, hiring expensive human resources can be an unliftable load for most CTOs, especially for startup owners.

That is why following our tips will help you save your money and make your application protected from most malicious actions. In case you need any assistance with making your mobile project secure, do not hesitate to contact our team. We will be more than happy to help you!

Comments