The advancement of mobile technologies, coupled with the lack of security knowledge and awareness among users, has led to an increasing number of attacks focused on exploiting vulnerabilities in mobile applications. This is why the security of these applications has taken on fundamental importance to protect user data. Conducting security audits has become an essential phase in the development cycle of any application.
In recent years, the use of cell phones has increased sharply and statistics indicate that global mobile data traffic will grow by 573.24% between 2017 and 20221. Sending messages through social networks, checking email, surfing the Internet, using GPS, shopping, controlling home automation, or making bank transfers are all actions that can be performed from a mobile device. The use of mobile devices is replacing the use of computers and laptops. So much so, that it is estimated that almost 80% of internet usage in 2018 was via mobile2.
There are three potential attack vectors in mobile technology: the operating system, the network and the applications. Threats to operating systems are further divided into threats to Android devices and threats to iOS devices. Each of these operating systems has vulnerabilities that can be exploited locally or remotely. In terms of network threats, attackers can use malware or social engineering to route all traffic from a device through a controlled proxy, being able to inspect all data sent through the proxy. Finally, applications represent another attack vector in mobile technology due to the lack of security in them, or the installation of applications with malware, which pose an undeniable risk to users.
Of these three attack vectors, applications are the fastest growing, being the target of most attackers. In addition to all this, the number of applications is increasing year by year and with it, the number of downloads, with a forecast of 160 billion downloads in 20233. Additionally, to date, developers have prioritized the functionality and usability of applications over their security, resulting in applications that can be used to perform various operations but with large security gaps.
Lack of awareness among users is another key point exploited by attackers. Maintaining default passwords or setting insecure passwords and settings allows attackers to bypass application security layers to infect devices or steal user data.
For all these reasons, security audits are essential to develop secure applications and reduce both the probability of receiving an attack and the impact of a successful attack. Organizations are gradually becoming aware of this and more and more applications are being subjected to security audits.
But what does a security audit of a mobile application consist of?
Mobile application audits provide insight into the security status of an application and its level of risk. Security auditors analyze the mobile application in order to detect vulnerabilities and propose solutions to correct them.
There are six main areas into which a mobile security audit is divided4:
- Local data storage: Protecting sensitive data such as user credentials and sensitive information stored both locally and in the cloud is crucial in mobile security, where loss or theft of a device is more common than for other devices.
- Communications with endpoints: A basic requirement of mobile applications is to establish encrypted communication channels via TLS to exchange information over the network.
- Authentication and authorization: Security auditors should be aware of the advantages and disadvantages of different authentication frameworks and architectures.
- Interaction with the mobile platform: Interaction between applications and operating systems must be done securely, granting the minimum permissions to the system to access certain APIs.
- Code quality: Although mobile applications are not as vulnerable to Cross-Site Scripting attacks, programmers should follow a good practice guide to develop secure code.
- Anti-tampering and reverse engineering mechanisms: Although it is advisable to implement code obfuscation mechanisms, they should not replace other security mechanisms.
Types of mobile security audits
In a mobile application audit, as in a web application audit, there are two types: static and dynamic.
- In static security audits, a review of the application code is performed without the application code being executed. Through the installation packages of the applications (APK for Android and IPA for iOS) an unpacking and decompiling of the application is performed in order to access the source code and configuration files of the application. Security auditors analyze both code and configuration files for insecure functions and settings, user names and passwords, and any information that could be used by an attacker.
- In dynamic security audits, the running application is analyzed. These tests analyze the traffic generated, the security of data transmission, the application’s data storage or how the application interacts with the device.
It is recommended that in a security audit of a mobile application both static and dynamic tests are performed, since sometimes the results of static and dynamic tests differ, so performing both allows auditors to have more complete and reliable results.
Main threats
The most widely known and used methodology for performing mobile application security audits is the OWASP Mobile Security Project methodology, and in particular, the OWASP Mobile Security Testing Guide Version 1, OWASP Mobile Application Security Verification Standard Version 1 and OWASP Mobile Top 10 – 2016. The latter proposes the 10 most important security risks facing mobile applications5:
Code | Risk |
M1 | Inappropriate use of the platform |
M2 | Insecure data storage |
M3 | Insecure communication |
M4 | Insecure authentication |
M5 | Insufficient cryptography |
M6 | Insecure authorization |
M7 | Code quality |
M8 | Modification of the code |
M9 | Reverse engineering |
M10 | Superfluous functionality |
Conclusion
An application should be seen as a triangle with three vertices: functionality, usability and security, with each vertex directly influencing the other two. This is why functionality or usability should not be prioritized, as it would compromise the security of the application. Audits of mobile applications play a fundamental role in their security, as they allow vulnerabilities to be discovered so that developers can implement the appropriate measures to keep the application’s security at an acceptable level of risk.
References
1 – https://techjury.net/stats-about/mobile-vs-desktop-usage/
2 – https://www.statista.com/statistics/271405/global-mobile-data-traffic-forecast/
3 – https://www.statista.com/statistics/1010716/apple-app-store-google-play-app-downloads-forecast/
4 – https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
5 – https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
Jaime Caraza Luis