If it isn't already, security testing should be a required process in application development for all businesses. This necessity holds true for mobile apps, the types of which continue to grow. Users can download mobile applications for a myriad of personal uses -- such as entertainment, finances, communication, etc. -- and business reasons.
From a business perspective, when an organization allows employees to download business-related applications on their personal devices, it grants access to the corporation's internal affairs, such as collaboration tools or customer relationship, human resources and financial management applications. As a result, an organization can unknowingly open itself to security concerns when an employee uses a business application on their personal device. It's sadly too common for mobile apps to violate security standards like those from the Open Web Application Security Project.
Let us evaluate the security risks that are critical in mobile applications, which aspects of these apps require the most intense security testing and how to engineer quality security directly into mobile apps.
Security risks for mobile applications
The pathways and endpoints involved in transmitting data between a mobile device and a server comprise critical security risks. During mobile app development, hackers can exploit inadequate security control on the server side, insecure data storage, data leakage and device-server vulnerabilities. Engineers will need to address these risks.
Other areas of concern for mobile application security include authorization, authentication and session handling. Secure authentication can be an issue for mobile apps as longer passwords are more difficult to deal with on smaller devices. Additionally, if some applications reuse tokens for reauthentication purposes, it leaves the app open to hackers to access the tokens and imitate a valid user.
Another potential threat that mobile app developers need to be aware of is malware. If an app's user accesses a malicious application, the malware can also affect the business via the client server.
Engineering security into mobile applications
When it comes to mobile application security, quality engineering beats quality assurance. It's simply more effective to build security into an application rather than to try to find defects after development. Most critical security issues found in later testing result from developers not paying adequate attention to security during the design phase.
Additionally, mobile app security testing should focus on exposing threats and vulnerabilities not only in the apps, but also in the client-server architecture and the APIs where systems access and transmit data.
Developers should thoroughly test early on during application development and continue through deployment to production -- i.e., shift left and right. Furthermore, teams should perform additional security tests before each version upgrade.
Testing teams should start their quality engineering process with a risk assessment in the design phase. The risk assessments goal is to examine the product's nature, including how the app will be accessed and how data will be stored. Teams can use the information from these risk assessments to develop security baselines and requirements for how to build quality into the application.
A comprehensive test approach to building in quality security includes threat assessment, static and dynamic analysis during development, automated scanning and a penetration test.
Tools for mobile app security testing
It's important a team uses tools specifically geared toward mobile security.
For example, ImmuniWeb Mobile Suite offers coverage for not only mobile apps, but also the apps and servers they connect to. Zed Attack Proxy (ZAP) is widely used in the security testing industry and features the ability to send malicious messages for penetration testing. Micro Focus also provides a comprehensive security testing tool that enables end-to-end testing across many browsers, platforms, networks and servers. Kiuwan is an important tool in security testing because it supports static code analysis and software composition analysis, which allows for teams to implement security testing earlier in the development process.
Security testing for mobile apps is one of the most important aspects of an overall test strategy. It's important that teams begin security testing early in the software development lifecycle so they engineer security into the product. Security test coverage must be end-to-end, covering not only the application itself but also the back-end server and the flow of data.