Strategy for Mobile Application Security Testing:
The mobile network has empowered the users to do almost all their business, financial, social operations etc., and hence almost all the companies have launched their own mobile applications.
These apps are extremely efficient and they ease our day to day transactions. But there’s always a big concern about the data safety and security. The transactions happen on a 3G or 4G network thereby becoming a feast for the hackers. There is a 100% possibility of the personal data being available to hackers, be it your Facebook credentials or your bank account credentials.
The security of these apps becomes very vital for the business of any company. This, in turn, generates the need for security testing of all mobile applications and hence is considered as an important testing that is carried out by testers for an app.
This is extremely important for financial, social and commercial apps. In such cases, the application is neither released nor accepted by the customer if the security testing is not done.
Mobile apps are basically classified into 3 categories:
- Web Apps: These are like the normal web applications that are accessed from a mobile phone built in HTML.
- Native Apps: These are apps native to the device built using the OS features and can run only on that particular OS.
- Hybrid apps: These look like native but they behave like web apps making the best use of both web and native features.
Table of Contents:
Overview of Security Testing
Just like functionality and requirement testing, security testing also needs an in-depth analysis of the app along with a well-defined strategy to carry out the actual testing.
Hence I will be throwing light on the ‘challenges’ and the ‘guidelines’ of security testing in detail in this tutorial.
Under ‘challenges’ we will be covering the following topics:
- Threat analysis and modeling
- Vulnerability analysis
- Topmost security threats for apps
- Security threat from hackers
- Security threat from rooted and jailbroken phones
- Security threat from App permissions
- Is security threat different for Android and iOS apps
Under ‘guidelines’ we will be covering the following topics:
- Manual security testing with sample tests
- Web service security testing
- App (client) security testing
- Automation testing
- Testing for Web, Native and Hybrid apps
Challenges Faced by QAs for Security Testing of a Mobile App
During the initial release of an app, it is very important for a QA to do an in-depth security testing of the app. On a broad level, the knowledge collection of the nature of the app, the OS features and the phone features play a vital role in designing a ‘complete’ testing plan.
There’s a plenty to test and hence it is important to analyze the app and chalk out what all needs to be tested.
Few challenges are mentioned below:
#1) Threat Analysis and Modeling
When performing the threat analysis, we need to study the following points most importantly:
- When an app is downloaded from the Play Store and installed, it may be possible that a log is created for the same. When the app is downloaded and installed, a verification of the Google or the iTunes account is done. Thus a risk of your credentials is landing in the hands of hackers.
- The login credentials of the user (in case of Single Sign-on as well) are stored, hence apps dealing with login credentials also need a threat analysis. As a user, you will not appreciate it if someone uses your account or if you log in and someone else’s information is shown in your account.
- The data shown in the app is the most important threat that needs to be analyzed and secured. Imagine what will happen if you log in to your bank app and a hacker out there hacks it or your account is used to post antisocial post and that in turn can land you in serious trouble.
- The data sent and received from the web service needs to be secure to protect it from an attack. The service calls need to be encrypted for security purposes.
- Interaction with 3rd party apps when placing an order on a commercial app, it connects to net banking or PayPal or PayTM for money transfer and that needs to be done through a secure connection.
#2) Vulnerability Analysis
Ideally, under vulnerability analysis, the app is analyzed for security loopholes, the effectiveness of the counter measures and to check how effective the measures are in reality.
Before performing a vulnerability analysis, make sure that the whole team is ready and prepared with a list of the most important security threats, the solution to handle the threat and in case of a published working app, the list of the experience (bugs or issues found in previous releases).
On a broad level, perform an analysis of the network, phone or OS resources that would be used by the app along with the importance of the resources. Also, analyze what are the most important or high-level threats and how to protect against the same.
If an authentication for accessing the app is done, then is the authentication code written in the logs and is it reusable? Is sensitive information written in phone log files?
#3) Top Most Security Threats for Apps
- Improper Platform Usage: Maltreat of features of the phone or OS like giving app permissions to access contacts, gallery etc., beyond a need.
- Superfluous Data Storage: Storing unwanted data in the app.
- Exposed Authentication: Failing to identify the user, failing to maintain the user’s identity and failing to maintain the user session.
- Insecure Communication: Failing to keep a correct SSL session.
- Malicious Third-Party Code: Writing a third-party code which is not needed or not removing unnecessary code.
- Failure to apply server-side controls: The server should authorize what data needs to be shown in the app?
- Client Side injection: This results in the injection of malicious code in the app.
- Lack of data protection in transit: Failure to encrypt the data when sending or receiving via web service etc.
#4) Security Threat from Hackers
The world has experienced some of the worst and shocking hacks even after having the highest possible security.
In 2016 December, E-Sports Entertainment Association (ESEA), the largest video gaming warned its players for a security breach when they found that sensitive information like name, email id, address, phone number, login credentials, Xbox ID etc., had been leaked.
There is no specific way to deal with hacks because hacking an app varies from app to app and most importantly the nature of the app. Hence to avoid hacking try getting into the shoes of a hacker to see what you can’t see as a developer or a QA.
(Note: Click on below image for an enlarged view)
#5) Security Threat from Rooted and Jailbroken Phones
Here the first term is applicable to Android and the second term is applicable to iOS. In a phone, not all the operations are available to a user like overwriting system files, upgrading OS to a version that is not normally available for that phone and some operations need admin access to the phone.
Hence people run software that is available in the market to attain full admin access to the phone.
The security threats that rooting or jailbreaking poses is:
#1) The installation of some extra applications on the phone.
#2) The code used to root or jailbreak may have unsafe code in itself, posing a threat of getting hacked.
#3) These rooted phones are never tested by the manufacturers and hence they can behave in unpredictable ways.
#4) Also, some banking apps disable the features for rooted phones.
#5) I remember one incident when we were testing on a Galaxy S phone which was rooted and had Ice-cream Sandwich installed on it (although the last version released for this phone model was Gingerbread) and while testing our app we found that the login authentication code was getting logged in the log file of the app.
This bug never reproduced on any other device but only on the rooted phone. And it took us a week to fix it.
#6) Security Threat from App Permissions
The permissions that are given to an app also pose a security threat.
Following are the highly prone permissions that are used for hacking by attackers:
- Network-based Location: Apps like location or check in etc., need permission to access the network location. Hackers use this permission and access the location of the user to launch location-based attack or malware.
- View the Wi-Fi state: Almost all the apps are given permission to access the Wi-Fi and malware or hackers use the phone bugs to access the Wi-Fi credentials.
- Retrieving Running Apps: Apps like battery saver, security apps etc., use the permission to access the currently running apps, and the hackers use this running apps permission to kill the security apps or access the information of the other running apps.
- Full Internet Access: All apps need this permission to access the internet which is used by hackers to communicate and insert their commands to download the malware or malicious apps on the phone.
- Automatically start on boot: Some apps need this permission from the OS to be started as soon as the phone is started or restarted like security apps, battery saving apps, emails apps etc. Malware uses this to automatically run during every start or restart.
#7) Is Security Threat different for Android and iOS
While analyzing the security threat for an app, QAs have to think even about the difference in Android and iOS in terms of the security features. The answer to the question is that yes, the security threat is different for Android and iOS.
iOS is less susceptible to security threat when compared to Android. The only reason behind this is the closed system of Apple, it has very strict rules for app distribution on the iTunes store. Thus the risk of malware or malicious apps reaching the iStore is reduced.
On the contrary, Android is an open system with no strict rules or regulations of posting the app on the Google Play store. Unlike Apple, the apps are not verified before being posted.
In simple words, it would take a perfectly designed iOS malware to cause damage as much as 100 Android malware.
Strategy for Security Testing
Once the above analysis is completed for your app, as a QA you now need to chalk down the strategy for the testing execution.
Given below are few pointers on finalizing the strategy for testing:
#1) Nature of the app: If you are working on an app which deals with money transactions, then you need to concentrate more on the security aspects than the functional aspects of the app. But if your app is like a logistics or educational or social media one, then it may not need an intensive security testing.
If you are creating an app where you are performing money transactions or redirecting to bank websites for money transfer then you need to test each and every functionality of the app. Hence, based on the nature and purpose of your app, you can decide how much security testing is required.
#2) Time required for testing: Depending on the total time allocated for testing you need to decide on how much time can be dedicated to security testing. If you think you need more time than allocated then talk to your BA and manager ASAP.
Based on the time allocated prioritize your testing efforts accordingly.
#3) Efforts needed for testing: Security testing is quite complex when compared to the functionality or UI or other testing types as there are hardly any project guidelines given for it.
As per my experience, the best practice is to have at most 2 QAs perform the testing rather than all. Hence the efforts required for this testing need to be communicated well and agreed upon by the team.
#4) Knowledge transfer: Most of the times, we need to spend extra time on study of the code or web service or tools in order to understand the security aspects (and related testing) of the app. Hence this needs extra time which should be accounted in the project plan.
Based on these pointers you can finalize your strategy for testing.
Guidelines for Security Testing of a Mobile App
The guidelines for Security Testing of a Mobile App includes the below pointers.
1) Manual Security Testing with Sample Tests:
Testing the security aspect of an app can be done manually and via automation too. I have done both and I believe that security testing is a little complex one, hence it is better if you could use automation tools. Manual security testing is little time-consuming.
Before starting the manual testing on the app, make sure that all your security related test cases are ready, reviewed and have 100% coverage. I would recommend having your test cases reviewed at least by the BA of your project.
Create test cases based on the (above) ‘challenges’ and cover everything right from the phone model to the OS version, whatever and however is impacting the security of your app.
Creating testbed for security testing especially for the mobile app is tricky hence if you have expertise in cloud testing, you can use that as well.
I worked on a logistics app for which we had to do security testing after the app was stabilized. The app was to track the drivers and the deliveries they were performing on a given day. Not just the app side but we also did security testing for the REST web service.
The deliveries done were of expensive items like treadmills, washing machines, TVs etc., and hence there was a great security concern.
Following are some sample tests that we carried out on our app:
- Verify if the data specific to a driver is shown after login.
- Check if the data is shown specific to those drivers when more than 1 drivers log in to their respective phones.
- Verify if the updates sent by a driver by a status of delivery, etc., are updated in the portal only for that specific driver and not all.
- Verify if the drivers are shown data as per their access rights.
- Verify if, after a specific period of time, the driver’s session expires and he is asked to re-login.
- Verify if only verified (registered on the company website) drivers are allowed to log in.
- Verify if the drivers are not allowed to send fake GPS location from their phone. To test such functionality, you can create a dummy DDMS file and give a fake location.
- Verify if all the app log files do not store the authentication token, be it the app’s or the phone’s or operating system’s log file.
2) Web Service Security Testing
Along with functionality, data format and the different methods like GET, POST, PUT etc., security testing is also equally important. This can be done both manually and by automation.
Initially, when the app is not ready, it is difficult but equally important to test the web services. And even at the very initial stage when all the web services are not ready, it is not advisable to use automation tool.
Hence I would suggest to take help from the developers and have them create a dummy web page for web service testing. Once all your web services are ready and stable then avoid manual testing. Updating the web service’s input manually as per every test case is a very time consuming one, hence it is better to use automation tools.
I used soapUI Pro for web service testing, it was a paid tool with few cool features for all REST web service methods.
Following are some web service related security tests that I have carried out:
- Verify if the authentication token of login is encrypted.
- Verify if the authentication token is created only if the driver details sent to the web service are valid.
- Verify if after a token is created, receiving or sending data via the other entire web services (except authentication) is not done without a token.
- Verify whether after a period of time if the same token is used for a web service, a proper error is shown for token expiration or not.
- Verify that when an altered token is sent to the web service, no data transactions are done etc.
3) App (client) Security Testing
This is usually done on the actual app that is installed on your phone. It is prudent to perform security testing with more than one user session running in parallel.
App side testing is not only done against the app purpose but also the phone model and OS-specific features that would be impacting the security of the information. Based on the challenges mentioned above, you can create matrices for your testing. Also, perform a basic round of testing of all use cases on a rooted or jailbroken phone.
Security enhancements vary with the OS version and hence try to test on all supported OS versions.
4) Automation Tools
Testers find it discouraging to perform security testing on a mobile app as the app is targeted for a plethora of devices and OS. Hence using tools helps a lot in not only saving their precious time but also their efforts can be put to other users while the tests run automatically in the background.
Also be sure that there is bandwidth available to learn and use the tool. The security tools may not necessarily be used for another testing hence use of the tool should be approved by the manager or the product owner.
Following is a list of the most trending security testing tools that are available for mobile apps:
- OWA SP Zed Attack Proxy Project
- Android Debug Bridge
- iPad File Explorer
- Clang Static Analyzer
- QARK
- Smart Phone Dumb Apps
5) Testing for the Web, Native and Hybrid Apps
Security testing varies for the web, native and hybrid app accordingly as the code and the app architecture is completely different for all the 3 types.
Conclusion
Security testing of mobile apps is a real challenge that requires a lot of knowledge gathering and study. When compared to desktop apps or web apps, it is vast and tricky.
Hence it is very important to think from the point of a hacker and then analyze your app. 60% of the efforts are spent in finding the threat prone functionalities of your app and then testing becomes a little easy.
In our upcoming tutorial, we will discuss more on Automation Tools for Testing Android Applications.