Mobile Security and QA Strategy [Mobile Security - Part 1]
Learn how to best manage mobile security.
Join the DZone community and get the full member experience.Join For Free
As we all know, Internet security is among the top risks faced by individuals and businesses today. With the evolution and robust growth of internet-enabled mobile devices across the globe, they have become the number one target for cyber attacks.
Mobile security involves protecting portable devices such as laptops, tablets, smart watches, and phones against cyber threats. Today, the need for protection is more critical because we store a lot of sensitive data like bank details, patients information on these devices.
You may also like: Software Development Lifecycle: QA and Testing.
Why Mobile Security?
Tremendous Amount of Data Is Protected
A lot of data is being stored in our mobile devices and attackers are shifting their focus and efforts to smartphones and tablets, appreciative of the fact that they can possibly steal more money and data from their victims this way.
Cyberattacks on Mobiles Increasing by the Day
Over the last few years, we’ve seen cybercriminals deploy all sorts of effective strategies. Some of the attacks include:
Freak — a security exploit that focuses on a cryptographic weakness in SSL/TLS protocols. This exploit forces browsers to use a markedly weaker form of encryption. This weaker 512-bit key could be broken within seven hours and could be costly for websites. Vulnerable software and devices included Apple's Safari web browser, the default browser in Google's Android operating system, Microsoft's Internet Explorer.
Stagefright — An attacker could exploit this vulnerability by crafting a MMS with an exploit and send it to the victim. To send this MMS, the attackers needs just the victim's mobile number. It depends on what application you use to visualize the MMS, as with regular Messenger, the exploit will be executed only after seeing the MMS without playing the media. Using Hangouts could be even worse, since the device would be compromised almost automatically even before you are able to see the notification.
Wirelurker — Malware designed to target users in China. WireLurker monitors any iOS device connected via USB with an infected macOS computer and installs downloaded third-party applications or automatically generated malicious applications onto the device
Threats Have Evolved to Be More Sophisticated
The main causes of data loss are physical device loss and misuse of apps. Every device contains not only huge amounts of data, but personal identities which can be used to compromise other services. By attacking these devices, hackers can reach and infect more machines and earn more money by exploiting individual users or by selling their details via the black market.
Because of this, many companies neither release nor accept their application to the market its security has not been tested.
QA Strategy for Mobile Security
Let's see just what mobile security testing looks like.
1. Threat Analysis and Modeling
It is a systematic detection, identification, and evaluation of areas or spots of vulnerability of a system. If you are doing a threat modelling, then you need to consider all the aspects that are prone for getting attacked like app architecture, app resources etc.
The logs should not expose any critical info or any user details.
Credentials - this is the most vulnerable area and should be encrypted/protected in such a way that it can't be exposed.
Data - No unwanted/antisocial data should be posted.
The data that we send and receive from the web service needs to be secure to protect it from any attack. The service calls need to be encrypted for security purposes. Otherwise, it will make way for attacks like Freak to occur.
When placing an order on a commercial app, an application connects to net banking, PayPal, or PayTM for money transfers. This needs to be done through a secure connection.
2. Vulnerability Analysis
Here, the app is analyzed for security loopholes, the effectiveness of the countermeasures. The entire team must be ready with all the possible threats, solutions to counter the threats, and a list of bugs or issues from previous releases.
Security Threats for Apps:
Superfluous Data Storage — Storing unwanted data in the app.
Exposed Authentication — Failing to identify the user, failing to maintain the user’s identity, and failing to maintain the user session.
Insecure Communication — Failing to keep a correct SSL session.
Malicious Third-Party Code — Writing a third-party code which is not needed or not removing unnecessary code.
Failure to apply server-side controls — The server should authorize what data needs to be shown in the app?
Client-Side injection — This results in the injection of malicious code in the app like SQL injection.
Lack of data protection in transit — Failure to encrypt the data when sending or receiving via web service etc.
3. Security Threats From Other Sources
From hackers — The world has been experiencing some of the worst and most shocking hacks even after having the highest possible security. There is no specific way to deal with hacks because hacking an app varies from app to app and most importantly the nature of the app. To avoid hacking, try getting into the shoes of a hacker to see what you can’t see as a developer or a QA.
From other devices — In a phone, not all the operations are available to a user like overwriting system files, upgrading OS to a specific version. As a result, people run software that is available in the market to attain full admin access to a phone. Breaking these may lead to installation of extra application or the code used to root/jailbreak itself may have threat of getting hacked. These rooted phones are never tested by manufacturers, so they can behave in unpredictable ways.
From app permissions — The permissions that are given to an app also pose a security threat. The following are the highly prone permissions that are used for hacking by attackers:
- Network-based Location — Hackers use this permission and access the location of the user to launch location-based attack or malware
- View the Wi-Fi state — Almost all apps are given permission to access Wi-Fi, and malware or hackers can use the phone bugs to access Wi-Fi.
- Full Internet Access — All apps need this permission to access the internet. This can be used by hackers to communicate and insert their commands to download malware or malicious apps on the phone automatically (few apps need this permission). Some apps need this permission from the OS to be started as soon as the phone is started or restarted, such as security, battery saving apps, emails apps, etc. Malware uses this to automatically run during every start or restart.
Opinions expressed by DZone contributors are their own.