Mobile application audits

It seems like there is no topic on which the mobile application has not been made in the entire world. From apps for passing time in the subway to sophisticated banking applications, using which you can transfer large sums of money to another account with a few clicks. We are already used to the fact that most of the financial transactions can be done on the go with the help of our phones. We trust the mobile applications offered by our banks. This is a situation, in which it is worth thinking about the security and vulnerabilities of the applications. Internet security is essential as the recent day experience has shown.

Mobile applications can have vulnerabi lities. The reasons can be diverse: incorrect spelling of code, dangerous coding methods or deliberately entered bad code. Generally, mobile app owners do not have thorough technical knowledge to test how vulnerable their application is, whether it is possible to fix it or it should be completely replaced. To do this, the audit of mobile applications is conducted by experienced companies.

There are two ways to analyse apps (Android, iOS or other platforms):

  • Static analysis, which is performed by using a specific text or string search in the decompiled source code.
  • Dynamic search, which is performed during execution and vulnerabilities are identified in simulation.  

Dynamic analyser tools can be divided into two categories:

  • Tools that can be run from computers and connect to device or emulator (for dynamic analysis)
  • Tools that can be run from the device itself.

Static analysis is an easier method as the usage of the static string search makes it convenient to use. Static analysis is performed on raw or decompiled source code or on compiled (object) code, but the analysis is conducted outside of runtime. Static analysis typically detects vulnerables or unprotected code templates.

Dynamic analysis is an analysis of program execution time. The program is run or simulated to detect flaws during execution. Dynamic analysis can be complicated, especially in the case of mobile platforms.

Dynamic analysis is useful for processing data in a transfer at runtime, such as changing the amount in a transaction request, which is being sent at the payment gateway. Dynamic analysis is useful for detecting encrypted data that can be reverse engineered, in programs, which use custom encryption, in order to prevent the attacker’s abuse.

It should be noted that because of the inability to fully decompile IOS apps, dynamic analysis becomes even more significant in finding sensitive data that could be hard-coded.

Mobile App Security Standards/Checklist

1. Securing the source code:

Creating an application and leaving the source code open to everyone is not logical. In a mobile application most of the source code is typically on the client’s side, including the user interface and business logic, which poses a threat if this code has been available to attackers.

2. Securing the files and the database:

It is crucial to save not only the code, but also the data itself as it can be private information of users, their personal data or payment information. Therefore, you need to make sure that this data is encrypted and secure.

3.Securing Communications

Many companies do not pay enough attention to network security in the process of mobile applications development. It seems to be not as essential as in the web versions. Still, it is not enough to protect data only at the generation and storage points, but it is crucial to take care of network security as well.

4. Consider Data Portability

This is about the usage of user data on diverse platforms, such as using Facebook accounts to sign in to another platform. This allows using the security systems of large companies for one’s own application. In addition, users are more comfortable signing in with an existing account rather than creating a new one.

5. Brace for Reverse Engineering

This may be more specific for Android applications as Android is an open source program, which means that anyone is able to search for source code, make changes to the OS in any way. This is why it is crucial to be acknowledged of the Java-based Android environment as well as the kernel of OS Linux in order to understand how to protect your application from reverse engineering.

6. Perform Input Validation

Checking the entered user data is often neglected for the sake of “speed”, but it allows us to check the data provided by the user in order to prevent data distortion.

7. Use Cryptography wisely

Hacked cryptography is the most common threat to mobile applications, so encrypting data or password hashing does not necessarily mean that the program is secure.

Weak or hacked algorithms should be avoided and it is worth making sure that the program does not use them. These algorithms include MD5, MD4, SHA1, BLOWFISH, RC2 і RC4. Cryptography is a strong security element in mobile applications, and, therefore, it can protect applications and data under proper usage.

8. Perform Penetration Testing

Penetration testing is one of the most significant steps in program protection as it is able to scan a wide range of vulnerabilities. It simulates an attacker's actions in diverse environments and modes.

Top 10 OWASP mobile security vulnerabilities in 2021:

  • Improper Platform Usage : errors or the lack of use of certain mechanisms specific to the mobile platform used. The use of local storage to backup sensitive data instead of using the KeyChain on iOS is a good example.
  • Insecure Data Storage : any problems resulting in a lack of security when storing data.
  • Insecure Communication : all situations where data is transmitted to and from the outside without being properly encrypted, regardless of the protocol or communication channel used.
  • Insecure Authentication : similar to web application auditing, this defect occurs when a user is able to perform actions under the identity of another user.
  • Insufficient Cryptography : this defect occurs mainly when the encryption protocol is poorly implemented, is obsolete, or the encryption key is placed in the application source code.
  • Insecure Authorization : this defect is due to a lack of checks when calling API functions.
  • Client Code Quality : defects identified during the analysis of the application code fall into this category, as well as the lack of code documentation
  • Code Tampering : there are mechanisms to detect if the application code has been modified, which happens especially during the static analysis phase.
  • Reverse Engineering : this defect is reported if the application file provides too much data too easily, without having sought to protect itself from the actions of an attacker.
  • Extraneous Functionality : concerns obsolete features or test functionalities, not visible to a user, but still present in the application code.

Mobile applications audit is a complex process that requires high-level technical knowledge and experience. The security of your application may affect the security of your customers’ personal and payment information, even if it is only about entering card details to purchase game improvements.

Therefore, we strongly recommend that you entrust the mobile application testing to professionals, for instance to us, Embrox.