Skip to content

Why Mobile application security testing?

The primary purpose of security testing is to identify and mitigate vulnerabilities and weaknesses in software applications and systems to safeguard them against threats and attacks.

Knowing that 66.8%* of company services are consumed via mobile applications, testing the security of these apps and establishing a security strategy becomes evident.

While companies might be tempted to cover their mobile application security testing using generic tools used for Web applications or source code, the approach will quickly show its limits due to the mobile unique attack surface (Intents, URL Schemes, Permissions, Cross App Interaction, Shared Preferences …), specific classes of vulnerabilities, the OS characteristics, and the number of available frameworks used to develop mobile applications (Native, Flutter, Xamarin, React Native, Cordova, Ionic …).

Mobile App Security Testing (MAST) should understand the mobile space and fully cover its attack surface in the data stored in the device, the data transported to the backend, and the backend vulnerabilities. It should cover the native, hybrid, and web-based mobile applications since each framework has its logic to access and interact with the hardware that might cause a real risk if not understood correctly.

Task hijacking is one of the multiple attacks that had a high impact on mobile applications due to a specific Android behavior that leads a user to leak sensitive data to a malicious application while interacting with a normal application.

Banking malware extensively exploited task hijacking in 2019 (45% increase in 2020), enabling attackers to intercept sensitive user data and credentials during online banking sessions.

Also, mobile applications rely heavily on third-party dependencies; thus, analyzing those dependencies is mandatory to avoid weakening the application security due to a vulnerable dependency. For example Dio one of the most used Dart packages suffered from multiple High severity issues.

The process of Mobile Application Security Testing can be executed manually or through the utilization of automated tools that employ a diverse range of techniques.

  • Source:

How to test mobile application security?

Penetration testing

Penetration testing is a proactive and methodical security assessment process conducted by a third-party entity, often towards the later stages of the Software Development Life Cycle (SDLC). Testers use automated tools and manual techniques to identify the target application's vulnerabilities, misconfigurations, and weaknesses.

Pentesting is commonly employed to fulfill regulatory mandates and is often tailored to specific objectives within a restricted time frame.

While effective, it is a costly,time-intensive process and only captures a restricted view at one point. The duration of a mobile application pentesting is typically one to four weeks, depending on the application complexity, the testing depth, and the scope of the pentest.

App developers aim to release updates to the application's store every 3 to 6 weeks. Conducting pentests at infrequent intervals does not align with the development teams' velocity, and vulnerabilities can be introduced between the pentest period.

Automated mobile application security testing

Automated mobile application security testing relies on various tools to analyze the software and identify potential vulnerabilities.

Automated tools seamlessly integrate into the software development life cycle (SDLC) and fit into the Continuous Integration and Continuous Delivery (CI/CD) pipeline.

These tools offer a cost-effective solution, enabling the development team to conduct regular, fast, efficient security assessments, promptly addressing any detected issues. They provide comprehensive coverage of the application code and can uncover a wide array of security findings, ensuring a robust defense against potential threats.

Automated mobile application security testing is scalable, allowing the development teams with many applications or high development velocity to test their changes without affecting their development process.

96% of the companies implementing automated mobile application security testing meet their security requirements for the store or the compliance in time, and 83%* confirmed meeting their SLOs to fix high and medium findings.

*Source Gartner

One big drawback of automated mobile application security testing tools is the amount of False positive findings they report. This is why checking the False positive ratio and policy is important to avoid flooding developers with useless findings.

Bug Bounty

Crowd-sourced app security testing (bug bounty programs) presents an additional avenue for mobile application security testing.

The bug bounty programs can open the security tests to various testers with different experience levels. Depending on the program's popularity and reputation, the coverage can be exhaustive and continuous since it remains active during the entire program period, and the tester can have different approaches to identify security flaws.

The bug bounty programs can serve as valuable supplements to existing security protocols but should not serve as outright replacements for an internal security process since testing the security of the application must start from the design phase until the release; otherwise, the fixing process will become inefficient, and attackers can benefit from the lack of security testing and exploit those vulnerabilities.

One significant challenge is the potential for an influx of incorrect or low-quality reports from participants. This can lead to substantial back-and-forth communication between the organization and the researchers, consuming time and resources. Sorting through numerous false positives or vague reports can be frustrating and may delay the resolution of legitimate security issues.

Mobile application security testing techniques

Mobile application security testing relies on various techniques, often categorized as static analysis, dynamic analysis,

interactive/behavioral analysis, and API/Backend testing, with the understanding that these techniques are not mutually exclusive and may overlap.

Static analysis

Static analysis constitutes a testing methodology that analyzes the application's source or binary code and additional resources to identify particular security concerns.

This is accomplished through diverse analysis techniques capable of automated examination without executing the app's code:

  • Configuration Checks: Configuration checks for insecure settings. These settings include the platform parameters like AndroidManifest.xml, Info.plist settings, Cordova Framework parameters, the network's configuration, etc.
  • 3rd Party Dependencies: Fingerprint the application dependencies to identify the ones with known vulnerabilities. The dependencies might be declared directly as a plugin or compiled within the application. OpenSSL dependency is a common use case in mobile applications where it might be shipped with a vulnerable version.
  • Hardcoded Secrets: Extract all the sensitive information, such as passwords, API keys, or cryptographic keys, that are directly embedded into the source code of a mobile application. Cloud provider's keys or SSH private certificates are a common critical finding in mobile applications
  • Taint Analysis: used to identify and track the flow of sensitive information (taint) within a mobile app's code and its interactions with external entities like user inputs system resources, or network communications. This analysis is critical for identifying potential security vulnerabilities related to data leakage, injection attacks, or improper handling of sensitive data.

Dynamic analysis

Dynamic analysis is a testing approach that monitors the application's behavior on a real device or an emulator/simulator/VM. This method proves particularly valuable for uncovering vulnerabilities that exclusively manifest when the app is actively running, such as instances where the app interacts with a server. While the application is running, Dynamic Analysis monitors all the interactions with the filesystem (storage, database), Interprocess communications, memory accesses, and the network to identify security flaws regarding sensitive data, session management, authentication, authorization process, and data transmission analysis. According to Google statistics, 20% of mobile applications still communicate using clear text traffic, and 41% have an incorrect or insecure TLS configuration.

Interactive/behavioral analysis

In addition to dynamic Analysis, behavioral testing assesses the application's behavior while actively running the tests. It uses instrumentation to track and analyze how the data flows within the apps and flags all the dangerous patterns that call a vulnerable module or use a dangerous argument.

Multiple techniques exist for mobile application instrumentation, and it is up to the mobile application security tester to choose the right way to instrument the application depending on its framework (Native OS vs. JavaScript vs. .NET vs. Flutter).

The interaction with the device can be manual or fully automated, though automation is preferred, and the tests should maximize the coverage of the application to validate the maximum paths in the code.

API/Backend analysis

API/Backend analysis is essential to mobile application security testing. It focuses on scanning the APIs, backends and external communications. This analysis assesses the security of the data exchange and the backend servers communicating with the device. The purpose of the backend analysis:

  • Check the security flaws on the backend servers. Multiple companies may rely on other tools to assess this part since the backend is usually common between mobile and web applications. However, it is important to validate it from the device view since some hypotheses might be enforced by the web browser but not within the mobile application. For example on a website accessed through a web browser, the same-origin policy is enforced, which restricts web content to interact only with the backend servers of the same domain. This means that JavaScript running in a web page can't directly access or manipulate data from a different domain. The policy provides a security layer to prevent cross-site scripting (XSS) attacks and data breaches. However, in the context of mobile applications, this hypothesis doesn't always apply. Mobile apps have more flexible ways to share and access data. For instance, they can use Native JavaScript interfaces, custom URL schemes, or specific APIs that allow them to bypass the same-origin policy restrictions. This flexibility can be advantageous for app functionality but also introduces potential security risks.

  • Check the privacy of the data sent from the application since the applications rely heavily on third parties for advertisement, analytics, monitoring, etc. The data extracted from the user's device can be too intrusive and might be illegal. A common use case is analytics libraries collecting the device IDs, the device locations and the IPs which are considered as Personally Identifiable Information (PII) and multiple privacy legislation protect against those practices.

Types of tools for automated mobile application security testing

Open source testing tools

Open-source tools offer a valuable point for initiating mobile app security testing. Their cost-effectiveness, transparency, and collaborative development empower organizations to support their digital defenses effectively. These tools, nurtured by a global community of cybersecurity profiles, offer versatility and customization, covering a broad spectrum of security testing needs.

While open-source security testing tools offer numerous advantages, it's essential to acknowledge potential drawbacks. These may include:

  • Limited Support: Open-source tools may not provide the same level of customer support as commercial counterparts. Users often rely on community forums and documentation for assistance.
  • Steep Learning Curve: Some open source tools can be complex to set up and use, requiring a significant learning curve for users.
  • Lack of Enterprise Features: Commercial tools may offer advanced features and integration options tailored for enterprise environments, which open source tools may not provide.
  • Variable Quality: The quality of open source tools can vary widely, and not all may be suitable for critical security assessments.
  • Maintenance Challenges: Organizations must ensure that open-source tools are regularly updated and patched to address security vulnerabilities.
  • Manual work: Open-source tools for mobile application security testing tend to require a lot of manual work to prepare the testing environment and the device and to run the tests.
  • Legal and Licensing Issues: Users must know licensing terms and potential legal considerations when using open-source tools.

Source code analysis tools

Multiple companies rely on source code analysis to cover their mobile application security testing. Source code analysis tool provides a deep and thorough examination of the application's source code, allowing for the early detection of potential vulnerabilities and security weaknesses. They can identify issues such as insecure data storage, improper input validation, and weak authentication mechanisms, helping developers address these concerns before deploying the app. Additionally, source code analysis tools often integrate with development environments, making it convenient for developers to incorporate security checks into their workflow. However, these tools may not catch all vulnerabilities, especially those related to runtime behaviors or third-party dependencies. To maximize the benefits of source code analysis tools, organizations should combine them with other testing techniques, such as dynamic analysis and API analysis testing, for comprehensive mobile application security testing.

Mobile-specific application security testing tools

To cover the unique attack surface of mobile applications and to ensure the support of the OS and the framework characteristics. Opting for a specialized mobile application security scanner that runs the three main types of analysis on the application during its development and release lifecycle is recommended. Mobile application security scanners offer a user-friendly interface accessible to both security experts and developers. They can quickly scan mobile apps for various known vulnerabilities, helping organizations identify and remediate issues efficiently. They offer a seamless integration with the CI/CD pipelines to reduce usage friction. Additionally, they typically provide regular updates to address emerging threats, keeping applications protected against evolving security risks. However, the scanners may not uncover unique or customized vulnerabilities specific to an application, and they can produce false negatives, missing certain security issues. The cost of these tools can also be a drawback, particularly for smaller organizations.

How can Ostorlab help you implement an efficient Mobile Application Security Testing methodology?

Ostorlab can play a pivotal role in implementing an efficient Mobile Application Security Testing methodology by offering a comprehensive suite of features and services tailored to the unique needs of mobile app security.

  • Specialization in Mobile App Security: Ostorlab specializes in mobile app security, focusing on the challenges of mobile platforms. This specialization ensures the features and services are finely tuned to address mobile-centric threats.

  • Automated Security Testing: Ostorlab provides automated security testing capabilities, allowing organizations to integrate security assessments into their development pipelines seamlessly. This automation ensures that security checks are consistently applied throughout the software development lifecycle (SDLC).

  • Fast and Actionable Insights: Ostorlab's tools offer rapid mobile app security assessment, providing actionable insights and recommendations. This speed and clarity enable development teams to promptly identify and address security vulnerabilities.

  • Integration with SDLC: Ostorlab facilitates direct integration with the SDLC, ensuring that security testing becomes an integral part of the development process. This integration minimizes disruptions to developers' workflows.

  • Continuous Monitoring: Ostorlab enables continuous monitoring of an app's security profile. This capability allows teams to track changes in security status between different builds, quickly pinpointing and remediating vulnerabilities introduced during development.

  • Comprehensive Coverage: Ostorlab's solutions cover a wide range of security testing techniques, ensuring a thorough examination of mobile apps for potential vulnerabilities.

  • Ease of Use: Ostorlab's user-friendly interface and tools make it accessible to security experts and developers, fostering collaboration and efficient security testing.

  • High-quality support: The Ostorlab support team is available to help, fix, and advise for all the issues and requests that users can have during any mobile application development phase.

By leveraging Ostorlab's expertise and tools, organizations can establish a robust Mobile Application Security Testing methodology that safeguards their mobile apps against evolving threats while seamlessly integrating with their development processes.