When it comes to mobile application security, one of the most important factors is secure code, both on the mobile device and in the backend web service. Code is harder to secure on mobile devices for a variety of reasons: the platform technology, the diversity of platforms and OS versions, privacy concerns, and developer experience, to name a few. Usage patterns also differ on mobile devices. Factors beyond the mobile application itself need to be considered as well, such as the remote web services it depends on, platform integration, and device-specific security issues.
The threat sources also differ from those of traditional web applications, and attackers can approach a mobile application from more than one direction. One is intercepting the application's network traffic in a man-in-the-middle attack (think of an untrusted coffee-shop Wi-Fi network). The second, which is perhaps more likely and more dangerous, is an attacker with access to the application on the device itself, where the installed application and any data it stores locally can be examined directly.
SeNet’s mobile application assessment strategy has two different components:
- Static Code Analysis – In this phase the source code of the mobile application is made available to the testing team. A combination of automated tools and manual examination is used to identify weaknesses in the code and security vulnerabilities. Because the assessors work with the source, this is white-box testing.
- Dynamic Analysis – Mobile applications communicate with backend web services through application programming interfaces (APIs). In this phase our approach is to exercise the running application and the APIs it calls, and to assess the security of the backend web services themselves.
A mobile application security assessment can combine both code review and dynamic analysis, or consist of just one component or the other. The primary factors in scoping the work are the client’s objectives and the time and budget allocated.