How do you do mobile application security testing for iOS and Android?

Posted by Nitin Kumar
Aug 31, 2021
Mobile apps are easily the most vulnerable user-facing platforms to hacking and data breaches. This holds true for both iOS and Android. If you run your business or provide valuable financial information to your clients via apps, you need to ensure that you follow a checklist.

Testing your mobile application security systems should include the following:

  • A review of mobile application architecture
  • Exposure risk of sensitive information
  • Communication channel protection
  • Authentication procedures
  • Session Management
  • Input Validation
  • Handling of errors & exceptions
  • Unauthorized access
  • Permissions for GPS, Camera, Messaging, and so on
  • Malicious code/Backdoors
  • DoS
  • Use of Standard Libraries
  • Correct configuration
  • Analyzing phone memory
  • Protocols in use
  • Exposed application interfaces
  • OWASP Top-10 vulnerabilities relevant to your industry

Note that some of these approaches may require you to use an external white box or black box penetration testing consultant.

Open source tools such as QARK, ImmuniWeb MobileSuite, ZED Attack Proxy, and Android Debug Bridge work well for automated, quick, and cheap testing. But they will miss out on issues with authorization and flaws in business logic. The latter are better addressed by manual penetration testing.
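As an added example (not code from the answer above or from any of the tools it names), here is a small static check for three of the checklist items, "Exposed application interfaces", "Permissions for GPS, Camera, Messaging" and "Correct configuration", run against a decoded AndroidManifest.xml. The manifest is constructed for the example and the severity labels are an assumption of mine.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace
# Runtime permissions matching the checklist's GPS, camera and messaging items.
SENSITIVE_PERMISSIONS = {"android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
                         "android.permission.ACCESS_COARSE_LOCATION", "android.permission.READ_SMS"}

# Constructed sample manifest (not from any real app) with several issues planted.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <provider android:name=".DataProvider" android:exported="true" android:permission="x.READ"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return (severity, message) findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name", "")
        if name in SENSITIVE_PERMISSIONS:
            findings.append(("info", f"requests sensitive permission {name}"))
    app = root.find("application")
    if app is None:
        return findings
    if app.get(A + "debuggable") == "true":
        findings.append(("high", "application is debuggable"))
    if app.get(A + "usesCleartextTraffic") == "true":
        findings.append(("high", "cleartext network traffic allowed"))
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.iter(tag):
            if any(a.get(A + "name") == "android.intent.action.MAIN" for a in comp.iter("action")):
                continue  # launcher entry point: expected to be exported
            exported = comp.get(A + "exported")
            # Pre-Android 12, an intent-filter with no explicit android:exported implied true.
            if exported is None and comp.find("intent-filter") is not None:
                exported = "implicit"
            if exported in ("true", "implicit") and comp.get(A + "permission") is None:
                findings.append(("medium", f"{tag} {comp.get(A + 'name')} exported ({exported}) without a permission"))
    return findings
```

Each finding is a lead for the manual review the answer mentions, not a confirmed vulnerability; an exported component may be intended, but it should then be justified and tested.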