Most legacy applications used in the enterprise weren’t designed with a mobile interface in mind. Once businesses introduce mobile devices into the workplace, they have to rethink how business apps will be accessed from those devices, and smoothing over architectural problems with a new front end won’t do it.
A one-size-fits-all approach to mobile app security testing isn’t sufficient, because every mobile app is unique and requires a different level of security.
Doing it right requires that you understand the challenges mobile app security testing brings.
Mobile app security testing is critical to meet today’s security threats. A 2013 SANS survey found that organizations are most concerned about:
• Device security
• VPN / access controls for protection of company apps, particularly in BYOD environments
• Security checks throughout the software development lifecycle
• Achieving unified access that supports security policies
Types of Enterprise Apps
There are three basic types of mobile apps: native apps written for a specific platform; web apps created with HTML5 (where the mobile app is basically a shortcut to the web app); and hybrid apps consisting of a web-based interface wrapped with a native app layer so users get the best of both worlds. Companies increasingly use the hybrid approach (with around 50% expected to go this route by 2016 according to Gartner). Each type requires specific testing. Organizations need to think about how to protect data as it is used by apps across mobile networks.
Organizations that don’t harden their code against reverse engineering risk having it reverse engineered or, worse, republished, so that unsuspecting users think they’re getting the original app when they’re not. Additionally, malware on user devices can tamper with the exchange of data, whether in the device’s storage or while the device is interacting with other apps.
Say an organization allows remote access to its network, and a connecting device is somehow compromised. That could give an attacker access to the network and to any apps whose data isn’t encrypted. Compromised devices can provide remote access – basically a point from which attacks can be launched. Or suppose a user downloads a personal app onto his or her device that requests permissions for access to contacts, email, or data storage. It’s easy to see what a big risk this can pose. Mobile app security testing and a strong BYOD or mobile device policy are both needed to keep apps secure.
Mobile app security testing begins with identifying and repairing bugs and security loopholes. There are many automated tools that can help you fix these issues, but new vulnerabilities pop up all the time. Each and every functionality needs to be tested for security, and your app may need multiple levels of verification and testing. This may involve everything from review of the code through penetration testing. Testing should address the following points, according to NetworkWorld:
• Data flow – where it goes, how it’s protected in transit, and who has access to it
• Data storage – including whether it’s encrypted and where it’s stored
• Possible data leakage to log files or through notifications
• How users are authenticated and authorized, and whether you can track passwords and IDs
• Security controls on the server end
• Possible points of entry on the client side and whether they’re validated
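The data-leakage point above (sensitive values ending up in log files) is the one most easily checked mechanically. The following is an added example, not code from the original article or from Samanage: a small scanner that runs a few leakage signatures (email addresses, bearer tokens, password fields, and Luhn-valid card numbers) over log lines. The log lines are constructed here to resemble a mobile app’s debug output; the pattern names and the `Finding` structure are the example’s own choices, and the regexes would be tuned to a real app’s field names.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of lines as a mobile app's debug logger might emit them
# (not output from any real app).
SAMPLE_LOG = """\
2024-05-01 10:02:11 D/NetClient: GET /api/v1/profile 200 OK
2024-05-01 10:02:12 D/AuthManager: login ok user=alice@example.com
2024-05-01 10:02:12 D/AuthManager: token=Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abc123
2024-05-01 10:02:13 D/Settings: password=hunter2 saved to prefs
2024-05-01 10:02:14 D/Sync: 3 items queued
2024-05-01 10:02:15 D/Payment: card=4111111111111111 exp=12/27
"""

# Signatures for data that should never be written to a log. The names and
# patterns are this example's assumptions; extend them with the app's own
# field names (session ids, device tokens, and so on).
LEAK_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "bearer": re.compile(r"Bearer\s+[A-Za-z0-9._-]{20,}"),
    "password": re.compile(r"(?i)\b(pass(word)?|pwd)\s*[=:]\s*\S+"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number in the log
    kind: str      # which LEAK_PATTERNS entry matched
    excerpt: str   # redacted match, safe to put in a report


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to keep timestamps and counters from being
    reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep a short prefix so a reviewer can locate the value without the
    report itself becoming a second copy of the leak."""
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per sensitive match, in log order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in LEAK_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group()
                # Digit runs only count as a card number if Luhn passes.
                if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                    continue
                findings.append(Finding(line_no, kind, redact(value)))
    return findings


def summarize(text: str) -> dict[str, int]:
    """Count findings per kind; an empty dict means the log looks clean."""
    counts: dict[str, int] = {}
    for finding in scan_log(text):
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} -> {f.excerpt}")
    print("summary:", summarize(SAMPLE_LOG))
```

Run against the constructed sample, the scanner flags lines 2, 3, 4 and 6 (an email address, a bearer token, a plaintext password and a Luhn-valid card number) and leaves the timestamps and counters alone. In practice the same function would be pointed at logs captured from a test device during the transactions identified in the steps below, and any finding is a defect to fix in the logging code, not something to redact after the fact.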
The steps to adequate mobile app security testing are roughly as follows, according to Eran Kinsbruner of APM Digest:
• Definition of supported devices and operating systems
• Identifying key transactions that take place in the app
• Simulation of various network conditions
• Testing effects of server load
• Analysis, fixing of bugs, and optimization
You Can’t Just Test It and Forget It
You can’t simply test your apps once and then forget about them. New security threats can emerge at any time. To prevent security problems and make sure your apps remain secure, your team has to stay current on the general security environment.
The security of your network and the devices that use it starts with good IT asset management. Samanage offers unified IT asset management and IT service desk solutions with built-in risk detection tools that can help your IT team stay on top of threats. Mobile app security testing is only part of an overall strategy designed to keep your organization’s data secure and uncorrupted.