If you had a cent for every time an app violated an important security testing guideline, you'd collect millions of dollars every day. What makes mobile app security such a slippery slope? Part of the reason is the sheer magnitude of the task: so many things can go wrong in an app that the very idea of defending everything is overwhelming. But there's another, equally important aspect: the human element. Under business pressure, it's very tempting to throw good practices out of the window, and the results are shameful. While the human element is something only the organization and the individual can control, we can still learn some effective strategies to improve mobile security testing.
Let's look at 10 such techniques to improve mobile security testing.
#1 Use static analyzers
Many of the security problems in mobile apps originate in sloppy coding: the developer failed to use a secure protocol or used a vulnerable encryption algorithm. Such problems were impossible to find in the early days of app development, but now we have static code analyzers that can catch them in a snap. Take a look at Appknox, which makes this process simple and enjoyable.
#2 Stay up to date
Staying up to date is not just about knowing the latest trends or looking stylish when you take part in discussions. We emphasize it because the mobile security landscape keeps changing in unexpected ways, and not all of those changes are progress. For instance, Tapjacking is an old Android exploit that was addressed in version 6.0. Unfortunately, it made a comeback on many devices when 6.0.1 was introduced, and without extra developer vigilance it was creating problems. So stay up to date and learn what's happening.
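The defender's side of the Tapjacking example above, as an added Kotlin snippet that is not code from the original post: a sensitive button that refuses touches delivered while another window is drawn over it. The Activity, layout and view id (`confirm_payment`) are assumptions.

```kotlin
import android.os.Build
import android.os.Bundle
import android.view.MotionEvent
import android.widget.Button
import android.widget.Toast
import androidx.appcompat.app.AppCompatActivity

// Hypothetical screen with a payment confirmation button (assumed layout and id).
class ConfirmActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_confirm)
        val confirm = findViewById<Button>(R.id.confirm_payment)

        // Built-in mitigation: the framework drops touches that arrive while another
        // window fully covers this view. Same effect as
        // android:filterTouchesWhenObscured="true" on the <Button> in XML.
        confirm.filterTouchesWhenObscured = true

        // The built-in filter only covers the fully obscured case. From API 29 the
        // event also carries a "partially obscured" flag, which we check ourselves so
        // the tap is rejected and the user is told why instead of it silently vanishing.
        confirm.setOnTouchListener { _, event ->
            val obscured = (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
            val partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
                (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
            if (obscured || partiallyObscured) {
                Toast.makeText(this, "Another app is drawing over the screen; tap ignored",
                    Toast.LENGTH_SHORT).show()
                true   // consume the event so the click never fires
            } else {
                false  // normal tap: let the click listener run
            }
        }

        confirm.setOnClickListener {
            // Only reached for touches that passed both checks above.
            Toast.makeText(this, "Payment confirmed", Toast.LENGTH_SHORT).show()
        }
    }
}
```

Both checks are per-view, so apply them to every control whose tap has a security consequence, not just the one shown here.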
#3 Use cloud-based testing
Comprehensive mobile security testing involves testing the app on multiple devices and with multiple OS versions. In the case of Android, the number of combinations can soon shoot through the roof: imagine trying to test, say, 10 screen sizes against 15 Android releases. This is where cloud-based testing saves the day. Cloud testing tools automate device provisioning, test execution and reporting, so you spend as little time on it as possible. Another plus is speed: because you are not limited by your own hardware, the entire testing pipeline runs wickedly fast!
#4 Always test "in the wild"
Planned and automated testing has its place, but nothing beats testing the app in a real-world scenario. For instance, you might never account for Bluejacking in your test plans, but a field test has a very high probability of bringing it up. Or maybe your app leaves data unencrypted under certain conditions; these are scenarios that will never arise in your code lab.
#5 Secure your backend
When we talk about mobile security testing, the backend never enters the picture. Yet it's every bit as important as the app itself. Sometimes the app is tight on security, but the communication between it and the backend is the weak link. If this part isn't watertight, attackers can read the data being sent, as well as harm your systems through URL manipulation. When formulating a testing strategy for your mobile apps, make sure backend communication hijacking takes a prominent place.
#6 Anticipate vulnerable dependencies
Sometimes your app depends on another core service that might be buggy. For instance, if Google Play Services on the particular Android version you're targeting has a bug, your app will be compromised along with it. This measure is admittedly hard to keep up with, but staying on top of the latest Android news can arm you.
#7 Secure all storage
Storing anything in plain text files on the device is an open invitation to trouble. As far as your app development is concerned, don't rely on plain files even for storing temporary data, because a malicious app can snoop on files in Android quite easily. Make sure that all of your storage is encrypted, and that user data is properly backed up to the cloud to cover the cases where the device is stolen or lost.
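As an added example (not code from the original post): the weak pattern, a session token written as plain text where other parties can reach it, beside a hardened version that keeps it in app-private internal storage encrypted with AndroidX's EncryptedFile (androidx.security:security-crypto). The file names and the token value are constructed for illustration.

```kotlin
import android.content.Context
import androidx.security.crypto.EncryptedFile
import androidx.security.crypto.MasterKey
import java.io.File

// Hypothetical helper; "session.txt" / "session.bin" are constructed names.
object TokenStore {
    // Weak: plain text on external storage. Readable by other apps on older Android
    // versions, and by anyone with a USB cable or ADB access, no root required.
    fun saveWeak(context: Context, token: String) {
        File(context.getExternalFilesDir(null), "session.txt").writeText(token)
    }

    // Hardened: internal storage (private to this app's UID) plus file-level
    // encryption. The per-file data key is wrapped by an AndroidKeyStore-backed
    // master key, so a copied file is useless without the device.
    private fun encryptedFile(context: Context): EncryptedFile {
        val masterKey = MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build()
        return EncryptedFile.Builder(
            context,
            File(context.filesDir, "session.bin"),
            masterKey,
            EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
        ).build()
    }

    fun saveSecure(context: Context, token: String) {
        val file = File(context.filesDir, "session.bin")
        // EncryptedFile refuses to open an existing file for writing, so replace it.
        if (file.exists()) file.delete()
        encryptedFile(context).openFileOutput().use { it.write(token.toByteArray()) }
    }

    fun loadSecure(context: Context): String? {
        if (!File(context.filesDir, "session.bin").exists()) return null
        return encryptedFile(context).openFileInput().use { String(it.readBytes()) }
    }
}
```

Even the encrypted file should hold only what the app truly needs to persist; a token the server can reissue is a better candidate for storage than a password.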
#8 Perform regular code audits
While static analyzers are helpful, they can't catch everything. As such, code audits should be the first priority for the apps you develop. Create a strong mandate within the organization that developers review each other's code, especially with security in mind. If the developers feel they might not be on top of their security game, strongly consider getting an outsider to audit the code and help your team learn.
#9 Push updates sooner than later
As an app developer, you might think that pushing an update as soon as you discover and fix a security flaw will lead to a bad user experience. You might worry that pushing, say, 10 updates in a month will annoy your users. This mindset is harmful. End users are used to installing application updates, and they'll appreciate it if you let them know that an update fixes a critical security gap. As always, do the right thing first and trust the wisdom of the masses.
#10 Go easy on shiny new toys
The final piece of advice applies to developers who are very enthusiastic about their craft and jump on the next best thing they encounter. While increasing productivity is a valid objective, they must realize that newer libraries and tools are much more likely to be compromised. "But everyone's using it!" is no defense either, because there's no telling how many edge cases exist in a new library. We'd say stick to the stuff that works and that you can rely on.
Mobile app security is an ongoing battle, and it begins with mindset. We hope these ten tips have given you a perspective on how interconnected things are, and how you can get started improving your mobile app security testing.