Security testing for mobile apps is never enough, and by extension, never complete. In some of our earlier blogs, we emphasized the importance of static analysis tools like Appknox for uncovering vulnerabilities in the code. While static analyzers are a godsend, there are things they can't measure, such as intentional or unintentional access compromise. The point is, code that looks safe may not actually be safe, even if it follows the world's best security standards. How can you be sure that the developer didn't overlook something subtle that is now baked into the app as an embarrassing vulnerability? Say hello to Dynamic Application Security Testing.
So what is Dynamic Application Security Testing?
As the name implies, this type of security testing focuses on the dynamic or runtime characteristics of the app.
Here are some examples:
1) Encryption: Instead of checking that a strong encryption algorithm is used, dynamic testing actually tries to break through the encryption and verify that it's indeed working. Since much depends on the version of the software library used, this is indeed the better way of testing the employed encryption.
2) Memory: Static analysis can provide next to no clue about how memory is being used and managed in an app. By contrast, dynamic testing will catch cases where portions of RAM can be easily exploited, or where your app is exposing critical system resources that it shouldn't.
3) Permissions: Can some malicious code interact with your app and gain superuser permissions on a rooted device? Dynamic testing is the only way to figure this out.
4) Performance: The performance of an app is not clear until it is actually run. How much CPU and RAM it ends up consuming can only be measured in dynamic testing. This is also important for benchmarking against the competition and the industry average.
5) Backend code injection: One very important aspect of security is backend security. Some known attacks exploit the implicit trust that a backend places in the communicating app. In some cases, attackers are able to hijack authorization tokens and cause trouble. Such scenarios lie in the domain of dynamic application testing.
There are countless other scenarios that dynamic security testing covers: is the app hackable through Bluetooth? Can it be compromised at startup time? What matters is that you choose the right service or product that offers maximum protection.
Does all this mean static analysis is just a facade that should be avoided? Not at all. Static analysis remains a key preliminary check. In fact, static and dynamic analysis complement each other: static analysis makes assertions about the state of an app's security, and dynamic analysis verifies (or contradicts) those assertions and builds on the outcome. We suggest a healthy mix of the two to ensure app security!
Find out how Appknox Dynamic Application Security Testing can take your app's security to the next level.