As technology progresses and mobile devices become ubiquitous, a remarkably large number of people worldwide now use smartphones. Current estimates put the number of smartphone users at 6.8 billion, and they rely on their phones for an array of activities; most significantly, 88% of that usage is dedicated to apps!
While the above stats show that the mobile app industry is thriving, it's also a matter of concern. Why? As the number of mobile apps and their users increases, cyber attacks targeting mobile apps are also growing. Hackers are becoming smarter and finding new ways to gain unauthorized access.
Therefore, mobile app developers must go beyond basic security testing and take additional measures to make mobile apps more secure and resilient to attackers. One such measure is mobile app threat modeling.
Despite being decades old, mobile app threat modeling is practised by only a minority of app development organizations. However, it's an effective process and can do wonders when combined with regular security testing.
In this blog, we'll dive deeper into the concepts of mobile threat modeling and app security testing: what these processes are, how they help, and the best practices that enhance mobile app security. So, read on.
Mobile App Threat Modeling
As Microsoft defines,
"Threat modeling is an engineering technique for identifying threats, vulnerabilities, attacks, and countermeasures that could impact an application. Threat modeling helps shape your app's design, meet your organization's security goals, and reduce risk."
In simpler terms, threat modeling is a process that helps companies identify the vulnerabilities an attacker could exploit, prioritize them, and mitigate them.
While you may think threat modeling sounds similar to regular security testing, it's not. The goals point in the same direction, but the way threat modeling works is unique.
For instance, before development begins, threat modeling helps identify security requirements, pinpoint security threats, and prioritize them by risk, whereas other methods, such as pen testing, can only be performed once development has reached a particular stage.
Types of Threats That Can Impact Mobile Apps
Here are the common threat types that can make your apps more vulnerable:
1) Data Leakage
Data leakage is a common mobile app security threat wherein hackers access confidential user/business data. This usually happens when the code lacks secure coding practices, encryption, and optimum authentication measures.
Let's say a user enters their name, address, and card information in your app. Hackers can steal and misuse the above information if your app is insecure or lacks basic mobile app security frameworks.
2) Malware
Malware is software or code injected into an application to disrupt it or gain unauthorized access. Often, hackers reverse engineer popular apps, create a malicious replica of the app, and steal the data of millions of customers. This data is then used for illicit purposes and sold on the black market.
3) Poor Encryption
Encryption is the process of encoding data, making it unreadable for anyone who doesn't have the key. This helps conceal confidential information from hackers. However, many developers use poor encryption techniques or don't use encryption at all, especially for in-transit data, and this makes the app susceptible to attacks.
4) Unreliable Third-Party Components
Developers often use several third-party components, such as APIs, libraries, and frameworks, to make development easier. While third-party components do help, they're usually risky, especially if they come from unreliable sources. Such components may access confidential information and allow malicious code to run on the users' devices.
How Can Threat Modeling Help Identify and Prioritize Potential Security Risks?
The most important aspect/step of threat modeling is identifying threats and prioritizing the potential security risks. Here's how:
Identifying threats or vulnerabilities is quite complex before deployment, as there are too many touchpoints and vectors. However, building a cross-functional team that includes testers, developers, architects, system admins, users, etc., can help.
Once the team is ready, you can follow the threat identification models given by Microsoft:
Model 1: According to this model, you can break down potential threats into a threat graph. Take a look at this infographic:
Model 2: In this approach, you must create a list of who may attack an asset in your mobile application. The potential actors would fall into one of these categories:
- Accidental Discovery: This is done by regular users who might make a functional mistake while using the app and might accidentally get access to privileged functionality or information.
- Automated Malware: These are scripts or programs looking for vulnerabilities and reporting them to a central website.
- Curious Attacker: These are regular users or security researchers who, when they notice a vulnerability in an application, try to explore it further.
- Motivated Attacker: This one is a hacker/attacker looking for financial or other types of benefits from the attack.
- Organized crime: This usually involves a team of hackers seeking huge financial gains by cracking banking or eCommerce applications.
Besides the two example models above, you can use one more method: performing a code and configuration review. This method will also help you ensure the necessary controls are in place and work as they should.
Here's what you can consider to perform code and configuration review:
- Input validation
- Cookie Management
- Sensitive Data
- Session Management
- Secure Code Environment
- Exception management
- Auditing and logging
Now that you know how to identify potential threats, let's understand how to prioritize them. While there are numerous methods of threat prioritization, two of the most effective threat model examples for threat prioritization are DREAD and STRIDE.
DREAD: DREAD is a classification framework that helps determine and compare the amount of risk a threat poses. DREAD is also an acronym:
Risk Score = DREAD = Damage + Reproducibility + Exploitability + Affected Users + Discoverability
A risk score is a number between 0 (zero risk) and 10 (total destruction or compromise).
- Damage potential: How much damage the threat is capable of causing.
- Reproducibility: How easily and how reliably the exploit can be repeated.
- Exploitability: How much effort and expertise are needed to exploit the threat.
- Affected users: If realized, how extensive will the impact of the threat be?
- Discoverability: How easy it is to find the threat.
STRIDE: STRIDE is a goal-based approach where you consider the attacker's goals. Just like DREAD, STRIDE is an acronym that outlines six types of threats and security controls to deal with the same. Here's what STRIDE stands for (potential threat vectors):
- Spoofing Identity: This threat action aims at using someone else's username and password to gain access.
- Tampering with Data: It involves modifying or changing the data within the system to fulfill malicious goals.
- Repudiation: A threat action that aims at performing illegal actions in a system in a way that cannot be traced back to the actor.
- Information Disclosure: This threat action exposes data to users who are not supposed to have access to it.
- Denial of Service: This threat aims at making a web-based service unusable.
- Elevation of Privilege: This threat aims at getting unauthorized access to compromise a system.
Steps Involved in Mobile App Threat Modeling
While the steps involved in mobile app threat modeling vary from organization to organization, they can be categorized into these three high-level steps:
Step 1: Decomposing the Application
In this step, you must understand how the app works and interacts with other entities. Here's what this step involves:
- Creating different use cases for the app
- Identifying entry points a potential attacker might use
- Identifying assets that the attacker might want to exploit
- Identifying the access rights the application will give to external entities
Step 2: Identifying and Ranking Threats
This step involves identifying and categorizing the potential threats using the frameworks listed above: DREAD and STRIDE. Doing this will help you understand the potential vulnerabilities, how they'll be exploited, and the damage they might inflict.
Step 3: Determining Countermeasures and Mitigation
Now you need to find countermeasures to mitigate the vulnerabilities you've identified in the previous step. Based on the risk they pose, you can:
- Accept: accept the impact of the threat.
- Eliminate: get rid of the components that make the vulnerability possible.
- Mitigate: take the necessary measures to reduce the impact of the threat.
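The following is an added worked example, not code from this post or from Appknox, that carries the DREAD and STRIDE section above and the three-way treatment decision (accept, eliminate, mitigate) into a small runnable threat register. It assumes two things that the post does not state: the DREAD score is taken as the average of the five 0-10 ratings so that it lands on the 0-10 scale the post describes (the post writes the formula as a sum), and the treatment thresholds are illustrative values chosen for the example. The threats in `SAMPLE_THREATS` are constructed for a hypothetical banking app.

```python
"""Worked example: rank threats with DREAD, tag them with STRIDE and pick a
treatment. Added illustration for this post, not Appknox code."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Stride(Enum):
    """The six STRIDE threat categories."""
    SPOOFING = "Spoofing Identity"
    TAMPERING = "Tampering with Data"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information Disclosure"
    DOS = "Denial of Service"
    ELEVATION = "Elevation of Privilege"


@dataclass
class Threat:
    name: str
    category: Stride
    # DREAD components, each rated 0 (none) .. 10 (worst)
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_score(self) -> float:
        """Average of the five ratings, so the score stays on the 0-10 scale.
        ASSUMPTION: averaging is a common DREAD convention; the post writes the
        formula as a plain sum."""
        parts = (self.damage, self.reproducibility, self.exploitability,
                 self.affected_users, self.discoverability)
        for p in parts:
            if not 0 <= p <= 10:
                raise ValueError(f"DREAD rating out of range: {p}")
        return sum(parts) / len(parts)


# ASSUMPTION: illustrative thresholds, not values from the post.
ELIMINATE_AT = 7.0   # remove the component that makes the threat possible
MITIGATE_AT = 4.0    # add a control that reduces impact or likelihood


def treatment(score: float) -> str:
    """Map a DREAD score to the post's three options."""
    if score >= ELIMINATE_AT:
        return "eliminate"
    if score >= MITIGATE_AT:
        return "mitigate"
    return "accept"


def rank(threats: List[Threat]) -> List[Tuple[Threat, float, str]]:
    """Return (threat, score, treatment) rows, highest risk first."""
    rows = []
    for t in threats:
        score = t.dread_score()
        rows.append((t, score, treatment(score)))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# Constructed sample register for a hypothetical banking app.
SAMPLE_THREATS = [
    Threat("Card data cached unencrypted on device", Stride.INFO_DISCLOSURE,
           damage=9, reproducibility=8, exploitability=6,
           affected_users=9, discoverability=8),
    Threat("Session token accepted after logout", Stride.SPOOFING,
           damage=7, reproducibility=6, exploitability=5,
           affected_users=5, discoverability=4),
    Threat("Verbose crash log in debug build", Stride.INFO_DISCLOSURE,
           damage=2, reproducibility=3, exploitability=3,
           affected_users=2, discoverability=5),
]

if __name__ == "__main__":
    for t, score, action in rank(SAMPLE_THREATS):
        print(f"{score:4.1f}  {action:9s}  {t.category.value:22s}  {t.name}")
```

Running the block prints the register sorted by score (8.0 eliminate, 5.4 mitigate, 3.0 accept). Keeping the STRIDE category on each row is what makes the register useful later: it tells the team which class of control (authentication, integrity, logging, and so on) the mitigation has to come from.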
You can refer to OWASP's official website to learn about these steps in detail.
Mobile App Threat Modeling Best Practices
Here's how you can make the most of mobile app threat modeling:
1. Define the Scope Clearly: Determine the scope of the analysis with your stakeholders, then break down the depth of the analysis with the respective teams.
2. Visual Understanding: Create a diagram or any other easy-to-understand visual element that displays the major components of the app that you're threat modeling.
3. Model Attack Possibilities: Accurately identify all software assets, threat agents, and mobile app security controls and create a diagram/model. After that, you can identify potential threats by leveraging methods like STRIDE.
Ask the Right Questions: To determine the potential threats accurately, ask the following questions:
- Can the threat agent reach an asset without passing through security control?
- Can a threat agent defeat a mobile app security control?
- What steps must a threat agent take to defeat a mobile app security control?
4. Track Weak Security Controls: Trace the path each threat agent would follow. If the threat agent can reach an asset without routing through a security control, you have a potential attack; if it does pass through a security control, check whether that control actually stops the threat agent.
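The path-tracking described in points 3 and 4 is the kind of question a small script can answer mechanically once the model exists. The block below is an added example, not code from this post or from Appknox: it stores a hypothetical app's data flow as a directed graph of threat agents, entry points, security controls and assets, enumerates every path from an agent to an asset, and reports the two failure modes the post names (no control on the path, or only controls that do not stop that agent). The graph itself and the assumption about which agents each control stops are constructed for the example.

```python
"""Worked example: find assets a threat agent can reach without being stopped by
a security control. Added illustration for this post, not Appknox code."""
from typing import Dict, List, Set, Tuple

# Constructed data-flow graph of a hypothetical banking app:
# node -> nodes the flow continues to.
GRAPH: Dict[str, List[str]] = {
    "curious attacker":     ["login screen", "debug log export"],
    "motivated attacker":   ["login screen", "deep link handler"],
    "automated malware":    ["deep link handler"],
    "login screen":         ["auth: password + MFA"],
    "deep link handler":    ["rate limiter"],
    "debug log export":     ["crash logs"],
    "auth: password + MFA": ["account API"],
    "rate limiter":         ["account API"],
    "account API":          ["customer records"],
}

AGENTS: Set[str] = {"curious attacker", "motivated attacker", "automated malware"}
ASSETS: Set[str] = {"crash logs", "customer records"}

# ASSUMPTION (for the example): which agent categories each control stops.
# A rate limiter slows scripted abuse but does not stop a motivated human.
CONTROL_STOPS: Dict[str, Set[str]] = {
    "auth: password + MFA": {"curious attacker", "motivated attacker", "automated malware"},
    "rate limiter":         {"automated malware"},
}

Finding = Tuple[str, str, List[str], str]   # (agent, asset, path, reason)


def paths(graph: Dict[str, List[str]], start: str, goal: str,
          _seen: Tuple[str, ...] = ()) -> List[List[str]]:
    """All simple (cycle-free) paths from start to goal, depth-first."""
    if start == goal:
        return [list(_seen) + [goal]]
    found: List[List[str]] = []
    for nxt in graph.get(start, []):
        if nxt != start and nxt not in _seen:
            found.extend(paths(graph, nxt, goal, _seen + (start,)))
    return found


def find_exposures(graph: Dict[str, List[str]], agents: Set[str], assets: Set[str],
                   control_stops: Dict[str, Set[str]]) -> List[Finding]:
    """Report every agent->asset path that is not blocked by a control.

    A path is blocked as soon as one control on it stops that agent; otherwise
    it is reported with the reason the post describes."""
    findings: List[Finding] = []
    for agent in sorted(agents):
        for asset in sorted(assets):
            for path in paths(graph, agent, asset):
                controls = [n for n in path if n in control_stops]
                if not controls:
                    findings.append((agent, asset, path, "no control on path"))
                elif not any(agent in control_stops[c] for c in controls):
                    findings.append((agent, asset, path,
                                     "controls on path do not stop agent"))
    return findings


if __name__ == "__main__":
    for agent, asset, path, reason in find_exposures(GRAPH, AGENTS, ASSETS, CONTROL_STOPS):
        print(f"{agent} -> {asset}: {reason}")
        print("   via " + " -> ".join(path))
```

On the constructed graph this reports two exposures: the curious attacker reaches the crash logs through the debug log export with no control at all, and the motivated attacker reaches customer records through the deep link handler because the only control on that path, the rate limiter, is assumed not to stop a human attacker. Both are exactly the cases the post's two questions are meant to surface, and the same function can be re-run every time the model is updated.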
5. Continuously Update: You must update your threat model as new mobile app security risks appear every year. Not updating will make threat modeling ineffective against new threats, which defeats the whole purpose.
Mobile App Security Testing
Mobile app security testing evaluates or assesses the application security via SAST scan or DAST scan (more on this later in the blog). Using security testing, developers can identify potential vulnerabilities in their apps and effectively mitigate them, resulting in a more secure and resilient mobile app.
Common Types of Security Testing
Vulnerability assessment (VA) is a method that helps identify vulnerabilities in an application. Usually, developers run their app through an automated vulnerability assessment solution that scans the app for vulnerabilities and reports them. Vulnerability assessment is of two types:
- Static Application Security Testing (SAST): SAST involves analyzing the app's source code and ensuring the implementation of the security controls. This happens when the app is at rest.
- Dynamic Application Security Testing (DAST): DAST analyzes the app during runtime. It's an automated test that approaches the app like an attacker. Being more thorough, it helps uncover server configuration issues, authentication and authorization issues, and potential data leaks.
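To make the SAST half of that concrete, here is an added example (not code from this post or from Appknox) of the simplest possible static analysis: a handful of pattern rules run over source lines while the app is "at rest", covering several items from the code and configuration review checklist above (sensitive data, secure code environment, auditing and logging). The rule set is a small illustrative subset of what a real SAST engine checks, and the Kotlin-style lines in `SAMPLE_SOURCE` are constructed for the example.

```python
"""Worked example: a minimal pattern-based SAST pass over mobile app source.
Added illustration for this post, not Appknox code."""
import re
from typing import List, NamedTuple, Pattern, Tuple


class Finding(NamedTuple):
    line: int
    rule: str
    severity: str
    text: str


# ASSUMPTION: illustrative rules only; a real SAST tool parses the code rather
# than matching text, and ships hundreds of checks.
RULES: List[Tuple[str, str, Pattern[str]]] = [
    # A credential literal committed into the client binary.
    ("hardcoded-secret", "high",
     re.compile(r'(?i)\b(api[_-]?key|secret|password|token)\s*=\s*"[^"]{8,}"')),
    # Cleartext endpoint: data in transit without TLS.
    ("cleartext-url", "medium", re.compile(r'"http://[^"]+"')),
    # Hostname verifier that accepts every certificate.
    ("trust-all-hostnames", "high",
     re.compile(r'HostnameVerifier\s*\{[^}]*->\s*true\s*\}')),
    # Manifest flag that permits cleartext traffic app-wide.
    ("cleartext-traffic-allowed", "medium",
     re.compile(r'usesCleartextTraffic\s*=\s*"true"')),
    # Sensitive values written to the device log.
    ("sensitive-data-logged", "medium",
     re.compile(r'(?i)\bLog\.[dviwe]\([^)]*(password|token|card)')),
]


def scan(source: str) -> List[Finding]:
    """Run every rule over every line; one Finding per (line, rule) hit."""
    findings: List[Finding] = []
    for number, line in enumerate(source.splitlines(), start=1):
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(number, rule, severity, line.strip()))
    return findings


# Constructed sample: six Kotlin-style lines, four of them flawed.
SAMPLE_SOURCE = "\n".join([
    'private const val API_KEY = "sk_live_0123456789abcdef"',
    'private const val BASE_URL = "http://api.example.com/v1"',
    'val client = builder.hostnameVerifier(HostnameVerifier { _, _ -> true }).build()',
    'Log.d("Login", "password=$password")',
    'val user = repo.load(id)',
    'val userToken = tokenStore.read()',
])

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line:2d}  {f.severity:6s}  {f.rule:26s}  {f.text}")
```

The point of running this early in the SDLC is visible in the output: all four findings are in code the developer can fix in minutes, before a DAST run or a pen test would have had to discover the resulting behaviour from the outside.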
Often led by an ethical hacker or a certified security professional, a pen test is a simulated attack performed on the app to find potential vulnerabilities. The security professional interacts with the app like an actual hacker would and uses automated pentesting tools to find exploitable weaknesses so they can be fixed before a real attack.
Steps Involved in Mobile App Security Testing
While the actual steps in mobile app security testing might vary, here's what security testing typically entails:
- Planning: During this phase, you need to define the scope of testing and choose the testing methods and resources necessary for testing.
- Preparation: Prepare the testing environment, create test cases, and gather information about the app architecture, potential threats, and dependencies.
- Execution: This is when the tests are conducted to identify potential vulnerabilities.
- Analysis: This involves analyzing the test results and identifying the vulnerabilities or threats. During this step, threats are prioritized based on the risk they pose.
- Reporting: This step involves detailed reporting on the test performed. It includes test results, vulnerabilities discovered, their severity, and remediation steps.
- Remediation: This step involves mitigating or addressing the issues by making changes to the code, redesigning components, implementing additional security measures, etc.
How to Make Mobile App Security Testing More Effective?
Here's how you can make the most of mobile app security testing:
1) Use Automation
In addition to manual testing, you should also leverage automation testing, i.e., the use of automated tools. Take Appknox, for example. Using Appknox, you can perform automated vulnerability assessments, including DAST, SAST, API security testing, and more, with better accuracy without spending much time and effort. This way, you can save time and perform tests more frequently, making your app more resilient.
2) Hire Dedicated Experts
Security testing, especially mobile app penetration testing, is a skill-based task that requires a dedicated expert if you seek the best results. So, build a team of qualified experts to improve the effectiveness of security testing.
3) Scrutinize 3rd party Code
Open source or 3rd party components make development easy, but they're equally risky. So, when conducting security tests or looking for mobile app security risks, scrutinize 3rd party components as well.
4) Include Abuse Cases
Developers must consider different ways an attacker might abuse or exploit a feature or app. This way, developers can implement the required security controls before anything happens.
5) Don't Ignore SAST
Most companies opt for DAST and pen testing while ignoring SAST. However, pen testing and DAST happen late in the SDLC, making bug fixing a hassle (as bugs found later are harder to fix). Including SAST early in the SDLC can help you detect code issues in real time, saving you a lot of time and hassle.
5 Best Practices for Mobile App Security
Here's a list of best practices you must follow to minimize Mobile app security risks:
1) Secure the Source Code
The source code is usually available on the client's device. And if the device is hacked, the hackers can access your source code and steal business logic. Therefore, you should focus on securing the source code. And for this, you can opt for methods such as code obfuscation. It makes the code meaningless and extremely hard for the hacker to understand.
2) Implement Data Encryption
In addition to securing your code, you must encrypt all the data. You should always refrain from storing crucial data on the client's device, but if you do so, make sure to encrypt it. The same goes for data traversing to and from the server. This way, hackers won't be able to decipher it even if they get hold of the app's data.
3) Isolate App Data
During development, you must ensure that your app data is isolated from other apps on the user's device. This will prevent any other apps from accessing confidential information and thus reduce instances of data leaks.
4) Ensure Safe Communication
Make sure the data is secure while it's being transmitted. Developers can implement code that checks the validity of certificates and offers access to valid users only. Also, secure protocols such as TLS (HTTPS) should be used for added security.
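The certificate-validity check the paragraph asks for usually fails in one specific way: a developer silences a certificate error during development and the "trust everything" setting ships. The block below is an added example, not code from this post or from Appknox, that uses Python's standard `ssl` module as a stand-in for the platform's TLS stack (a mobile app would do the equivalent through its OS networking API). It shows the weak client configuration beside the hardened one and an `audit_tls_context` check that can be run in a test suite to catch the weak settings before release; the `ca_bundle` parameter and the rule names are assumptions made for the example.

```python
"""Worked example: weak vs. hardened TLS client settings and a check that
flags the weak ones. Added illustration for this post, not Appknox code."""
import ssl
from typing import List, Optional


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return rule names for settings that weaken certificate validation or
    allow obsolete protocol versions; an empty list means the context passes."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Server certificate is not checked against any CA at all.
        findings.append("no-cert-verification")
    if not ctx.check_hostname:
        # A valid certificate for a different host would be accepted.
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        # TLS 1.0/1.1 (and SSL) negotiable; a downgrade target.
        findings.append("weak-min-version")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: 'make the certificate error go away'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE    # accepts any certificate, valid or not
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Corrected settings: CA verification, hostname check, TLS 1.2 minimum.
    ca_bundle (assumed parameter) points at the CA file the app trusts; None
    uses the platform's default trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("weak    :", audit_tls_context(weak_client_context()) or "ok")
    print("hardened:", audit_tls_context(hardened_client_context()) or "ok")
```

Wiring `audit_tls_context` into the app's unit tests turns the paragraph's advice into a regression check: the build fails the moment someone reintroduces `CERT_NONE` or disables hostname verification.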
5) Regularly Monitor and Maintain the App
One of the most critical security best practices is to monitor and maintain the app regularly. Monitoring helps developers take the required steps should anything suspicious happen and avoid escalation. Maintaining the app involves updating it and applying security patches to address new vulnerabilities as they arise, which keeps the app secure for longer.
Challenges and Future Trends in Mobile App Security
Everything these days fits in the palm of a hand. From making payments, booking flights, restaurants, and hospital appointments to paying bills, one can do everything on a mobile device. Our living and eating habits have altered with the trends of instant delivery and the rise of ghost kitchens, and with that comes mobile app security risk. As the use cases increase, mobile apps are becoming more complex, making it harder to implement adequate mobile app security frameworks.
In addition to app complexity, threats or vulnerabilities are also rising. Hackers are becoming smarter and finding new methods to gain access or perform data breaches. However, developers can get the upper hand by staying ahead of the latest security trends, such as:
- Leveraging AI and ML in Security Testing
- Integrating Multi-Factor Authentication (MFA)
- Over-the-air (OTA) security updates
- Proactive security, i.e., including cyber security as a part of the SDLC and not an add-on.
By staying up-to-date and informed about the latest developments in the industry, developers can implement the necessary measures and ensure better security.
Mobile App Threat Modeling and Security Testing: A Perfect Combination
Where threat modeling is performed during the design phase of the SDLC and helps fix design flaws that lead to security issues, security testing helps deal with bugs (that cause a security threat) before the app goes into production. Ideally, this combination helps perform an end-to-end test on the mobile app and make it as secure as possible.
However, while combining mobile app threat modeling and security testing does help boost security, it should be an ongoing process. With the rapidly evolving mobile app landscape, risks are evolving too. Therefore, developers must be vigilant and make the necessary changes/updates to enhance security as and when required.
How To Do Threat Modeling?
You can leverage threat modeling to uncover potential threats or vulnerabilities in your mobile app or system. To do threat modeling, you must identify potential threats, analyze their impact, and determine how likely that threat can occur. This way, you can find and mitigate issues based on priority and make your app more secure.
How To Create a Threat Model?
To create a threat model, you need to identify the assets (app, data) that need protection and what they need protection from, i.e., potential threats. After that, you can analyze the impact of those threats, determine their likelihood of occurrence and deal with them effectively.
What Are the Steps of Threat Modeling?
While high-level threat modeling involves three steps (decomposing the app, identifying and prioritizing the threats, and mitigation), you can break the process down further for ease of implementation:
- Define the scope
- Create a data flow diagram
- Identify threats
- Analyze their impact
- Prioritize them
- Choose countermeasures
- Review and update the model as and when required