We've said before that mobile app security is a winnable battle, at least on some critical fronts. But this doesn't seem to be the experience of some companies, who insist that it's too vast and complicated. It is this perspective that we wish to challenge here. Sure, it's vast (okay, it's enormous, all right?), but you don't get it under control by attacking it all at once. Our advice is to target a small subset of mobile security testing techniques and focus on getting only that small area under control. Once that is done, you tackle the next level of challenges, and so on.
Yes, we know what you're going to ask: how do you determine an easy first set of challenges, and how do you tackle them? This is what we're going to take up next.
Checklist, checklist, checklist
When automobiles are manufactured and tested, do you think the testers do it off the top of their heads? Not at all! The testing process is highly rigorous, working through a long list of to-dos that test each and every part of the automobile. In the same way, your mobile security testing efforts need a "Ten Commandments" to adhere to.
Now, here's the important part: when you're just starting out in security, you shouldn't try to make this list the best in the world. Instead, focus on common-sense items that are easy to achieve. Some examples are: 1) Are we using TLS? 2) Are we using a modern encryption algorithm? 3) Are we encrypting user data stored on the device?
Code analysis is one of the best ways of uncovering security flaws. That's simply because almost all security vulnerabilities are created at the code level. So how do you uncover the sins of the code? We suggest two ways: static analyzers and manual reviewers. With static analyzers, tools like Appknox can automatically analyze your code and point out known mistakes that you're committing.
However, solely relying on a tool for everything is not enough. The code should also be reviewed by experienced developers or ethical hackers, who can then point out areas where the code is weaker than the industry average. Not sure where to find ethical hackers who can do the job? Turn to services like Appknox!
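As an added example (our own illustration, not code from Appknox or any real analyzer), here is how the three starter checklist items above can be turned into a tiny static check: each item becomes a pattern that flags a likely failure, run over a constructed fragment of hypothetical Android source. The sample source, the item names and the exemption marker are all assumptions chosen for the illustration.

```python
import re

# Constructed sample of hypothetical Android app source; every line is made up for the demo.
SAMPLE_SOURCE = """
private static final String API = "http://api.example.invalid/v1/login";
Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
SharedPreferences p = getSharedPreferences("session", MODE_PRIVATE);
p.edit().putString("token", token).apply();
""".strip()

# (checklist item, pattern that indicates the item is NOT satisfied, marker that exempts the file).
# The exemption is a heuristic: a file that already uses EncryptedSharedPreferences is assumed
# to write its preferences through that wrapper.
CHECKS = [
    ("uses_tls", re.compile(r'"http://(?!localhost|127\.0\.0\.1)'), None),
    ("modern_crypto", re.compile(r'getInstance\("(DES|DESede|RC4|RC2|Blowfish)\b'), None),
    ("modern_crypto", re.compile(r'getInstance\("[^"]*/ECB/'), None),
    ("modern_crypto", re.compile(r'MessageDigest\.getInstance\("(MD5|SHA-?1)"'), None),
    ("encrypts_stored_data", re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)'), None),
    ("encrypts_stored_data", re.compile(r'\.putString\('), "EncryptedSharedPreferences"),
]


def run_checklist(source: str) -> dict:
    """Return {item: [(line_no, line_text), ...]} listing the lines that fail each item."""
    findings = {"uses_tls": [], "modern_crypto": [], "encrypts_stored_data": []}
    for line_no, line in enumerate(source.splitlines(), 1):
        for item, pattern, exempt_marker in CHECKS:
            if exempt_marker and exempt_marker in source:
                continue  # file-level exemption applies, skip this pattern
            hit = (line_no, line.strip())
            if pattern.search(line) and hit not in findings[item]:
                findings[item].append(hit)  # one finding per line per item
    return findings


def failed_items(findings: dict) -> list:
    """Checklist items with at least one finding, in checklist order."""
    return [item for item, hits in findings.items() if hits]


if __name__ == "__main__":
    report = run_checklist(SAMPLE_SOURCE)
    for item in failed_items(report):
        for line_no, text in report[item]:
            print(f"FAIL {item}: line {line_no}: {text}")
```

Patterns like these only catch the obvious, known-bad spellings; that is exactly why the post pairs the tool with a human reviewer.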
Cloud-based security solutions
One very effective mobile security testing shortcut is to use cloud-based security solutions. By leveraging the power of flexible infrastructure, these solutions are able to replicate the environment needed for security testing. As a result, they are better able to perform mobile security testing in a near-ideal scenario and give you detailed reports.
Before we leave this point, we must mention that cloud-based solutions are not a passing technology fad. Consider that in order to be broken, a mobile device needs to be attacked in several different ways and from thousands of points simultaneously. It is plainly impossible to simulate this manually, but it is as simple as pressing a button in a cloud-based solution.
Security is elusive, and mobile app security is the most elusive of all. But by starting small, making sure that the solutions you envision are simple, and being disciplined, you'll be far better placed than your rivals.