This is surely a tough question, but how do you test your mobile app against security threats you don't know exist? Testing for something you don't know about sounds impossible, but luckily today's tools offer plenty of ways to expose those threats and lighten your burden. Zero-day attacks, so named because the vulnerability is exploited on "day zero" of its awareness, do happen and are a reality for today's mobile apps. You need to defend yourself, and especially your app, against them!
Nevertheless, in all forms of attack, access into your app is enabled by a vulnerability in the code, either in your own software or in a third-party component. As the majority of today's mobile apps consist partly of third-party code and libraries, developers aren't necessarily aware of the liabilities and security threats those components bring with them. Still, using open source components as part of your app is a recommended and well-accepted development practice, as it offloads the task of developing code for non-core functions in your mobile app or game.
Identifying third-party code, its vulnerabilities and its license restrictions is critical to understanding your security exposure and your liability. In this blog, we'll take a look at some definitions of the security threats facing mobile apps. Not all of them are actual security threats; some are liabilities that the use of third-party components creates for developers.
Known and Unknown Vulnerabilities
There are two types of vulnerabilities: known and unknown. Known vulnerabilities have already been found and reported. The best way to keep up with known vulnerabilities is to subscribe to regular security updates from comprehensive vulnerability databases. These databases contain all reported vulnerabilities, leaving you to simply determine which security issues apply to you. Unknown vulnerabilities are vulnerabilities that have not yet been found. New technologies and proprietary code extensions in particular are frequently infested with unknown vulnerabilities, but unknown vulnerabilities cause problems in other technologies too.
Security Checklist for Mobile App Developer
Here are some things to check while developing your app, and definitely before publishing it to app stores:
- Be very proactive about robustness and security testing! The more you test for security, the better your app will be for users. And this is not a manual process you need to go through. More about this here.
- Get familiar with all third-party software packages and libraries you use. You should have a good overview and understanding of how those third-party components work, what security threats come with them, and how those threats will impact the users of your application.
- Know which software licenses bind the third-party code. At the end of the day, it is your responsibility as a developer to ensure you can ship third-party code as part of your app and to understand how its license affects your application. In some cases, you would need to expose your code base, and that is probably not something devs like to do.
- Look for real vulnerabilities in third-party components that could become security risks in your application. Hackers are good at finding vulnerabilities and can put significant effort into exposing security flaws in your app. When building your mobile app, think like a hacker, in a controlled manner, and make sure there are no vulnerabilities in your app!
- Remember! Many of those open source and third-party components constantly evolve. You should be fully aware of the new vulnerabilities and threats brought in with each updated version of those open source components. When you develop your app, it is important to stay up to date with this type of information!
Android Example: Data, The Root Cause of Problems
The most common security concern for a mobile application is whether the data that you save on the device is accessible to other apps. By default, files that you create on internal storage are accessible only to your app. This protection is implemented by Android and is sufficient for most applications. Files created on external storage, such as SD cards, are globally readable and writable. Because external storage can be removed by the user and modified by any application, you should not store sensitive information on external storage. Android also provides content providers, which offer a structured storage mechanism that can be limited to your own application or exported to allow access by other applications.
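The storage choice described above, as an added Java example that is not part of the original post: it writes the same data the weak way (external storage, shared with every app) and the recommended way (internal storage with MODE_PRIVATE), and adds a permission-bit check a reviewer can run on any file the app creates. It assumes an Android `Context` is passed in by the caller; the file name and payload are constructed sample values.

```java
import android.content.Context;
import android.os.Environment;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public final class StorageExposureExample {

    /** Weak pattern: external storage is world-readable, world-writable and removable. */
    public static File writeToExternalStorage(String name, byte[] data) throws IOException {
        File dir = Environment.getExternalStorageDirectory();
        File target = new File(dir, name);
        try (FileOutputStream out = new FileOutputStream(target)) {
            out.write(data);
        }
        return target; // any other app (or the user pulling the SD card) can read this
    }

    /** Recommended pattern: internal storage, private to this app's UID. */
    public static File writeToInternalStorage(Context ctx, String name, byte[] data)
            throws IOException {
        // MODE_PRIVATE is the default; MODE_WORLD_READABLE/WRITEABLE were removed in API 24.
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(data);
        }
        return new File(ctx.getFilesDir(), name);
    }

    /** Check the POSIX mode bits: true if "others" can read the file. */
    public static boolean isWorldReadable(File f) throws ErrnoException {
        StructStat st = Os.stat(f.getAbsolutePath());
        return (st.st_mode & OsConstants.S_IROTH) != 0;
    }

    /** Constructed sample: a session token that must never land on shared storage. */
    public static File storeSessionToken(Context ctx) throws IOException {
        byte[] token = "sample-session-token".getBytes(StandardCharsets.UTF_8);
        return writeToInternalStorage(ctx, "session.tok", token);
    }
}
```

For a content provider the equivalent decision is the `android:exported` attribute on its `<provider>` element in the manifest: keep it `false` unless other apps are meant to query the data.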
How to Test Security and Vulnerability of Android and iOS Apps?
With the help of Testdroid and Codenomicon Appcheck, you can improve your development and testing process to ensure only the most secure and robust mobile app or game reaches the mobile ecosystem. You can also watch our dedicated webinar recording, in which we guide you through security testing step by step.
More about professional security testing, covering more than mobile apps, can be found on Codenomicon's website.
Happy Security Testing!