A few years ago, running a competitive business in this economy meant having an online presence aside from a traditional brick-and-mortar store. Later on, it shifted to providing customers with an interactive and engaging experience. These days, however, it’s all about mobile applications on smartphones and tablets.
There are risks and rewards that come with the advent of mobile applications. While they have made transactions possible from anywhere, they have also made it more important than ever to guard against external attacks on the client’s data and devices. The challenge is to find any vulnerabilities in your application and to fix them quickly, or risk suffering an attack.
In this post, we’ll be discussing what it takes to protect your mobile application, starting from how it’s built to the different ways you can test it against threats.
How the shift to mobile affects security
In 2010, Smart Insights reported that the use of mobile devices had increased threefold for the third year in a row. Given this, mobile data traffic is likewise expected to keep increasing and will likely overtake traditional usage. Now that more and more people own mobile devices, we are no longer limited to using the internet at home or at work; anyone can easily access the internet for web search, shopping or business. With all that mobile traffic, it’s easy to see why attackers are now on the prowl.
Securing a mobile application is not simply about protecting how it works on the device. It also means defending the network traffic between the application and its back-end server, and the components of the server themselves. The standard practice for most organizations and security companies is to secure and test only one or two of these components. What they don’t realize is that they need to test the entire application to assess its risks properly. This can be done by dynamic testing and static testing. Dynamic testing works by running the application and reviewing how each component functions from the outside. Static testing is done by examining how it functions at the code level.
There are different options you can use for testing the components of a mobile application. On the client side, you can use (1) client-side fuzzing (dynamic) and (2) filesystem or memory analysis and binary and code review (static). For the network, you can use traffic analysis (dynamic). On the server side, you can conduct full dynamic testing of the back end and a full review of the back-end codebase.
Mobile testing options and strategies
When it comes to mobile testing, security testing against real-world risks can only be done by running the application, including the interactions among its various components in their deployed configuration. Otherwise, the testing is purely theoretical. The way the different parts of an application work together can produce behavior that is bigger than how they function separately, and attackers take advantage of this behavior, much to the chagrin of the security teams that handle these applications. They attack a full application from both ends, so it’s very important that you test your applications the same way.
Dynamic testing by itself isn’t enough. Instead of treating the external view and the application’s internal structure as independent and separate from each other, combining them gives you a better view of how the application will respond. On one hand, findings from dynamic testing show how an attack affects the application as it runs end to end. On the other hand, code review can be done while the application isn’t running and can pinpoint weak spots in the code.
Read Part Two of this post to learn how a mobile attack can happen through the device or the network.