In the previous blog post, we discussed how attacks on mobile applications can originate from the device the application is installed on or the network it is running on. But attacks can also come from another attack surface—the server. When a mobile application sends data to its backend, it does so through web services, which makes the server-side web infrastructure that hosts those services a prime target. The best course of action is to perform a web assessment of the server side of the mobile application.
The importance of web assessment
Doing assessments can seem tedious and commonsensical. But these days, even with web teams dedicated to supporting mobile applications, there is still a gap between web application developers and mobile application developers. As it stands, web application security on primary online properties suffers when the developers involved have limited experience with application security concepts. Mobile application developers are usually a separate development team altogether. Coupled with variations in coding standards, this limited knowledge of security concepts can spell the difference between a secure application and a compromised one.
It won’t be long before mobile computing overtakes traditional computing. So to successfully deploy a secure mobile application, it is essential to take a multi-faceted approach that considers the device, the network and the server components. Applications are like ecosystems, so treating them as separate components that have simply been put together won’t be as effective as testing them end-to-end using multiple skill sets and perspectives.
Below are some tips that can help you make sure that your mobile applications go through rigorous testing:
Attackers will probe applications while they are fully up and running. Test your defenses the same way: make sure dynamic testing is done while the application is running in its full configuration.
Allow dynamic and static testing approaches to complement each other, and supplement your automated testing with manual testing.
Applications are made up of three tiers: client, network and server components. To be thorough, your testing needs to cover all three tiers.
A security approach that is both comprehensive and multi-faceted is the best defense against mobile attacks. So be wary of any internal or external mobile security solution that doesn’t see it that way.