To minimize the security risks of an application, developers need their apps to stand up to stringent security testing. Fortunately, there are tools available that simplify and even automate these security tests. There are also best practices to guide and inform the testing process.
In this article, I will cover the most common security issues for mobile apps and highlight popular security tests. I will also discuss best practices for security testing in mobile apps and review tools for securing mobile applications in a CI/CD pipeline.
The importance of security testing mobile applications
To understand why security testing is important, I will describe these common issues:
- Improperly secured data storage
- Memory issues arising from using native code
- Use of open source/third-party tools
Improperly secured data storage
If you have not set proper credentials for your database, or if your cookie storage is poorly encrypted, attackers can easily read the contents of these data stores.
Take the case of a rooted device or a reverse-engineered app. If the attacker can easily gain access to your database because of weak security enforcement, your information is at risk of being compromised.
Memory issues arising from using native code
Apps written in C, C++, and Objective-C are much faster, but poor coding in these languages can cause memory leaks and buffer overflows. These memory pitfalls can cause problems with RAM and, in the case of kernel-land processes, system-stability issues. Attackers may use these problems to perform other attacks or to cause denial of service (DoS) by triggering memory leaks and buffer overflows.
Follow best practices for C and Objective-C programming to avoid memory leaks. Static code testing (checking your app for security vulnerabilities before running the code) helps identify such threats earlier. Static code testing tools can pinpoint where memory leaks and buffer overflows may occur.
Use of open source/third-party tools
Developers commonly use open source libraries and frameworks to streamline code production. Attackers can use vulnerabilities in these tools to launch attacks on your systems. Worse still, a library may contain malicious code that runs when it is used in an app.
One example of an open source vulnerability that led to customer data being leaked is the ParkMobile breach. A third-party software vulnerability compromised the personal information of this popular North American parking application’s 21 million users.
Third-party service vulnerabilities are often the result of misconfiguration. Check Point Research found 100 million users’ private data exposed through improper use of integrations.
A shift-left testing approach is the most efficient way to avoid third-party risks. This approach emphasizes setting up tests at the start of an app’s development lifecycle. Shift-left lets you test the open source and third-party tools you intend to use for vulnerabilities, which helps you identify red flags before it is too late.
Importance of security testing
An attack on your app may be detrimental to your organization. Security testing is important to the development lifecycle because it:
- Makes your app compliant with industry standards.
- Gives your end users a sense of trust in your products (when your app is ISO 27001 certified, for example).
- Helps you detect and understand weaknesses so you can eliminate and prepare for risks such as security breaches.
- Reduces costs related to security incidents, both financially and in terms of reputation.
- Helps you know what to adjust in your app’s ecosystem: third-party code, your code, or your security workforce.
Types of security tests
In this section, I will explore a few types of mobile app security tests:
- Vulnerability scanning
- Penetration testing
- Risk assessment
- Posture assessment
Vulnerability scanning uses automated tools to check an app’s ecosystem for areas that can be compromised during an attack. Vulnerability scanners look for known vulnerabilities, particularly in software dependencies.
Vulnerability scanning also detects easily missed loopholes in an app, checking against a record of common vulnerabilities and their characteristics. The matches are then reported to the developers or the quality assurance (QA) team. You can integrate vulnerability scans into a CI pipeline, as I will show later in this article.
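The matching step described above, as an added example that is not part of the original article: a small dependency check that compares a lockfile against a record of known-vulnerable versions and returns a non-zero exit code so a CI job fails. The package names, advisory IDs, and lockfile format are constructed for illustration.

```python
import sys

# Constructed advisory record: package -> [(first fixed version, advisory id)].
ADVISORIES = {
    "com.example:imageloader": [("2.4.1", "EXAMPLE-2024-0001")],
    "com.example:httpclient": [("1.9.0", "EXAMPLE-2023-0042")],
}

# Constructed lockfile in group:artifact:version form.
LOCKFILE = """\
# resolved dependencies
com.example:imageloader:2.3.0
com.example:httpclient:1.9.0
com.example:jsonkit:5.0.2
"""

def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def parse_lockfile(text):
    """Yield (package, version) pairs, skipping blank lines and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        package, _, version = line.rpartition(":")
        yield package, version

def scan(lockfile_text, advisories):
    """Return a finding for every dependency older than its first fixed version."""
    findings = []
    for package, version in parse_lockfile(lockfile_text):
        for fixed_in, advisory_id in advisories.get(package, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((package, version, advisory_id, fixed_in))
    return findings

def main():
    findings = scan(LOCKFILE, ADVISORIES)
    for package, version, advisory_id, fixed_in in findings:
        print(f"{advisory_id}: {package} {version} is affected, upgrade to {fixed_in}")
    return 1 if findings else 0  # a non-zero exit code fails the CI step

if __name__ == "__main__":
    sys.exit(main())
```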
Penetration testing simulates attacks to test an app’s security and identify its weaknesses. This differs from vulnerability scanning in that it involves human input (in this case, an ethical hacker). They use several techniques to break into an app and check where attackers may take advantage.
Unlike vulnerability scanning, which can raise false positives, the threats identified by penetration testing are real. These tests can usually provide more detail on the loophole’s precise location.
Risk assessment involves listing all components and people in an app’s ecosystem to identify their individual risks in case of a cyber attack. This helps you enforce protective measures on specific assets within an organization, for example in case someone in the IT department decides to help with or instigate an attack.
Posture assessment ascertains the current status of an app’s security, assisting the developers in identifying areas of improvement. It can tell you what information may be compromised during an attack, how it will disrupt business, how long it will take to recover, and what preventative measures to put in place.
Posture and risk assessment work hand in hand, and they may also incorporate other types of security testing. All of these have a common goal: to help you identify security loopholes, prevent an attack, and mitigate it.
Best practices for security testing in mobile apps
In this section, we will look at best practices for securing mobile apps and testing their security, along with their benefits. These are:
- Supply chain tests
- Use of SAST, DAST, and IAST techniques
- Authentication and authorization testing
- Encryption testing
Supply chain tests
Attackers may not attack your app’s main code directly, but they may use third-party code instead. Open source and untrustworthy third-party tools, as discussed in the security issues section, fall under this category. One way to prevent these attacks is shift-left testing, also discussed earlier. More specifically, you can perform static code testing, which is easily done with static application security testing (SAST) tools. As we will see in the next section, these tools can help detect security risks.
Supply chain tests prevent security risks that occur when your app has started being used by end users. Supply chain risks can easily be missed or overlooked while conducting tests using other methods.
Use of SAST, DAST, and IAST techniques
SAST refers to testing the application code for vulnerabilities before it is run. Tools such as Klocwork and Checkmarx are useful for SAST.
Dynamic application security testing (DAST) focuses on a running app. DAST tools scan apps to check for any loopholes that may lead to security risks. An example of a DAST tool for mobile is HCL AppScan.
Interactive application security testing (IAST) blends the features of SAST and DAST, thereby maximizing the advantages and minimizing the tradeoffs. IAST helps in catching vulnerabilities in the source code and during runtime.
You can use these three techniques to identify points where issues such as memory leaks, buffer overflows, improper input validation, and more may occur. Check out "SAST vs DAST: what they are and when to use them" for more on these techniques.
Authentication and authorization testing
Weak authentication and authorization allow attackers to gain higher privileges and do things that may take down the system or collect users’ credit data. DAST can help ensure that a user isn’t logged into an app when they are not supposed to be and doesn’t have access to what they shouldn’t.
Take, for instance, a shared directory. Can users with student rights access answer files that can only be accessed by a user with teacher rights? Can a user bypass a security question check? Such questions should be in your mind while doing the tests.
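One way to turn the student/teacher question into a repeatable test, as an added example that is not part of the original article: enumerate every role against every resource and compare the app's answer with an explicit allow-list. The paths, roles, and both access functions are hypothetical.

```python
from itertools import product

ROLES = ["anonymous", "student", "teacher"]

# Constructed shared directory: path -> resource class.
RESOURCES = {
    "/shared/notes/week1.pdf": "notes",
    "/shared/answers/week1.pdf": "answers",
    "/shared/grades/class.csv": "grades",
}

# Expected policy: only these (role, resource class) pairs may read.
ALLOWED = {
    ("student", "notes"),
    ("teacher", "notes"),
    ("teacher", "answers"),
    ("teacher", "grades"),
}

def can_read_weak(role, path):
    """Authentication only: any logged-in role may read anything under /shared/."""
    return role != "anonymous" and path.startswith("/shared/")

def can_read_strict(role, path):
    """Default deny: unknown paths and unlisted (role, class) pairs are refused."""
    resource_class = RESOURCES.get(path)
    return resource_class is not None and (role, resource_class) in ALLOWED

def audit(check):
    """Return every (role, path, kind) where the check disagrees with the policy."""
    violations = []
    for role, path in product(ROLES, RESOURCES):
        want = (role, RESOURCES[path]) in ALLOWED
        got = check(role, path)
        if got != want:
            kind = "over-privileged" if got else "wrongly denied"
            violations.append((role, path, kind))
    return violations

if __name__ == "__main__":
    for name, check in [("weak", can_read_weak), ("strict", can_read_strict)]:
        print(name, audit(check))
```

Testing the full matrix, including the pairs that must be denied, is what exposes the first function: it authenticates users but never checks what their role is allowed to read.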
Encryption testing
Strong encryption algorithms will give attackers a hard time accessing an app and gaining vital information. Note that setting encryption on authorization alone is not enough. As developers, we may forget or ignore setting it in other layers that our apps use and that may contain sensitive information, such as the transport layer of the OSI model. Attackers may use the transport layer to perform eavesdropping, leak communication information, and more.
To ensure your application follows the best practices for encryption, use SAST to ensure you have set strong encryption mechanisms.
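A static check for unencrypted transport in an Android project, as an added example that is not part of the original article. It reads the `android:usesCleartextTraffic` manifest attribute and the `cleartextTrafficPermitted` attribute of a network security config; the two XML documents and the domain name are constructed sample input.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed AndroidManifest.xml excerpt.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:usesCleartextTraffic="true"
      android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

# Constructed res/xml/network_security_config.xml.
NETWORK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
</network-security-config>"""

def check_manifest(xml_text):
    """Flag an <application> element that opts in to cleartext (HTTP) traffic."""
    findings = []
    root = ET.fromstring(xml_text)
    attribute = f"{{{ANDROID_NS}}}usesCleartextTraffic"
    for app in root.iter("application"):
        if app.get(attribute, "").lower() == "true":
            findings.append("manifest: application allows cleartext traffic")
    return findings

def check_network_config(xml_text):
    """Flag base-config or domain-config entries that permit cleartext traffic."""
    findings = []
    root = ET.fromstring(xml_text)
    for tag in ("base-config", "domain-config"):
        for node in root.iter(tag):
            if node.get("cleartextTrafficPermitted", "").lower() == "true":
                domains = [d.text.strip() for d in node.iter("domain") if d.text]
                scope = ", ".join(domains) or "all domains"
                findings.append(f"{tag}: cleartext permitted for {scope}")
    return findings

if __name__ == "__main__":
    for finding in check_manifest(MANIFEST) + check_network_config(NETWORK_CONFIG):
        print(finding)
```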
Using continuous integration for your tests
Despite its importance, security testing is not always given priority in many development teams. Many developers focus more on delivering the main goal of an app. There are many vulnerabilities to test for in an app, and you may not catch them all manually. If developers find that security testing wastes their time, they tend to skip it.
To prevent this, you can use test automation by setting up security test tools in a CI/CD pipeline. These tools can be used to give back meaningful data on vulnerabilities in the app to developers who, in turn, work on them. The developers can focus on the delivery of the app while at the same time fixing vulnerabilities.
Tools for securing mobile applications in your CI/CD pipeline
To integrate tests into your mobile application’s CI/CD pipeline, you can use CircleCI’s mobile testing tool.
It is easy to set up and manage your tests on this platform, thanks to orbs. An orb is a reusable YAML configuration that helps automate repetitive processes. Using orbs makes for easy project setup. You can easily use trusted third-party security testing providers in CircleCI pipelines.
Some useful orbs, which are shareable packages of CircleCI configuration, include NowSecure and Genymotion.
The broad user base for mobile applications makes them more attractive to attackers, and security issues like improper configuration of third-party applications can make them more vulnerable.
Now that you have an understanding of security tests like vulnerability scanning and posture assessment, and the importance of following best practices, you can ensure your apps — and your users’ personal data — are protected.