Saturday, 7 September 2013

Mobile App Pen Testing - 2

Types of Mobile Applications

  1. Browser Based Application
    • Test these applications in an emulator or on a real device rather than in a desktop browser on Windows/Linux/any other OS: the application may not behave the same way in both, because the application server may render the response differently depending on the User-Agent header it receives.
    • These applications are built with HTML5, CSS and JavaScript.
    • Browser based applications are prone to the usual web application threats: SQL injection, Cross Site Scripting, parameter tampering, weak authentication and authorization checks, and missing or misconfigured transport layer security.
  2. Native Applications
    • These are the .apk (Android), .ipa (iOS) and .xap (Windows Phone) files: zip-based packages (an .apk has the same layout as a JAR file) containing all the components needed to perform the desired actions. A large community of developers writes such applications, including third party applications that extend the features and functionality of the various devices. They are downloaded and installed through Google Play, the App Store, or third party sites.
    • These applications are developed in Objective-C with the Cocoa Touch API for iOS, and in Java for Android.
    • Security issues related to native applications are further discussed in the penetration section.
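The User-Agent point in the browser-based item above is easy to check mechanically: request the same URL as a desktop browser and as a phone, then diff the two responses. The script below is an added example, not code from the original post. The two User-Agent strings, the stub server and its responses are all constructed here so it runs offline; in a real test you would point `diff_by_user_agent()` at the target URL and drop the stub.

```python
"""Differential User-Agent check: fetch one URL as a desktop browser and as a
mobile browser, then diff the two renderings.  Added example, not from the
original post.  The stub server, its pages and the UA strings are constructed."""
import difflib
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed User-Agent strings standing in for a desktop and a phone browser.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/29.0 Safari/537.36"
MOBILE_UA = "Mozilla/5.0 (Linux; Android 4.2; Nexus 4) AppleWebKit/535.19 Mobile Safari/535.19"


class UAAwareHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that renders per User-Agent."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        lines = [b"<html><body>",
                 b"<form action='/login' method='post'>",
                 b"<input name='user'><input name='pass' type='password'>"]
        if "Mobile" in ua:
            # Constructed flaw: only the mobile rendering carries a debug switch.
            lines.append(b"<input type='hidden' name='debug' value='1'>")
        lines.append(b"</form></body></html>")
        body = b"\n".join(lines) + b"\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


# Ignore proxy environment variables so the loopback stub is reached directly.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(url, user_agent):
    """GET url with the given User-Agent; return (status, headers, body text)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with _opener.open(req, timeout=5) as resp:
        return resp.status, dict(resp.getheaders()), resp.read().decode("utf-8", "replace")


def diff_by_user_agent(url, ua_a=DESKTOP_UA, ua_b=MOBILE_UA):
    """Unified diff between the two renderings as a list of lines; [] if identical."""
    _, _, body_a = fetch(url, ua_a)
    _, _, body_b = fetch(url, ua_b)
    return list(difflib.unified_diff(body_a.splitlines(), body_b.splitlines(),
                                     fromfile="desktop", tofile="mobile", lineterm=""))


def run_against_stub(ua_a=DESKTOP_UA, ua_b=MOBILE_UA):
    """Start the constructed server on an ephemeral port, run the check, stop it."""
    server = HTTPServer(("127.0.0.1", 0), UAAwareHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return diff_by_user_agent(f"http://127.0.0.1:{server.server_port}/", ua_a, ua_b)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for line in run_against_stub():
        print(line)
```

Any line the diff marks with `+` is functionality the server only exposes to mobile clients, which is exactly what a desktop-browser-only test would miss; the same differential approach works for response headers and redirects, not just the body.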

Mobile Applications Analysis

  1. Static Analysis
    • Source code provided by the development team, or the compiled binary of the application, is analysed to identify security flaws in the code itself.
    • The code is analysed for the security controls around Authentication, Authorization, Session management, Data storage and Information disclosure, and for web application vulnerabilities.
  2. Dynamic Analysis
    • Dynamic analysis is the testing and evaluation of a program by executing it with real input. The main objective is to find security errors in the program while it is running.
    • Dynamic analysis is conducted against the backend services and APIs, and the type of tests varies with the mobile application type.
    • The tester communicates with the web application through its front-end in order to identify potential security vulnerabilities and architectural weaknesses, without access to the source code.
    • Dynamic analysis is performed to check the following controls:
      • Input/output validation (Cross-site scripting, SQL Injection, etc.).
      • Application-specific problems.
      • Server misconfiguration, error handling and version disclosure.
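A first pass of the static analysis described above, when only the compiled binary is available, is to treat the .apk as the zip archive it is and check its structure, its signature files and its bundled resources for information disclosure. The script below is an added example, not code from the original post. The package it inspects is constructed in memory, and every file name, URL and credential in it is made up for illustration; it only looks for JAR-style (META-INF) signatures, which was the only Android signing scheme in 2013.

```python
"""Static checks on a compiled Android package (.apk == zip with JAR layout).
Added example, not from the original post; the package and the secrets in it
are constructed so the script runs offline."""
import io
import re
import zipfile

# Byte patterns a reviewer greps compiled assets and resources for.
SECRET_PATTERNS = {
    "hard-coded password": re.compile(rb"(?i)password\s*[=:]\s*\S+"),
    "api key": re.compile(rb"(?i)api[_-]?key\s*[=:]\s*\S+"),
    "cleartext http url": re.compile(rb"http://[\w.-]+"),
}


def build_sample_apk(signed=True, leak_secrets=True):
    """Constructed stand-in for an .apk with the entries a real one carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if signed:  # JAR-style signature block: CERT.SF plus CERT.RSA/.DSA/.EC
            z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x82" + b"\x00" * 16)
        if leak_secrets:  # constructed leaks a static pass should catch
            z.writestr("assets/config.properties",
                       b"api.base=http://api.example.test/v1\n"
                       b"service.password=Sup3rS3cret\n")
            z.writestr("res/raw/client.pem",
                       b"-----BEGIN RSA PRIVATE KEY-----\n"
                       b"constructed-key-material\n"
                       b"-----END RSA PRIVATE KEY-----\n")
        else:
            z.writestr("assets/config.properties", b"api.base=https://api.example.test/v1\n")
    return buf.getvalue()


def inspect_package(apk_bytes):
    """Return (category, detail) findings for structure, signing and leaked data."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        if "AndroidManifest.xml" not in names:
            findings.append(("structure", "AndroidManifest.xml missing"))
        if not any(n.endswith(".dex") for n in names):
            findings.append(("structure", "no classes.dex to decompile"))
        signed = any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                     for n in names)
        if not signed:
            findings.append(("signing", "no JAR-style signature block under META-INF/"))
        for name in names:
            # The manifest is binary XML (UTF-16 strings); a plain grep would miss it.
            if name.endswith("/") or name == "AndroidManifest.xml":
                continue
            data = z.read(name)
            if b"PRIVATE KEY-----" in data:
                findings.append(("embedded private key", name))
            for label, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(data):
                    findings.append((label, f"{name}: {match.group(0).decode('latin-1')}"))
    return findings


if __name__ == "__main__":
    for category, detail in inspect_package(build_sample_apk(signed=False)):
        print(f"[{category}] {detail}")
```

Strings inside `classes.dex` are scanned as raw bytes here, which catches plain ASCII literals; anything the manifest or obfuscated code hides still needs a decompiler, which is where the manual part of the static review begins.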
