Slide 1

Mobile App Security Testing Is Also Essential
Mohit Sharma | Developer Advocate | MongoDB | @codeWithMohit

Slide 2

Some numbers first

Slide 3

6,300,000,000: total number of smartphones, 2021 (statista.com)

Slide 4

7,500,000,000: total number of smartphones, 2026 (statista.com)

Slide 5

statista.com

Slide 6

That’s lots of money

Slide 7

● Google Play Core Library, an app’s runtime interface with the Google Play Store, also suffered from a persistent code execution vulnerability; 8% of all Google Play applications had been compromised by this. (checkpoint.com)
● Google app, Android, 5 billion installs: had a bug that let a malicious app on the phone gain extensive permissions on your device. (wired.com)

Slide 8

OWASP: be aware of
● Top 10 Mobile Risks
● Mobile Security Testing Guide

Slide 9

Improper Platform Usage: misuse of a platform feature or failure to use platform security controls.
● Android Intents
● Platform permissions
● Misuse of TouchID, KeyChain

Slide 10

Improper Platform Usage https://support.citrix.com/article/CTX214006

Slide 11

Improper Platform Usage Mitigation
android:allowBackup
• Backup of the application and its data into the cloud should be disabled
android:debuggable
• Debugging features of the application should be disabled
android:installLocation
• The application should be installed in the internal, more secure, memory
Dangerous permissions
• The application should not require dangerous permissions, as defined by Android, e.g. allowing it to make phone calls
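The four manifest checks on this slide can be automated as part of a testing pass. The script below is an added example, not code from the deck or any of the listed tools; it reads an AndroidManifest.xml with the standard library and reports the settings the slide calls out. The two manifests and the short list of dangerous permissions are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Subset of the permissions Android classifies as "dangerous"; the deck's
# example is allowing the app to place phone calls (CALL_PHONE).
DANGEROUS_PERMISSIONS = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
}

def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def audit_manifest(manifest_xml):
    """Return the platform-usage findings for a manifest, in document order."""
    root = ET.fromstring(manifest_xml)
    findings = []
    # installLocation sits on <manifest>; absent means internal storage only.
    location = _attr(root, "installLocation")
    if location not in (None, "internalOnly"):
        findings.append("installLocation is %s" % location)
    for perm in root.findall("uses-permission"):
        name = _attr(perm, "name")
        if name in DANGEROUS_PERMISSIONS:
            findings.append("dangerous permission requested: %s" % name)
    app = root.find("application")
    if app is not None:
        # allowBackup defaults to true, so only an explicit "false" passes.
        if _attr(app, "allowBackup") != "false":
            findings.append("allowBackup is not explicitly false")
        if _attr(app, "debuggable") == "true":
            findings.append("debuggable is true")
    return findings

# Constructed sample manifests (not taken from any real app).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo" android:installLocation="preferExternal">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <application android:allowBackup="true" android:debuggable="true"/>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo" android:installLocation="internalOnly">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:allowBackup="false"/>
</manifest>"""
```

Running `audit_manifest` on the weak manifest yields one finding per slide bullet; the hardened manifest yields none.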

Slide 12

Insecure Data Storage
Threat agent: an adversary that has obtained a lost/stolen mobile device, or malware or another repackaged app acting on the adversary’s behalf that executes on the mobile device.
Where data leaks:
● SQL databases
● Log files
● XML data stores or manifest files
● Binary data stores
● SD card

Slide 13

Insecure Data Storage

Slide 14

Insecure Data Storage Mitigation
● Store only the minimum data needed
● Don’t save data in plain text
● Always review information that is logged
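Two of these checks, plaintext secrets in an app's XML data store and credentials written to the log, are easy to verify during testing. The script below is an added example, not code from the deck; the shared_prefs file and the logcat excerpt it scans are constructed, and the token-looking value in them is a made-up placeholder, not a real credential.

```python
import re
import xml.etree.ElementTree as ET

# Key names that should never sit in a plaintext SharedPreferences file.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api[_-]?key|card)", re.I)
# Things that should never reach logcat: a key=value secret or a JWT-shaped blob.
SECRET_ASSIGNMENT = re.compile(r"(password|secret|token|api[_-]?key)\s*[:=]\s*\S+", re.I)
JWT_SHAPED = re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+")

def find_plaintext_prefs(prefs_xml):
    """Return names of sensitive-looking entries stored unencrypted."""
    root = ET.fromstring(prefs_xml)
    hits = []
    for entry in root:
        name = entry.get("name", "")
        # <string> keeps its value as text; other types use a value attribute.
        value = (entry.text or entry.get("value") or "").strip()
        if value and SENSITIVE_KEY.search(name):
            hits.append(name)
    return hits

def find_leaky_log_lines(logcat_text):
    """Return 1-based numbers of log lines that expose a credential."""
    leaky = []
    for number, line in enumerate(logcat_text.splitlines(), start=1):
        if SECRET_ASSIGNMENT.search(line) or JWT_SHAPED.search(line):
            leaky.append(number)
    return leaky

# Constructed sample data: a shared_prefs file and a logcat excerpt.
SAMPLE_PREFS = """<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln</string>
    <boolean name="onboarded" value="true"/>
</map>"""

SAMPLE_LOGCAT = """D/LoginActivity: login ok for user=alice
D/LoginActivity: token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln
D/Net: GET /api/profile 200
D/Net: api_key: demo-key-0001
"""
```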

Slide 15

Insecure Communication When the solution transmits its data, it must traverse the mobile device’s carrier network and the internet. Threat agents might exploit vulnerabilities to intercept sensitive data while it’s traveling across the wire.

Slide 16

Insecure Communication: MiSafes smartwatches
● attackers can easily eavesdrop on children’s conversations
● track them
● screw with the geofencing so that parents don’t receive notices when their children wander off

Slide 17

Insecure Communication Mitigation
● Don’t override Android & iOS default network settings.
● Disable SSL pinning.
● Use trusted CAs only.

Slide 18

Insecure Authentication: relates to authentication of end users and bad session management. In mobile apps, unlike in web apps, users are not always online. Hence mobile apps must be able to identify the user and maintain that identity throughout the session, both online and offline.

Slide 19

Insecure Authentication: examples
● Grab Android app
● Ola Android app

Slide 20

Insecure Authentication Mitigation
● The application should have an inactivity timeout.
● Authentication with newly added fingerprints should be temporarily disabled; require the PIN to enable new fingerprints.

Slide 21

Insufficient Cryptography: cryptography was attempted, but was insufficient in some way. For example, the developer might have used an outdated cryptographic algorithm or written a custom vulnerable algorithm.

Slide 22

Insufficient Cryptography
● Ola Android app
● Using weak encryption methods.
● Same key used for multiple purposes.

Slide 23

Insufficient Cryptography Mitigation
● Follow industry-standard cryptography.
● Create a different key for each purpose.
● Rotate keys regularly, by means of a forced update.

Slide 24

Insecure Authorization This category covers issues related to authorization such as forced browsing, privilege escalation, Insecure Direct Object Reference (IDOR) vulnerabilities, etc.

Slide 25

Insecure Authorization: examples
● Viper SmartStart
● Pandora

Slide 26

Insecure Authorization Mitigation
● Extensive testing with various roles
● Code & access-log review by developers

Slide 27

Code Quality: exposes vulnerabilities like
● buffer overflows
● format string vulnerabilities
● various other code-level mistakes that allow code to be executed on mobile devices
Example: WhatsApp

Slide 28

Code Tampering: prevent an attacker from tampering with the code on the phone.
Mitigation: the application should refuse to run on a rooted device
• On a rooted device, users can manipulate the code of the application.

Slide 29

Reverse Engineering An attacker will typically download the targeted app from an app store and analyze it within their own local environment using a suite of different tools.

Slide 30

Reverse Engineering Mitigation: the code should be obfuscated
• When the code is obfuscated, it is much more difficult to understand the logic of the code
• This makes it more difficult to manipulate the code or to find potential vulnerabilities
• Decompile the code and assess its readability

Slide 31

Tools
1. https://github.com/linkedin/qark
2. https://github.com/facebook/mariana-trench/
3. https://labs.f-secure.com/tools/drozer/

Slide 32

References
1. https://owasp.org/www-project-mobile-top-10/
2. https://10alert.com/owasp-mobile-top-10-security-risks-explained-with-real-world-examples/
3. https://figi.itu.int/wp-content/uploads/2021/06/Delphine-Peter_-DFS-Audit-of-DFS-apps.pdf
4. https://owasp.org/www-project-mobile-security-testing-guide/
5. https://allabouttesting.org/owasp-mobile-top-10-brief-overview/

Slide 33

Thank you!!
Mohit Sharma | Developer Advocate | MongoDB | @codeWithMohit