Mobile App Security Testing -2
7 likes1,434 views
This document provides an agenda for mobile app security testing. It discusses topics like mobile OS versions, the mobile app SDLC, testing techniques, vulnerabilities, and security tools. Testing approaches include black box testing, code review, penetration testing and security assessments. Real devices are preferred over emulators due to limitations like missing features and network behavior issues. Common vulnerabilities discussed are cross-site scripting, SQL injection, and client-side injection. Popular security tools mentioned are ZAP, IBM AppScan, HP Fortify, and VeraCode. A three-tiered approach of testing the client, network and server layers is recommended for building secure mobile apps.
![1. CROSS SITE SCRIPT EXECUTION
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications, such as web browsers through
breaches of browser security, that enables attackers to inject client-side script into Web pages viewed by other users.
EXAMPLE QUERIES:
1. <script>alert('XSS')</script>
2. <script>alert(document.cookie);</script>
3. http://server/cgi-bin/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>
2. <script>window.onload = function() {var
link=document.getElementsByTagName("a");link[0].href="http://not-real-
xssattackexamples.com/";}</script>
Persistent Cross Site Scripting
By exploiting this vulnerability, an attacket can:
● Hijack your account
● Spread web worms
● Access your browser history and clipboard contents
● Remotely control your browser](https://image.slidesharecdn.com/d9661317-a038-4b6c-ba3a-de7625ba7a05-150804095535-lva1-app6892/85/Mobile-App-Security-Testing-2-19-320.jpg)
![Mobile Application Security Testing Tools:
1. OWASP Zed Attack Proxy (ZAP) Tool [Open Source]
2. IBM Security AppScan [Paid Service] IBM AppScan Pricing
3. HP Fortify [Paid Service] How to buy
4. VeraCode [Paid Service] How to buy
Few more:
1. Introspy [Open source]
2. Core Impact Pro 2014 R 1.1 [Paid Service]
3. Appthority [Paid Service]](https://image.slidesharecdn.com/d9661317-a038-4b6c-ba3a-de7625ba7a05-150804095535-lva1-app6892/85/Mobile-App-Security-Testing-2-23-320.jpg)
Mobile App Security Testing -2
- 1. Mobile App Security Testing 2
- 2. 1. What is Mobile OS Platform latest versions 2. What is Mobile App SDLC & Mobile App Security SDLC? 3. What is Mobile App STLC & Mobile App Security STLC? 4. What is Mobile Apps Development view & Testing view? 5. What is the testing difference in the Mobile Web & Mobile Native Apps 6. What are the Testing Techniques to Deal with Vulnerabilities? 7. What is Real Device Vs Emulator Testing? 8. What is top Mobile Apps Vulnerabilities? 9. What is Client side injection? 10. What are the Security Testing Tools? 11. What are the Mobile Application Security Testing Tools? AGENDA
- 4. Android OS version names
- 7. Mobile Apps Testing Life cycle
- 9. Mobile Web Vs Native Apps
- 11. Mobile Apps Testing Techniques to Deal with Vulnerabilities • Black box/Dynamic Testing- Also known as behavioral testing. It analyzes code as it runs to identify vulnerabilities that any hacker can find when the application is running in the production. This testing identifies if any weakness can be exploited, or identifies the type of weakness so that human penetration tester can verify this exploitability manually. • Code Review- It identifies the vulnerabilities at the source-code level. It can detect injection flaws, backdoors or suspicious code, hard coded passwords and secret keys, weak algorithm usage and hard coded keys and data storage definitions. • Penetration Testing- For any mobile application, one of the most critical tests can be penetration test. It is an ethical attack simulation intended to expose security controls of the application by highlighting risks posed by exploitable vulnerabilities. The vulnerabilities identified by penetration testing include input validation, buffer overflow, cross site scripting, SQL injection, URL manipulation, hidden variable manipulation, authentication bypass, cookie modification, code execution, and few other common software attacks. • Mobile Application Security Assessment- It is a holistic security assessment of mobile applications, the associated backend systems and data flows and interactions between them. Failures occur, for different reasons such as poor design, faulty code, inefficient security measures or a combination of the above. However, the fact remains that it is important to identify these security risks and minimize security breaches. To protect your users from the attacks, you need to stay updated with the latest threats, and ways to deal with them. Hence, it is essential to stay in touch with the latest vulnerabilities, patches and hacks to ensure that the mobile applications are safe. When it comes to application testing, there is no silver bullet, and no single approach does it all. You need multiple approaches looking from different angles to have the confidence that your application is secure.
- 12. Real Device Vs Emulator Testing: Real Testing Device: Testing on real device allows you to run your mobile applications and checks its functionality. Real device testing assures you that your application will work smoothly in customer handsets. Emulators: Emulator is a software program that allows your mobile to imitate the features of another computer or mobile software you want them to imitate by installing them to your computer or Mobile.
- 13. Mobile App Security Testing on Major Platforms Emulators 1. iPad Peek 2. iPhone Tester 3. Mobile Phone Emulator 4. Responsivepx 5. Screenfly 6. Mobi ready tool More: http://www.mobilexweb.com/emulators Open source Mobile device Online emulators:
- 15. Drawbacks of using Emulators in case of Mobile App Testing Testing on emulators can be a tempting, cost effective option to purchasing devices but miss out on issues: ● Device specific features ● Human interaction issues. ● Multi-touch issues ● Bandwidth and loading sequence ● Wireless network behavior – Wifi and GSM signal drops ● Device interrupts and multitasking ● Data retention during signal drops
- 17. Top Mobile apps vulnerabilities
- 18. CLIENT - SIDE INJECTION Client side injection can be done with the following ways. 1. Cross Site Scripting testing can be done using following Scripting Languages ● Javascript ● VBScript ● HTML ● Dart ● ActionScript (used to create animated interactive web applications for Adobe Flash Player using Adobe Flash Pro) 2. SQL INJECTION ● SQL Injection can be done with SQL Scripts/Wildcards.
- 19. 1. CROSS SITE SCRIPT EXECUTION Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications, such as web browsers through breaches of browser security, that enables attackers to inject client-side script into Web pages viewed by other users. EXAMPLE QUERIES: 1. <script>alert('XSS')</script> 2. <script>alert(document.cookie);</script> 3. http://server/cgi-bin/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT> 2. <script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real- xssattackexamples.com/";}</script> Persistent Cross Site Scripting By exploiting this vulnerability, an attacket can: ● Hijack your account ● Spread web worms ● Access your browser history and clipboard contents ● Remotely control your browser
- 20. 2. SQL INJECTION QUERIES SELECT * FROM Users WHERE UserId = 105 or 1=1 SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""="" SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1 SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""="" Reference link: SQL Injection video
- 21. Taking a three-tier approach – testing and comparing results across all three layers of the mobile application: client, network, and server will result in building, managing and successfully securing your mobile applications. Successful Mobile Application Security
- 22. Web Security Testing Tools: Top 10 – Best Security Tool of the year 2013
- 23. Mobile Application Security Testing Tools: 1. OWASP Zed Attack Proxy (ZAP) Tool [Open Source] 2. IBM Security AppScan [Paid Service] IBM AppScan Pricing 3. HP Fortify [Paid Service] How to buy 4. VeraCode [Paid Service] How to buy Few more: 1. Introspy [Open source] 2. Core Impact Pro 2014 R 1.1 [Paid Service] 3. Appthority [Paid Service]
- 26. 2. IBM Security AppScan: ● AppScan to scan mobile applications with three different models: − Using an emulator for both iOS and Android − Configuring an actual mobile device for both Android and iOS − Scanning mobile web applications by setting up a mobile user agent Methods to scan and test mobile applications
- 29. Why IBM Security AppScan?
- 30. 3. HP Fortify: ● Scan, assess and report on the security of Mobile applications ● 2 ways to coordinate application, information and network security
- 32. 4. VeraCode