A mobile app security testing checklist is the first stop in combating the near universal low standard of mobile app security. No one's to blame: writing secure code is hard given the competing demands of innovative user interfaces, continuous operating system updates, API changes, new devices and many network types (3G, 4G, WiFi, VPN).
The demand to release new features each week on an agile cycle, refactoring, code churn and a focus on the parts of the app that the user sees have made mobile app security testing a low priority.
With mobile, remember that you are shipping a binary of all your code to every user, including the code behind gated features such as premium or admin access. There are partial solutions to this problem, such as obfuscators, enterprise distribution, or WebViews; however, we recommend following a mobile app security testing checklist.
The mobile app security testing checklist
A platform-agnostic, high-level mobile app security testing checklist will help stop companies from becoming victims of the most critical and exploitable errors. These checks should be the first port of call for anyone concerned about whether their mobile app is secure. We also recommend taking a look at the links at the end of this article for a comprehensive list of client-side, server-side, and SSL checks.
1. SSL
SSL is essential and has to be implemented. Public networks are well known to be insecure, and any good developer owes it to their users to encrypt their data and protect their privacy. Many developers silence SSL certificate or hostname errors in their code with a quick monkey patch that disables validation; left in the shipped app, it renders the SSL useless, because the connection is still encrypted but no longer authenticates the server. To understand how to use SSL securely, consider the errors a penetration tester would look for in this checklist.
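As an added example (not code from the original article), here is the kind of certificate-validation monkey patch a penetration tester looks for in Android/Java code, beside the corrected approach; the host api.example.com, the sha256/... pin value and the OkHttp dependency are assumptions.

```java
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public final class TlsSetup {

    // ANTI-PATTERN: the "quick monkey patch" the checklist warns about.
    // Empty check methods plus a verifier that always returns true mean any
    // certificate for any hostname is accepted: the link is still encrypted
    // but the server is no longer authenticated. Grep release code for this shape.
    static void disableCertificateValidation_DO_NOT_SHIP() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] c, String a) {}
                public void checkServerTrusted(X509Certificate[] c, String a) {}
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String host, SSLSession s) { return true; }
        });
    }

    // FIX: leave the platform trust store and hostname check alone, and
    // additionally pin the server's public-key hash so that even a mis-issued
    // or user-installed CA certificate is rejected (OkHttp assumed as HTTP client).
    // api.example.com and the all-zero sha256/ pin are placeholders.
    static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
            .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
            .build();
        return new OkHttpClient.Builder()
            .certificatePinner(pinner)
            .build();
    }
}
```

Replace the placeholder pin with the SPKI hash of your own leaf or intermediate certificate, and keep a backup pin so a certificate rotation does not lock users out.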
2. Debug code
Many developers leave their debug code in production. It still gets compiled into the app, along with any non-production API environments it references, which makes it easier to attack your web and network infrastructure. See the OWASP page on debug code.
3. Console.log in production code
When console.log-style logging is left in production code it escalates exploits, on Android in particular, since on some versions other apps can read the system log. The worst example of this we've seen was a Fintech app that logged to Android on every REST call. This included plaintext passwords, CCVs, and addresses. This kind of error would be game over if it fell into the wrong hands and also causes PCI compliance issues. The key here is to use remote logging, not system logs.
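An added example, not from the original article, covering both the debug-code and logging items: a logging wrapper that redacts card numbers and secret JSON fields, writes to the system log in debug builds only, and fails fast if a release build is debuggable or points at a staging API. BuildConfig.API_BASE_URL, the RemoteSink interface and the redaction patterns are assumptions.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.util.Log;
import java.util.regex.Pattern;

// Assumes this class lives in the app package, next to the generated BuildConfig.
// Belt and braces: also strip Log calls from release builds with an R8/ProGuard rule:
//   -assumenosideeffects class android.util.Log { public static *** d(...); public static *** v(...); }
public final class SafeLog {
    private static final String TAG = "app";
    // Anything matching these never reaches a log sink, even in debug builds.
    private static final Pattern PAN = Pattern.compile("\\b\\d{13,19}\\b");
    private static final Pattern JSON_SECRET = Pattern.compile(
        "(\"(?:password|pin|cvv|cvc|token)\"\\s*:\\s*\")[^\"]*(\")",
        Pattern.CASE_INSENSITIVE);

    // Remote sink (crash reporter or your own collector): assumed interface.
    public interface RemoteSink { void send(String level, String msg); }
    private static RemoteSink remote;

    public static void setRemoteSink(RemoteSink sink) { remote = sink; }

    static String redact(String msg) {
        String out = JSON_SECRET.matcher(msg).replaceAll("$1[REDACTED]$2");
        return PAN.matcher(out).replaceAll("[PAN]");
    }

    public static void d(String msg) {
        // System log only in debug builds; logcat is readable by ADB and, on
        // older Android versions, by other apps holding READ_LOGS.
        if (BuildConfig.DEBUG) Log.d(TAG, redact(msg));
    }

    public static void w(String msg) {
        String safe = redact(msg);
        if (BuildConfig.DEBUG) Log.w(TAG, safe);
        else if (remote != null) remote.send("warn", safe); // remote logging, not logcat
    }

    // Startup check: a release build must not be debuggable and must not point
    // at a staging API. API_BASE_URL is an assumed buildConfigField.
    public static void assertReleaseHygiene(Context ctx) {
        boolean debuggable =
            (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        if (!BuildConfig.DEBUG && (debuggable
                || BuildConfig.API_BASE_URL.contains("staging"))) {
            throw new IllegalStateException("debug configuration in release build");
        }
    }
}
```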
4. WebViews
WebViews in apps are often sandboxed properly; however, this is web code, so the same rules (XSS, CSRF) apply. An XSS attack will allow session hijacking and access to the rest of the app.
5. App files
This is more applicable to Android, but remember to encrypt SQLite databases, especially when storing sensitive data. SQLCipher, which supports open source projects, is good for this.
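As an added example (not from the article or from the SQLCipher project), opening an encrypted SQLite database with SQLCipher for Android, plus a quick check that the file on disk really is encrypted; the file name vault.db, the table and the passphrase source are assumptions.

```java
import android.content.Context;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import net.sqlcipher.database.SQLiteDatabase;

public final class EncryptedStore {
    private EncryptedStore() {}

    // Opens (creating if needed) an encrypted SQLite file. The passphrase is a
    // char[] so it can be wiped afterwards; obtain it from a key protected by
    // the Android Keystore or derived from a user secret, never from a string
    // literal in the APK (the binary is shipped to every user).
    public static SQLiteDatabase open(Context ctx, char[] passphrase) {
        SQLiteDatabase.loadLibs(ctx);                    // load native SQLCipher libs
        File dbFile = ctx.getDatabasePath("vault.db");   // app-private directory (assumed name)
        dbFile.getParentFile().mkdirs();
        try {
            SQLiteDatabase db = SQLiteDatabase.openOrCreateDatabase(dbFile, passphrase, null);
            db.execSQL("CREATE TABLE IF NOT EXISTS card(id INTEGER PRIMARY KEY, last4 TEXT)");
            return db;
        } finally {
            Arrays.fill(passphrase, '\0');   // do not leave the key lying around in heap memory
        }
    }

    // On-device sanity check a tester would run: a plain SQLite file starts with
    // the magic "SQLite format 3\0"; SQLCipher output looks random from byte 0.
    public static boolean looksEncrypted(File f) throws IOException {
        byte[] header = new byte[16];
        try (FileInputStream in = new FileInputStream(f)) {
            if (in.read(header) < 16) return false;
        }
        return !new String(header, StandardCharsets.US_ASCII).startsWith("SQLite format 3");
    }
}
```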
iOS app security testing checklist
Here’s a platform specific checklist for iOS app security testing.
1. The Keychain
Use the encrypted format in the Keychain to store sensitive information. With physical access to the device it is easy to dump Keychain data.
2. Data Protection
Use Data Protection classes appropriate to how sensitive the data is, e.g. NSFileProtectionComplete.
3. Custom encryption
When storing data, use custom encryption in addition to the built-in API; this will protect your app even if the API is compromised.
4. Temporary data
Device forensics are often used to recover deleted data, so make sure to overwrite temporary data before deleting it.
6. iTunes backup
The iTunes backup will often compromise app security, so make sure that important files such as plist and sqlite files are stored in Library/caches.
7. Xcode
Keep Xcode up to date: building the app with the most recent release ensures that only the newest SSL ciphers are supported.
To minimise attack vectors and potential loss of revenue, stop the app running on jailbroken devices with code that detects rooting, and add debugger detection to hinder reverse engineering of your code.
Android app security testing checklist
Here’s a platform specific checklist for Android app security testing, looking at the protection of sensitive data, client side code, and the protection of data in transit.
1. This one is worth repeating:
Stop including sensitive data in system logs and disable debug logging in production builds.
2. Webview on Android
Avoid storing sensitive data in the WebView cache. Set up cache control headers on the server-side and make sure the app clears its cache after receiving sensitive responses.
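An added example, not from the original article, serving both the WebView item in the general checklist and this Android item: WebView settings that limit the blast radius of XSS, an origin allow list for navigation, and a cache/cookie wipe to call after a sensitive response. The allowed hosts are assumptions and the navigation override assumes API level 24 or later.

```java
import android.net.Uri;
import android.webkit.CookieManager;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class HardenedWebView {
    // Only these origins may be loaded inside the app's WebView (assumed hosts).
    private static final Set<String> ALLOWED_HOSTS =
        new HashSet<>(Arrays.asList("app.example.com", "cdn.example.com"));

    public static void configure(WebView wv, boolean needsJavaScript) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(needsJavaScript);     // off unless the page truly needs it
        s.setAllowFileAccess(false);                 // no file:// reads of app/device files
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setCacheMode(WebSettings.LOAD_NO_CACHE);   // pair with Cache-Control: no-store on the server
        s.setSaveFormData(false);
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest req) {
                // Block navigation (including redirects) to any origin not on the
                // allow list, so injected content cannot send the session elsewhere.
                return !isAllowed(req.getUrl());
            }
        });
    }

    static boolean isAllowed(Uri u) {
        return "https".equals(u.getScheme()) && u.getHost() != null
            && ALLOWED_HOSTS.contains(u.getHost().toLowerCase());
    }

    // Call after a response carrying sensitive data (statement, card details):
    // wipes the WebView cache, saved form data and session cookies.
    public static void wipeAfterSensitiveResponse(WebView wv) {
        wv.clearCache(true);
        wv.clearFormData();
        CookieManager.getInstance().removeSessionCookies(null);
        CookieManager.getInstance().flush();
    }
}
```

Never expose app objects with addJavascriptInterface on a WebView that can load third-party content; an XSS in that page would get to call them.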
4. App backup
Disable app backup. Backups can potentially allow an attacker to view or modify the application’s locally-stored data without having root access to the device.
5. Reverse engineering
Android apps are far more open to reverse engineering, so obfuscate the binary before release to protect the app from reverse engineering attacks.
6. App screenshots
Set the FLAG_SECURE window flag or the android:excludeFromRecents attribute to stop the app exposing sensitive data via the automatic Android screenshot taken for the recent apps view.
If this mobile app security checklist has got your attention and you want to know more about secure mobile development, take a look at this OWASP mobile app security checklist and these OWASP resources.
Codified Security is here to help make your mobile app secure, whether it's for iOS or Android, or to make sure you're clearing the OWASP Mobile Top 10. For mobile app security testing, try out Codified Security.