Assessing the Security of Mobile Applications (Part 1) - Planning

by Ricky M. & Monique L. Magalhaes [Published on 25 March 2015 / Last Updated on 25 March 2015]

In this article series we will consider and cover ways in which the organisation can assess mobile applications to improve security when mobile devices are used for corporate function.

The use of mobile devices for everyday business within organisations is now commonplace. BYOD devices, organisation-supplied devices, or a mix of both are readily used to undertake business tasks.

Applications are released and mass-produced at a rate that brings with it widely varying levels of security; combined with the inexperience many development organisations have in mobile device security, this makes the area a ticking time bomb.

Applications running on mobile devices that process and access corporate data have opened some organisations up to further potential security risk.

Introduction

Organisations are embracing mobile computing, but with this shift come the risks of attack and breach if they do not approach the security of data, and of access to company resources, in a considered manner.

It is not only the device that requires securing but also the applications and the data installed, processed, stored and produced on the device; these often receive too little attention, and applications have the capability to open doors to potential security risk.

Many organisations are unaware of the extent of the risk presented by applications, valuing application functionality above security, and this is a mistake.

Applications are readily available and easy to install and run in no time at all. Unfortunately, at the time of writing, more than three quarters of these applications are expected to fail basic security tests throughout 2015.

Organisations assume that these applications are developed with security in mind and will be secure by default; however, the majority will infringe organisation security policy and carry no security assertion at all. This assumption stems from organisations' inexperience in mobile security and the immaturity of mobile testing strategies, in conjunction with the speed of development and application marketing that emphasises functionality.

App developers can reach millions of users rapidly, yet many of them lack the experience, budget or incentive to undertake the security testing needed to ensure that the software is safe to use. The applications enter the market with security flaws, leaving the application and the organisation's devices and networks exposed to compromise.

It is essential that organisations ensure that effective mobile application security testing is undertaken, especially as the majority of organisations support BYOD and utilise inexpensive third-party applications for improved business function. Organisations need to look beyond functionality and focus on the much-needed security of applications.

An app assessing procedure should be included as part of the organisation's overall security strategy.

This article series will cover three sections in the app assessment procedure including:

  • Planning
  • Testing of applications
  • Application approval or rejection

Vulnerability types posed through mobile device applications

The range of vulnerabilities and weaknesses to which organisations find themselves susceptible through applications running on mobile devices is immense. Some are more common than others, some pose a more severe risk to organisations than others, and they affect organisations in differing ways.

The vulnerabilities will always be changing and new vulnerabilities will continue to be exposed. Some of the potential vulnerabilities we try to mitigate through app testing include the following.

  1. Vulnerabilities brought about by incorrect permissions (over-granting, under-granting, permissions granted implicitly, or permissions created in the code)
  2. Exposed communications, both internal and external (Bluetooth, GPS, NFC, etc.): internally, other apps can collect data and inject new information; externally, the channel is left open to exposure or attack
  3. Dangerous functionality (unintended functions can be performed, causing unforeseen output, resource exhaustion, denial of service, etc.)
  4. Application collusion (apps able to retrieve data they were never intended to have, typically through components another app exposes)
  5. Obfuscation (functionality hidden from the user or reviewer through external libraries, reflective calls and packed code)
  6. Traditional software vulnerabilities (for Android apps, all the familiar Java vulnerability classes; native and iOS code carry their own)
  7. Privacy issues and vulnerabilities

Application assurance processes to mitigate security risk

Planning

Organisations should ensure that application assurance processes are undertaken, whereby applications are vetted to ensure that they are free from known vulnerabilities and that the app will function as intended. The procedure should include application testing, concluding in application rejection or approval.

Performing a risk assessment will assist in determining the impact the mobile application will have on the organisations computing, network, data and resources.

Step One:

Determine a set of security requirements unique to your organisation by considering the following:

  • The conditions under which the app will be utilised and when the app should not be used (the environment in which it will be deployed)
  • How the data accessed by the app will be secured
  • How the wireless infrastructure functions and how it is secured
  • Whether critical assets are located on the mobile device or not
  • The acceptable level of risk allowed for the app
  • The security requirements the app must meet, stated so that the organisation can clearly see whether each requirement is met or violated when testing takes place
  • Whether any app vulnerabilities may be mitigated by other security controls that are already part of the organisation's mobile device architecture, or by the security controls of the mobile device itself
  • Evaluate your existing mobile device management solution to understand and confirm which security requirements are already covered by it
  • Security and privacy requirements specific to the organisation
  • The users permitted to use the app
  • What level of testing has already been undertaken
  • What types of attack are of concern to the organisation (consider the information or operations that could be compromised and the effect this would have on the people involved, the organisation and its business function)
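As an added example, not code from the original article or its authors, the following Python script shows what a security requirement looks like once it is written down in a form that testing can mark as met or violated. It covers the incorrect-permission class from the vulnerability list above (over-granting, under-granting and forbidden permissions) and the exposed components that make application collusion possible, by reading an Android manifest and comparing it with a policy. The manifest, the package name and the two policy sets are constructed for illustration, and the rule that a component with an intent filter and no explicit android:exported attribute counts as exported is an assumption (the pre-Android 12 default); a real run would feed in the manifest extracted from the APK under test and the organisation's own policy.

```python
"""Compare an Android manifest with the permission policy agreed in planning.

Added example, not from the original article. The manifest below and the
policy sets are constructed; substitute the manifest extracted from the APK
under test and the organisation's own requirements.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a hypothetical expense-reporting app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.expenses">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Expenses" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".ExpenseProvider"
              android:authorities="com.example.expenses.provider"
              android:exported="true"/>
  </application>
</manifest>
"""

# Hypothetical policy from step one: what this app's stated function needs,
# and what the organisation never allows a third-party app to request.
EXPECTED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.CAMERA",  # photographing receipts
}
FORBIDDEN_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
}


def requested_permissions(manifest_xml):
    """Set of permissions the app declares in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID + "name") for el in root.iter("uses-permission")}


def exported_components(manifest_xml):
    """Components that other apps on the device can reach (collusion surface).

    Assumption: a component with an <intent-filter> and no explicit
    android:exported attribute is treated as exported (pre-Android 12 default).
    """
    root = ET.fromstring(manifest_xml)
    found = []
    for tag in ("activity", "service", "receiver", "provider"):
        for el in root.iter(tag):
            exported = el.get(ANDROID + "exported")
            has_filter = el.find("intent-filter") is not None
            if exported == "true" or (exported is None and has_filter):
                found.append((tag, el.get(ANDROID + "name")))
    return found


def assess_manifest(manifest_xml, expected, forbidden):
    """Return the findings of the manifest against the policy.

    'forbidden' and 'debuggable' are policy violations; 'unexpected' is
    over-granting that a human reviewer must decide on; 'missing' is
    under-granting (the app declares less than its stated function needs).
    """
    perms = requested_permissions(manifest_xml)
    app = ET.fromstring(manifest_xml).find("application")
    findings = {
        "forbidden": sorted(perms & forbidden),
        "unexpected": sorted(perms - expected - forbidden),
        "missing": sorted(expected - perms),
        "exported": exported_components(manifest_xml),
        "debuggable": app is not None and app.get(ANDROID + "debuggable") == "true",
    }
    findings["violates_policy"] = bool(findings["forbidden"]) or findings["debuggable"]
    return findings


if __name__ == "__main__":
    result = assess_manifest(SAMPLE_MANIFEST, EXPECTED_PERMISSIONS, FORBIDDEN_PERMISSIONS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Only the "forbidden" and "debuggable" findings are automatic failures; the "unexpected" list (here, fine location for an expense app) and the exported provider are exactly the items step two says must go to a human reviewer, because the script cannot know whether the app has a legitimate reason for them.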

Step Two:

Define the limitations of the app testing process.

A procedure undertaken to assess applications will without doubt have a positive effect on the organisation's security posture; however, no process can guarantee to reveal all potential weaknesses. Organisations need to be aware of the limitations.

  • Understand what the assessment process will and will not provide with regard to the security outcome
  • Manual human assessment should not be underestimated; it is an essential part of the process
  • Do not rely solely on automation in your assessments; human interaction is needed to see the comprehensive behaviour of the app in diverse contexts
  • The quality of your assessments depends on combining multiple automated testing tools with human interaction and security expertise
  • Avoid relying on a single testing tool or process, as each tool has its own limits; utilise multiple tools and processes for the best results
  • Educate employees on the limitations of the app testing process

Step Three:

Organise a team to take responsibility for the app testing process and consider the budget available for it.

  • Get the appropriate people involved with the required expertise (mobile security, software security and information assurance expertise are a necessity)
  • Costs should be budgeted for up front and should not be an afterthought

Conclusion

In this first article in the series we covered the initial steps involved when undertaking application testing within your organisation. This involved the planning prior to app assessment.

These initial steps are important to assist in getting the process off on the correct footing and should not be undervalued. As the well-known quote by B Franklin beautifully depicts “If you fail to plan, you are planning to fail”.

A well-devised risk analysis will enable you to identify and address many of the security unknowns as part of the planning process, before a testing strategy can be drawn up. Spending the time and effort on the planning stage and taking a thorough approach will ensure that time is not wasted later on, and the app testing process is likely to run a lot more smoothly.

With a proper app vetting process established, organisations can continue to benefit from mobile applications: unparalleled levels of connectivity, the speed and ease of sharing information, greater mobility and therefore improved business function, while limiting the potential security risk.

Look out for the articles to follow in this series, where we will continue to discuss the testing of applications to improve your security posture when utilising mobile devices within your organisation.

The Author — Ricky M. & Monique L. Magalhaes

Ricky M Magalhaes is an International Information Security architect, working with a myriad of high profile organizations. Monique is an international security researcher, she holds a BSc Degree (Cum Laude). Previously she has focussed on research and development at leading enterprises in the Southern hemisphere.