Testing your Mobile App before Publishing

by Tobias McCurry

Smartphones and tablets are ubiquitous—nearly everyone has one. These tiny computers have access to lots of personal information. Having a mobile app can help your company with customer service, ordering, and accessibility, making you more competitive in the market. But designing mobile apps can be tricky. There are many moving parts to consider: APIs, databases, permissions, and logic processing.

And not everyone designing mobile apps gets all this right. In fact, last month the app for the RSA conference was released with a vulnerability in it. The application contained links to databases containing conference attendee information and the logic to decrypt this data. A security researcher was able to decode the database to expose all of the information in the database.

baby

This mobile app was designed for a security conference but, ironically, was not tested before it was released, leaving easily-identified vulnerabilities open to exploit.  Such an oversight is embarrassing to a firm like RSA that sells security solutions and products.  In this particular case, only conference attendee names were compromised.  Frequently the impact of poorly-secured mobile apps is far more serious.

Still, the RSA conference has taught the cyber world a valuable “don’t let this happen to you too” lesson about the importance of pre-deployment security testing.  A penetration test of the mobile application before its roll-out would have identified these issues and enabled RSA to fix them by limiting access to sensitive attendee information or preventing the breach entirely.

The RSA conference lesson also re-enforces the importance of consistently following well-established security principles whenever designing systems that are accessible to the public.  Adhering to following mobile app design principles would have prevented the insecure deficiencies in the app:

  1. Remove hardcoded usernames, passwords, API keys in the application. With mobile applications, everyone gets a copy of the application and everything included in it. That means if it is in the application, it is in everyone hands. (OWASP-2016-M9 see reference below)
  2. Ensure authentication used in the application is secure and transported over secure means. Users authenticate to a server and if that is not secure then users are at risk of having their data stolen. (OWASP-2016-M4)
  3. Ensure server-side functions that the application is using are secured. Mobile applications interact with backend functions. If the backend functions are not tested they could allow access to data that wasn’t intended such as the RSA conference app that was mentioned earlier. (OWASP-2014-M1)

Founded in 2001, SecureIT is a proven leader in enterprise compliance, audit, and security services.  Our certified and experienced staff can mentor your staff on effectively implementing these security design principles or provide mobile application penetration testing services that evaluate the security posture of your mobile applications before they are deployed. This testing service will lower your risk of reputation damage caused by a mobile application launching out the door before its time.

spaceship

SecureIT can help your company identify risks and provide a remediation path to ensure your security risk for mobile applications is lowered.  We’d love to learn more about your mobile application rollout plans. Please contact us and we will pick up the phone to get things started by listening to your security concerns and needs.

References:

https://www.theregister.co.uk/2018/04/20/rsa_security_conference_insecure_mobile_app/

https://twitter.com/svblxyz/status/987120769984495616

https://mashable.com/2018/04/20/rsa-app-data-exposed/#RBZi1LCC7PqI

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks