Full Report
Mobile Course, O RLY?
The mobile app market, and app usage, grew 76% in 2014 [1], spanning shopping, utilities, productivity and health apps. Flurry, the mobile app analytics firm responsible for the survey, tracked 2.079 trillion app sessions, with a daily record of 8.5 billion sessions on December 31st as people celebrated New Year's Eve. We are placing more information online via mobile apps than ever before, but what does that mean in terms of security?
Analysis Summary
# Best Practices: Mobile Application Security Assessment and Testing
## Overview
These practices are derived from a training course on the security assessment and testing methodology for mobile applications, emphasizing the hands-on knowledge required to uncover vulnerabilities across the major platforms (Android, iOS, hybrid apps). The core goal is to understand what mobile applications do with user data and how to test their security posture rigorously.
## Key Recommendations
### Immediate Actions
1. **Establish Multi-Platform Competency:** Ensure assessment teams have foundational knowledge to test applications across the most common platforms: Android and iOS.
2. **Focus on Practical Exploitation:** Prioritize hands-on testing methodologies over purely theoretical approaches when developing security test cases.
3. **Review Data Handling:** Immediately begin auditing what data applications access, store, and transmit to identify potential privacy leaks or insecure data practices.
### Short-term Improvements (1-3 months)
1. **Implement Core Skills Training:** Conduct internal "Journeyman Level" training focused on the core skills required to perform security testing on Android and iOS platforms.
2. **Incorporate Hybrid App Testing:** Integrate testing methodologies for emerging technologies like Cordova and PhoneGap into the standard security review process.
3. **Document Real-World Scenarios:** Develop practical exercises and test cases inspired by real-world application vulnerabilities encountered during past assessments for use in training and testing.
### Long-term Strategy (3+ months)
1. **Develop Generic Methodology:** Formalize a mobile application testing methodology that is generic enough to be applied reliably across *any* mobile platform encountered (including future or niche operating systems).
2. **Deep Dive into OPSEC Failures:** Institute a process to analyze Command and Control (C&C) operations and similar infrastructure associated with malware/spyware to understand attacker Operational Security (OPSEC) hygiene and potential detection vectors.
3. **Continuous Platform Updates:** Allocate resources to continuously update testing skills and tools to keep pace with platform changes in Android and iOS security features.
## Implementation Guidance
### For Small Organizations
- **Focus on Core Platforms:** Concentrate initial assessment efforts exclusively on the primary application platform(s) used (e.g., if only iOS is supported, focus testing depth there).
- **Leverage Community Tools:** Utilize publicly available, well-regarded tools and scripts to supplement limited internal expertise for initial security checks.
### For Medium Organizations
- **Cross-Train Developers and Testers:** Mandate security testing awareness for both development staff and dedicated QA personnel to embed security early in the SDLC.
- **Adopt Platform-Specific Tools:** Invest time in acquiring and mastering platform-specific assessment tools necessary for deep-dive analysis (e.g., platform-specific hooking/instrumentation frameworks).
### For Large Enterprises
- **Formalize the Methodology:** Document and strictly enforce the "tried and tested approach" for mobile security assessment recognized internally and leveraged across different product lines.
- **Establish Dedicated Red Teams:** Create a dedicated team, staffed by personnel with strong Linux and networking foundations, specifically tasked with hands-on, practical exploitation exercises against high-risk applications.
- **Incorporate Reverse Engineering Focus:** Move beyond superficial testing to include capabilities for complex reverse engineering required to fully understand proprietary application logic and communication protocols.
## Configuration Examples
*The provided context describes training content focused on* how *to test (practical exploitation, platform specifics) rather than providing specific configuration settings for hardening applications (e.g., specific manifest flags, secure storage calls). Therefore, configuration examples are not directly extractable.*
## Compliance Alignment
The emphasis on rigorous, hands-on assessment and understanding how data is handled aligns with the principles found in:
- **OWASP Mobile Security Testing Guide (MSTG):** The practical, platform-agnostic methodology taught directly reflects MSTG principles.
- **NIST SP 800-160 (Systems Security Engineering):** Focus on integrating security early and ensuring robust testing aligns with engineering standards.
- **ISO/IEC 27001 (Information Security Management):** The requirement to understand the risks associated with increased data transmission (as noted in the course context) maps directly to A.12 (Operations Security) and A.14 (System Acquisition, Development, and Maintenance).
## Common Pitfalls to Avoid
- **Sticking to Theoretical Assessments:** Avoid relying solely on high-level compliance checklists; actively perform hands-on exploitation to gain real insight into vulnerabilities.
- **Ignoring Hybrid Apps:** Do not assume that frameworks like Cordova or PhoneGap introduce sufficient security by default; these complex structures require dedicated testing protocols.
- **Underestimating Platform Diversity:** Do not limit testing scope to just Android and iOS; maintain readiness to assess Windows Phone or other rising platforms if supported by the business.
## Resources
- **Mobile Application Analytics Providers (e.g., Flurry):** Use reports from analytics firms to quantify the scale of usage and prioritize which applications require the deepest security review based on user traffic volume.
- **Black Hat Resources:** Leverage materials from advanced security training courses (like the Journeyman level course mentioned) to build practical, exploitation-focused knowledge.