Full Report
December sees SensePost presenting Hacking by Numbers: Mobile at BlackHat West Coast Trainings. This course was first presented at BlackHat Vegas 2013 and 44Con 2013, growing in popularity and content with each iteration. For more information continue reading below or visit https://blackhat.com/wc-13/training/Hacking-by-Numbers-Mobile.html.

The mobile environment has seen immense growth and has subsequently seen organisations racing to be the first to market with the next best app. The rapid increase in mobile popularity and the speed at which developers are forced to produce new applications has resulted in an ecosystem full of security vulnerabilities. As more organisations move from web applications to mobile applications, penetration testers are required to adapt their testing methodology to keep pace with the changing platforms. Mobile application developers have been lulled into a false sense of security by the belief that "the platform will take care of the security". The Hacking by Numbers: Mobile course aims to help both penetration testers and mobile application developers to find and understand common security vulnerabilities on a wide range of mobile platforms. The course teaches a mobile application security testing methodology that can easily be applied to mobile applications on Android, iOS, Blackberry and Windows Mobile.
Analysis Summary
As a cybersecurity best practices consultant, I have analyzed the context provided, which emphasizes the common security vulnerabilities arising from the rapid development cycle in the mobile application ecosystem and the need for a standardized security testing methodology across platforms (Android, iOS, Blackberry, Windows Mobile).
The recommendations below are derived by synthesizing the security domains explicitly mentioned as being covered in the advanced training curriculum ("Hacking by Numbers: Mobile").
# Best Practices: Comprehensive Mobile Application Security Testing and Development
## Overview
These practices address the security vulnerabilities prevalent in the rapidly growing mobile application ecosystem, which developers often neglect due to over-reliance on platform security features. They focus on establishing a rigorous security testing methodology applicable across major mobile platforms (Android, iOS, BlackBerry, Windows Mobile) covering application analysis, communication security, and data handling.
## Key Recommendations
### Immediate Actions
1. **Establish a Mobile Security Baseline:** Immediately document a foundational set of security requirements based on the core security domains listed (Authentication, Authorization, Data Validation, Session Management, Transport Security).
2. **Implement Traffic Interception Awareness:** Mandate basic training (or documentation) for all development and QA teams on how to use an interception proxy (e.g., Burp Suite or an equivalent tool) to capture the app's traffic and verify that communication is not inadvertently exposing data in transit.
3. **Audit Sensitive File Handling:** Perform an immediate review of applications to identify all locations where sensitive application data (secrets, tokens, PII) is stored on the local device, ensuring these files are secured, encrypted, and not stored in publicly accessible application directories.
### Short-term Improvements (1-3 months)
1. **Integrate Static Analysis Tools:** Implement automated Static Application Security Testing (SAST) tools into the Continuous Integration/Continuous Delivery (CI/CD) pipeline to identify obvious vulnerabilities related to insecure code construction before deployment.
2. **Develop Platform Security Checklists:** Create standardized security checklists tailored for Android and iOS platforms covering critical areas like Data Validation, proper use of platform encryption APIs, and secure storage mechanisms.
3. **Mandate Developer Training on Platform Security:** Require mobile developers to undergo training specifically focused on platform-specific security controls, moving them past the belief that "the platform will take care of the security."
### Long-term Strategy (3+ months)
1. **Formalize Mobile Penetration Testing Methodology:** Adopt and institutionalize a formal mobile application security testing methodology (similar to the one taught in the course) that includes Decompilation, Runtime Analysis, and Modification testing phases for all major releases.
2. **Establish a Dedicated Mobile Security Lab:** Build and maintain a controlled mobile penetration testing lab environment (physical devices and emulators) to facilitate repeatable, hands-on security testing exercises.
3. **Strengthen Transport Layer Security (TLS) Implementation:** Go beyond basic HTTPS usage by implementing certificate pinning or other robust mechanisms to mitigate Man-in-the-Middle (MITM) risks across all application communication channels.
## Implementation Guidance
### For Small Organizations
- **Focus Tooling:** Utilize free or low-cost SAST tools combined with rigorous manual review focusing primarily on Authentication, Authorization, and Data Validation components, as these offer the fastest security gains.
- **Outsource Specialized Testing:** Contract experienced penetration testers (like those familiar with advanced mobile methodologies) biennially to perform comprehensive runtime and binary analysis that in-house staff might lack the expertise for.
### For Medium Organizations
- **Build Secure Code Reviews:** Integrate security experts into the peer-review process specifically to check application source code for weaknesses in Session Management and Data Validation logic.
- **Automate Binary Analysis Prep:** Begin preparing environments for advanced exercises, specifically practicing application decompilation and static analysis techniques on internal codebases to understand potential intellectual property risks, as well as security flaws.
### For Large Enterprises
- **Establish a Mobile Security Center of Excellence (CoE):** Form a dedicated team responsible for creating reusable security libraries, defining secure coding standards, and administering sophisticated runtime analysis tools across numerous development teams.
- **Mandatory Deep Dive Training:** Enroll key development and security staff in advanced adversary-focused training covering runtime modification and memory state analysis to understand sophisticated post-exploitation attack vectors.
## Configuration Examples
*Note: As the article describes a course structure rather than specific code, these are derived from the domain topics:*
| Security Domain | Configuration Best Practice Goal | Actionable Setting Principle |
| :--- | :--- | :--- |
| **Data Validation** | Ensure all input is treated as untrusted. | Implement strict allow-lists (whitelists) for expected data types, lengths, and character sets on both client and server sides. |
| **Transport Security** | Prevent unauthorized eavesdropping/MITM attacks. | Enforce TLS 1.2+ across all endpoints; implement certificate pinning validated against the expected certificate or public-key hashes. |
| **Session Management** | Ensure server-side control over user context. | Use short-lived, opaque tokens managed server-side; invalidate sessions immediately upon user logout or explicit revocation. |
| **Information Disclosure** | Reduce the attack surface exposed by the application binary. | Ensure that sensitive configuration files, API keys, and internal logic markers are obfuscated and not hardcoded into the binary resources. |
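Added example (not from the SensePost course material or this report): a platform-neutral Python sketch of the pinning check behind the Transport Security row and the long-term TLS recommendation above. It hashes the certificate's SubjectPublicKeyInfo rather than the whole certificate, so the pin survives routine certificate renewal with the same key pair, and it shows what a pin is for: a chain that passes CA validation but carries an unpinned key is rejected. The certificates and keys are constructed dummy bytes, and the SPKI extraction assumes the standard RFC 5280 TBSCertificate layout.

```python
import hashlib
import ssl

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout)."""
    _, pos, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)    # TBSCertificate SEQUENCE
    tag, _, nxt = read_tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)    # subjectPublicKeyInfo
    return cert_der[pos:end]

def spki_pin(cert_der):
    """SHA-256 over the SPKI: the pin stays valid when the cert is renewed with the same key."""
    return hashlib.sha256(spki_der(cert_der)).hexdigest()

def chain_matches_pins(chain_der, pins):
    """Accept only if some certificate in the chain carries a pinned key (leaf or intermediate)."""
    return any(spki_pin(c) in pins for c in chain_der)

def pinned_context():
    """Enforce TLS 1.2+ on top of the normal CA and hostname validation."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

# --- constructed test data: a minimal DER encoder and a dummy certificate, not real PKI ---
def der_encode(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

def fake_cert(pubkey_bytes):
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a8648ce3d0201")))   # id-ecPublicKey
    spki = der_encode(0x30, alg + der_encode(0x03, b"\x00" + pubkey_bytes))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + der_encode(0x30, b"") * 4 + spki)   # empty signature/issuer/validity/subject
    return der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))

SERVER_KEY, ATTACKER_KEY = b"\x04" + b"\x11" * 64, b"\x04" + b"\x22" * 64
PINS = {spki_pin(fake_cert(SERVER_KEY))}   # primary pin; ship a backup pin too so key rotation cannot brick the app
```

On a live connection the leaf certificate comes from `sock.getpeercert(binary_form=True)` after the handshake with `pinned_context()`, and `chain_matches_pins([leaf], PINS)` decides whether the app may talk to that endpoint.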
## Compliance Alignment
The security domains covered align directly with foundational controls recognized in major security frameworks:
- **OWASP Mobile Application Security Verification Standard (MASVS):** The topics closely map to specific sections like Authentication, Data Storage, and Interchange security controls.
- **NIST SP 800-163 (Application Security Review):** Focuses on the structured testing methodologies required for application code and runtime.
- **ISO/IEC 27001 (A.14 Domain):** Specifically addresses secure development policies, system acquisition, and application security testing requirements.
## Common Pitfalls to Avoid
1. **False Sense of Platform Security:** Developers must avoid the assumption that underlying OS security features (like sandboxing) are sufficient. The application layer requires explicit, layered security controls.
2. **Ignoring Runtime Vulnerabilities:** Focusing only on static analysis (code review) ignores vulnerabilities that only manifest when the application is running, such as insecure handling of memory state or dynamically loaded code.
3. **Platform Siloing:** Developing separate, non-standardized security practices for Android versus iOS. A unified methodology (as taught in the course) ensures consistent security posture regardless of the target platform.
4. **Weak Data Validation:** Assuming the client-side framework handles all data integrity checks, leading to vulnerabilities when the client validation is bypassed by an attacker.
## Resources
- **Methodology Focus:** Adopt and institutionalize a rigorous, structured **Mobile Application Security Testing Methodology** that includes Static, Dynamic, and Binary Analysis phases.
- **Tools (Conceptual):** Leverage tooling for **Interception and Analysis of Network Traffic** (probes for communication security) and tools supporting **Decompilation and Static Analysis** (probes for binary security).
- **Training Reference:** The structure and content covered by advanced security training focusing on **Android, iOS, RIM, and Windows 8 Platform Security**.