Mobile App Security Test

Free online security tool to test your security

500,412 applications tested

Provided "as is" without any warranty of any kind

How-To Test

Below are simple instructions on how to use Mobile App Security Test for your Android and iOS applications.

Android Applications

All you need is a valid APK archive for the application. APKs can either be compiled from the application source code or, if the app is already published on Google Play, downloaded via F-Droid or androidappsapk.co.

Please follow the steps below to test Android APK:

  • Click the "Choose file" button and select the APK; the file upload starts immediately.
  • Once uploaded, the test takes approximately ten minutes, depending on application size and complexity, as well as our current system load.
  • Once the test is finished, you will be provided with a detailed report. The report is located at a secret link available only to you. The report is stored for your convenience for 90 days and then automatically deleted. You can delete the report yourself right after the test.

iOS Applications

All you need is a valid IPA archive for the application compiled as a Simulator App (see below).

Please follow the steps below to test iOS IPA:

  • Click the "Choose file" button and select the IPA; the file upload starts immediately.
  • Once uploaded, the test takes approximately ten minutes, depending on application size and complexity, as well as our current system load.
  • Once the test is finished, you will be provided with a detailed report. The report is located at a secret link available only to you. The report is stored for your convenience for 90 days and then automatically deleted. You can delete the report yourself right after the test.

How to compile your iOS app as a Simulator App:

1. Run Xcode and open your project;
2. Right-click your project name and select "Show in Finder";
3. Right-click YourProject.xcodeproj and navigate to "Open With > Terminal";
4. Run "cd .." - your current working directory is now your project's main directory;
5. Determine which iPhone Simulator SDK you can build against by running "xcodebuild -showsdks";
6. Build your app with the "xcodebuild -arch x86_64 -sdk iphonesimulator{version}" command, substituting the SDK version from the previous step;
7. Go to build/Release-iphonesimulator and zip the YourProject.app bundle.

ImmuniWeb Community Edition - Mobile App Security Test

The Mobile App Security Test is a free online tool to perform security and privacy tests of Android and iOS mobile apps.

The service can test mobile applications for the following platforms:

  • Android
      • Native Applications
      • Hybrid Applications (Cordova, PhoneGap, React, Xamarin)
  • iOS
      • Native Applications
      • Hybrid Applications (Cordova, PhoneGap, React, Xamarin)

It promptly detects a wide spectrum of the most common weaknesses and vulnerabilities, including the OWASP Mobile Top 10, and provides a user-friendly report of the discovered issues.

We provide the following automated tests of the mobile application:

Please note that the most dangerous vulnerabilities usually reside in the mobile back end (i.e. web services and APIs) and not in the application itself. Therefore, to complement your mobile security testing, we strongly encourage you to thoroughly test the backend via ImmuniWeb® MobileSuite.

SAST

Mobile App Security Test performs Static Application Security Testing (SAST) to detect the following weaknesses and vulnerabilities:

DAST

Mobile App Security Test performs Dynamic Application Security Testing (DAST) to detect the following weaknesses and vulnerabilities:

Behavioral

Mobile App Security Test performs behavioral testing to detect when the mobile application tries to access sensitive or privacy-related functions:

Software Composition Analysis

The mobile application may use third-party libraries that represent a security and privacy risk if they come from an untrusted source or are outdated. Trusted and commonly accepted libraries (e.g. Google SDK, Facebook SDK, Signal SDK) are not displayed.

External Communications and Outgoing Traffic

A dedicated SAST test reveals all remote hosts present in the source code of the mobile application, i.e. the hosts the application may connect to in order to send or receive data when a specific event occurs (e.g. a user action).
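To make the SAST check described above concrete, here is an added example (not ImmuniWeb's own code or scanner logic) that enumerates the remote hosts referenced by URL literals in decompiled sources or resources, groups them per host, and flags the two findings a reviewer would want surfaced: hosts reached over cleartext schemes (http:// or ws://) and hardcoded IP literals. The sample source text is constructed for the example; the hostnames and addresses in it are placeholders.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: string literals as they might be pulled out of the
# decompiled sources and resources of an Android app (not a real application).
SAMPLE_SOURCE = r'''
private static final String API = "https://api.example.com/v2/";
String legacy = "http://legacy.example.com/sync";        // cleartext HTTP
String tracker = "http://203.0.113.7:8080/collect";      // hardcoded IP, cleartext
String help = "https://help.example.com/faq";
String push = "wss://push.example.com/ws";
'''

# URL literals with the schemes a mobile app typically uses for remote calls.
URL_RE = re.compile(r'\b(?:https?|wss?)://[^\s"\'<>]+')

# Schemes that carry data without transport encryption.
CLEARTEXT_SCHEMES = {"http", "ws"}


def extract_endpoints(text):
    """Return (scheme, host, url) for every URL literal found in the text."""
    found = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;)")
        parts = urlsplit(url)
        if parts.hostname:
            found.append((parts.scheme.lower(), parts.hostname.lower(), url))
    return found


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def summarise_hosts(text):
    """Group endpoints per remote host and flag the risky ones.

    cleartext  - at least one URL to this host uses http:// or ws://
    ip_literal - the host is a hardcoded IP address (cannot be rotated via DNS,
                 and certificate validation against it is usually weak or absent)
    """
    by_host = defaultdict(lambda: {"urls": [], "cleartext": False, "ip_literal": False})
    for scheme, host, url in extract_endpoints(text):
        entry = by_host[host]
        entry["urls"].append(url)
        entry["cleartext"] |= scheme in CLEARTEXT_SCHEMES
        entry["ip_literal"] = is_ip_literal(host)
    return dict(by_host)


if __name__ == "__main__":
    for host, info in sorted(summarise_hosts(SAMPLE_SOURCE).items()):
        flags = [f for f in ("cleartext", "ip_literal") if info[f]]
        print(f"{host:25} {len(info['urls'])} url(s) {' '.join(flags)}")
```

Run it over the output of a decompiler (for example the smali or resource files produced from an APK) by replacing SAMPLE_SOURCE with the concatenated file contents; hosts marked cleartext are candidates for a network security configuration or an HTTPS migration, and IP literals are worth cross-checking against the hosts seen in the DAST outgoing-traffic test.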

Mobile Application Outgoing Traffic

A dedicated DAST test provides a comprehensive list of all HTTP/S requests sent by the mobile application without any user interaction.

Free API

ImmuniWeb Community Edition provides a free API for the Mobile App Security Test. The daily quota is shared with tests started via the web interface:

Account type     Tests per day     Monthly subscription
No Account       2                 Free
Free Account     4                 Free

Premium API

ImmuniWeb Community Edition also provides a premium API for a higher number of tests via API or web interface:

Tests per day     Monthly subscription
10                $299
25                $699
100               $2795
250               $7295

The number of API requests will be available via the web interface under your account, and is shared among all users with the same domain name as your account.

Get in touch for details.

Public schools, local governments and non-for-profit organizations may request a free access to the premium API.

API Documentation

API Specifications

Field Name       Value
Protocol         HTTP/HTTPS
Request Type     GET/POST
URL              https://www.immuniweb.com/mobile/api/

Example of a Transaction Using cURL

# Downloading app from Google Play and starting test
curl -d "app_id=com.viber.voip&store_id=googleplay" "https://www.immuniweb.com/mobile/api/download_apk"
# Uploading APK/IPA file and starting test
curl -F "malware_check=0" -F "hide_in_statistics=0" -F "file=@diva-beta.apk" "https://www.immuniweb.com/mobile/api/upload"
# Get test results
curl "https://www.immuniweb.com/mobile/api/test_info/id/TEST_ID"
# Delete test (possible only for manually uploaded APK/IPA files)
curl "https://www.immuniweb.com/mobile/api/delete/id/TEST_ID"
# Refresh test by redownloading (possible only for APKs downloaded from Google Play)
curl "https://www.immuniweb.com/mobile/api/refresh/id/TEST_ID"
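The cURL calls above are the whole API surface the page documents. As an added example that is not ImmuniWeb's own client, the following Python wraps three of those endpoints (download_apk, test_info and delete) so a CI job can start a test, wait for the report and clean it up, using only the standard library. Because the page does not show the server response, the field names "id" (in the submission reply) and "status" with the value "finished" (in test_info) are assumptions to be adjusted to the real response; the http and sleep parameters are injection points so the flow can be exercised without network access.

```python
import json
import time
import urllib.parse
import urllib.request

# Base URL from the API specification table on this page.
API_BASE = "https://www.immuniweb.com/mobile/api/"


def http_json(url, data=None):
    """GET (data is None) or form-encoded POST, decoding the JSON body.

    Assumes the server answers with JSON; the page does not show the format.
    """
    body = urllib.parse.urlencode(data).encode() if data is not None else None
    with urllib.request.urlopen(url, data=body, timeout=60) as resp:
        return json.loads(resp.read().decode())


def start_store_test(app_id, store_id="googleplay", http=http_json):
    """Equivalent of: curl -d "app_id=...&store_id=googleplay" .../download_apk"""
    reply = http(API_BASE + "download_apk", {"app_id": app_id, "store_id": store_id})
    test_id = reply.get("id")  # assumed field name, not confirmed by the docs
    if not test_id:
        raise RuntimeError(f"no test id in response: {reply!r}")
    return str(test_id)


def wait_for_report(test_id, http=http_json, sleep=time.sleep, max_polls=60, interval=30):
    """Poll .../test_info/id/TEST_ID until the test is finished or we give up."""
    url = API_BASE + "test_info/id/" + urllib.parse.quote(test_id, safe="")
    for _ in range(max_polls):
        info = http(url)
        if info.get("status") == "finished":  # assumed field and value
            return info
        sleep(interval)
    raise TimeoutError(f"test {test_id} not finished after {max_polls} polls")


def delete_report(test_id, http=http_json):
    """Equivalent of: curl .../delete/id/TEST_ID

    Per the docs this only works for manually uploaded APK/IPA files, so
    expect an error reply for tests started through download_apk.
    """
    return http(API_BASE + "delete/id/" + urllib.parse.quote(test_id, safe=""))


if __name__ == "__main__":
    # Placeholder package name; replace with the app under review.
    test_id = start_store_test("com.example.app")
    report = wait_for_report(test_id)
    print(json.dumps(report, indent=2))
```

With 60 polls at 30 seconds the wait is capped at 30 minutes, comfortably above the "approximately ten minutes" the page quotes; keep the reply JSON out of build logs, since the report link is meant to be secret.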

Example of Server Response


Command Line Toolkit

Simple CLI interface to leverage ImmuniWeb® Community Edition free tools in CI/CD pipelines and DevOps.

Install

Download utilities from GitHub or use git:

git clone "https://github.com/immuniweb/iwtools.git" && cd iwtools/iwtools

Install the third-party Python libraries:

  • termcolor
  • colorama
  • requests

Usage

Audit your iOS or Android apps for OWASP Mobile Top 10 and other vulnerabilities:

Test application from market:
./iwtools.py mobile "https://play.google.com/store/apps/details/?id=com.example.app"
Test hosted application:
./iwtools.py mobile "https://example.com/app.apk"
Upload and test application:
./iwtools.py mobile "/home/user/app.apk"
Get raw API response in JSON format:
./iwtools.py mobile --format raw_json "/home/user/app.apk"

Check other command line options here.

Mobile App Security Research

State of Cybersecurity Industry Exposure at Dark Web
  • 97% of the companies have data leaks exposed on the Dark Web
  • 25% of the leaks, being 160,529 leaks, are of high or critical risk levels
  • 29% of the stolen passwords are weak, 161 companies reuse passwords
  • 63% of the companies have security or compliance issues on their websites

State of Cybersecurity at Top 100 Global Airports
  • 100% of the mobile apps contain at least 2 vulnerabilities
  • 97% of the websites contain outdated web software
  • 87% of the airports have data leaks on public code repositories
  • 66% of the airports have stolen credentials sold on the DarkWeb

State of Stolen Credentials in the Dark Web from Fortune 500 Companies
  • 21M credentials are available in the Dark Web
  • 16M credentials compromised during the last year
  • 95% of stolen credentials are accessible in plaintext
  • 36% of passwords are bruteforceable in a minute

State of Application Security at S&P Global World's 100 Banks
97% of the World's Largest Banks are Vulnerable to Web and Mobile Attacks
  • 85% of e-banking web applications failed GDPR compliance test
  • 49% of e-banking web applications failed PCI DSS compliance test
  • 92% of mobile banking applications contain at least 1 medium-risk security vulnerability
  • 100% of the banks have security vulnerabilities or issues related to forgotten subdomains

State of Application Security at FT 500 Largest Companies
FT500 Global Companies
  • 70% of FT 500 can find access to some of their websites being sold on Dark Web
  • 92% of external web applications have exploitable security flaws or weaknesses
  • 19% of the companies have external unprotected cloud storage
  • 2% of external web applications are properly protected with a WAF

Frequently Asked Questions

  • Q
    What is mobile security testing?
    A

    Mobile security testing shall include security testing of the mobile app (e.g. iOS or Android), the mobile application backend (e.g. web services or APIs that send or receive data from the app), and the encryption between them. The eventual goal of mobile security testing is to ensure that the mobile ecosystem is secure, private and compliant with the enacted regulatory standards such as PCI DSS or GDPR. Mobile security testing may be both manual (mobile penetration testing) and automated (mobile vulnerability scanning).

  • Q
    What are mobile security threats?
    A

    Mobile security threats lie in the mobile app and its backend, and may also involve insufficient or missing encryption between them. Most of the security threats and known privacy weaknesses of the mobile app (e.g. iOS or Android ones; these are comprehensively covered by the OWASP Mobile Top 10 list) require some specific conditions in order to be exploited (e.g. presence of the attacker in the same network as the victim, theft of the device, or malware pre-installed on the victim’s device), and thus few of them may be considered critical issues.

    Vulnerabilities lying in the mobile app backend (e.g. microservices and APIs that get or send data to the mobile app) may be critical, allowing an attacker, for example, to obtain the entire database of all users of the mobile app. The range of such vulnerabilities is pretty broad and is well described by the SANS Top 25 list of vulnerabilities. Finally, missing or weak encryption of the data sent by the mobile app to its backend may lead to a compromise of an individual user if the attacker has access to the network over which the data transits.

  • Q
    What are mobile security vulnerabilities?
    A

    Most of the mobile security vulnerabilities are described by the OWASP Mobile Top 10 list. They include various weaknesses and misconfigurations of the mobile app, both iOS and Android ones, that under certain circumstances may allow an attacker to compromise the mobile app’s data security, the mobile device or even the entire mobile infrastructure that serves all users of the mobile app.

    For example, a hardcoded password or API key may jeopardize all users of the mobile app at once, while missing or insecurely configured HTTPS data encryption between the mobile app and its backend (e.g. web services or APIs that send or receive data from the app) will likely impact only a specific user if the attacker has access to the network over which the data is sent. You may test mobile security vulnerabilities impacting your iOS and Android mobile app by using the free online mobile scanner provided as a part of ImmuniWeb Community Edition.

  • Q
    What is OWASP Top 10?
    A

    OWASP is a non-profit organization dedicated to application security and driven by an open community of security professionals from almost all countries around the globe. OWASP Top 10 is a list of the most popular web application vulnerabilities which is updated every three years. OWASP Mobile Top 10 is a list of the most common mobile application weaknesses that is also regularly updated. There are some controversies around these lists related to the inclusion or exclusion of some specific types of vulnerabilities. Therefore, it’s recommended to enhance OWASP Top 10 testing with a more inclusive list of security flaws, such as the SANS Top 25 for example.

  • Q
    How to test mobile application security?
    A

    A mobile application shall be tested for security, privacy and compliance threats that may endanger not just the individual user of the mobile app but the entire ecosystem of the mobile application, such as external databases storing data from all users of the application. The most popular ways of mobile application security testing are static (SAST), dynamic (DAST) and interactive (IAST) testing. SAST usually involves access to the application source code, or runs fuzzing of the binary under certain circumstances. DAST implies fuzzing and scanning of a running mobile application by interacting with various built-in features and capabilities of the app.

    IAST is a combination of SAST and DAST enhanced with various correlation mechanisms. To verify whether the mobile application security is weakened by vulnerable third-party or native libraries, it is also recommended to run Software Composition Analysis (SCA) testing of the app. You may launch all these tests on your iOS or Android app by using the free online mobile scanner by ImmuniWeb Community Edition.

  • Q
    How good is iOS security?
    A

    iOS is deservedly considered to be a secure operating system for mobile devices. It is a proprietary, closed-source system by Apple. Its closed nature makes external vulnerability research time-consuming and complicated. Importantly, all mobile apps available in the App Store are rigorously vetted and regularly monitored by Apple security professionals to remove malicious apps or apps that may jeopardize user privacy.

    Moreover, Apple’s security ecosystem also involves proprietary security mechanisms embedded into its hardware, making some attack vectors against the devices unfeasible on all levels. Therefore, compared to other modern mobile vendors, Apple’s consolidated approach to device security effectively sets iOS apart from other mobile operating systems. To preserve iOS security, avoid jailbreaking your device unless you have a clear and specific goal to do so, and you understand all the risks a jailbroken device brings.

  • Q
    How to check iOS security?
    A

    iOS is considered to be a secure, proprietary system maintained and continuously improved by Apple. To ensure that your installation of iOS is secure, first make sure that your device is up to date. Apple regularly releases security and reliability patches, and installing them in a timely manner is essential for your device security.

    Then make sure all of the installed mobile applications are likewise up to date, and consider removing those apps that you don’t use to minimize exposure of your device to app-specific vulnerabilities. Finally, make sure you have an 8-digit or stronger device PIN code, or even a passphrase, to make data extraction attacks harder for an attacker when your device is stolen or lost.

  • Q
    How to test Android security?
    A

    Given the variety of Android versions maintained by different vendors, and the openness of the app ecosystem, Android security largely depends on the device and on the specific branch and version of the Android operating system that you have. It is essential to ensure that your Android device is up to date, that the vendor releases security updates promptly, and that it provides a smooth mechanism to automatically install newly available security updates.

    Once you are confident that your device operating system is up to date, carefully review the installed applications you have, and especially their permissions. It is common for malicious developers to request many intrusive permissions that non tech-savvy users grant, and additionally older versions of Android have insecure permission management, granting an application a permanent permission (upon its installation) to access your camera or SMS, for example. Finally, avoid rooting your Android device unless you have a specific goal to do so, and understand the security and privacy risks it may bring.

  • Q
    What is SAST and DAST?
    A

    SAST stands for Static Application Security Testing. It implies access to the source code, or sometimes the binary, of the application under test. DAST is Dynamic Application Security Testing and involves fuzzing and scanning of a running application, interacting with its features and functionality while the application runs.

    Both methods have different pros and cons, and it is recommended to combine them in order to attain the highest vulnerability coverage and ensure holistic security testing. You may run both SAST and DAST security testing of your mobile app via the free online security test by ImmuniWeb Community Edition.
