2. AGENDA
1. What are the latest Mobile OS platform versions?
2. What is the Mobile App SDLC and the Mobile App Security SDLC?
3. What is the Mobile App STLC and the Mobile App Security STLC?
4. What are the Mobile App development view and testing view?
5. What is the testing difference between Mobile Web and Mobile Native apps?
6. What are the testing techniques to deal with vulnerabilities?
7. What is Real Device vs. Emulator testing?
8. What are the top Mobile App vulnerabilities?
9. What is client-side injection?
10. What are the security testing tools?
11. What are the Mobile Application Security Testing tools?
11. Mobile Apps Testing Techniques to Deal with Vulnerabilities
• Black box/Dynamic Testing - Also known as behavioral testing. It exercises the application while it runs, without access to the source code, to find the vulnerabilities an attacker could find against the application in production. This testing identifies whether a weakness can be exploited, or identifies the type of weakness so that a human penetration tester can verify its exploitability manually.
• Code Review - It identifies vulnerabilities at the source-code level. It can detect injection flaws, backdoors or suspicious code, hard-coded passwords and secret keys, weak algorithm usage, and insecure data storage definitions.
• Penetration Testing - For any mobile application, one of the most critical tests is the penetration test. It is an ethical attack simulation intended to exercise the security controls of the application and highlight the risks posed by exploitable vulnerabilities. The vulnerabilities identified by penetration testing include missing input validation, buffer overflows, cross-site scripting, SQL injection, URL manipulation, hidden variable manipulation, authentication bypass, cookie modification, code execution, and a few other common software attacks.
• Mobile Application Security Assessment - It is a holistic security assessment of the mobile application, the associated backend systems and data flows, and the interactions between them.
Failures occur for different reasons, such as poor design, faulty code, ineffective security measures, or a combination of the above. However, the fact remains that it is important to identify these security risks and minimize security breaches. To protect your users from attacks, you need to stay updated with the latest threats and the ways to deal with them. Hence, it is essential to keep up with the latest vulnerabilities, patches and hacks to ensure that the mobile applications are safe. When it comes to application testing, there is no silver bullet, and no single approach does it all. You need multiple approaches, looking from different angles, to have confidence that your application is secure.
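The code-review bullet above lists the findings a reviewer looks for: hard-coded secrets, weak algorithms, and insecure storage or transport settings. The following Python script is an added example, not part of the original slides, showing how the simplest of those checks can be automated as a first pass before the manual review. The SAMPLE_SOURCE snippet is a constructed Java-style fragment written for this example, and the RULES regexes are deliberately small heuristics (they will miss secrets stored in resources or built at runtime), so they are a starting point for triage, not a replacement for reading the code.

```python
import re

# Constructed sample source, in the style of an Android/Java class, written
# for this example. It is not code from any real application.
SAMPLE_SOURCE = """\
public class ApiClient {
    private static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String DB_PASSWORD = "s3cr3t-p@ss";
    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
    MessageDigest md = MessageDigest.getInstance("MD5");
    String url = "http://api.example.com/login";
    Log.d("ApiClient", "token=" + token);
}
"""

# Each rule: (name, compiled regex, severity). These are simple line-based
# heuristics chosen for illustration; a real review adds many more.
RULES = [
    ("hardcoded-secret",
     re.compile(r'(?i)(?:api[_-]?key|secret|password|passwd|token)\s*=\s*"[^"]{6,}"'),
     "high"),
    ("weak-hash",
     re.compile(r'getInstance\("(?:MD5|SHA-?1)"\)'),
     "medium"),
    ("ecb-mode",
     re.compile(r'getInstance\("[A-Za-z0-9]+/ECB/'),
     "medium"),
    ("cleartext-http",
     re.compile(r'"http://[^"]+"'),
     "medium"),
    ("sensitive-log",
     re.compile(r'Log\.[dviwe]\(.*(?:token|password|secret)', re.IGNORECASE),
     "low"),
]


def scan_source(source: str):
    """Run every rule over every line; return (line_no, rule, severity, text)."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern, severity in RULES:
            if pattern.search(line):
                findings.append((line_no, name, severity, line.strip()))
    return findings


def summarize(findings):
    """Count findings per severity for a quick triage view."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, _, severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for line_no, name, severity, text in results:
        print(f"line {line_no}: [{severity}] {name}: {text}")
    print(summarize(results))
```

Run against the constructed snippet, the scanner flags the two hard-coded credentials, the ECB cipher mode, the MD5 digest, the cleartext HTTP endpoint, and the token written to the log. Each hit still needs a human to confirm it is reachable and exploitable, which is exactly the hand-off to the penetration tester described above.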
12. Real Device vs. Emulator Testing:
Real Device Testing: Testing on a real device lets you run your mobile application and check its functionality on actual hardware. Real device testing gives you confidence that your application will work smoothly on customers' handsets.
Emulators: An emulator is a software program that imitates the hardware and software of a mobile device on your computer, so that you can run and test the application without the physical device.
13. Mobile App Security Testing on Major Platform Emulators
Open source mobile device online emulators:
1. iPad Peek
2. iPhone Tester
3. Mobile Phone Emulator
4. Responsivepx
5. Screenfly
6. Mobi ready tool
More:
http://www.mobilexweb.com/emulators
15. Drawbacks of Using Emulators for Mobile App Testing
Testing on emulators can be a tempting, cost-effective alternative to purchasing devices, but it misses issues such as:
● Device-specific features
● Human interaction issues
● Multi-touch issues
● Bandwidth and loading sequence
● Wireless network behavior - Wi-Fi and GSM signal drops
● Device interrupts and multitasking
● Data retention during signal drops
18. CLIENT-SIDE INJECTION
Client-side injection can be tested in the following ways.
1. Cross-Site Scripting testing can be done using payloads written in the following markup and scripting languages:
● JavaScript
● VBScript
● HTML
● Dart
● ActionScript (used to create animated interactive web applications for Adobe Flash Player using Adobe Flash Pro)
2. SQL INJECTION
● SQL injection can be done with crafted SQL fragments and wildcards supplied as input.
19. 1. CROSS SITE SCRIPT EXECUTION
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. It enables attackers to inject client-side script into web pages viewed by other users, because the application reflects or stores untrusted input into a page without encoding it for the HTML context.
EXAMPLE QUERIES:
1. <script>alert('XSS')</script>
2. <script>alert(document.cookie);</script>
3. http://server/cgi-bin/testcgi.exe?<SCRIPT>alert("Cookie"+document.cookie)</SCRIPT>
4. <script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com/";}</script>
Persistent Cross-Site Scripting
By exploiting this vulnerability, an attacker can:
● Hijack your account
● Spread web worms
● Access your browser history and clipboard contents
● Remotely control your browser
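The example queries above only execute if the application reflects them into the page unencoded, which is what a dynamic test checks for. The following Python code is an added example, not part of the original slides: a deliberately vulnerable search handler that interpolates the q parameter straight into HTML, its hardened twin that HTML-encodes the value with html.escape, and a probe routine that sends each payload through a handler and reports which ones come back verbatim. The handler names, the PAYLOADS list and the URL are constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed XSS probe payloads, in the style of the page's example queries.
PAYLOADS = [
    "<script>alert('XSS')</script>",
    "<script>alert(document.cookie);</script>",
    "\"><img src=x onerror=alert(1)>",
]


def render_search_vulnerable(query: str) -> str:
    """Vulnerable: the untrusted value is reflected into HTML as-is."""
    return f"<h1>Results for: {query}</h1>"


def render_search_fixed(query: str) -> str:
    """Hardened: the value is HTML-encoded (including quotes) before use."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def extract_query(url: str) -> str:
    """Pull the 'q' parameter out of a URL the way a handler would,
    percent-decoding it so the payload is seen in its raw form."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("q", [""])[0]


def is_reflected_unencoded(payload: str, response_body: str) -> bool:
    """Dynamic-test check: the raw payload appears verbatim in the response.
    If it does, the browser will parse it as markup/script, not as text."""
    return payload in response_body


def probe(render) -> list:
    """Send every payload through a render function; return the ones that
    come back unencoded, i.e. the ones a browser would execute."""
    return [p for p in PAYLOADS if is_reflected_unencoded(p, render(p))]


if __name__ == "__main__":
    url = "http://server/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
    q = extract_query(url)
    print("vulnerable:", render_search_vulnerable(q))
    print("fixed:     ", render_search_fixed(q))
    print("reflected by vulnerable handler:", probe(render_search_vulnerable))
    print("reflected by fixed handler:     ", probe(render_search_fixed))
```

The probe is a substring check because that is the signal a scanner such as ZAP looks for first: the payload surviving the round trip unchanged. A negative result from the fixed handler does not prove the page is safe everywhere (the encoding must match the context, for example a JavaScript string or a URL attribute needs different treatment), but a positive result from the vulnerable one is a confirmed reflected XSS.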
20. 2. SQL INJECTION QUERIES
The queries below show what the server ends up executing when an attacker supplies "105 or 1=1" as a user ID, or "" or ""="" as both the name and the password:
SELECT * FROM Users WHERE UserId = 105 or 1=1
SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1
SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
Because 1=1 and ""="" are always true, the WHERE clause matches every row, so the attacker retrieves all users or logs in without valid credentials.
Reference link: SQL Injection video
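To show the queries above actually running, the following Python code is an added example, not part of the original slides. It builds a constructed in-memory SQLite Users table with two sample rows, then implements each lookup twice: a vulnerable version that concatenates the input into the SQL string, and a hardened version that binds it as a parameter. The function names and the sample data are assumptions made for this example. Single quotes are used for the string literals because SQLite treats double-quoted values as identifiers, but the always-true ' or ''=' trick is the same one the page's "" or ""="" payload relies on.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory Users table with sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [(105, "alice", "alice-pw"), (106, "bob", "bob-pw")])
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Vulnerable: input is concatenated into the SQL string, so a value of
    ' or ''=' for both fields turns the WHERE clause into one that is
    always true (AND binds tighter than OR, so the trailing ''='' wins)."""
    sql = (f"SELECT UserId, Name FROM Users "
           f"WHERE Name = '{name}' AND Pass = '{password}' ORDER BY UserId")
    return conn.execute(sql).fetchall()


def login_fixed(conn, name, password):
    """Hardened: bound parameters are sent as data and never parsed as SQL."""
    sql = "SELECT UserId, Name FROM Users WHERE Name = ? AND Pass = ? ORDER BY UserId"
    return conn.execute(sql, (name, password)).fetchall()


def user_by_id_vulnerable(conn, user_id):
    """Vulnerable: '105 or 1=1' becomes part of the query and matches every row."""
    sql = f"SELECT UserId, Name FROM Users WHERE UserId = {user_id} ORDER BY UserId"
    return conn.execute(sql).fetchall()


def user_by_id_fixed(conn, user_id):
    """Hardened: validate the type first, then bind the value as a parameter."""
    try:
        uid = int(user_id)
    except ValueError:
        return []  # reject anything that is not an integer id
    sql = "SELECT UserId, Name FROM Users WHERE UserId = ? ORDER BY UserId"
    return conn.execute(sql, (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    bypass = "' or ''='"
    print("vulnerable login:", login_vulnerable(db, bypass, bypass))
    print("fixed login:     ", login_fixed(db, bypass, bypass))
    print("vulnerable by id:", user_by_id_vulnerable(db, "105 or 1=1"))
    print("fixed by id:     ", user_by_id_fixed(db, "105 or 1=1"))
```

The vulnerable login returns both users for the bypass input, and the vulnerable ID lookup returns the whole table; the parameterized versions return nothing for the same input and still work for legitimate values. The fix is the parameter binding, not input filtering: the type check in user_by_id_fixed only adds a clearer failure for obviously malformed IDs.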
21. Successful Mobile Application Security
Taking a three-tier approach, that is, testing and comparing results across all three layers of the mobile application (client, network, and server), will result in building, managing and successfully securing your mobile applications.
23. Mobile Application Security Testing Tools:
1. OWASP Zed Attack Proxy (ZAP) Tool [Open Source]
2. IBM Security AppScan [Paid Service]
3. HP Fortify [Paid Service]
4. VeraCode [Paid Service]
A few more:
1. Introspy [Open Source]
2. Core Impact Pro 2014 R 1.1 [Paid Service]
3. Appthority [Paid Service]
26. 2. IBM Security AppScan: Methods to scan and test mobile applications
● AppScan can scan mobile applications using three different models:
− Using an emulator, for both iOS and Android
− Configuring an actual mobile device, for both Android and iOS
− Scanning mobile web applications by setting up a mobile user agent
30. 3. HP Fortify:
● Scan, assess and report on the security of mobile applications
● Two ways to coordinate application, information and network security