Mobile Application Security Assessment
Service Overview ⫘
To help reduce your overall risk and associated remediation cost, Secureworks will use a comprehensive and prioritized approach that assesses the security and compliance risks of the entire mobile application, its associated internal or Internet systems, and the interactions between them. Specific techniques used during the assessment will vary based on mobile platform, purpose of the mobile application, coding practices and quality of the mobile application, and the unique deployment environment.
Service Methodology ⫘
A combination of software emulation, software development environments, and actual hardware will be used to perform the mobile application testing. Different techniques must be used on each platform to perform similar testing because of differences in the way each mobile platform operates. The Secureworks testing methodology includes top vulnerabilities from the Open Web Application Security Project (OWASP) Mobile Security Project, other proprietary and open vulnerability sources, and undisclosed vulnerabilities.
Within the scope of the assessment, Secureworks will perform the following activities:
Mobile Security Best Practices Review ⫘
During this phase Secureworks will examine the objectives to be met by the application as well as test directly through the user-interface. These two points of view often lead to the fastest and highest quality results. By reviewing how the developer's approach to accomplish the application objectives, risk decisions can be evaluated. This step also allows for validation that the implementation matches the desired design. Testing will focus exclusively on application security and security related issues, rather than usability.
The consultant will install the mobile application on the desired hardware platform and/or in an emulator and commence testing. This level of testing seeks to perform a static analysis of the application as it sits on a device in order to discover if any coding or logic vulnerabilities exist within the application which may lead to inappropriate access, either by an ordinary user during the course of routine application use or by a malicious attacker. The types of undesired activities which are often discovered by this testing scenario include:
- Accessing personally identifiable information (PII) of other application users
- Elevation of user privileges
- Exposure of underlying application code
This first stage is performed with knowledge of the design and goals, but little or no knowledge of the code or supporting systems. If applicable to the application being assessed, testing activities may include:
- Application manipulation
- User Input fields
- Error handling
- Access control
- Multi-factor authentication
- Strong password requirements
- Application updates
- Tethered
- Over-the-air
- Handling transaction interruptions
- Connectivity loss
- Switching networks during transaction
- Incoming call
- Exiting the application
Mobile Application Security Assessment ⫘
This stage includes a detailed manual security testing and an in-depth analysis of the application running on a device, in an effort to expose vulnerabilities which are not apparent from end-user interface testing only. Although not required for testing, the consultant team can work collaboratively with stakeholders such as those from Development, Project Management, and other identified business groups, to examine the different functions of the mobile application. Although a number of findings can possibly result from this analysis, some common discoveries include:
- "Logic layer" vulnerabilities
- Identification of debug or backdoor functionality
- Identification of any gaps in best practices (bad APIs, managed cryptography provider APIs, creating Customer cryptography method, risky identity management APIs, global shared variables that contain sensitive information)
- Identification of poor error handling (are errors handled gracefully by a central API or are they one-off debug prints and leaks, is environment clean up and recovery properly handled upon failure detection)
- Insecure storage of credentials or authentication tokens
- Insecure application behavior during back-grounding which stores sensitive information on the device, as well as fails to properly log the customer out of the application
- Failure to properly handle invalid SSL/TLS certificates for encrypting communications
The Secureworks testing methodology uses a combination of software emulation, software development environments, and actual hardware to perform the mobile application testing. Different techniques must be used on each platform to perform similar checks. This is due to the differences in the way each mobile platform operates. Secureworks testing methodology includes top vulnerabilities from the Open Web Application Security Project (OWASP) Mobile Security Project, other proprietary and open vulnerability sources, and undisclosed vulnerabilities. Tasks that Secureworks performs includes the following:
- Application emulation
- Use of debugging tools
- Use of network proxies
- Limited device and application forensics
Secureworks will dynamically assess the application using both automated and manual analysis to discover issues specific to the given architecture and design of the mobile application. The following topics represent the types of items that are assessed:
- Access control
- Session management
- Least privilege access
- Inappropriate storage
- Does the application store data it shouldn't?
- Password
- Password hash
- Sensitive information
- Logs
- Keys
- Insecure storage
- How does the application store data it needs to store?
- Encrypted vs. clear text
- Cryptographic implementation
- Insecure transport layer
- Does Customer force SSL for all communications?
- How does Customer handle bad certificates?
- Does Customer implement SSL correctly?
- Other transport layer issues, such as IPsec and VPN
- Application buffer overflow and similar vulnerabilities
- Is there any debugging or test code left in the application?
- Mechanisms to prevent malicious in-app advertisements
- Data leakage
- Location
- Device ID
- Personal information
- IP address
- Geo-location
- Platform-specific testing
- Keystroke caching
- Screen shots
- Keychain or password storage
- SQLite data storage
- Cached files and data
- UIPasteBoard
- Backgrounding action
- Snapshots
Web API Test ⫘
Web Service or API Testing focuses on the following areas:
- Simple Object Access Protocol ("SOAP")/XML structure tests
- Representational State Transfer ("REST") / JavaScript Object Notation ("JSON") parameter manipulation
- Input validation attacks
- Cross-site scripting attacks
- Cookie theft
- Web server insecurity
- Authentication method attacks
- Horizontal and vertical privilege escalation
- Third-party software vulnerabilities
- Database vulnerabilities
The subsections below explain the stages within the process that Secureworks will use to test Customer's web APIs and/or web services.
Remediation Validation ⫘
Secureworks will conduct one remediation validation (RV) for only the high- and critical-severity findings listed in the final report. After the final report is delivered, you have 90 days in which to remediate issues, schedule the RV, and have Secureworks perform the RV. You must submit the RV request through email to the Secureworks point of contact for the Web Service Test within thirty (30) days of delivery of the final report or the RV is forfeited. Secureworks will issue a brief report summarizing the results of the RV, which will include information about whether you successfully remediated the issues.
Note: Secureworks only conducts RVs remotely, regardless of whether the Web Service Test was conducted on-site.
Outcome ⫘
Presentation of findings and deliverables compiled by Secureworks will be provided to you in the form of a report. The report may contain the following:
- Executive summary
- Methods, detailed findings, narratives, and recommendations if any
- Attachment as needed for relevant details and supporting data
Customer shall have one (1) week from delivery of the report to provide comments to be included in the final report. If there are no comments received from Customer before expiration of the review period, the report will be deemed final.
Upon completion of the Service, the Customer-designated contact will receive a secure/encrypted email confirmation from Secureworks. Unless otherwise notified in writing to the contrary by Customer-designated contact, within five (5) business days of such email confirmation, the Service shall be deemed complete.
Scoping Information ⫘
| Scope | Description |
|---|---|
| Mobile Application Security Assessment - Small | One (1) mobile application assessment on one (1) mobile platforms (iOS or Android) |
Scoping Tips: The standard 8 Service Unit test includes one (1) mobile application installed on one (1) hardware platform (iOS or Android). Two (2) Mobile Application Security Assessments are required to test both iOS and Android platforms for a given mobile application.
Work is conducted during business hours of the Secureworks consultant. After-hours feature is available for an additional cost.
The complete Service Description for this service can be found here: Mobile Application Security Assessment