Benefits of Mobile Application Code Reviews
Studies have indicated that mobile security exploits may double in 2011, increasing the need to secure mobile devices and mobile applications. One way to do this is to ask users to secure their phones by following various guidelines that instruct them to lock the phone, use an antivirus, avoid storing sensitive data on the device, etc.
As an Application Owner (or Mobile Application Developer), the best way to secure phones is to get your mobile application tested for Security Vulnerabilities. There are two traditional ways of testing mobile applications -
- Mobile Application Gray Box Test
- Mobile Application White Box Test
Mobile Application Gray Box Tests
Mobile Application Gray Box Tests are conducted with partial knowledge of the application and with test logins to it. These tests are targeted at flaws in three main categories: Local Storage of Data, Hard-coded Sensitive Data in the Source Code and Data in Transit. To learn more about Mobile Gray Box Tests, please refer to our earlier article on the subject.
Mobile Application White Box Tests
Mobile Application White Box Tests or Mobile Application Code Reviews are a superset of Gray Box Tests. Apart from the execution of gray box test cases, it involves auditing the code base of the application for security flaws. An Android application code review is conducted on its .java files and tested via its .apk files or Android Marketplace download. An iOS (Apple OS) application code review is conducted on its .h and .m files and tested via the Apple App Store download.
There are certain benefits to performing a Code Review for a mobile application over a Gray Box Test. Let's discuss some of those.
Detecting injection flaws
In the case of mobile applications, part of the logic and code is built into the application and runs on the phone itself. This opens a new attack surface: injection flaws in that client-side code can allow an attacker to compromise the phone. A code review of the mobile application increases the chances of detecting such injection flaws, since it allows source-to-sink tracking of variables (from the point where untrusted input enters to the point where it is used) in the Android/iOS code.
Detecting backdoors or suspicious code
This is especially useful for third-party mobile applications that are loaded onto the phone. Mobile applications are increasingly targets of malware. Any piece of malicious code, or a backdoor inserted by developers, may result in major data leakage from the user's phone. Since a code review analyzes the code itself, such patterns are discovered. This is a definite advantage of a code review over a gray box test.
Detecting hard-coded passwords and secret keys
We have noticed cases of payment gateway mobile applications hard-coding secret keys and credit card numbers. Sensitive data such as passwords, user details and encryption keys are often hard-coded in the application. A code review reveals the hard-coded data used by a mobile application.
Detecting weak algorithm usage and hard-coded keys
Mobile applications sometimes use custom encryption algorithms, and may hard-code the encryption key in the application package or store it on the mobile device. They may also use weak encryption algorithms, or mere encoding in place of encryption. Even strong encryption with an easily locatable key defeats the purpose of encryption. These issues are detected more reliably by a mobile code review.
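As an added illustration of the hard-coded-secret and weak-algorithm checks described in the last two sections (this is example code, not from the original article), here is a small Python rule scanner for Android .java sources. The rules and the sample class are constructed for this example; every hit is a heuristic that a reviewer would still confirm by hand.

```python
import re
from typing import List, Tuple

# Review rules for Android (.java) sources: (rule name, compiled regex).
# These are lightweight heuristics constructed for this example.
RULES = [
    ("hard-coded credential",
     re.compile(r'(?i)\b(?:password|passwd|secret|apikey|api_key)\w*\s*=\s*"[^"]+"')),
    ("hard-coded key bytes",
     re.compile(r'new\s+SecretKeySpec\s*\(\s*(?:"[^"]+"\.getBytes\(|new\s+byte\s*\[\s*\]\s*\{)')),
    ("weak cipher (DES/RC4)",
     re.compile(r'Cipher\.getInstance\s*\(\s*"(?:DES|DESede|RC4|ARCFOUR)')),
    ("ECB mode",
     re.compile(r'Cipher\.getInstance\s*\(\s*"[A-Za-z0-9]+/ECB/')),
    ("weak hash (MD5/SHA-1)",
     re.compile(r'MessageDigest\.getInstance\s*\(\s*"(?:MD5|SHA-?1)"')),
    ("Base64 encoding (not encryption)",
     re.compile(r'Base64\.(?:encodeToString|encode)\s*\(')),
]

def scan_java(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, offending line) for each rule hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # line comments are not executable code
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, stripped))
    return findings

# Constructed Java snippet showing the kinds of defects a review looks for.
SAMPLE_JAVA = '''
public class PaymentClient {
    private static final String API_KEY = "sk_live_CONSTRUCTED_EXAMPLE";
    // password = "in a comment, ignored by the scanner"
    public byte[] protect(byte[] card) throws Exception {
        SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(card);
    }
    public String hashPin(String pin) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return Base64.encodeToString(md.digest(pin.getBytes()), Base64.DEFAULT);
    }
}
'''

if __name__ == "__main__":
    for lineno, rule, text in scan_java(SAMPLE_JAVA):
        print(f"line {lineno}: {rule}: {text}")
```

Running the scanner on the sample flags the API key, the hard-coded AES key, ECB mode, MD5 and the Base64 call, which is the list a reviewer would then walk through with the developers.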
Including all other Gray Box Test cases
The security of a mobile application is incomplete without taking the server-side application into account. Business-logic test cases, parameter manipulation, server-side injection and other known attacks are tested as well. Apart from these, mobile platform-specific issues, such as screenshot caching and data stored in .plist files on iOS, or data stored in XML files or SQLite databases on Android, are also detected. A source code review is thus a comprehensive testing approach for mobile applications.
This article has set out the advantages of White Box Tests over Gray Box Tests for mobile applications. As a service provider, we conduct both Gray Box and White Box Mobile Application Security Tests.