Mobile app security testing tools of the trade: How to choose

This is part two of three in a series about building a mobile app security program from NowSecure Director of Services Katie Strzempka. Part one defines a mobile app security program and summarizes how to create a high-efficiency team. Part two explains how to choose the right mobile app security testing tools to drive consistency in your processes and reporting. Part three gives pointers for working with your development team to achieve your program’s objectives.

To start, building a mobile app security program requires setting your objectives and metrics, documenting your security standards and methodology, and assembling your team. From there, you need to arm your team with the tools they need to thoroughly test your organization’s mobile apps. The size of your team can affect what tools will work for you. If you test one or two mobile apps each year, you might choose different tools than if you test 40, 50, or even hundreds of app releases annually.

iOS and Android app security testing tools for smaller teams/programs

Make no mistake — there’s a steep learning curve for many of the open-source mobile app security testing tools listed below. In addition, some of the tools are not updated regularly, and technical support is unavailable. So using the tools effectively requires a certain level of technical acumen. But experienced analysts may be able to meet the needs of the organization, at low testing volumes, with a collection of open-source tools.

Examples of open-source/free mobile app testing tools include:

• Santoku:  A virtual machine that contains a number of open source tools specific to mobile application security testing, forensics and data recovery, and malware analysis.
• Mobile Security Framework (MobSF): Automated penetration testing framework for Android and iOS apps including static and dynamic analysis and web API testing capabilities.
• Mitmproxy: Allows a user to intercept and modify requests and responses exchanged between an app and backend services in order to inspect any data transferred.
• Drozer: Identifies security vulnerabilities in Android apps and devices and supports the use and sharing of public exploits.
• Frida: An analyst can use Frida to inject JavaScript snippets into native Windows, Mac, Linux, iOS, and Android apps. Created and maintained by NowSecure researcher Ole André V. Ravnås and sponsored by NowSecure.
• Radare: A reverse-engineering framework used to analyze and inspect iOS and Android binaries. Created and maintained by NowSecure researcher Sergi Álvarez and sponsored by NowSecure.

For teams that are new to mobile or don’t have the requisite expertise, I highly recommend a commercial tool. A commercial tool will drive consistency, reduce on-boarding time for analysts, and make setup of the testing environment easier.

Configuring a testing environment is a time-intensive, frustrating process that requires, at least, the following:

• Jailbreaking or rooting a test device
• Setting up ad-hoc WiFi networks for various network attacks
• Reverse-engineering app binaries to evaluate source code

Most commercial software licenses will also include some level of technical support. This helps in two ways. First, vendor tutorials and resources will not only teach an analyst how to use the tool, but will ingrain in them a process for evaluating the security of mobile apps. Second, if an analyst experiences problems trying to use the tool, help is just a chat-box or phone call away (rather than at the end of hours of independent troubleshooting).

FREE guide – “Mobile App Security Program Management Handbook“- download now.

Tools for larger teams and/or more mature programs

More sophisticated mobile app security programs require a combination of tools to drive efficiency, reduce turnaround time, and deliver consistency in reporting from one analyst to the next. Advanced open source tools should certainly be used for areas of test coverage where automation is not possible, which may include web-services/API penetration testing and manual analysis of reverse-engineered code to identify weaknesses.

A larger, more mature mobile app security team needs a toolset that can deliver the following:

• Automated testing for basic coverage: Basic coverage should at least include checks for improper certificate validation or hostname verification, insecure storage of sensitive data, and personally identifiable information (PII) saved in device logs.
• Manual testing across the entire attack surface: Security analysts will need tools for forensic analysis and data recovery, network analysis, web penetration testing, reverse-engineering, and code analysis.
• Flexible reporting: Customizable reporting will maintain consistency while allowing your team of experts to adjust or add new findings beyond those uncovered by automated testing. Ideally reporting maps directly to your program’s requirements, as well as standards such as CVSS, the OWASP MASVS, and Common Weakness Enumeration (CWE).

A note on automated mobile app security testing tools

No matter their size, a mobile app security team can benefit from automating aspects of their security testing. It all depends on volume. A smaller team can’t test as many apps as a larger team can. If testing demands surge, automated testing reduces the amount of time it takes to test an app, gives developers feedback more quickly, and frees up analysts for more in-depth mobile app penetration testing. Larger organizations need automated security testing as part of their continuous integration and delivery practices and need it to integrate with other aspects of their DevOps stack.

Choose mobile app security testing automation tools carefully. Look for a combination of static and dynamic analysis capabilities. Some automation tools require source code and/or are only capable of static analysis, which can lead to more false positives. When test results continue to sound the same false alarms, security analysts lose credibility with developers. A combination of static and dynamic analysis helps filter out false positives. I tend to think of dynamic analysis as a way to confirm the results of a static check.

For example, if the objective of a check is to determine whether an app is logging sensitive data:

• Static analysis will flag whether or not certain debugging and logging flags are enabled or disabled
• Dynamic analysis will actually run the app and search device logs for sensitive values (e.g., user credentials)
• In this example, if dynamic analysis finds user credentials in log files, there’s no denying the issue

Mobile app security testing tools summary

In choosing the tools that work for your organization, the end goal is some semblance of consistency in coverage, results and reporting:

• Consistent coverage ensures you’re spending your time wisely and evaluating the security of an app across the entire mobile attack surface
• Consistent results help you track progress against your program’s objectives (and 87 percent of CEOs want better cybersecurity metrics according to a December 2016 study published by RedSeal)
• Consistent reporting helps the multiple teams involved in the mobile app development process understand what needs to be done to reduce risk in an enterprise’s mobile apps

Read part one of this series on mobile app security program management. Part three of this series will guide you in rallying your development and DevOps teams to establish mobile app security program buy in and achieve program objectives.