The art of mobile app pen testing can sometimes feel like digging a hole in quicksand thanks to vulnerabilities and privacy issues that crop up during continuous release cycles. Mobile app security professionals must connect and engage with the broader mobile appsec community to amplify their efforts and learn from each other.
The NowSecure services team understands the challenge all too well and frequently taps members’ diverse backgrounds in mobile forensics spanning government, academia and commercial enterprises to continuously improve and innovate our pen testing program.
All told, together the group has pen tested thousands of mobile apps. Speaking from their vast experience, the group fielded questions from the audience earlier this month at the NowSecure Connect 2019 conference. Panel members who participated in the discussion included:
- Katie Bochnowski, Vice President of Customer Success & Services
- Rono Dasgupta, Mobile Security Analyst
- Michael Krueger, Technical Services Lead
- Jordan Thomas, Director of Customer Solutions
- Tony Ramirez, Mobile Security Analyst
(L-R) NowSecure services teammates Tony Ramirez, Michael Krueger, Katie Bochnowski, Rono Dasgupta and Jordan Thomas share their best tips and tricks for mobile app pen testing at NowSecure Connect on Monday, June 3, 2019, in Washington, D.C.
What follows are some of the insights and best practices for mobile app pen testing that mobile application security practitioners and mobile app developers can learn from and adopt to meet their organizations’ needs.
Focus on Four Potential Attack Vectors
While the NowSecure pen testing methodology depends on the mobile application in question, our assessments have four areas of focus in common: data at rest, data in transit, back-end servers and APIs, and reverse engineering.
Data located on the device matters because a device could be lost or stolen and fall into the wrong hands. You want to know what data an app sends over the network because it could be leaking sensitive information and transmitting it insecurely. Server back-end testing matters because an important aspect of mobile application security is what the app is talking to. And finally, tearing apart the app through reverse engineering shows you the information that can be gathered from an attacker’s point of view.
Square Away the Logistics in Advance
One of the hardest parts of mobile pen testing occurs at the onset of the services engagement. Surprisingly, obtaining the app binaries from developers often presents an obstacle. “A lot of people don’t realize the difficulty — not just installing the apps, but actually getting them from developers and provisioning them for your devices,” said Ramirez. Communication and building trust with the client are key.
And speaking about communication, it’s imperative to nail down the scope of testing early on, advised Dasgupta. Ensure there’s an upfront agreement specifying what should be covered and also what not to break, such as taking down a back end or fuzzing.
Automate Where You Can
While the need to pen test certain highly sensitive applications absolutely won’t go away, the old timeline of taking a month to complete a test doesn’t work with today’s volume and velocity of mobile app releases. As such, the NowSecure team recognizes that delivering results faster requires some degree of automation.
“Without automating a piece of a pen test, it’s going to be hard to just throw bodies at the problem,” Thomas noted. Bochnowski added that automation is especially important in situations where the customer has an urgent pen testing deadline. For those projects, the NowSecure team uses the NowSecure automated mobile application security testing solution to flag any high-level risks and shares that information with customers before completing a manual analysis using NowSecure Workstation and a variety of open-source tools such as Frida and many others.
Another challenge everyone in the pen testing world faces is assembling a report, writing it and having it reviewed by peers, noted Krueger. Ramirez echoed, “Being a pen tester means you’re also an author. You not only have to be technical, but also descriptive.”
“Reporting is the most painful part of pen testing because at the end you’re tired and just want to get it done,” said Thomas. “It’s most often where I think mistakes are made and the biggest bottleneck in getting the task done.”
Thomas said that a huge component in speeding pen testing is automated reporting. Krueger built a data aggregation and report generation tool called Red Eye, which gets its moniker from the coffee drink that combines drip coffee and a shot of espresso. The NowSecure services team uses Red Eye to refer to common findings and detail mitigation recommendations. “We don’t need to spend time copying and pasting code and formatting a document and can spend more time testing, peer reviewing and checking our work,” said Krueger.
Obtain Expert Assistance
For organizations more comfortable with outsourcing mobile app pen testing or lack the time or expertise to perform it in house, contact NowSecure to learn more about our mobile app pen testing service. Our comprehensive assessments feature detailed, vetted findings that are second to none. The assessment includes both authenticated and non-authenticated testing to accurately model real-world security challenges and couples findings with recommendations to remediate security issues.