THE BENEFITS OF WEB AND MOBILE APP PENETRATION TESTING
Mobile applications find many uses in the retail, finance, and health sectors. They’re always just one tap away, and they can include device-specific functionality, which web applications don’t have. One thing which they have in common with web apps, though, is a need to be very careful about their security. Penetration testing for mobile apps is just as important as penetration testing for web applications.
Comparing Web and Mobile Apps
A web application runs on a server, and users access it through a browser. It can be something as simple as a set of forms that initiate actions, or as complicated as a fast-action game or an ERP system. A mobile application runs as a separate application on the client side, but it’s often built around browser code that accesses a single site. Some mobile apps are effectively just single-page browsers while others add native functionality.
There are also mobile applications that are entirely native, and they have security issues as well. But they're more varied, and each one has to be considered based on its own functionality. For this discussion, we're looking at applications that consist largely of access to a web server, whether they're standalone or use a normal browser.
The Differences in Risk
Web and mobile applications each have their distinctive risks. A web application coexists in the browser with other sites. It has less control over its environment and what the user can do compared to a mobile application. It may run on an outdated, unpatched browser. It could find itself on an obscure browser with which it was never tested. Trying the application out with enough different environments to be confident about it is a laborious but necessary task.
A mobile application comes with its own browser, so it has full control over the client and server. However, it has enough risks of its own that the Open Web Application Security Project (OWASP) has compiled a list of mobile device risks. Some of these are particularly relevant to developers and security testers.
- Insecure communication. Applications that send sensitive data ought to send it securely. In a browser, this is just a matter of setting up an HTTPS server and using the appropriate URLs. A mobile application needs to do more work. Some of them do it poorly, ignoring validation errors. Some don't use it at all, sending passwords and credit card numbers over the air as cleartext.
- Inadequate form validation. Forms in mobile applications are vulnerable to malicious data if they don't check their inputs carefully enough. Mobile developers sometimes get careless because they don't think of their applications as web apps.
- Unsafe data storage. A mobile application typically needs to store some data for the user. Some apps store sensitive information without protecting it, in ways that other applications can read.
- Hardcoded passwords and keys. It would take a really foolish web developer to put an undisguised password or key into a page’s JavaScript, but mobile app developers have more of an illusion of safety. Extracting such information from a mobile app is harder than pulling it out of a browser, but it’s a dangerous risk all the same.
- Access to device functionality. A mobile application can request access to the user's microphone, camera, email, and address book. Most users will grant it without a thought. If it's compromised, it will have access to information that a web application can't easily reach, and it can even spy on the user.
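As an added illustration (not code from the original post), here is a small Python scanner that flags source lines matching the insecure communication, hardcoded secret, and unsafe storage items above, run over a constructed Android-style snippet and its fixed counterpart. The regexes, the snippet, and the `keystore.load` helper are assumptions made for this example.

```python
import re

# Heuristic signatures for three of the risks listed above. The regexes are
# illustrative assumptions, not a complete ruleset; hits are leads to review.
RULES = {
    "insecure-communication": [
        r"\bverify\s*=\s*False\b",                     # requests: TLS checks off
        r"ALLOW_ALL_HOSTNAME_VERIFIER",                 # Android: hostname check off
        r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}",  # trust check with empty body
        r"[\"']http://[^\"'\s]+[\"']",                  # cleartext endpoint literal
    ],
    "hardcoded-secret": [
        r"(?i)\b(password|passwd|api_?key|secret)\s*=\s*[\"'][^\"'\n]{6,}[\"']",
    ],
    "unsafe-storage": [
        r"MODE_WORLD_READABLE|MODE_WORLD_WRITEABLE",    # file readable by other apps
    ],
}

def scan(source: str) -> list[tuple[int, str]]:
    """Return sorted (line_number, rule_id) pairs. Matching runs over the whole
    text so an empty trust-check body spanning lines is still caught."""
    findings = set()
    for rule_id, patterns in RULES.items():
        for pat in patterns:
            for m in re.finditer(pat, source):
                findings.add((source.count("\n", 0, m.start()) + 1, rule_id))
    return sorted(findings)

# Constructed Android-style snippet exhibiting all three risks (not real code).
VULNERABLE = """\
public class ApiClient {
    static final String BASE_URL = "http://api.example.test/v1";
    static final String API_KEY = "sk_test_1234567890";
    TrustManager tm = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] c, String a) {
        }
    };
    void save(Context ctx) {
        ctx.openFileOutput("session", Context.MODE_WORLD_READABLE);
    }
}
"""

# After the fixes: HTTPS, key via a hypothetical keystore helper, default trust manager, MODE_PRIVATE.
FIXED = """\
static final String BASE_URL = "https://api.example.test/v1";
String apiKey = keystore.load("api_key");
ctx.openFileOutput("session", Context.MODE_PRIVATE);
"""
```

Running `scan(VULNERABLE)` reports four findings and `scan(FIXED)` reports none; the empty `checkServerTrusted` body is caught even though it spans two lines.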
Ironically, security problems in a mobile application often result from an excess of trust. Because it’s self-contained, developers don’t always think about the issues as carefully as they would for a website.
The Importance of Penetration Testing
Any type of application that accesses server-side code and handles private information needs testing to give confidence that it's secure. Penetration testing for mobile apps has some differences from penetration testing for web applications. There's no address bar in a mobile app, so people can't enter arbitrary URLs. Different testing tools are needed. Real or simulated attacks may involve simulating the application and replicating its server requests.
When people grant access to their personal financial or health data, they have a right to see it protected. Developers need to earn trust by subjecting their applications to rigorous testing. Orenda Security specializes in penetration testing, DAST, and application assessments. We serve the healthcare, financial, and retail sectors.
Contact us today and request a quote!