- Mobile Application Penetration Testing
- Vijay Kumar Velu
- 754 characters
- 2021-07-16 12:46:39
The key challenges in mobile application security
Mobile security is not just about code running safely on the mobile device. Starting from the design, it also includes the residual data and data in motion.
Looking at the data and behaviour of an application, any non-trivial mobile application sends data back to a server, and many applications also use third-party web services. Some prevalent problems associated with data at the different layers are as follows:
- Network layer: Data travelling from mobile applications from the device over Wi-Fi and data services
- Hardware layer: Baseband attacks, broadband attacks, and RF range attacks that can affect mobile features
- Operating system layer: Jailbreaking or rooting vulnerability in mobile platforms
- Application layer: Use of the device's APIs (Application Programming Interfaces) without administrative permissions
Since mobile apps are platform-dependent, the key challenges differ from those of traditional applications; some of the key challenges are as follows:
- Threat model: Mobile applications have a significantly complicated threat model, which cannot be the same across different versions of operating systems, devices, and manufacturers. We will discuss this in more detail in Chapter 5, Building Attack Paths – Threat Modeling an Application.
- Third-party code: Developers include code developed by third parties or taken from open source projects.
- Obscure assumptions by developers: Developers assume that the code is inherently secure.
- Outsourcing: Intellectual property concerns. Part of the code, or the entire code base, is not available because it was outsourced.
- Privacy of the data: It is important to comply with regulations and to protect end users' private data. How many third-party APIs are integrated? Who collects what data?
The impact of mobile application security
Mobile applications put the security and privacy of an individual or corporation at risk. With more vulnerabilities attributed to mobile application flaws than to any other category today, security has become a core concern for the business. Several attacks are associated with the way mobile apps are used and with the specific methods an app uses to communicate with the user.
Mobile applications can communicate over various services, which increases the attack surface significantly. Some of these services from which applications can obtain input are Bluetooth, Short Message Service (SMS), microphone, camera, and near field communication (NFC), to name a few.
The two primary impacts of mobile application security are data at rest and data in motion:
- Data at rest: Mobile applications are unique in the sense that they reside on the user's phone. As such, threats to these devices are primarily from mobile malware and other applications. Mobile devices are easily susceptible to theft, getting lost, or being acquired and used by someone else. Mobile app developers should also consider the possibility of data recovery using forensics techniques.
- Data in motion: Sensitive information disclosure and man-in-the-middle (MiTM) attacks are possible risks when the data is not secured in transit.
- Other considerations: Mobile app developers should also consider the implications of malicious applications that are installed from various nonstandard app stores. Developers will always be in an arms race with the latest improvements in mobile malware, such as Zeus MITMO, Spitmo, Citmo, and Tatanga, which have bypassed plenty of mobile security features.
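For the data-in-motion point above, the control a tester checks first on Android is the app's network security configuration. The following is an added example, not code from the book: a weak configuration that permits cleartext traffic beside a hardened one that disallows it and pins the API host's certificate. The host name api.example.com and both pin values are placeholders, not real values.

```xml
<!-- WEAK (res/xml/network_security_config.xml): cleartext HTTP is allowed for every host,
     so any sensitive data the app sends can be read or altered on the network path. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>

<!-- HARDENED: cleartext is refused app-wide, only system CAs are trusted (no user-added
     CAs, which blocks casual interception proxies), and the backend host is pinned.
     Two pins are listed so that a key rotation does not lock the app out. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <!-- PLACEHOLDER: SHA-256 of the leaf or intermediate SubjectPublicKeyInfo, base64 -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_HASH_BASE64=</pin>
            <!-- PLACEHOLDER: backup pin for the next key -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_HASH_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

The file takes effect only when the manifest's `<application>` element references it with `android:networkSecurityConfig="@xml/network_security_config"`; a tester verifies both the file and that reference, since a missing reference leaves the platform default in place.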
The need for mobile application penetration testing
Today's mobile apps have complex security landscapes; vulnerabilities can occur for various reasons, from misconfiguration to code-level bugs.
As the need for mobile applications increases, companies ranging from the Fortune 500 to start-ups are investing large sums in security programs to protect critical information that every individual now carries at their fingertips. Naturally, these companies intend their applications to be secure. Their goal is to identify the loopholes before cyber attackers do and to prevent a serious data breach.
Given the importance of mobile applications discussed earlier, penetration testing is one of the most effective ways to identify known and unknown weaknesses and functionality bugs (which can lead to a vulnerability) in these applications. By attempting to circumvent security controls and bypass security mechanisms, a security tester is able to identify ways in which an attacker might compromise an organization's security. Such a compromise can damage the image that the organization has built over time while earning trust.
Current market reaction
The need for security in mobile applications has led the market to create multiple job roles related to mobile security. Some of these job roles are as follows:
- Mobile Application Security Expert
- Mobile Security Compliance Specialist
- Mobile Technology Risk Manager
- Mobile Device Management Specialist
- Security Architect – Mobile Application
- Mobile Application Privacy Specialist
- Mobile Application Security Assurance Specialist