Mobile App Security Testing: Myths and Methods


What is mobile application security testing?

Mobile application security testing is the process of examining how your app's code collects, stores, transmits and exposes data, and verifying that it does so safely: on the device, over the network, and against the back-end services the app talks to.

Application security testing is conducted with the aims of:

  • Keeping personal data safe from prying eyes, both on the device and on your servers

  • Ensuring your software collects only the information it actually needs

  • Preventing unauthorized access to or modification of data, whether at rest on the device or in transit to your back end

Do you really need to test the security of your app?

Say your app is an innocent game, and you don’t ask for much (if any) information from your users. You don’t need to start the complex process of reviewing your security, right? Wrong.

Say you tested your app’s security when you first released it two years ago. You checked security off of your to-do list, and so you should be all set, right? Wrong again.

These are some of the most common myths about app security testing. Whether your app is used for gaming, recording to-do lists, or conducting banking transactions, you need to run security tests regularly.

And if you haven’t tested and updated security measures since the release of your app, your data could be at risk.

Without clear security protocols, you are vulnerable to data exposure or to attacks that will result in loss of revenue and loss of consumer trust - both of which are tough to regain. This infographic provides some alarming, data-backed insight as to why cybercrime should be a primary concern for every business.

Here are some of the most significant stats:

  • Cyber attacks cost US enterprises an average of $1.3 million in 2017 and cost small to medium-sized businesses an average of $117,000.

  • The cost of a data breach for enterprises grew 11% in 2017.

  • 50% of apps reviewed by Appknox were found to have between four and six vulnerabilities. Of the threats detected, 67% were of high severity.

“Security is not a bullet point item.”

In the wise words from Ulf Larson, an OWASP member, “You must consciously design security into your app from the very beginning, and make it a deliberate part of the entire process from design through implementation, testing, and release.”

Mobile app security is an ongoing and, at times, complicated process, but it’s well worth the trouble to be protected from hackers. After all, you don’t want to see your company’s name in the news tomorrow as the latest data breach.

Here are some additional misconceptions about app security:

Myth #1: If it’s in the app store, it’s safe and secure.

Unfortunately, this is often not the case. Appknox found that 75% of the apps in the public app stores do not pass basic security checks. Both the Apple App Store and Google Play have security measures in place, but they aren't 100% effective at screening for security issues.

For instance, every app in the Apple App Store runs inside a sandbox enforced by iOS. The sandbox limits which files, system services and device capabilities the app can reach, and so limits its ability to engage in undesired behavior.

It also gives the user control over how the app interacts with the system. You've probably seen this in the form of a pop-up asking for permission to use the camera on your phone or to access your health data: outside its sandbox, the app gets nothing the user has not granted.

Sandboxing, along with Apple's intensive review process, is often cited as making the App Store safer than Google Play. Android sandboxes every app as well (each one runs under its own Linux user ID), and neither platform's measures are foolproof: malicious applications have passed review on both stores and gone on to invade user privacy, harvesting browsing history or tricking users into authorizing payments with Touch ID.

Because the Android OS gives apps more latitude, Google Play carries a wider variety of apps, and with it more room for errors to ship. Either way, it's best to conduct your own security testing instead of relying on the store's review process.

Comprehensive testing combines static analysis (reviewing the source or the decompiled binary without running it), dynamic analysis (instrumenting the running app and intercepting its network traffic), and forensic analysis (examining what the app leaves behind on the device: databases, caches, logs and backups), so that several threat models are covered. We'll get more into security testing specifics in a bit.

Myth #2: Two-factor authentication is too much of a hassle for users and isn’t necessary for mobile applications.

Sure, two-factor authentication takes time to set up and adds an extra step between the user and your application, but isn’t it worth it to protect their data?

It most certainly is; especially when dealing with sensitive medical or financial information. Plus, mobile phones can easily be lost or stolen. Two-factor authentication, a form of multi-factor authentication, adds an extra layer of protection that security-conscious users can appreciate.

It works like this: The user will first enter their username and password, and then they provide another piece of information that’s unique to them. According to Authy, this second piece of information falls into one of three categories:

  • Something you know, like a PIN, a passphrase or the answer to a security question

  • Something you have, like a phone running an authenticator app, a hardware key or a key fob

  • Something you are, like your fingerprint or, on Apple devices, Face ID

These categories are also referred to as knowledge, possession, and inherence. An effective strategy combines factors from at least two different categories: a password plus a security question is two knowledge factors, not two-factor authentication.

Enabling a multi-factor authentication mobile app can also help address compliance issues, whether at the local, state, or federal level.

It’s true that this does put an extra burden on the user - and your mobile app developers - but, it is now considered best practice to implement multi-factor authentication. Even Instagram is doing it.

Myth #3: App security is only necessary for applications that deal with highly-sensitive information.

It would be nice if it worked this way, but hackers are not only hunting for your social security number or your credit card information. If you’re storing any personally identifiable information (PII), it needs to be protected.

According to the U.S. General Services Administration, personally identifiable information is defined as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.”  

In 2017, 16.7 million Americans had some form of personally identifiable information stolen, resulting in roughly $16 billion in losses. PII includes information such as your name, date of birth, phone number, gender, or social security number.

This information is often sold in underground markets and then used to open fraudulent credit cards, apply for loans, transfer money, or carry out identity theft.

In short, even information that may not seem private can be put to sinister use in the wrong hands, and it needs to be protected.

Myth #4: All apps dealing with sensitive information must pass the same security requirements, so they're all equally as safe to use.

Alas, not all apps are created equal, even when it comes to mobile banking, health, or trading. There are no mandated security requirements for apps dealing with highly-sensitive information.

Accenture and NowSecure analyzed 30 banking apps in 2016 and found that every single one had at least one security issue.  

Applications that are looking to secure highly-sensitive information, like financial or health-related data, will need to take extra precautions. Keep cryptographic keys in hardware-backed storage (the Secure Enclave on iOS; the Android Keystore, ideally StrongBox-backed, on Android) so the app can use them but never export them, and implement the aforementioned multi-factor authentication procedures.

While there aren't any compulsory security requirements, OWASP - detailed more below - sets some helpful guidelines.

Myth #5: Making transactions online is safer than making transactions on a mobile app.

This one is not 100% false - every website and app is different. There is no consensus on whether online sites or mobile applications are safer for transactions, as it totally depends on the security protocols that are in place.

“I could put 10 security people in the room and half of them will say that’s true and half of them will say that’s false, but part of it is mincing words about how you define security,” said Brian Reed, Chief Marketing Officer at NowSecure.

Mobile devices can, however, benefit from extra secure entry practices like fingerprint or face recognition, and can layer third-party multi-factor authentication apps onto existing applications for added security.

Additionally, well-designed mobile apps keep as little data on the device as possible and put what they must keep in the platform's protected storage (the iOS Keychain or the Android Keystore), and the per-app sandbox on both platforms limits the damage a malicious app can do compared with a traditional desktop.

Myth #6: Apps built on a no-code or low-code platform are released with built-in security measures.

Proper security is not built in to apps created with these sorts of platforms. Often, people do not consider the security of these app development options, leaving the apps vulnerable and their data at risk.

NowSecure has run testing on applications created with low- or no-code platforms and found mixed results, even among apps created on the same platform.

The only way to truly know if an app created in this fashion is secure is to conduct thorough security tests, and then beef up your protections according to the results.

Where to begin

You know you need to secure your app, but how do you get started? A great place to start is OWASP.

OWASP, the Open Web Application Security Project, is an international open community dedicated to improving the security of software. Its Mobile Security Project maintains resources, including the Mobile Application Security Verification Standard (MASVS) and the Mobile Security Testing Guide (MSTG), that can aid in testing and securing your mobile application.

In particular, this checklist of secure coding practices outlines software security coding practices that will mitigate the most common security threats.

Before diving into the checklist, you’re going to need a developer’s help. If you hired an agency to build your app, they should be able to help certify each requirement. Another option is to hire a contract developer or reach out to an agency well-versed in mobile security.

Along with OWASP’s resources, there are plenty of tools out there to help you automate and expedite the testing process.

By habitually testing your application’s security, you can avoid the OWASP Mobile Top 10 (2016) risks:

  1. Improper Platform Usage
  2. Insecure Data Storage
  3. Insecure Communication
  4. Insecure Authentication
  5. Insufficient Cryptography
  6. Insecure Authorization
  7. Client Code Quality
  8. Code Tampering
  9. Reverse Engineering
  10. Extraneous Functionality

If you think your app isn’t out of compliance with anything listed above, think again. A 2018 benchmark analysis by NowSecure found that of the 45,000 mobile apps reviewed, 85% violated at least one of the OWASP top 10.
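The automated tooling mentioned above, and the static leg of the static/dynamic/forensic split from Myth #1, can start very simply. As an added example (not the article's, not an OWASP tool, and not any vendor's product), here is a Python check that parses a decoded Android manifest and resource strings, the kind of files apktool produces from an APK, and maps what it finds onto the Mobile Top 10 categories. The sample manifest and strings are constructed for the example and belong to no real app, and the M-number mapping is the editor's reading of the list rather than an official one. A hardened version of the same manifest is included to show what a clean result looks like.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID = "{http://schemas.android.com/apk/res/android}"  # manifest attribute namespace

# Constructed sample artifacts, shaped like apktool output. They belong to no real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".AdminPanelActivity" android:exported="true"/>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true" android:permission="com.example.demo.SYNC"/>
  </application>
</manifest>
"""

# The same manifest with the weak settings corrected.
HARDENED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="false" android:allowBackup="false" android:usesCleartextTraffic="false">
    <activity android:name=".AdminPanelActivity" android:exported="false"/>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

SAMPLE_STRINGS = """
<resources>
  <string name="app_name">Demo</string>
  <string name="payments_api_key">live_0123456789abcdef</string>
  <string name="support_url">http://support.example.com/help</string>
</resources>
"""

SECRET_NAME = re.compile(r"key|secret|password|token", re.IGNORECASE)


@dataclass
class Finding:
    category: str   # OWASP Mobile Top 10 (2016) bucket, editor's mapping
    location: str
    detail: str


def check_manifest(xml_text: str) -> list[Finding]:
    """Flag manifest settings that ship debug features or expose data and components."""
    findings: list[Finding] = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    if app.get(ANDROID + "debuggable") == "true":
        findings.append(Finding("M10 Extraneous Functionality", "AndroidManifest.xml",
                                "android:debuggable is true: anyone with adb access can attach a debugger"))
    if app.get(ANDROID + "allowBackup", "true") == "true":  # Android's default is true
        findings.append(Finding("M2 Insecure Data Storage", "AndroidManifest.xml",
                                "allowBackup not disabled: private app data can be pulled with adb backup"))
    if app.get(ANDROID + "usesCleartextTraffic") == "true":
        findings.append(Finding("M3 Insecure Communication", "AndroidManifest.xml",
                                "usesCleartextTraffic is true: plain HTTP is allowed"))
    for comp in app:  # direct children: activity, service, receiver, provider
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name = comp.get(ANDROID + "name", "?")
        exported = comp.get(ANDROID + "exported") == "true"
        guarded = comp.get(ANDROID + "permission") is not None
        launcher = any(c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
                       for c in comp.iter("category"))
        if exported and not guarded and not launcher:
            findings.append(Finding("M1 Improper Platform Usage", name,
                                    f"{comp.tag} is exported without a permission: any app on the device can invoke it"))
    return findings


def check_strings(xml_text: str) -> list[Finding]:
    """Flag credentials and plain-HTTP endpoints baked into resource strings."""
    findings: list[Finding] = []
    for s in ET.fromstring(xml_text).iter("string"):
        name, value = s.get("name", ""), (s.text or "").strip()
        if value and SECRET_NAME.search(name):
            findings.append(Finding("M2 Insecure Data Storage", f"strings.xml:{name}",
                                    "credential shipped inside the APK; anyone who unzips it can read it"))
        if value.startswith("http://"):
            findings.append(Finding("M3 Insecure Communication", f"strings.xml:{name}",
                                    f"plain-HTTP URL {value}"))
    return findings


def scan(manifest_xml: str, strings_xml: str) -> list[Finding]:
    return check_manifest(manifest_xml) + check_strings(strings_xml)


if __name__ == "__main__":
    for f in scan(SAMPLE_MANIFEST, SAMPLE_STRINGS):
        print(f"[{f.category}] {f.location}: {f.detail}")
    print("hardened manifest findings:", len(check_manifest(HARDENED_MANIFEST)))
```

Run against a real decoded APK by reading the two files from disk and passing their contents to `scan`. Note what the check deliberately does not flag: the launcher activity, which has to be exported, and the receiver that is exported but guarded by a permission. A static check like this catches configuration mistakes cheaply on every build; it says nothing about what the app does at runtime or what it writes to disk, which is why the dynamic and forensic legs still have to be run.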

Protecting your users

It’s important to note that it is much easier - and more cost-effective - to build a secure app than it is to retroactively implement security practices. That being said, the expense of retroactively securing your app is still definitely worthwhile - and significantly cheaper than the costs associated with a security breach.

Regular mobile security testing is the only way to find out whether your app - and your users - are exposed before an attacker finds out for you.

If you need help testing your mobile app’s security, give us a shout. Our developers can help you navigate the process with ease.