Up your mobile application security

Mobile Application security focuses on assessing the security posture of applications on various mobile device platforms (i.e. Android, iOS and Windows). Mobile applications are being utilised by businesses across the globe to organise workforces, improve customer service, increase revenue, and connect with users from around the world.

Like computers and websites, mobile applications have their own vulnerabilities that can be exploited by a malicious actor to steal or leak personally identifiable or business critical information.

Common issues that affect mobile applications include:

  • Storing sensitive information that could be read by a malicious actor or by other applications installed on the user’s phone
  • Using encryption methods that are no longer secure and contain weaknesses that can be broken to decrypt the sensitive information.
  • Transmitting sensitive information over insecure transmission protocols (i.e. HTTP)

These issues could be exploited in numerous ways, for example, a malicious user deploying a malware to the device to capture keystroke/monitor the copy/paste feature. Alternatively, an attacker could obtain sensitive information by being connected to the same network and capture traffic that is being sent.

Mobile security testing entails utilising the same techniques a malicious user uses to determine any weaknesses within the application. The testing process would usually involve:

  • Checking the copy and paste functionality to determine whether sensitive information can be stored in clipboard.
  • Determine how the application stores, transmits, and receives sensitive information and whether this information can be obtained.
  • Checking the encryption standards to determine whether they are vulnerable.
  • Analysing the source code to pinpoint specific security weaknesses.

Mobile applications should have security tests conducted on an annual basis to verify that security measures have been implemented and the application is secure/hardened against a malicious actor attempting to steal sensitive information.