Mobile App Security Testing
AGENDA
1. What are the latest Mobile OS platform versions?
2. What is Mobile App SDLC & Mobile App Security SDLC?
3. What is Mobile App STLC & Mobile App Security STLC?
4. What is the Mobile Apps Development view & Testing view?
5. What is the testing difference between Mobile Web & Mobile Native Apps?
6. What are the Testing Techniques to Deal with Vulnerabilities?
7. What is Real Device Vs Emulator Testing?
8. What are the top Mobile Apps Vulnerabilities?
9. What is Client side injection?
10. What are the Security Testing Tools?
11. What are the Mobile Application Security Testing Tools?
Android OS version names
Mobile Application SDLC
Mobile Apps Testing Life cycle
Development View
Testing View
Mobile Apps: Native, Web, Hybrid
Mobile Web Vs Native Apps
Mobile Apps Testing Techniques to Deal with Vulnerabilities
• Black box/Dynamic Testing- Also known as behavioral testing. It analyzes the application as it runs to identify vulnerabilities that an attacker could find while the application is running in production. This testing identifies whether a weakness can be exploited, or identifies the type of weakness so that a human penetration tester can verify its exploitability manually.
• Code Review- It identifies vulnerabilities at the source-code level. It can detect injection flaws, backdoors or suspicious code, hard-coded passwords and secret keys, weak algorithm usage, and insecure data storage definitions.
• Penetration Testing- For any mobile application, the penetration test is one of the most critical tests. It is an ethical attack simulation intended to exercise the security controls of the application by highlighting the risks posed by exploitable vulnerabilities. The vulnerabilities identified by penetration testing include input validation flaws, buffer overflows, cross-site scripting, SQL injection, URL manipulation, hidden variable manipulation, authentication bypass, cookie modification, code execution, and a few other common software attacks.
• Mobile Application Security Assessment- It is a holistic security assessment of mobile applications, the associated backend systems, and the data flows and interactions between them.
Failures occur for different reasons, such as poor design, faulty code, insufficient security measures, or a combination of these. Whatever the cause, it is important to identify these security risks and minimize security breaches. To protect your users from attacks, you need to stay updated with the latest threats and the ways to deal with them. Hence, it is essential to keep up with the latest vulnerabilities, patches and hacks to ensure that the mobile applications are safe. When it comes to application testing, there is no silver bullet, and no single approach does it all. You need multiple approaches, looking from different angles, to have confidence that your application is secure.
Real Device Vs Emulator Testing:
Real Testing Device: Testing on a real device allows you to run your mobile application and check its functionality. Real device testing assures you that your application will work smoothly on customer handsets.
Emulators: An emulator is a software program that imitates the features of another computer or mobile platform; you install it on your computer or mobile device and run the application inside it instead of on the target hardware.
Mobile App Security Testing on Major Platforms Emulators
1. iPad Peek
2. iPhone Tester
3. Mobile Phone Emulator
4. Responsivepx
5. Screenfly
6. Mobi ready tool
More: http://www.mobilexweb.com/emulators
Open source Mobile device Online emulators:
Drawbacks of using Emulators in case of Mobile App Testing
Testing on emulators can be a tempting, cost-effective alternative to purchasing devices, but it misses out on issues such as:
● Device specific features
● Human interaction issues
● Multi-touch issues
● Bandwidth and loading sequence
● Wireless network behavior – Wifi and GSM signal drops
● Device interrupts and multitasking
● Data retention during signal drops
Top Mobile apps vulnerabilities
CLIENT - SIDE INJECTION
Client-side injection can be performed in the following ways:
1. Cross Site Scripting testing can be done using the following scripting languages:
● Javascript
● VBScript
● HTML
● Dart
● ActionScript (used to create animated interactive web applications for Adobe Flash Player using Adobe Flash Pro)
2. SQL INJECTION
● SQL Injection can be done with SQL scripts/wildcards.
1. CROSS SITE SCRIPT EXECUTION
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. It enables attackers to inject client-side script into Web pages viewed by other users, bypassing the browser's same-origin protections.
EXAMPLE QUERIES:
1. <script>alert('XSS')</script>
2. <script>alert(document.cookie);</script>
3. http://server/cgi-bin/testcgi.exe?<SCRIPT>alert("Cookie"+document.cookie)</SCRIPT>
4. <script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://not-real-xssattackexamples.com/";}</script>
Persistent Cross Site Scripting
By exploiting this vulnerability, an attacker can:
● Hijack your account
● Spread web worms
● Access your browser history and clipboard contents
● Remotely control your browser
2. SQL INJECTION QUERIES
SELECT * FROM Users WHERE UserId = 105 or 1=1
SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1
Reference link: SQL Injection video
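As an added example (not code from the slides), the following Python script shows how the two injected queries above arise when untrusted input is concatenated into SQL, and how parameterised queries and HTML output encoding defeat both kinds of client-side injection listed on the slides. The Users table and its rows are constructed sample data; the slide's double-quoted SQL is written here with single quotes because SQLite reads double quotes as identifiers.

```python
import html
import sqlite3

# Constructed sample data standing in for the slide's Users table (not from the slides).
SAMPLE_USERS = [
    (105, "alice", "s3cret"),
    (106, "bob", "hunter2"),
    (107, "carol", "letmein"),
]

# The two injection inputs from the slide. The credential form uses single quotes as
# the string delimiter; the slide shows the same query with double quotes.
INJECTED_USER_ID = "105 or 1=1"
INJECTED_CREDENTIAL = "' or ''='"

# XSS payloads from the slide, used only to check that output encoding neutralises them.
XSS_SAMPLES = [
    "<script>alert('XSS')</script>",
    "<script>alert(document.cookie);</script>",
]


def make_db():
    """Create an in-memory SQLite database holding the constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    """Concatenates untrusted input into SQL: '105 or 1=1' rewrites the WHERE clause.

    Returns the SQL actually executed together with the rows it produced."""
    sql = "SELECT * FROM Users WHERE UserId = " + user_id
    return sql, conn.execute(sql).fetchall()


def vulnerable_login(conn, name, password):
    """Concatenation again; this builds the slide's Name/Pass tautology query."""
    sql = ("SELECT * FROM Users WHERE Name = '" + name
           + "' AND Pass = '" + password + "'")
    return sql, conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    """Parameterised query: the driver binds the value, so it is never parsed as SQL."""
    return conn.execute("SELECT * FROM Users WHERE UserId = ?", (user_id,)).fetchall()


def safe_login(conn, name, password):
    """Parameterised login check; the quote characters stay inside the bound value."""
    return conn.execute(
        "SELECT * FROM Users WHERE Name = ? AND Pass = ?", (name, password)
    ).fetchall()


def escape_for_html(text):
    """Server-side output encoding for untrusted text placed into an HTML body."""
    return html.escape(text, quote=True)


def run_demo():
    """Runs every case and returns the row counts so they can be compared."""
    conn = make_db()
    return {
        "vuln_lookup": len(vulnerable_lookup(conn, INJECTED_USER_ID)[1]),
        "safe_lookup": len(safe_lookup(conn, INJECTED_USER_ID)),
        "vuln_login": len(vulnerable_login(conn, INJECTED_CREDENTIAL, INJECTED_CREDENTIAL)[1]),
        "safe_login": len(safe_login(conn, INJECTED_CREDENTIAL, INJECTED_CREDENTIAL)),
    }


if __name__ == "__main__":
    conn = make_db()
    sql, rows = vulnerable_lookup(conn, INJECTED_USER_ID)
    print(sql, "->", len(rows), "rows")   # the tautology returns every user
    print(safe_lookup(conn, INJECTED_USER_ID))  # [] : bound as one odd value
    sql, rows = vulnerable_login(conn, INJECTED_CREDENTIAL, INJECTED_CREDENTIAL)
    print(sql, "->", len(rows), "rows")
    print(safe_login(conn, INJECTED_CREDENTIAL, INJECTED_CREDENTIAL))  # []
    for payload in XSS_SAMPLES:
        print(escape_for_html(payload))   # no raw '<' survives encoding
```

The concatenated queries return all three constructed users, while the parameterised forms return none; in a code review this difference is the signature to look for.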
Successful Mobile Application Security
Taking a three-tier approach, testing and comparing results across all three layers of the mobile application (client, network, and server), will result in building, managing and successfully securing your mobile applications.
Web Security Testing Tools: Top 10 – Best Security Tool of the year 2013
Mobile Application Security Testing Tools:
1. OWASP Zed Attack Proxy (ZAP) Tool [Open Source]
2. IBM Security AppScan [Paid Service] IBM AppScan Pricing
3. HP Fortify [Paid Service] How to buy
4. VeraCode [Paid Service] How to buy
Few more:
1. Introspy [Open source]
2. Core Impact Pro 2014 R 1.1 [Paid Service]
3. Appthority [Paid Service]
2. IBM Security AppScan:
● AppScan can scan mobile applications using three different models:
− Using an emulator for both iOS and Android
− Configuring an actual mobile device for both Android and iOS
− Scanning mobile web applications by setting up a mobile user agent
Methods to scan and test mobile applications
Why IBM Security AppScan?
3. HP Fortify:
● Scan, assess and report on the security of mobile applications
● Two ways to coordinate application, information and network security
4. VeraCode
Thanks
Krishnaiah Dasari (SDET)
Mobile App Security Testing Techniques and Tools