Today’s workforce is increasingly mobile. Mixing professional and personal devices at work and at home is now commonplace. This practice is known as BYOD or Bring Your Own Device. Because these mobile devices are connecting continuously to the internet, the level of device exposure has risen exponentially in the past few years.
Due to this phenomenon, the National Institute of Standards and Technology (NIST) has issued recommendations on vetting the security of apps to include mobile application testing.
Mobile Application Vulnerabilities
Most mobile apps have vulnerabilities once deployed. This should come as no surprise. A 2018 report from WhiteHat Security showed that as many as 85% of mobile applications have at least one vulnerability when initially deployed, and approximately 50% of mobile applications violated the Open Web Application Security Project (OWASP) Mobile Top 10 standards for secure data storage (data leakage, client-side injection, and weak server-side controls) and secure communication protocols.
On the development side as well as the business side, this issue means continuous adherence to a secure software development lifecycle (SDLC) is essential, as is penetration testing both before and after deployment.
Your Mobile Application Pen Testing Strategy
Your mobile application testing strategy should include a penetration test before, during, and after deployment. Using the right mobile application testing tools can secure your data, protect the integrity of your applications, and limit your potential exposure in case of a breach.
1. RedLegg Cybersecurity and Pen Testing Services
RedLegg provides a full suite of security solutions, including advisory services, managed security services, application assessments, and penetration testing. RedLegg’s mobile application assessments provide high-quality results and detailed corrective actions, including the following:
- Functional review
- Vulnerability analysis
- Risk analysis, scoping, and threat analysis
RedLegg’s methodology complies with best practices from various frameworks, including the Open Source Security Testing Methodology Manual (OSSTMM), OWASP, and the Penetration Testing Execution Standard (PTES), to reduce the likelihood and impact of a breach.
Here are 11 other mobile application testing tools you can use to assess and secure your mobile apps:
2. Burp Suite
Burp Suite is an integrated platform with tools that work together to support the entire testing process from mapping to analysis. The enterprise edition unlocks all features, including the following:
- Web vulnerability scanning
- Scheduled scans
- Repeat scans
- Manual and advanced tools
3. Zed Attack Proxy
The OWASP Zed Attack Proxy (ZAP) is an open-source alternative to Burp Suite. It contains a similar feature set, including the following:
- Automated tools, including spider, active and passive scanner, port scanner, and forced browse
- Manual tools including intercepting proxies, manual request editor, and fuzzer
4. Nikto
Nikto is an open-source vulnerability scanner that checks for things such as vulnerable directories, outdated server software, and potentially dangerous programs:
- Scans multiple ports or multiple web servers
- Checks host authentication
- Guesses credentials for authorization realms
- Replays saved positive requests
5. Micro Focus
Micro Focus employs what it calls a holistic and analytics-driven approach to security:
- Manages identities (privileges, access controls, identity “stores”)
- Protects data through active monitoring
- Secures applications (security into DevOps processes)
6. Kiuwan
Kiuwan is a SaaS static-source-code analytics platform with a distributed engine. It provides seamless security as part of the DevOps process without the need to do analysis on central servers:
- Third-party integration scans
- OS component management and license compliance
- Vulnerability remediation
7. QARK
QARK stands for the Quick Android Review Kit. Another open-source project, it is a static-code analysis engine designed to recognize potential vulnerabilities in Java-based Android apps, including the following:
- Headless mode for integration into the SDLC
- Inspection of raw Java source code or compiled APKs
- AndroidManifest.xml parsing
- Source-to-sink mapping
- Automatic issue validation
8. Android Debug Bridge
ADB is a command-line tool for communicating with Android devices. It lets you install and debug apps and open a Unix shell on the device. This tool is included in the Android SDK Platform-Tools package:
- Management of emulators or physical Android devices
- Device connection over USB or Wi-Fi
- App installation and port forwarding
- Shell commands
- Activity manager calls
9. Codified Security
Codified Security allows testing of mobile apps for security issues pre-release and is another static-code analysis tool:
- Multiple platform support, including Objective-C, Java, Xamarin, Apache Cordova and PhoneGap, and Swift
- Cloud hosting and on-demand testing
- Auto-validation to eliminate false-positives
- OWASP, PCI-DSS, and HIPAA regulation coverage
10. Drozer
Drozer is an Android application assessment toolkit. Whether your app or device is being deployed as an individual instance or across your organization, Drozer provides tools to help you identify vulnerabilities and share public Android exploits:
- Generate shellcode for the remote administrator tool
- Provide maximum leverage on devices
- Execute dynamic Java-code, avoiding the need to compile and install test scripts
- Run in emulators and on real devices
11. Veracode
Veracode’s application security solution is a unified platform that assesses security for apps throughout the development cycle:
- Seamless integration into the software lifecycle to block threats in production
- Developer tools, including API and workflow integrations
- Analysis of third-party components
- Remediation of risks in open-source components
12. Mobile Security Framework (MobSF)
Mobile Security Framework, or MobSF, is a penetration testing framework for mobile application testing on Android, iOS, or Windows:
- Static and dynamic analysis
- Malware analysis
- Web API testing
- Support for APK, IPA, and APPX packages, as well as zipped source code
Data Breaches Tied to Mobile Apps
An estimated 60% of organizations reporting data breaches say they can tie a security incident directly to an insecure mobile app. Given the privacy, legal, reputational, and financial consequences of a breach, you can’t afford not to ensure that your code is clean, your app is secure, and your data is protected.
Whichever mobile application assessment strategy you deploy, make sure you pick the right mobile application testing tools.