In addition to exposure from their web applications, organizations are realizing that their expanding portfolio of mobile applications also provides an avenue of attack for malicious actors. The challenge is that mobile applications are often more complicated than their web-based counterparts: they have code that runs on untrusted user devices, code running on corporate web services, and often also rely on untrusted 3rd party web services. Testing these applications is also challenging. Given the array of available static (SAST) and dynamic (DAST) scanners, as well as a variety of manual testing options, what sort of testing needs to be done to achieve an acceptable level of coverage?
We looked at the data from a number of mobile application security assessments and ran some of the numbers. The goal was to answer questions like:
- What types of vulnerabilities are most common in mobile applications?
- In what component – mobile device code, corporate web services or 3rd party web services – are the most serious vulnerabilities found in mobile application systems?
- What type of testing – SAST versus DAST and automated versus manual – found the most and most serious vulnerabilities?
Unfortunately we didn’t find any single magic answer, but the data does provide some insight into the pros and cons of different testing approaches and into what you can expect as you try to craft a cost-effective mobile application security testing program that gives you sufficient test coverage.
You can see a copy of the slides from my presentation at RSA 2014 online:
The abstract for the talk is:
Typically, mobile application assessments myopically test only the software living on the device. However, the code deployed on the device, the corporate web services backing the device, and any third-party supporting services must be “whole-istically” tested, AS WELL AS the interactions between these components, to reach an acceptable level of software assurance for mobile applications.