SecureState has developed a detailed manual testing process for assessing mobile applications that can be extended to the financial and privacy compliance requirements of payment apps. Our Black Box Mobile Application Assessment (MAS) simulates an attacker downloading your application from an “app” store and hacking the application with no knowledge of built in security controls or other information. Below are the phases for our Black Box Testing Methodology.
In the first phase of this assessment, SecureState works with the client to establish the rules and scope of the engagement and exchange contact information for both parties. Before the assessment, personnel identify “trophies” or high value data in the mobile assessment as targets of interest. SecureState provides a detailed Project Charter that contains information on scope and everything that will be required to conduct the testing.
In the next phase, SecureState will assess the mobile application’s SOAP or REST-based web services for common vulnerabilities. We will perform security testing specific to web services, including but not limited to XML structural testing, XML content-level testing, HTTP GET parameters/REST testing, Naughty SOAP attachments, Replay testing, Web service MITM (Man-in-the-middle) testing. Based on the answers to scoping questions provided by SecureState prior to the engagement, SecureState will determine a threat model and use it to scope this piece of the assessment. Depending on these threats, SecureState will outline a set of tests that are applicable to your web services. SecureState has developed a testing methodology and toolset in partnership with the OWASP Testing Project designed to test web services.
Next, SecureState monitors all network traffic generated by the mobile application. SecureState looks to identify sensitive information being sent through cleartext protocols, which may be observed and either stolen or reused by an attacker. Custom protocols will be analyzed and SecureState will attempt to reverse engineer data flows in an attempt to read or alter those communications.
During the next phase, SecureState will attempt to identify weaknesses in the trust model of the application and enumerate any sensitive operations or data that can be accessed or modified without the proper authorization by other applications or services. After this, SecureState uses the mobile application with the intent to fully understand the capabilities of the application. During this time, all points of interaction and input are determined.
SecureState then attempts to exploit logic flaws within the application, checking for issues such as invalid operations, bypassed validation checks, weak or invalid authentications, and bypassed authorizations. SecureState will then attempt to inject “garbage” or random data into input fields in an attempt to get the application to crash or start to behave in unexpected ways. Additionally, SecureState will attempt to inject attack strings relevant to the context of an application, looking for OWASP Mobile Top 10 vulnerabilities such as SQL injection or Cross-Site Scripting (XSS). Then, SecureState will attempt to identify sensitive information stored locally on the device storage or expandable storage cards. SecureState will verify that any sensitive information stored on the device cannot be accessed or modified outside of trusted systems and processes. SecureState uses a unique “forensic” approach to this phase of testing, as application processes during runtime are monitored to determine where the application writes data to the device. These areas include log files, local databases such as SQLite, and more. SecureState evaluates these areas to determine if there are security concerns with stored data on the device. Finally, SecureState will attempt to “disassemble and decompile” the mobile application to look for sensitive information, buffer overflows, memory handling issues and more.