Mobile Application Testing

A thorough mobile testing methodology

Through research initiatives, Elevate has created a thorough mobile testing methodology. Using a combination of manual review and dynamic analysis along with custom automated fuzzing, Elevate’s Mobile Security Testing covers areas such as:

  • Storage protection
  • Transport protection
  • Authentication
  • Authorization
  • Session management
  • Data validation
  • Error and exception handling

For open mobile platforms such as Android, mobile applications are also decompiled to maximize understanding and testing coverage. For closed platforms such as BlackBerry OS and iOS, source code is often requested to accompany the engagement, or the binaries are reverse engineered at runtime.

Data protection controls

Elevate begins the assessment by evaluating data protection controls on the client device. In particular, Elevate will examine:

  • Where and how the application manages sensitive information
  • Whether the application is properly utilizing native APIs for features like key stores
  • Whether dangerous client artifacts such as user credentials, personal information, and/or any other sensitive application data are unintentionally or insecurely stored on the client device
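The third check above is usually performed by pulling the application's private data directory from a rooted or debuggable device and scanning it for artifacts at rest. The script below is an added example, not Elevate's tooling: it builds a constructed copy of what `adb pull /data/data/<package>` typically yields on Android (a SharedPreferences XML file and a SQLite database, with made-up contents) so that it runs offline, then flags entries whose key name or value looks like a credential, token, or card number. The key-name pattern and the JWT shape are assumptions chosen for illustration; point `scan_app_data()` at a real pull to use it in an engagement.

```python
"""Scan an extracted Android app data directory for insecurely stored secrets.

Added example, not Elevate's tooling. build_constructed_app_dir() fabricates a
directory shaped like /data/data/com.example.bank so the scan runs offline.
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Assumed key-name pattern: names that usually indicate an artifact that should
# not be at rest in cleartext on the device.
SENSITIVE_KEY = re.compile(r"(pass(word)?|pwd|secret|token|session|api[_-]?key|card|ssn)", re.I)

# Rough shape of a JWT; used to flag suspicious values even when the key name is bland.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")

def scan_shared_prefs(path: str) -> List[Tuple[str, str, str]]:
    """Flag SharedPreferences entries whose name or value looks sensitive."""
    hits = []
    root = ET.parse(path).getroot()
    for el in root:
        name = el.get("name", "")
        # <string> holds its value as text; <boolean>/<int> use a value attribute
        value = (el.text or el.get("value") or "").strip()
        if SENSITIVE_KEY.search(name) or JWT_RE.match(value):
            hits.append((path, name, value))
    return hits

def scan_sqlite(path: str) -> List[Tuple[str, str, str]]:
    """Flag non-empty text in any column whose name matches SENSITIVE_KEY."""
    hits = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for t in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
            for c in cols:
                if not SENSITIVE_KEY.search(c):
                    continue
                for (v,) in con.execute(f'SELECT "{c}" FROM "{t}"'):
                    if isinstance(v, str) and v:
                        hits.append((path, f"{t}.{c}", v))
    finally:
        con.close()
    return hits

def scan_app_data(root: str) -> List[Tuple[str, str, str]]:
    """Walk an app data directory and combine the per-file scanners."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            if dirpath.endswith("shared_prefs") and f.endswith(".xml"):
                hits.extend(scan_shared_prefs(p))
            elif dirpath.endswith("databases") and not f.endswith(("-journal", "-wal", "-shm")):
                hits.extend(scan_sqlite(p))
    return hits

def build_constructed_app_dir() -> str:
    """Create a throwaway directory mimicking a pulled app data dir (constructed data)."""
    root = tempfile.mkdtemp(prefix="com.example.bank_")
    os.makedirs(os.path.join(root, "shared_prefs"))
    os.makedirs(os.path.join(root, "databases"))
    with open(os.path.join(root, "shared_prefs", "com.example.bank_preferences.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                 '  <string name="username">alice</string>\n'
                 '  <string name="password">hunter2</string>\n'
                 '  <string name="auth">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig</string>\n'
                 '  <boolean name="onboarded" value="true" />\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.execute("CREATE TABLE accounts(id INTEGER, holder TEXT, card_number TEXT)")
    con.execute("INSERT INTO accounts VALUES (1, 'alice', '4111111111111111')")
    con.commit()
    con.close()
    return root

if __name__ == "__main__":
    for hit in scan_app_data(build_constructed_app_dir()):
        print("%s  %s = %s" % hit)
```

On the constructed data the scan reports the cleartext password, the bearer token stored under a bland key, and the card number column; the username and the boolean flag are not flagged. A real pull also warrants checking file modes on the directory, the backup flag in the manifest, and whether anything reported here should instead live in the platform key store.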

Storage and Transport protection

As part of this analysis, Elevate will also examine memory to ensure sensitive data is properly erased by the application. Additionally, Elevate will review the communication between the mobile application and any remote systems/services. Traffic analysis will focus on uncovering vulnerabilities related to information disclosure, tampering, and spoofing.

Authentication and authorization testing

Once the analysis of transport and storage-level data protection controls has concluded, Elevate will transition to authentication and authorization testing. During this phase of testing, activities include, but are not limited to:

  • An examination of implemented authentication protocols
  • Certificate validation
  • Password policy enforcement
  • Account lockout mechanisms

In addition to assessing how the application performs authentication, Elevate also evaluates how the application segregates functional roles and implements authorization concepts such as the principle of least privilege.

Authorization testing will also assess how data access controls are applied and whether authorization corner cases such as confused deputy conditions are present. During this testing phase, Elevate will attempt to access hidden functionality in both the client and the server, in addition to attempting to escalate privileges.

As an example, Elevate may determine how data is retrieved from the server for the different users and use this information to replay or manipulate the request (for instance, by substituting another user’s identifier while keeping the tester’s own session) to gain access to another user’s data.
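The replay described above is a differential authorization test: the same request is issued under every captured session, and a finding is raised when a session retrieves an object it does not own. The harness below is an added example, not Elevate's tooling. It stands in for the remote service with two in-process backends so it runs offline: a vulnerable one that only checks that the bearer token is valid, and a hardened one that derives the object owner from the session rather than from the URL path. The endpoint path, the token table, and the profile data are all constructed for the example; swap `send` for a real HTTP client to run it against an actual API.

```python
"""Differential authorization (request replay) test for a mobile app backend.

Added example, not Elevate's tooling. The two backends are in-process stand-ins
for a remote service; SESSIONS and PROFILES are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed session table: bearer token -> user it was issued to at login
SESSIONS: Dict[str, str] = {
    "tok-alice": "alice",
    "tok-bob": "bob",
}

# Constructed per-user data the server hands back
PROFILES: Dict[str, dict] = {
    "alice": {"email": "alice@example.com", "card_last4": "1111"},
    "bob": {"email": "bob@example.com", "card_last4": "2222"},
}

@dataclass
class Request:
    path: str    # e.g. "/api/users/bob/profile" (assumed endpoint shape)
    token: str   # bearer token captured from the mobile client

@dataclass
class Response:
    status: int
    body: dict

def vulnerable_backend(req: Request) -> Response:
    """Validates the token but never checks that it belongs to the user in the path."""
    if req.token not in SESSIONS:
        return Response(401, {})
    user_id = req.path.split("/")[3]
    if user_id not in PROFILES:
        return Response(404, {})
    return Response(200, PROFILES[user_id])

def hardened_backend(req: Request) -> Response:
    """Same endpoint; the permitted owner comes from the session, not the client-supplied path."""
    caller = SESSIONS.get(req.token)
    if caller is None:
        return Response(401, {})
    user_id = req.path.split("/")[3]
    if user_id != caller:
        return Response(403, {})  # deny cross-user access regardless of whether the object exists
    return Response(200, PROFILES[user_id])

def find_idor(send: Callable[[Request], Response],
              sessions: Dict[str, str],
              owners: List[str]) -> List[Tuple[str, str]]:
    """Replay the profile request under every session for every owner id.

    Returns (actor, victim) pairs where an actor received the victim's data.
    A baseline request as the legitimate owner is captured first so that an
    endpoint answering 200 with an empty or generic body is not reported as a finding.
    """
    findings = []
    for victim in owners:
        owner_token = next(t for t, u in sessions.items() if u == victim)
        baseline = send(Request(f"/api/users/{victim}/profile", owner_token))
        if baseline.status != 200:
            continue  # object not served even to its owner; nothing to compare against
        for token, actor in sessions.items():
            if actor == victim:
                continue
            resp = send(Request(f"/api/users/{victim}/profile", token))
            if resp.status == 200 and resp.body == baseline.body:
                findings.append((actor, victim))
    return findings

if __name__ == "__main__":
    print("vulnerable:", find_idor(vulnerable_backend, SESSIONS, list(PROFILES)))
    print("hardened:  ", find_idor(hardened_backend, SESSIONS, list(PROFILES)))
```

Against the vulnerable backend every user can read every other user's profile; against the hardened one the harness reports nothing. Comparing the body to the owner's baseline, rather than trusting the status code alone, is what keeps the test honest when a server masks failures behind a 200.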

Session management

In cases where the application communicates with a remote system/service, Elevate’s testing will evaluate how session management is performed. In some cases the application simply maintains a persistent connection (e.g., a socket). If the application uses a persistent socket, Elevate will check what happens when the connection is severed, for example when the device cannot carry voice and data simultaneously and a call arrives, or when the application is backgrounded by multitasking. In other cases, the application may implement a session identifier to uniquely identify the user for the duration of the session. For such cases, Elevate will examine the entropy, length, timeout, and rotation of the identifier to determine the application’s susceptibility to preset identifiers, brute force, session fixation, and other related vulnerabilities.
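The identifier checks above (entropy, length, rotation) can be scripted over a set of session identifiers captured from the interception proxy. The script below is an added example, not Elevate's tooling; the two identifier sets are constructed (a weak counter-plus-timestamp scheme, and one shaped like 16 random bytes rendered as hex), and the 64-bit floor is an assumed threshold that matches the OWASP Session Management Cheat Sheet recommendation. It estimates the usable entropy, detects sequential identifiers, and checks that the identifier rotates across login, which is the session fixation test.

```python
"""Quality checks for session identifiers captured from a mobile client.

Added example, not Elevate's tooling. WEAK_IDS and STRONG_IDS are constructed;
in an engagement, replace them with identifiers captured from the proxy.
"""
import itertools
import math
from typing import Dict, List

# Constructed weak scheme: zero-padded counter plus a timestamp-like suffix.
WEAK_IDS = [f"{n:06d}-{1700000000 + n * 7}" for n in range(1000, 1020)]

# Constructed strong scheme: what 16 random bytes look like as hex.
STRONG_IDS = [
    "7f3a9c1e4b8d2f60a1c5e9b3d7f2a486", "c2e1b7a9f4d86035e9a1c7b3f2d4e6a8",
    "019fd3e7a2b5c8d46e1f7a9b3c5d8e20", "5a6b7c8d9e0f1a2b3c4d5e6f70819203",
    "e4d3c2b1a09f8e7d6c5b4a3928171605", "9b8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d",
]

def alphabet_bits(ids: List[str]) -> float:
    """Bits per character if every observed symbol were equiprobable (an upper bound)."""
    symbols = set("".join(ids))
    return math.log2(len(symbols)) if symbols else 0.0

def shannon_bits_per_char(ids: List[str]) -> float:
    """Empirical Shannon entropy per character over the captured corpus."""
    joined = "".join(ids)
    n = len(joined)
    counts = {c: joined.count(c) for c in set(joined)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def shared_prefix_len(ids: List[str]) -> int:
    """Length of the prefix common to all identifiers; fixed structure carries no entropy."""
    if not ids:
        return 0
    first = ids[0]
    i = 0
    while i < len(first) and all(len(s) > i and s[i] == first[i] for s in ids):
        i += 1
    return i

def looks_sequential(ids: List[str]) -> bool:
    """True if a leading numeric field increases monotonically across the captures."""
    nums = []
    for s in ids:
        digits = "".join(itertools.takewhile(str.isdigit, s))
        if not digits:
            return False
        nums.append(int(digits))
    return len(nums) > 1 and all(b > a for a, b in zip(nums, nums[1:]))

def fixation_risk(pre_auth_id: str, post_auth_id: str) -> bool:
    """Session fixation: an identifier issued before login must not survive login."""
    return pre_auth_id == post_auth_id

def assess(ids: List[str], min_bits: int = 64) -> Dict[str, object]:
    """Summarise the identifier scheme. min_bits is the assumed entropy floor."""
    lengths = {len(s) for s in ids}
    usable_chars = min(lengths) - shared_prefix_len(ids)
    effective_bits = shannon_bits_per_char(ids) * usable_chars
    seq = looks_sequential(ids)
    return {
        "length": sorted(lengths),
        "alphabet_bits": round(alphabet_bits(ids), 2),
        "effective_bits": round(effective_bits, 1),
        "sequential": seq,
        "adequate": (not seq) and effective_bits >= min_bits,
    }

if __name__ == "__main__":
    print("weak:  ", assess(WEAK_IDS))
    print("strong:", assess(STRONG_IDS))
    print("fixation on constructed pair:", fixation_risk("sid-pre-login", "sid-pre-login"))
```

The per-character entropy estimate is only as good as the sample size, so treat a small capture as a screen rather than proof; a scheme that passes here still needs the timeout check, which is done by replaying a captured identifier after an idle period and after an explicit logout and confirming the server rejects it.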

Data validation

Data validation is another important aspect of our testing. Elevate will identify any open ports, interfaces, IPC channels, or other input modes that can be leveraged by an attacker or a malicious application. Fuzz testing will be performed on the exposed interfaces to examine how the application handles malformed and unexpected input.

The objective of this process is to determine the extent to which the application performs filtering, sanitization, and validation. Vulnerability categories in scope include, but are not limited to, cross-site scripting, SQL injection, command injection, mishandled exceptions, and memory corruption vulnerabilities that can lead to remote code execution or a denial-of-service condition.

As vulnerabilities are discovered, Elevate will attempt to demonstrate the practical exploitability of each finding in order to achieve the two primary objectives of the assessment:

  1. Obtain unauthorized access and
  2. Retrieve sensitive information.

Using commercial, open source, and proprietary tools, Elevate implements a structured testing methodology to make the mobile application assessment as efficient as possible.