Mobile Application Security Testing (MAST)
By Aloysius Cheang, Executive Vice President, Asia Pacific, Cloud Security Alliance
The use of mobile applications has become unavoidable, almost a necessity, in today's world, and more people are beginning to question the security of those applications. The emergence of cloud computing calls for organizational transformation to address this paradigm shift: cloud computing accelerates real-time use of applications, which allows for business agility, but the proliferation of mobile applications brings with it a new set of security challenges.
To help organizations and individuals reduce their risk exposure and the security threats that come with using mobile applications, a framework for secure mobile application development, one that achieves privacy and security by design, is required.
Security must be taken seriously from the beginning of application development through to application data deletion. This can be managed as a lifecycle covering development, testing, production, update, application removal and application data deletion.

The most recent mobile application security testing documents released by NIST (2015) and CSA (2016) identify a few major requirements for mobile application security. In short, the key controls identified are permission misuse, improper information disclosure, API/library native risk, application collusion, development obfuscation, connection encryption strength, data storage and power consumption.

The next question is how to test the security of mobile applications. The MAST testing and vetting processes combine static and dynamic analysis to evaluate the security vulnerabilities of mobile applications on platforms such as Android, iOS and Windows. These processes cover permissions, exposed communications, potentially dangerous functionality, application collusion, obfuscation, excessive power consumption and traditional software vulnerabilities. They also cover internal communications, such as the debug flag and activities, and external communications, such as GPS and NFC access, as well as checking the links written in the source code.
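To make the static-analysis side of such vetting concrete, the following is an added example (not code from the article, NIST or CSA) of the kind of manifest and source checks a MAST pipeline runs over an Android application: reviewing requested permissions against a high-risk list, detecting the debug flag and cleartext-traffic flag, finding components exported to other apps without a guarding permission, and listing hard-coded links in source. The manifest, the source fragment and the high-risk permission list are constructed for illustration; the launcher-activity exemption and the "implicitly exported when it has an intent-filter" rule are assumptions that match Android behaviour for apps targeting versions before API 31.

```python
"""Static checks of the kind a MAST pipeline runs over an Android app.

Hypothetical example: the manifest and source below are constructed inputs,
not taken from any real application.
"""
import re
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace (android:name, android:exported, ...).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed subset of permissions a reviewer treats as high-risk.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Constructed sample manifest that exhibits several findings at once.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:debuggable="true" android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".DebugConsoleActivity" android:exported="true"/>
        <receiver android:name=".SmsReceiver" android:exported="true"
                  android:permission="android.permission.BROADCAST_SMS"/>
        <service android:name=".SyncService"/>
    </application>
</manifest>
"""

# Constructed source fragment with one cleartext and one TLS link.
SAMPLE_SOURCE = '''
String api = "http://api.example.com/v1/login";
String cdn = "https://cdn.example.com/assets";
Log.d("DBG", "token=" + token);
'''

URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w./\-?=&%]*)?")


def check_permissions(manifest_xml):
    """Return the requested permissions that are on the high-risk list."""
    root = ET.fromstring(manifest_xml)
    names = (p.get(ANDROID_NS + "name") for p in root.iter("uses-permission"))
    return sorted(n for n in names if n in DANGEROUS_PERMISSIONS)


def check_application_flags(manifest_xml):
    """Flag a debuggable build and opt-in to cleartext (non-TLS) traffic."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is not None:
        if app.get(ANDROID_NS + "debuggable") == "true":
            findings.append("debuggable=true")
        if app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
            findings.append("usesCleartextTraffic=true")
    return findings


def _is_launcher(component):
    """The MAIN/LAUNCHER activity must be exported, so it is not a finding."""
    return any(c.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER"
               for c in component.iter("category"))


def check_exported_components(manifest_xml):
    """Components other apps can reach that have no android:permission guard.

    Assumed rule: exported when android:exported="true", or implicitly when the
    component declares an intent-filter (pre-API 31 behaviour).
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            exported = comp.get(ANDROID_NS + "exported")
            implicit = exported is None and comp.find("intent-filter") is not None
            guarded = comp.get(ANDROID_NS + "permission") is not None
            if (exported == "true" or implicit) and not guarded and not _is_launcher(comp):
                findings.append((tag, comp.get(ANDROID_NS + "name")))
    return findings


def check_links(source):
    """Return every hard-coded URL, marking plain-http ones as cleartext."""
    return [(url, url.startswith("http://")) for url in URL_RE.findall(source)]


def run_static_checks(manifest_xml, source):
    """Aggregate all checks into one report dictionary."""
    return {
        "dangerous_permissions": check_permissions(manifest_xml),
        "application_flags": check_application_flags(manifest_xml),
        "unguarded_exported_components": check_exported_components(manifest_xml),
        "hardcoded_links": check_links(source),
    }


if __name__ == "__main__":
    for key, value in run_static_checks(SAMPLE_MANIFEST, SAMPLE_SOURCE).items():
        print(f"{key}: {value}")
```

Running the script on the constructed inputs reports the two high-risk permissions, both application flags, the unguarded DebugConsoleActivity (the SmsReceiver is exported but guarded by a permission, and SyncService is not exported at all), and the cleartext login URL. In a real pipeline the manifest would come from the decoded APK and the source scan would run over the decompiled code; dynamic analysis then confirms which of these static findings are actually reachable at runtime.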
We should be aware that there are many other mobile application security concerns in the market, and more effort is needed to address them. The next step for mobile application security is to develop a mobile application certification framework that certifies the security of mobile applications. The question is: would you be interested in being part of this?