Managing attack surfaces is no easy task - you can’t protect what you don’t know you have. Many businesses have their own stories of a pseudo-mythological Windows XP box that sits in the corner and makes everything run. But one of the areas that often escapes testing is our mobile apps.
With more and more businesses bringing their services on the go, we take a look at why mobile application testing is important, and what Secora commonly identifies when testing.
A static shock
We often tend to think of programs and applications as signed, sealed and delivered when they’re pushed out into the wider world. However, one of the first steps that an attacker, or a security consultant will take when performing a mobile application penetration test is to attempt to decompile the application.
When mobile applications are shipped, they are compiled - their code is neatly compressed and packaged into a format that can be easily installed and run by whatever mobile device they find themselves on. However, this process is often reversible to some extent with Android apps in particular, this process is extremely easy to reverse.
Using publicly available tools, attackers can decompile these apps, retrieving a large amount of source code. This is known as static analysis, and the benefits of this are quite obvious - through source code, attackers can more easily identify vulnerabilities, hidden or administrative functionality and more.
But one of the most common issues discovered with mobile apps is that of hardcoded credentials. Let’s consider a simple application that allows users to send an SMS using an external service. It is highly likely that access to this external service is managed through the use of an API key. An attacker would be able to decompile the mobile application, retrieve the API key and use it themselves to send mass spam messages. This is much more common than one would think - Secora has frequently discovered passwords, API keys, URLs pointing to interesting servers and files - the list goes on.
When performing mobile application penetration tests, Secora will decompile the application and comb it for secrets to ensure that they can be removed before the attackers can get their hands on them.
Bigger on the inside
If you aren’t testing your mobile apps, then the likelihood is, you are missing the web services that support them. All but the simplest of mobile applications are fed via web services which is used to fetch data, perform operations and more. And as web services, these pieces of functionality can contain any number of common vulnerabilities - injection, improper authentication and more.
At Secora, we use tools to intercept the traffic as it travels from the mobile application to the server, examining how it works and how both the server and the application interact with one another. From here, it undergoes the same kind of rigorous testing that we provide to any other web application or API call, attempting to use our experience to manipulate it into revealing additional data or performing some unintended action. All of the most common web application attacks are fair game - for more information on the wild, wild web, check out our blog post on the vulnerabilities we identify most often.
Conclusion
In today’s digitally mobile world, the importance of rigorous mobile application testing cannot be overstated.
As Secora’s insights reveal, mobile apps are not impervious fortresses upon their release—they are as vulnerable as any other facet of our digital infrastructure, perhaps even more so due to their pervasive use and the critical data they often handle. Decompilation and the retrieval of sensitive information such as API keys and credentials, along with the vulnerabilities in supporting web services, underscore the necessity for thorough security measures. Without meticulous testing and constant vigilance, businesses risk exposing their attack surfaces to malicious entities, potentially leading to compromised data integrity and loss of consumer trust.
As the boundaries between digital and physical continue to blur, it’s clear that mobile application testing is not just a best practice but an imperative step in ensuring the robustness and resilience of our ever-expanding digital ecosystem. The work done by Secora and other security consultants serves as a critical bulwark in this ongoing effort, safeguarding the mobile gateways to our personal and professional lives.
If you would like to discover how Secora Consulting can assist you in keeping your business secure, please get in touch by filling out the form below 👇.