Assessing the Security of Mobile applications (Part 2) - Testing the application (section 1)

Number: IRCAR201508267

Date: 2015-08-11


To support BYOD and to take advantage of the multiple applications available to organisations it’s essential that the applications be properly vetted before installation and use so that any vulnerability can be uncovered and organisations can improve business function with minimal risk. It’s very important that applications are secure and function as intended.

To recap, we concluded that the app vetting process should include:

  • Planning (covered in article one)
  • Testing of applications (covered in this article and the third article of this series)
  • Application approval or rejection (to be covered in the third article of this series)

In the first article of this series we looked at planning, the initial steps in the application vetting process.

In this article we will cover testing of applications. As part of the planning process, responsibilities will have been assigned and a team positioned to facilitate the application testing process (this was covered in part 1).

Processes for testing should be consistent, easily repeatable and efficient, so that room for error, and the rate of false negatives and false positives, is minimised.

Analysis will involve first establishing whether the application will be suited to the testing procedures to be undertaken (pre-processing), followed by testing the app for vulnerabilities using various methods.

All discovered issues and recommendations should be reported and a risk assessment initiated to validate the next steps in the vetting procedure.

A few things to take into consideration:

  • Provision a procedure whereby the security of the app can be assessed
  • Testing should be undertaken after app development but before the app is deployed on the mobile device
  • Don’t forget to test application updates; this is very important
  • Use a secure approach when testing (utilise encryption where possible for transfer and storage)
  • The strategy should be aligned with your organisation's unique security requirements. This should be carefully considered, as it is necessary to specify the organisation's security requirements for use as a baseline in the vetting process
  • Ensure that any previous testing is not taken as final, as one organisation's security requirement or risk acceptance level may be very different from that of another
  • The app testing can be done internally or externally by service, tool or hands-on manual testing or a combination of various techniques

Testing the application


The delegated team or individual will arrange for the application to be forwarded for testing. The application will be sent to the analyser(s), who may be in-house or external to the organisation, for analysis.

The initial steps in the testing of the app are pre-processing, whereby the app is analysed to confirm its suitability to the testing methods; this often involves de-compilation of the app and storage of the app file. This may be cause for concern with regard to the security of the app, its files and its code, especially if the analyser is not part of the organisation but rather a third party.

Precautionary measures need to be taken to ensure that the app's security and integrity are not compromised during the pre-processing stage. Organisations must ensure that the app's compliance with license agreements remains intact during processing and that intellectual property is protected. Transferring the app via an encrypted channel, ensuring it is stored securely and taking appropriate measures to prevent unauthorised access will help ensure that the security of the app is upheld at all times and throughout the testing procedures.

Testing the app for software weaknesses

Before vulnerabilities can be uncovered, a set of security requirements needs to be stipulated for the app. The requirements laid out are used as a baseline to ascertain, by testing with each particular requirement in mind, whether a vulnerability found violates that requirement or not. A requirement signifies a feature or behaviour that the app should display to ensure that it is secure. The requirements are also valuable when security audits are undertaken.

The recommended security requirements should look as follows:

  • Enabling authorised functionality
  • Preventing unauthorised functionality
  • Limiting permissions (apps should function with the least required permissions and allow the same (least) to other apps)
  • Protecting sensitive data
  • Securing app code dependencies (ensure code dependencies are used sensibly and not for malicious activity)
  • Testing app updates (updates for apps must always be tested as if they were a new app, prior to installation on the mobile device)
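As an added example (not code from the original article or from IRCAR), one way to turn two of the points above into a repeatable check: verifying the integrity of the stored app file after it has been transferred for pre-processing, and comparing the permissions requested in a decompiled Android manifest against the organisation's baseline so that any permission outside the baseline is reported as a finding rather than judged by hand. The sample manifest, the baseline set, the app package bytes and the hash values are constructed for illustration and are not taken from any real app.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Namespace used for android:* attributes in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of a decompiled manifest (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vettingdemo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Vetting demo" android:debuggable="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Hypothetical organisational baseline: the only permissions this business
# app is expected to need. Anything else is reported as a finding.
BASELINE_ALLOWED: Set[str] = {
    "android.permission.INTERNET",
    "android.permission.CAMERA",
}


def sha256_hex(data: bytes) -> str:
    """Hash to record when the app file is first received for pre-processing."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_sha256: str) -> bool:
    """True when the stored app file still matches the hash recorded on receipt."""
    actual = sha256_hex(data)
    return hmac.compare_digest(actual.lower(), expected_sha256.lower())


def extract_permissions(manifest_xml: str) -> List[str]:
    """Return the android:name of every <uses-permission> element, in order."""
    # Manifests come from untrusted apps; for production use parse with defusedxml.
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    return [el.get(f"{{{ANDROID_NS}}}name", "") for el in root.iter("uses-permission")]


def is_debuggable(manifest_xml: str) -> bool:
    """True when <application android:debuggable="true"> is set (should not ship)."""
    app = ET.fromstring(manifest_xml.encode("utf-8")).find("application")
    return app is not None and app.get(f"{{{ANDROID_NS}}}debuggable") == "true"


def check_against_baseline(manifest_xml: str, allowed: Set[str]) -> Dict[str, object]:
    """Compare requested permissions with the baseline; return a structured report."""
    requested = extract_permissions(manifest_xml)
    findings = [f"permission outside baseline: {p}" for p in requested if p not in allowed]
    if is_debuggable(manifest_xml):
        findings.append("application is marked debuggable")
    return {"requested": requested, "findings": findings, "passes": not findings}


if __name__ == "__main__":
    app_file = b"constructed placeholder for the app package bytes"
    recorded = sha256_hex(app_file)  # recorded when the file was received
    print("integrity ok:", verify_integrity(app_file, recorded))
    report = check_against_baseline(SAMPLE_MANIFEST, BASELINE_ALLOWED)
    for line in report["findings"]:
        print("FINDING:", line)
    print("passes baseline:", report["passes"])
```

The report is deliberately structured (requested permissions, findings, pass/fail) so that the same check can be re-run unchanged on each app update, and so that a finding is always tied to the specific baseline requirement it violates.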




Added 20 Mehr 1394
