Mobile application security testing: The unique characteristics of device security models

By Sanjay Zalavadia, VP of Client Services, Zephyr

Smartphones, tablets and wearables have all led to changes in how businesses operate and how consumers are kept connected to their favorite organizations. However, workers cannot simply use just any application; software often must undergo stringent evaluations to ensure that it meets employee needs and has the protections to keep company data safe. As more businesses approve of bring-your-own-device policies, quality assurance teams must leverage mobile app developmentsecurity testing techniques while understanding the unique needs of device security models.

Security importance on the rise

Although computers are still a main target for hackers, mobile devices are increasingly experiencing their share of attacks. Application security has become such a priority for organizations that the market is expected to grow to $6.77 billion by 2021, tripling its current estimate, according to predictions from MarketsandMarkets. The report noted that the surge of breaches aimed at applications is a primary driver for the market's rapid development. This makes sense, especially since malicious programs are already in app stores just waiting to be downloaded.

Google Play, in particular, has been a victim of numerous apps targeted to release malware and access user data. TechTarget contributor Eric Beehler noted that Google's open format and lack of safety oversight has caused many problems for users and can mean trouble when exposing business information. Although improvements are constantly being made to avoid these incidents, companies must test applications themselves to ensure that they are safe for employees to work with.

"All it takes to access the data stored on an unlocked smartphone running a poorly written app is a simple extraction of the file attached to the mobile application, then a query," Beehler wrote. "This action can tell you anything you want to know about the data stored in that app, which is especially troublesome if the database connects to a back end system. Because of these mobile application vulnerabilities, sensitive data should be encrypted at the device level, and external connections should be encrypted as well."

Taking stock of device security capabilities

Rather than relying on providers to ensure that apps are safe, organizations have to test out the programs themselves as well as make use of security testing tools to protect employees and business data. TechTarget contributor Dan Cornell noted that there are a few testing types that these solutions should address: static, dynamic and forensic. These approaches will examine code at rest, the behavior of running systems and what's been left behind after a program has been run, respectively. Using these methods together will give QA teams a fuller picture of the app's security and help make decisions regarding how to better protect employees.

While security testing tools will be a major asset to evaluating applications themselves, the solutions can also gauge the protection capabilities of the device. It's important to note that as new devices and operating systems are released, support is discontinued for older versions. IT and QA staff must determine if employees are using any legacy systems that no longer receive patches and manufacturer updates, as this will leave a huge vulnerability if it's not addressed appropriately. Newer hardware may also have better features like encryption and passcodes, whereas legacy devices may not have things like remote wipe to reset to factory defaults or remove encryption keys. Taking stock of what devices and operating systems are being used will help teams make a security map of their infrastructure. This way, teams can create a solid protection strategy and provide employees with capable applications.

Don't Miss ( 1-5 of 20 )