Mobile AST Specifics
Unique Aspects of Mobile AST
Security testing for web and mobile applications is based on the same principles and practices. However, security testing of mobile applications differs from security testing of web applications for several reasons:
- AST technologies for web applications have been developed and refined over a long period. Mobile applications in their present form have existed for only about ten years, so the technology for testing them is less mature than that for web applications.
- Many enterprise and open-source AST tools for web applications are available (Checkmarx, Sonatype, Burp Suite, OWASP ZAP, w3af, etc.). There are fewer MAST tools, and they require higher qualifications and more effort.
- Web applications run in a web browser, an environment that is easy to reproduce. Testing mobile applications requires either real mobile devices (iOS or Android) or emulators (Android) of the device under test. The Android emulator fully emulates Android devices and can be run on any operating system.
- Testing mobile applications requires more effort, even though test automation tools exist here as well (for example, Appium). Mobile devices have no native runtime environment for test automation; such an environment must be created specifically. Even with test automation tools, mobile application testing includes additional steps to prepare the test devices, requires experience with mobile devices, and therefore still takes more effort.
- Today, the CI/CD paradigm is a development standard and implies the automatic execution of all operations from committing the source code to deploying the application in production. Web applications can be deployed automatically without any problems, whereas installing a new version of a mobile application on all test devices requires additional effort. To address this, MAST automation should also use distribution systems such as AppCenter, HockeyApp and so on. Distribution systems exist precisely to avoid manually installing the application on each mobile device: a new application version is installed automatically on the devices under test.
- Mobile applications may have front ends written in JavaScript frameworks, just like web applications. However, mobile applications have some specific features: the architecture of a web application differs from that of a mobile application, and the mobile platform architecture affects application behavior and MAST implementation in several ways:
  - The web version of an application runs in a web browser (and is therefore restricted by the browser's functionality), while the mobile version runs directly on the operating system.
  - Mobile applications often store a significant amount of information on the device to speed up operation, and the front end of a mobile application can contain some of the application's business logic. As a result, a lot of sensitive information is stored on mobile devices, which is fast but vulnerable.
  - Many compliance requirements apply to mobile applications (GDPR, PCI DSS, OWASP Mobile Top 10, OWASP MASVS, etc.), and certification of mobile applications is often an important part of MAST.
All these aspects make MAST unique compared to web AST and should be taken into account when planning and conducting it.
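The point above about sensitive data kept on the device is usually checked first at the manifest level, because a few application-wide settings decide how exposed that local storage is. The script below is an added example (not code from the original text): it runs a static check over a decoded AndroidManifest.xml and reports settings that widen access to on-device data, showing a weak configuration beside its corrected form. It assumes the manifest has already been decoded from the APK to plain XML (for example with apktool); both sample manifests and the package name com.example.bank are constructed.

```python
"""Static check of a decoded AndroidManifest.xml for settings that widen the exposure
of data the app keeps on the device.

Added example, not from the original text. Assumes the manifest has already been
decoded from the APK to plain XML (for example with apktool); the two sample
manifests below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a build with several weak settings.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <provider android:name=".TokenProvider" android:exported="true"
              android:authorities="com.example.bank.tokens"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample: the same app with the settings corrected.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:allowBackup="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <provider android:name=".TokenProvider" android:exported="true"
              android:permission="com.example.bank.READ_TOKENS"
              android:authorities="com.example.bank.tokens"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""


def attr(element, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get("{%s}%s" % (ANDROID_NS, name), default)


def is_launcher(component):
    """True for the app's MAIN entry activity, which is expected to be exported."""
    return any(attr(action, "name") == "android.intent.action.MAIN"
               for f in component.findall("intent-filter")
               for action in f.findall("action"))


def check_manifest(xml_text):
    """Return (severity, message) findings for settings that expose on-device data."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return [("error", "manifest has no <application> element")]
    findings = []
    # allowBackup defaults to true, so app data may end up in device backups.
    if attr(app, "allowBackup", "true") != "false":
        findings.append(("medium", "allowBackup is not false: app data may be included in backups"))
    if attr(app, "debuggable") == "true":
        findings.append(("high", "debuggable is true: the app's private storage is readable via run-as"))
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append(("medium", "usesCleartextTraffic is true: data may leave the device unencrypted"))
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            exported = attr(comp, "exported")
            # A component with an intent-filter is exported unless exported="false".
            effectively_exported = exported == "true" or (
                exported is None and comp.find("intent-filter") is not None)
            if effectively_exported and not is_launcher(comp) and attr(comp, "permission") is None:
                findings.append(("medium", "%s %s is exported without a permission"
                                 % (tag, attr(comp, "name"))))
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, check_manifest(manifest) or "no findings")
```

Run it directly to see the weak manifest produce four findings (the missing allowBackup="false", the debuggable flag, cleartext traffic, and the content provider exported without a permission) and the hardened one produce none. The launcher activity is deliberately skipped, since it must be exported for the app to start; everything else that is reachable from other apps without a permission is reported for triage.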
Mobile AST Requirements
The particularities of mobile applications described above determine a number of specific requirements for their security testing. Mobile AST shall be planned, organized, and performed as follows:
- A dedicated environment for testing mobile applications must be configured. It can include devices with the test tools installed as well as emulators (in the case of Android). Ideally these devices or emulators run different versions of the operating system.
- Integration with application distribution systems is required so that the latest versions are automatically delivered to the test devices, avoiding manual download and installation of the application on each device.
- Testing must take into account the architectural features of mobile applications and include checks for the specific vulnerabilities those features introduce.
- For full integration into the development process, automated tests (auto tests) are needed; they can be combined with security testing tools to generate data for analysis.
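The second requirement above (getting each new build onto every test device without manual steps) is, on the Android side, a small CI step. The script below is an added example, not code from the original text or from any distribution system: it lists the attached devices and emulators, skips those that are not ready, and installs the build on each one. It assumes the Android platform-tools adb binary is on PATH and that the APK has already been fetched from the distribution system with that system's own CLI or API (not shown); the adb devices -l output, the serial numbers and the APK path are constructed. iOS devices need the platform's own tooling and are not covered.

```python
"""CI step that installs the latest build on every attached Android device or emulator.

Added example, not from the original text. Assumes the Android platform-tools `adb`
binary is on PATH and that the build has already been fetched from the distribution
system (that fetch is done with the distribution system's own CLI or API and is not
shown). The `adb devices -l` output below is constructed; iOS devices need the
platform's own tooling and are not covered.
"""
import shlex
import subprocess

# Constructed sample of `adb devices -l` output: two ready devices, one that has not
# accepted the USB debugging prompt, and one offline emulator.
SAMPLE_ADB_DEVICES = """List of devices attached
emulator-5554          device product:sdk_gphone64_x86_64 model:sdk_gphone64_x86_64 transport_id:1
R58M12345AB            device usb:1-2 product:beyond1ltexx model:SM_G973F transport_id:2
0123456789ABCDEF       unauthorized transport_id:3
emulator-5556          offline transport_id:4
"""


def parse_adb_devices(output):
    """Return the serials of devices in the ready ('device') state.

    Offline and unauthorized entries are skipped: an install would fail on them, and
    an unauthorized device also means the test environment is not fully prepared.
    """
    serials = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("List of devices"):
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials


def install_commands(serials, apk_path):
    """One `adb install` per device; -r replaces an existing install while keeping its
    data, which mirrors how an update from the distribution system lands on the device."""
    return [["adb", "-s", serial, "install", "-r", apk_path] for serial in serials]


def install_everywhere(apk_path, adb_output=None, dry_run=True):
    """Install apk_path on every ready device and return {serial: result}.

    adb_output lets a caller supply captured `adb devices -l` text; when it is None the
    command is run for real. dry_run prints the commands instead of executing them.
    """
    if adb_output is None:
        adb_output = subprocess.run(["adb", "devices", "-l"], capture_output=True,
                                    text=True, check=True).stdout
    results = {}
    for cmd in install_commands(parse_adb_devices(adb_output), apk_path):
        serial = cmd[2]
        if dry_run:
            print(" ".join(shlex.quote(part) for part in cmd))
            results[serial] = "dry-run"
            continue
        proc = subprocess.run(cmd, capture_output=True, text=True)
        results[serial] = "ok" if proc.returncode == 0 else proc.stderr.strip() or "failed"
    return results


if __name__ == "__main__":
    # Dry run against the constructed device list; drop adb_output and dry_run for a real run.
    print(install_everywhere("app-release.apk", adb_output=SAMPLE_ADB_DEVICES))
```

In a pipeline the dry run is replaced by install_everywhere(apk, dry_run=False) right after the build is downloaded; the returned dictionary makes it easy to fail the job when any device did not receive the new version, which is the condition under which the later security checks would otherwise run against stale code.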