December 7, 2012
Testing Best Practices: Quality Assurance & Security Considerations
It’s hardly news that the number of mobile devices in the world is growing astronomically. According to a Forrester study published in February, an estimated one billion consumers will own smartphones by 2016. As the number of devices increases, so too do opportunities for attackers to gain access to sensitive personal information. One of the things that make mobile devices especially vulnerable is that many users aren’t aware of the risks involved. They think, “It’ll never happen to me,” or that “mobile” means “magically secure.”
As Quality Assurance testers, we have a key role to play in protecting a users’ security and privacy. This means we need to be prepared for the challenges that we will face. The first step is to take a look at the key vulnerabilities and ways to approach mobile application testing and security testing in each one of them.
Lost and stolen devices
Apart from the obvious threats like malware, phishing, and other attacks that can take place remotely, there is one major threat to the security of individuals and enterprises, which is lost and stolen devices. Look no further than the case of the left-behind iPhone 4 prototype for evidence of this type of security risk.
Every week, in every city around the world, scores of mobile phones are reported lost in public places like taxi cabs, restaurants, and bars. This remains the most common (and easiest) way of accessing other people’s sensitive information. To make matters worse, device owners rarely use a passphrase or code to protect unauthorized access to their device. That leaves the device wide open to information theft. Contacts, email messages, and data saved in some mobile applications can be easily accessed by anyone.
From a mobile application testing perspective, it is critical that apps under testing have the means to protect sensitive personal data against unauthorized access. This is very hard to achieve without compromising usability. Things like session timeouts or prompting a user to reenter the password for a transaction that involves money may be annoying or awkward to the user, but it’s a necessary evil for application security. Mobile application developers should strive to implement these kinds of mechanisms while keeping usability at an acceptable level. We should also look for the apps to store as little data as possible on the mobile device.
Application permission requests were built into mobile platforms as a means to improve security. Unfortunately, such notifications are being largely disregarded by device users. They tend to confirm all requests without thinking of the risks. This is because users are quick to choose functionality over security and privacy. In fact, that means any app may have the functionality to tap into the device’s messaging app or location data. And they end up having access to such data.
This is clearly a cultural issue so, as mobile apps developers, there is not much we can do to change the users’ behavior. However, we can make sure that the app is not attempting to get more permissions than those strictly needed and that the user is notified properly. The goal should be to minimize the risk while we wait for some cultural changes to take place and the users to start thinking more carefully about their security and privacy.
Numerous specialists have been warning that the Google Android and Apple iOS app stores have given rise to too many mobile app developers. Mobile application frameworks lack maturity, and when combined with the need for speed, that results in brittle code plagued with flaws and functionality that is not needed. Many mobile apps are built in two weeks…that’s clearly not enough time for putting much security thinking in this kind of development.
As mobile app testing specialists, we can play a key role in minimizing the issues caused by this brittle approach to mobile application development. Code review becomes a fundamental practice to study mobile app development and find a lot of hidden code errors. Such errors will never show during functional testing and most of them will be transparent to the end users; however, they could lead to data leakage or privilege-escalation vulnerabilities. Other common mistakes the mobile app tester should look for are authentication or authorization errors, poor file-system permissions and application permissions that are too lax.
Another major source of concern for mobile security experts is the data that is sent between the device and the server, especially as users increasingly use Wi-Fi in public locations. Wireless networks in places like hotels, airports and cafés lack security and are quickly becoming one of the favorite scenarios for attackers. Despite being highly insecure, users generally use such networks without much care. From a mobile apps testing perspective, the mobile apps developer’s role is to make sure that sensitive data in transit between the app and the Web server goes encrypted.
The same is true for Web applications; there are an increasing number of tools that can help us perform some basic security tests. We will discuss tools and utilities in detail in a future post, but for now we can mention traffic analysis and penetration tools. The first will allow us to “listen” to the traffic that flows between the device and the servers, manually analyze that traffic and look for method calls that could be manipulated, while penetration tools will allow us to simulate attacks to the app utilizing the same techniques a thief would use in real-life scenarios.