Monday, September 28, 2015

What Are Mobile Security Threats? Tips for testing your mobile app security

Mobile Security Threats – Overview - Part 1

The movement of critical applications to mobile is faster than expected. eMarketer expects mobile to overtake desktop in the US, rising from $8.72 billion to $12.85 billion, just above desktop's $12.82 billion. At the same time, there will be 156.4 million mobile phone search users in the US, representing 49.0% of the population. As of February 2015, 78% of Facebook users are mobile-only; 84% of 13-17 year olds own a mobile phone, and 83% of 6-9 year olds use a tablet. Mobile device makers are providing customized platforms to increase their share of the customer's wallet. 78% of smartphone users and 44% of tablet users have accessed a retail site via a mobile app; these people want on-the-go, targeted information with the minimal data use that a mobile app provides.


Mobile Applications

There are three types of applications found on a mobile device. Native applications are written for a specific platform and run only on the devices that platform supports, for example iOS apps on the iPhone. The most common are web applications, built on standards such as HTML5 and served online, which any mobile device with a browser can access. The last type is the hybrid application: a web-based user interface wrapped in a layer of native code, combining the best of the native and HTML5 worlds.

Mobile Security

Mobile Security – Five vulnerable areas

As the horizon widens, the scope for security threats to mobile applications also grows substantially. The security risk for mobile applications arises in the following five areas.
  1. How does access to the system work? Where are users challenged (authenticated) when they access the system? Can user IDs and passwords be recovered from the device?
  2. How is the data that reaches the mobile application validated?
  3. How is the audit trail of data flowing to and from the mobile application tracked?
  4. How safe is the data stored on the mobile device? Is all critical data encrypted at rest?
  5. Is data leaking into log files, or out through notifications?
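Items 1, 4 and 5 above (credentials on the device, unencrypted storage, and leakage into logs) are the ones a tester can check directly from captured logcat output and the app's local files. The following is an added example, not code from the original post: a small Python scanner run over constructed logcat lines and a constructed SharedPreferences file. The pattern names, the SENSITIVE_KEY rule, the hypothetical banking app and all sample data are assumptions made for illustration and should be tuned to the app under test.

```python
"""Added example (not from the original post): a tester-side scanner for the
leaks behind items 1, 4 and 5 above. It checks captured logcat output and an
Android SharedPreferences file for credentials, tokens, PII and card numbers.
All sample data below is constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# Patterns a tester typically hunts for on a device. Names are ours; tune the
# regexes to the app under test (they are deliberately broad).
PATTERNS = {
    "bearer_token": re.compile(r"(?i)bearer\s+[A-Za-z0-9._\-]{16,}"),
    "password_kv": re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd|pin)\b\s*[=:]\s*\S+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "imei": re.compile(r"\b\d{15}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}
# SharedPreferences keys whose mere presence in plaintext is a finding (assumed list).
SENSITIVE_KEY = re.compile(
    r"(?i)(?:^|_)(?:pass(?:word|wd)?|pwd|pin|token|secret|auth|key)(?:_|$)"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random 16-digit number is not reported as a card."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line: str):
    """Return [(finding_type, matched_text), ...] for one line of text."""
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(line):
            text = m.group(0).strip()
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", text)):
                continue                      # fails Luhn: probably not a PAN
            findings.append((name, text))
    return findings


def scan_logcat(lines):
    """Scan captured 'adb logcat' lines; returns [(line_no, (type, text)), ...]."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in scan_line(line)]


def scan_shared_prefs(xml_text: str):
    """Flag plaintext entries in a SharedPreferences XML: sensitive-looking keys,
    or values that match one of the PATTERNS. Returns [(key, value), ...]."""
    hits = []
    for el in ET.fromstring(xml_text):
        key = el.get("name", "")
        value = el.get("value") if el.get("value") is not None else (el.text or "")
        if SENSITIVE_KEY.search(key) or scan_line(f"{key}={value}"):
            hits.append((key, value))
    return hits


# Constructed logcat output from a hypothetical banking app under test.
SAMPLE_LOGCAT = [
    "D/LoginActivity: login attempt user=alice@example.com password=Summer2015!",
    "I/NetworkClient: GET /api/account Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln",
    "D/Checkout: charging card 4111 1111 1111 1111 exp 09/18",
    "V/Telemetry: frame rendered in 16ms",
]

# Constructed /data/data/<pkg>/shared_prefs/app.xml (XML declaration omitted).
SAMPLE_PREFS = """<map>
    <string name="username">alice@example.com</string>
    <string name="session_token">eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln</string>
    <boolean name="remember_me" value="true" />
    <string name="theme">dark</string>
</map>"""

if __name__ == "__main__":
    for line_no, (kind, text) in scan_logcat(SAMPLE_LOGCAT):
        print(f"logcat line {line_no}: {kind}: {text}")
    for key, value in scan_shared_prefs(SAMPLE_PREFS):
        print(f"shared_prefs: plaintext {key!r} = {value!r}")
```

In practice the input is the output of adb logcat -d while driving the app through login and checkout, plus the files under the app's shared_prefs directory pulled from a rooted test device. A hit in the log means the app writes that data where a debugger, a bug report or any process with log access can read it (item 5); a plaintext token or password in shared_prefs means item 4 fails no matter how well the network transport is encrypted. The Luhn check is there so that order numbers and timestamps do not swamp the report with false card-number findings.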

Five Major Mobile Security Threats:

The following are the five major threat areas that impact mobile security.
  • Firstly, data available on the device, such as phone numbers, call logs, contacts, account details and the IMEI, can be accessed without the owner's knowledge, often through vulnerabilities in the applications installed on the device.
  • Secondly, threats that cause direct financial loss: sending premium SMS messages, stealing PINs used for transaction authorization, making expensive calls, fake anti-virus and ransomware.
  • Thirdly, impersonation: SMS redirection, sending email messages, and posting to social media such as Facebook and Twitter in the owner's name.
  • Fourthly, surveillance: covert access to the microphone, camera, call logs, location and SMS messages on the device.
  • Lastly, botnet activity: launching DDoS attacks, click fraud, and sending premium SMS messages from the device.

Mobile Security Threat Modelling:

Before examining the vulnerabilities in mobile apps and building a threat model, we should categorize the applications present on the device, including those pre-installed by the manufacturer. The developers of these applications should have considered the OWASP Top 10 threats and addressed them. For example, to prevent SQL injection the code should keep untrusted data clearly separated from the command or query handed to the interpreter, typically by using parameterized queries rather than building the query text by string concatenation.
Before identifying threats, the factors that expose mobile applications should be considered and weighted appropriately: location independence, the always-online and traceable nature of the device, a stronger focus on design and functionality than on security, and the mix of application types on a device.
The threat model should cover both device security and app security: jailbreaking, the different platforms and OS versions, interfaces, Mobile Device Management, and so on. It should also consider exposure to different attackers: internal and external, with network or physical device access, and from a black-box or white-box position.
Having identified the threats, a risk should be attached to each one and the risks prioritized. Test cases should then be written for all relevant combinations of these identified risks.
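To make the SQL injection rule above concrete, here is an added example (not from the original post) in Python, run against an in-memory SQLite database of the kind a mobile app keeps on the device. The accounts table, its rows, the PAYLOAD and the injection_probe helper are all constructed for illustration; the point is the contrast between splicing untrusted input into the query text and binding it with a ? placeholder, and how a test case can tell the two apart.

```python
"""Added example (not from the original post): the SQL injection rule above,
shown against the local SQLite store a mobile app keeps on the device.
Schema, rows and the attacker payload are constructed for illustration."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """A constructed on-device cache, as a banking app might keep in SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, account_no TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "1001-22", 120.50), ("bob", "1002-87", 99999.00), ("carol", "1003-11", 4.25)],
    )
    return conn


def accounts_unsafe(conn: sqlite3.Connection, owner: str):
    """VULNERABLE: untrusted input is spliced into the query text, so the
    interpreter cannot tell where the data ends and the SQL begins."""
    sql = "SELECT owner, account_no FROM accounts WHERE owner = '%s'" % owner
    return conn.execute(sql).fetchall()


def accounts_safe(conn: sqlite3.Connection, owner: str):
    """FIXED: the ? placeholder keeps the value out of the query text; SQLite
    binds it as a string and never parses it as SQL."""
    sql = "SELECT owner, account_no FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# Constructed attacker input, e.g. typed into a search field of the app.
PAYLOAD = "x' OR '1'='1"


def injection_probe(conn: sqlite3.Connection, query_fn) -> bool:
    """Tester-side check usable as a test case: the payload must not return
    more rows than a benign, non-existent owner does. True means injectable."""
    baseline = len(query_fn(conn, "no-such-owner"))
    return len(query_fn(conn, PAYLOAD)) > baseline


def demo() -> dict:
    """Run both variants against the same data; returns the four result sets."""
    conn = build_db()
    return {
        "legit_unsafe": accounts_unsafe(conn, "alice"),
        "attack_unsafe": accounts_unsafe(conn, PAYLOAD),   # leaks every row
        "legit_safe": accounts_safe(conn, "alice"),
        "attack_safe": accounts_safe(conn, PAYLOAD),       # no row has that owner
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
    conn = build_db()
    print("unsafe injectable:", injection_probe(conn, accounts_unsafe))
    print("safe injectable:  ", injection_probe(conn, accounts_safe))
```

The vulnerable form returns every account for the payload because the resulting text is WHERE owner = 'x' OR '1'='1'; the parameterized form returns nothing because the whole payload is compared, as a string, against the owner column. The same contrast applies to the native SQLite APIs on Android and iOS, which offer the equivalent of ? binding.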

Mobile Security Tools/Testing Tools:

There are many commercial tools that protect the end user's device: anti-theft, antivirus, backup, blocking of unwanted calls, parental controls, web-root analysis, SIM card locking. These are aimed at end users protecting their own devices.
The mobile security testing tool space, by contrast, is still emerging, and no single tool yet addresses all of the threats above comprehensively. The tools that identify vulnerabilities in applications are quite good. The mobile security tester should select the appropriate tools to find each class of vulnerability and write comprehensive test cases to cover them across the target devices and applications.

It's Your Turn:

What do you think? How do you protect your mobile device with 360-degree security? Share your insights in the comments box below. The next part of this series is coming soon.  ~~ Keep Following ~~

Thursday, September 17, 2015

Various Agile Testing Practices Being Adapted By Global Enterprises

Microsoft CEO Satya Nadella has started preaching a more nimble, agile approach to building software, as part of the transformation the company has recently undergone. A recent survey of IT and development professionals shows that agile is the new norm: the majority of development projects and teams have embraced the methodology, while the pure waterfall model is slowly becoming a minority practice.

It was a little over a decade ago that agile software development first entered the scene as a reaction to traditional approaches to software development projects. While it was initially promoted as a movement, many saw it as a major challenger to entrenched practices such as the waterfall model. Its test-first practices, such as test-driven development (TDD), inspire confidence and promote simple designs. In TDD the developer begins by writing an automated test case that describes a new function or a feature that needs improvement, then produces the minimum amount of code needed to pass that test, and finally refactors the new code to meet acceptable standards. Testing the code at this early stage reduces the need for excessive debugging later. Another technique used by agile teams is behavior-driven development (BDD), which grew out of TDD; in BDD developers combine the ideas and techniques of TDD with object-oriented analysis and design.

Key Testing Methodologies in Agile

Agile development involves a number of different testing methodologies. Let us look at them in more detail.

Unit / Component Testing: Individual software units, their related data, and their usage procedures are tested to assess how well each one behaves in isolation. A unit test exercises the behavior of a small piece of code, the unit, and reports whether the test passed or failed. Automated unit testing brings benefits that align closely with several agile principles. The key one is that it produces working code faster, with fewer bugs; it also brings together a collection of skills, processes and tools that support agility. Because running the tests gives quick feedback, developers can cover more code, and, as the Agile Manifesto stresses, working software is what counts. Automated unit testing gets there quicker than any other process.

Integration Testing:
In an agile workflow the UI is bound to go through many changes and versions, with user feedback and team input as the deciding factors. Test automation at the UI level therefore becomes extremely time-consuming to maintain. To increase overall coverage without letting maintenance costs escalate, automation should concentrate on the service and system level beneath the UI, which is where integration tests live.

Acceptance TDD:
Acceptance test-driven development (ATDD) also follows a test-first approach. The development team first makes sure it understands the acceptance criteria, then creates test cases from the points clearly spelled out in those criteria. Any change to them is negotiated with the Product Owner in a planning meeting held beforehand.

The central idea of ATDD is a set of tests that must pass before an application can be regarded as finished. It is well established that testing an application before delivering it is an invaluable practice.

Continuous Integration:
Continuous Integration (CI) is an agile practice in which code is checked in in small increments and each increment is built and tested against the larger code base. The practice has been around for a long time, so long that most developers take it for granted and reduce it to "the build passed". That is not enough.
A successful build is only half the battle: it tells you that the code holds together syntactically, but nothing about whether it behaves correctly. Continuous integration should run the automated tests on every check-in and, ideally, deploy the built code automatically to the platform on which it is meant to run.

Agile teams are usually self-organizing, with a variety of skill sets spread across the team. Besides the test techniques above, developers can use code review to learn the code base and pick up new techniques and technologies. Code reviews benefit every team regardless of development methodology, but with work decentralized across the team they are especially valuable to agile teams: they spread knowledge not only across the team but also across the code base.

Conclusion:
On an agile project, a set of tests confirms that the system works as expected; these are value-driven tests that focus on value creation. Exploratory testing, on the other hand, is driven by risk and focuses on unexpected behavior. The two are complementary in outcome but conflicting in goal, and that tension needs to be recognized. This is why automating the confirmatory tests matters: it leaves the team time for the exploratory work that automation cannot do.

Thursday, September 3, 2015

Quality Assurance Is a Step Ahead in Software Testing

Was the software tested? That is the first question customers ask when it stops working or a critical problem appears. That is why Quality Assurance in software testing is so important: it is what lets the software run smoothly without complaint. QA specialists study the different test cases, judge the test scenarios to find the critical issues, and bring out solutions for them.

Basically, QA is the set of actions that ensure a service is high-quality and profitable; it is based on reviews that continue throughout the life of the solution, from solution design to solution delivery. The main objective of QA is to reduce the "expected risk" that threatens the success of the project.

QA is an integral part of software testing. In the SDLC, everyone follows the process below to complete a project:
  • The client's main requirements are gathered
  • The software developer develops and assembles the code to build the software
  • It is then passed through testing, i.e. a tester performs the different phases of testing such as unit testing, module testing, etc.
  • QA specialists analyze the gaps in the software and check whether it meets the client's requirements
  • Finally, it goes to production and is delivered to the client
QA acts as a filter so that the SDLC can be completed successfully. It is one step ahead of software testing because QA analysts never rest: they keep the process going, managing test cases, test execution, customer support and the search for defects, and suggesting further improvements to the application. It is an integrated procedure in which everyone needs to work within a proper system for the work to go smoothly. They are the final people to check the quality of the application before it is delivered to the client.

The performance and quality of an application have become vital: everyone wants to be a part of this connected world, and QA analysts, by delivering top-quality applications, indirectly become part of the best services the client offers to its target customers. The software development lifecycle is a team effort, much like preparing food for guests: without reviewing the taste, texture and health benefits, you cannot put the dish in front of the guests. Software creation works the same way.

Reviews at each stage of the SDLC reduce risk, effort, time and cost. QA analysts help clients reach their business goals in real time, with less risk and maximum customer satisfaction. In the SDLC, the quality of the software application is what matters most in the end.