ANDROID PENETRATION TESTING
At a glance
The number of mobile device users has increased significantly in recent years: smartphone ownership now extends to more than half the world, and mobile applications have become an integral tool in daily life. Protecting the data that mobile applications access has therefore become critically important. The flood of apps can be seen in just about every industry.
WCS’s Android app penetration testing is designed to analyze the security of the Android version installed on the device under test, along with the applications installed on that device. Testing looks to identify weaknesses that could result in the compromise of the Android device, any information held on the device, or any networks the device can access.
Authentication Session Management
Session security is an essential consideration in the design of mobile systems and apps where communication between the device and an external network is vital for operation. Inadequate security controls can expose user accounts to risks of unauthorized access and data loss. Authentication vulnerabilities are consistently considered a significant risk for mobile systems.
The majority of mobile applications implement user authentication processes to manage authorization controls. Android supports a range of local and biometric authentication mechanisms to facilitate this. Typically, the number and type of authentication procedures implemented will relate to the sensitivity of the information and resources that the application may access.
Authentication session management testing includes verification that the authentication procedures employed by an application meet industry best practices for that application’s specific access type. Authentication procedures may range from a simple username and password through to two-factor or biometric authentication. Testing of applications handling sensitive information such as financial transaction data will include checks for compliance with industry standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act (SOX).
Where passwords are employed for user authentication, password strength and policy enforcement are assessed to ensure the authentication processes are sufficiently secure for the purpose the control serves.
Input and Output Manipulation
Input and output manipulation testing revolves around injecting data into communications to force applications into unexpected or incorrect operation. Injection flaws are security vulnerabilities that are exploited by inserting attacker-controlled data into backend commands. By injecting meta-characters into a command string, an attacker can cause the injected data to be interpreted as part of the command and executed as such.
While these types of vulnerabilities are most prevalent in server-side web services, mobile applications can also be vulnerable to these techniques. The input and output manipulation tests will ensure that data validation techniques are employed to protect against such manipulation.
The test process assesses the mobile application’s entry points for untrusted input and identifies calls to known dangerous library/API functions.
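The string-building pattern described above is common in Android apps that query local SQLite storage. The following Java snippet is an added example, not WCS’s own test code, showing the injectable form beside the parameterised form together with an entry-point allow-list check; the `AccountLookup` class, the `accounts` table and its column names are assumptions.

```java
// Added example (not WCS's code): an Android SQLite lookup written the
// injectable way and the parameterised way. Class and table names are assumed.
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

public class AccountLookup {
    private final SQLiteDatabase db;

    public AccountLookup(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE: the username is concatenated into the SQL text, so a
    // single quote in the input changes the structure of the command and
    // the remainder of the input is executed as part of it.
    public Cursor findAccountUnsafe(String username) {
        String sql = "SELECT id, email FROM accounts WHERE username = '"
                + username + "'";
        return db.rawQuery(sql, null);
    }

    // HARDENED: the value travels as a bound parameter; SQLite treats it as
    // data regardless of which meta-characters it contains.
    public Cursor findAccountSafe(String username) {
        return db.query(
                "accounts",
                new String[] {"id", "email"},
                "username = ?",
                new String[] {username},
                null, null, null);
    }

    // Allow-list validation at the entry point, applied before any query.
    // Usernames in this (assumed) scheme are 3-32 word characters, so quotes,
    // semicolons and comment sequences are rejected outright.
    public static boolean isValidUsername(String username) {
        return username != null && username.matches("[A-Za-z0-9_]{3,32}");
    }
}
```

During testing, the presence of `rawQuery`/`execSQL` calls fed by concatenated input is exactly the kind of dangerous API usage the entry-point review looks for.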
Information Leakage
Information leakage is a type of software vulnerability whose exploitation results in information being unintentionally disclosed to end users. This type of vulnerability is particularly useful to attackers looking to gather system information that aids the identification of other known vulnerabilities and the escalation of their attack.
The information leakage tests specifically look to identify any weakness that results in the unintentional disclosure of information that could help an attacker mount further attacks on the application, the device or the interconnected infrastructure. This is distinct from weaknesses that lead to the exposure of sensitive information either at rest or in transit.
A typical example of information in this category is account identification data that, if disclosed, would enable a brute-force attack against the application’s access controls.