Securing business data

Mobile Application Testing

CNS will evaluate the security of the application: how does it handle and store data? How does it transmit data? Does it manage sessions properly? CNS will assess the application from both an authenticated and an unauthenticated point of view (i.e. as an authorised user, and as someone who has stolen the device). It is vital that mobile applications for staff or clients handle and use data in a sensible fashion.


Types of Application

There are a number of different platforms and languages that make up what we now commonly know as an "app". Testing the different types and parts of an application can take time, and the methods of doing so vary depending on the platform and the type of application. The three that follow are typical examples found on most Android and iOS operating systems:

1. Web-based applications - JavaScript, CSS, HTML etc.

2. Native iOS/Android/Windows/BlackBerry applications - Objective-C/Java etc.

3. Hybrid applications - native applications with embedded web views/content.

It is important to note that the techniques and languages used to write the applications vary for each mobile platform. To this end, each application should be treated as a separate application and tested independently.


Mobile Application Testing Process

The process should always begin with an overview of how the application works and what it does. Once that is determined, there are a number of steps we will take to identify any potential weaknesses in the way the application works, stores data, or transmits data.

The end user's handset or mobile device should be treated as if it is compromised or stolen. Any security that is based on the client-side installed application exists under the control of the attacker and can be disabled or modified; this also applies to secure storage. For example, if data is stored on the device in encrypted form and the key is also stored on the device, then that key can be recovered and used. This does not mean that client-side security mechanisms should not exist, but security must exist on the server side as well. The test will broadly follow the same steps as an OWASP application test, e.g. are messages encrypted, are sessions handled properly, is the application vulnerable to code injection, etc.

This approach can be roughly broken down into:

1. Application Mapping
2. Client Attacks
3. Network Attacks
4. Server Attacks
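The point made above about the compromised handset, as an added illustration that is not part of the original page or of CNS's own tooling: a constructed app keeps a local entitlements record protected with a device-stored HMAC key, which is enough for the app to check itself but not enough once the device holder can read that key; the server-side check, which consults the server's own record instead of the client's claim, is the control that still holds. All names, keys and records here are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption for the example: the key ships inside the app bundle, so it is
# readable by whoever holds the device (the tester's threat model above).
DEVICE_KEY = b"constructed-device-key"

# Constructed server-side record of what each account is actually entitled to.
SERVER_ENTITLEMENTS = {"user-42": {"tier": "basic"}}


def client_sign(record: dict, key: bytes) -> dict:
    """App side: attach an HMAC tag so the app can check its own stored record."""
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": record, "tag": tag}


def client_verify(stored: dict, key: bytes) -> bool:
    """App side: recompute the tag over the stored body and compare it."""
    body = json.dumps(stored["body"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stored["tag"])


def server_authorize(user: str, requested_tier: str) -> bool:
    """Server side: ignore what the client claims and consult the server record."""
    return SERVER_ENTITLEMENTS.get(user, {}).get("tier") == requested_tier


def demo() -> dict:
    # The record the app legitimately wrote to local storage.
    stored = client_sign({"user": "user-42", "tier": "basic"}, DEVICE_KEY)
    # On a compromised device the key is recoverable, so a modified record can
    # be re-signed with it and the app's own integrity check still passes.
    tampered = client_sign({"user": "user-42", "tier": "premium"}, DEVICE_KEY)
    return {
        "original_passes_client_check": client_verify(stored, DEVICE_KEY),
        "tampered_passes_client_check": client_verify(tampered, DEVICE_KEY),
        # The server's own record says "basic", so the claim is refused here.
        "tampered_passes_server_check": server_authorize(
            "user-42", tampered["body"]["tier"]
        ),
    }


if __name__ == "__main__":
    print(demo())
```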

Testing Process Flow Diagram

Get in touch

Talk to our experts today +44 (0) 20 7592 8800
