How is the security of a mobile application evaluated?

Assessing the security of a mobile application is essential to detect problems in apps and mitigate them before cybercriminals exploit them

In early May 2024, it became public that some of the most downloaded mobile applications in the world, such as Xiaomi File Manager or WPS Office, were vulnerable to an attack that has put Android mobile security at risk in 2024: Dirty Stream. This case allows us to observe how malicious actors are focusing on attacking our cell phones, critical devices for our day-to-day personal, professional and business lives.

In this dangerous context, assessing the security of a mobile application has become an essential action for companies that develop mobile apps. Mobile application security audits allow companies to detect and mitigate vulnerabilities before they can be successfully exploited. Therefore, companies that develop mobile applications must submit their apps to periodic security tests.

Below, we will explain how to evaluate the security of a mobile application to make it resilient to the growing number of attacks against our smartphones.

The main objectives of mobile app audits

A security audit of a mobile application consists of analyzing its components and functionalities to verify its security status. This type of audit is performed on both Android and iOS applications.

Some of the main objectives of mobile app security testing are:

• Determine the maturity level of the application in terms of security.
• Identify weak points or entry vectors for a potential attacker.
• Ensure proper use of the tools provided by the platform.
• Raise user awareness of the responsible use of the applications.
• Comply with current regulations and standards.
• Complement the risk management process.

Dynamic and static analysis of a mobile application

The dynamic analysis of a mobile application consists of a set of techniques that aim to study the application’s behaviour while it is running. As a result, the application is interacted with to analyze how it manages user data and binary protections. This type of analysis is broken down into the following parts:

• Monitoring of the application and manipulation of its execution flow.
• Interception and analysis of the communication between the application and the servers.

The second point is closely related to the procedures followed during the security audit of a conventional web application or API, so the vulnerabilities identified will be similar.

While static analysis is composed of a set of techniques aimed at reverse engineering the application, in this process of assessing the security of a mobile application, an attempt is made to recover the application code and its resources to identify vulnerabilities without executing them and to understand their logic as far as possible.

Methodologies used to perform a mobile app security audit

Currently, the primary reference in this type of audit to evaluate the security of a mobile application is the OWASP mobile security project (OWASP MAS).

This project includes a verification standard (MASVS) that indicates the security controls to be performed, together with a testing guide (MASTG). This second document explains Android and iOS concepts in detail and raises multiple techniques and tools to verify the controls described in the MASVS.

Additionally, it is relevant to follow methodologies used in conventional web application security audits (OWASP ASVS/WSTG) or an API (OWASP Top 10 API) to identify security issues in the application’s communications with servers.

Tools for assessing the security of a mobile application

The toolkit used in a mobile application security audit is extensive due to the many factors that must be considered. The types of tools most commonly used to assess the security of a mobile application are:

• Decompilers are programs that allow one to obtain an approximation of the application’s source code and various resources. For example, in Android, it is common to use Apktool to unpack APK files, while in iOS, it is common to use GHidra, Hopper or IDA to decompile the executable of the IPA file.
• Proxy servers are tools that intercept the communication between the application and the servers to analyze and modify it. This type of program is essential for studying the information exchanged with the servers during dynamic analysis. An example of a widely used proxy server is Burp Suite.
• Code instrumentation tools are programs that inject dynamic libraries into the application process to manipulate its flow during execution. This type of program is mainly used to circumvent binary protection measures against reverse engineering, such as detection of execution on jailbroken or rooted devices and the use of debuggers. The best-known tool to perform these tasks is Frida or those based on it, such as objection.
• Rooting/jailbreak software: programs used to modify the operating system of a mobile device to disable multiple security measures that make auditing difficult. An example of this type of measure is sandbox protection, which prevents a user or program from accessing the files managed by an application. Currently, for Android, the best option is to use Magisk, and for iOS, depending on the operating system version, we have Checkra1n or Dopamine.
• Android and iOS development tools: set of programs included in Android and iOS development kits. For example, an essential Android auditing program is ADB. On the other hand, iOS users are expected to use specific tools.

Risks of not assessing the security of a mobile application

Failure to properly review the security of a mobile application can have serious consequences that could result in an attacker compromising user information.

The most common security issues to which a mobile application can be exposed are:

• Insecure storage of sensitive information on the device.
• Inadequate use of the platform’s tools.
• Presence of sensitive information in the application.
• Exposure of sensitive functionalities to third parties.
• Use of obsolete technologies.
• Insufficient protection against reverse engineering.
• Leakage of personal data to third-party platforms.

Due to the complexity of mitigating these security problems in this type of app, conducting an annual security audit of mobile applications is recommended. Additionally, a recertification can be performed between audits to verify the proper mitigation of identified vulnerabilities.

In short, mobile applications have become critical tools for individuals and companies. Through them, we control our bank accounts, communicate with friends, colleagues, and partners, check the news, and manage multiple areas of our daily lives.

That is why they have become a very attractive target for criminals. Evaluating the security of a mobile application is the best way for developers to prevent their app’s security from being breached. And, incidentally, to avoid the economic, reputational and legal consequences of a security incident.