
What are the vulnerabilities that will be detected from mobile application vulnerability / security scanner?

A mobile application security scanner (or vulnerability scanner) is a purpose-built tool or service that addresses the security concerns and requirements specific to mobile applications.

Test mobile apps to the appropriate depth

Not all mobile applications are created equal when it comes to security assurance. A simple marketing application may only need a fast automated scan with each incremental release. For an application that handles personal, financial or health-care information, on the other hand, you need to secure the entire mobile ecosystem: the application installed on the customer's device, the back-end web services it communicates with, and the data that flows between them.

Which security concerns apply, and what a given tool or system is used for, depends on the stage of the mobile application lifecycle and on the division of work:

A mobile application is developed for, and runs on, a mobile device operating system, most commonly Google Android or Apple iOS. The application itself (with its source code and development platform), the mobile platform, and the OS APIs and shared services the app relies on together form the mobile application architecture. As with web application architecture, this architecture has its own components and its own set of security concerns. That is why a generic vulnerability scanner built for scanning hosts is the wrong tool for a mobile app: a native app is installed on the mobile OS from a package, and it typically follows a client-server model in which the native app talks to a back-end server (Facebook and eBay are familiar examples).

Automated source code audit is possible for both the server-side and the client-side code. A commercial static application security testing (SAST) tool can only perform genuine mobile static application security testing (Mobile SAST) if it supports the mobile platform, the type of mobile app, and the language the source code is written in.

When only the binary application is available, the app can still be analysed dynamically, statically (on the compiled package) and behaviourally, but without access to its source code. Tools of this kind are usually grouped under the Mobile DAST category. Typical vulnerability types they detect include: leaking sensitive personal data (email address, credentials, IMEI, GPS position, MAC address); network communication with little or no encryption; world-readable or world-writable files; arbitrary code execution; and malware.

Remark: a website that offers an HTML5 mobile interface is not classified as a mobile application; it falls within the domain of web application security scanners, because it is built on a web application architecture. It is typically tested by running a web vulnerability scanner whose requests identify themselves as a mobile browser such as Chrome on Android or Safari on iOS (usually by setting the User-Agent header), so that the server returns the mobile interface.

Mobile SAST detects highly complex vulnerabilities that are not visible without access to the source code, and it reports the precise location of each flaw in the source, down to the line number, which greatly simplifies remediation and the triage of false positives. The categories it covers correspond to the OWASP Mobile Top 10:

- Improper platform usage: misuse of a platform feature or failure to use a platform security control, for example Android intents, platform permissions, misuse of TouchID or the Keychain, or some other security control that is part of the mobile operating system. There are several ways a mobile app can be exposed to this risk.
- Insecure data storage: insecure data storage and unintended data leakage.
- Insecure communication: poor handshaking, incorrect SSL/TLS versions, weak negotiation, cleartext communication of sensitive assets, and so on.
- Insecure authentication: failures in authenticating the end user, and bad session management.
- Insufficient cryptography.
- Insecure authorization.
- Client code quality.
- Code tampering.
- Reverse engineering.
- Extraneous functionality.
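As an added illustration of the kind of rule a mobile static scanner applies to the findings listed above and to the binary-analysis findings mentioned earlier (this is example code written for this page, not code from the page's author or from any scanner product), the Python below runs pattern-based checks over constructed fragments of decompiled Android source and a manifest, and reports each hit with file, line and the Top 10 category it maps to. The file contents, the rule identifiers and the rule-to-category mapping are all constructed for this example; real scanners use data-flow analysis rather than regular expressions, so rules like these produce false positives and miss anything that is assembled at run time.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: fragments of a decompiled Android app and its
# manifest, written for this example. No real application is represented.
SAMPLE_FILES: Dict[str, str] = {
    "AndroidManifest.xml": """
<manifest package="com.example.demo">
  <application android:usesCleartextTraffic="true" android:debuggable="true">
    <activity android:name=".PayActivity" android:exported="true"/>
  </application>
</manifest>
""",
    "com/example/demo/PayActivity.java": """
String imei = telephonyManager.getDeviceId();
Log.d("PayActivity", "device imei=" + imei + " user=" + email);
FileOutputStream out = openFileOutput("session.txt", MODE_WORLD_READABLE);
String apiKey = "sk_live_0123456789abcdef";
URL url = new URL("http://api.example.com/v1/charge");
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
""",
    "com/example/demo/TrustAll.java": """
public void checkServerTrusted(X509Certificate[] chain, String authType) {
}
""",
}


@dataclass
class Rule:
    rule_id: str      # hypothetical rule identifier, made up for this example
    category: str     # OWASP Mobile Top 10 category the finding maps to
    pattern: re.Pattern
    message: str


@dataclass
class Finding:
    rule_id: str
    category: str
    path: str
    line: int
    message: str
    evidence: str


# Heuristic rules; each is a textual approximation of a real scanner check.
RULES: List[Rule] = [
    Rule("M1-001", "M1 Improper Platform Usage",
         re.compile(r'<(activity|service|receiver|provider)[^>]*android:exported="true"'
                    r'(?![^>]*android:permission)'),
         "component exported without a permission guard"),
    Rule("M2-001", "M2 Insecure Data Storage",
         re.compile(r"\.getDeviceId\(\)"),
         "collects the IMEI, a persistent device identifier"),
    Rule("M2-002", "M2 Insecure Data Storage",
         re.compile(r"Log\.[dviwe]\(.*(imei|email|password|token)", re.I),
         "sensitive value written to logcat"),
    Rule("M2-003", "M2 Insecure Data Storage",
         re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"),
         "file created world readable/writable"),
    Rule("M3-001", "M3 Insecure Communication",
         re.compile(r'usesCleartextTraffic\s*=\s*"true"'),
         "manifest permits cleartext traffic"),
    Rule("M3-002", "M3 Insecure Communication",
         re.compile(r'"http://'),
         "hard-coded plain-HTTP URL"),
    Rule("M3-003", "M3 Insecure Communication",
         re.compile(r"checkServerTrusted\([^)]*\)\s*\{\s*\}"),
         "empty checkServerTrusted(): server certificate is never validated"),
    Rule("M5-001", "M5 Insufficient Cryptography",
         re.compile(r'Cipher\.getInstance\("(DES|AES/ECB)'),
         "weak cipher or ECB mode"),
    Rule("M9-001", "M9 Reverse Engineering",
         re.compile(r'(api[_-]?key|secret|password)\s*=\s*"[^"]+"', re.I),
         "hard-coded secret recoverable from the package"),
    Rule("M10-001", "M10 Extraneous Functionality",
         re.compile(r'debuggable\s*=\s*"true"'),
         "debuggable build"),
]


def scan_file(path: str, text: str) -> List[Finding]:
    """Apply every rule to one file; line numbers come from the match offset."""
    lines = text.splitlines()
    findings: List[Finding] = []
    for rule in RULES:
        for m in rule.pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(rule.rule_id, rule.category, path, line_no,
                                    rule.message, lines[line_no - 1].strip()))
    return findings


def scan_app(files: Dict[str, str]) -> List[Finding]:
    """Scan every file of an unpacked app; results ordered by file, line, rule."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_file(path, text))
    return sorted(findings, key=lambda f: (f.path, f.line, f.rule_id))


def count_by_category(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_app(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line} [{f.rule_id}] {f.category}: {f.message}")
        print(f"    {f.evidence}")
    print(count_by_category(results))
```

The file-and-line output is the part that matters in practice: a finding without a location is a ticket nobody can act on, and the line-level evidence is what lets a reviewer dismiss a false positive quickly.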

Mobile SAST with SCA (Software Composition Analysis). Many organisations use open source or third-party components (frameworks, plug-ins and libraries), which can make up as much as 90% of a typical application. For a project that pulls in many third-party components, modules and libraries, SCA scans those components for known security vulnerabilities that you would otherwise package into your own application. For the results to be meaningful, the scan has to cover transitive dependencies as well as the ones declared directly, and it has to match on the version that actually ends up in the package, not only the one written in the build file.
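As an added example of what an SCA step does (example code written for this page, not code from the page's author or from any SCA product), the Python below parses a constructed Gradle-style dependency tree, takes the resolved version where Gradle reports a conflict resolution (`1.2.0 -> 1.3.1`), and matches each component against a constructed advisory list that records affected versions as the range [introduced, fixed). Every library coordinate, version, advisory identifier and advisory title here is fictitious and exists only to exercise the matching logic.

```python
import re
from typing import Dict, List, Tuple

# Constructed input in the shape `gradle dependencies` prints. Every
# coordinate and version is fictitious; "1.2.0 -> 1.3.1" shows Gradle
# resolving a declared version to a newer one required elsewhere.
SAMPLE_DEPENDENCIES = """\
+--- com.example.net:httpclient:3.4.1
+--- com.example.json:jsonlite:1.2.0 -> 1.3.1
|    \\--- com.example.util:textutils:2.0.7
+--- com.example.crypto:lightcipher:0.9.0
\\--- com.example.ui:widgets:5.1.0
"""

# Constructed advisory feed with hypothetical identifiers (not real CVEs).
# A component is affected when introduced <= version < fixed.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "EXAMPLE-ADV-001", "component": "com.example.net:httpclient",
     "introduced": "3.0.0", "fixed": "3.4.2",
     "title": "missing certificate hostname check"},
    {"id": "EXAMPLE-ADV-002", "component": "com.example.json:jsonlite",
     "introduced": "1.0.0", "fixed": "1.3.0",
     "title": "unsafe deserialisation"},
    {"id": "EXAMPLE-ADV-003", "component": "com.example.util:textutils",
     "introduced": "2.0.0", "fixed": "2.0.5",
     "title": "injection in template expansion"},
    {"id": "EXAMPLE-ADV-004", "component": "com.example.crypto:lightcipher",
     "introduced": "0.0.0", "fixed": "1.0.0",
     "title": "static IV in CBC helper"},
]

# group:artifact:version, optionally followed by " -> resolvedVersion"
COORD_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+)"
    r"(?:\s+->\s+([A-Za-z0-9_.\-]+))?")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple so that 3.10.0 > 3.9.0; non-numeric suffixes are ignored."""
    parts: List[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Range check on parsed versions, never on version strings."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def parse_dependencies(tree: str) -> Dict[str, str]:
    """Map group:artifact to the version actually on the classpath.

    Transitive entries are included; when Gradle shows a resolution arrow,
    the resolved version is the one that ships, so it wins.
    """
    deps: Dict[str, str] = {}
    for line in tree.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        group, artifact, declared, resolved = m.groups()
        deps[f"{group}:{artifact}"] = resolved or declared
    return deps


def find_vulnerable(deps: Dict[str, str],
                    advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one hit per advisory whose component is present in an affected version."""
    hits: List[Dict[str, str]] = []
    for adv in advisories:
        version = deps.get(adv["component"])
        if version is not None and is_affected(version, adv["introduced"], adv["fixed"]):
            hits.append({"id": adv["id"], "component": adv["component"],
                         "version": version, "fixed": adv["fixed"],
                         "title": adv["title"]})
    return hits


if __name__ == "__main__":
    deps = parse_dependencies(SAMPLE_DEPENDENCIES)
    for hit in find_vulnerable(deps, ADVISORIES):
        print(f'{hit["id"]}: {hit["component"]} {hit["version"]} '
              f'(fixed in {hit["fixed"]}): {hit["title"]}')
```

Two details carry most of the value. The declared version of `jsonlite` (1.2.0) falls inside the constructed affected range, but the resolved version (1.3.1) does not, so matching on what the build file says would produce a false alarm. And comparing versions numerically rather than as strings keeps a component at 3.10.0 from being reported as older than a fix in 3.9.0.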