Areas to Test For Mobile App Security

While there are many ways to test a mobile app, one security expert says three areas must be tested no matter what.

Writing in his Spylogic blog, Tom Easton says that the application layer is the obvious choice, but of equal importance are the transport layer and the file structure.

Easton, who has presented at Black Hat, SANS Mobile Device Security Summit and OWASP AppSec DC, writes that at the application layer, authorization and authentication need to be reviewed, as well as session handling, business logic, input validation and crypto functions. In addition, "Business logic needs to be reviewed just like you would in a Web Application Assessment," he said.

At the transport layer, the questions to ask are: How does the application communicate over TCP? How are custom protocols and third-party APIs used? Does the application use SSL? Is it vulnerable to “sidejacking” (HTTP session hijacking)?

For the mobile file system, the question is how much information is being stored in files, SQLite databases, system logs and elsewhere, and whether any of it contains private keys or hardcoded passwords.
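One way to automate that file-system check, as an added example that is not from Easton's post or any tool he describes: a Python scanner that walks an extracted app data directory, reads plain files and logs as raw bytes, and queries every table of any SQLite database it finds for PEM private-key headers and password assignments. The sample storage it builds is constructed for the demonstration; the regexes and file layout are assumptions.

```python
import os, re, sqlite3
from pathlib import Path

# Secret types the article calls out in app storage: PEM private keys and hardcoded passwords.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
PASSWORD_RE = re.compile(rb"(?i)\b(?:password|passwd|pwd)\b\s*[=:]\s*\S+")

def scan_blob(blob, location, findings):
    if PRIVATE_KEY_RE.search(blob):
        findings.add((location, "private_key"))
    if PASSWORD_RE.search(blob):
        findings.add((location, "hardcoded_password"))

def scan_sqlite(path, findings):
    # Scan every TEXT/BLOB value in every table; column names are not trusted.
    conn = sqlite3.connect(path)
    conn.text_factory = bytes  # hand TEXT columns back as raw bytes
    try:
        names = [r[0].decode() for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in names:
            for row in conn.execute(f'SELECT * FROM "{table}"'):
                for value in row:
                    if isinstance(value, bytes):
                        scan_blob(value, f"{path}:{table}", findings)
    finally:
        conn.close()

def scan_app_storage(root):
    # Walk an extracted app data directory: plain files, logs and SQLite databases.
    findings = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            data = Path(path).read_bytes()
            if data.startswith(b"SQLite format 3\x00"):
                scan_sqlite(path, findings)
            else:
                scan_blob(data, path, findings)
    return sorted(findings)

def build_sample_storage(root):
    # Constructed sample app storage (not data from any real app) for demonstration.
    os.makedirs(root, exist_ok=True)
    Path(root, "app.log").write_text("2024-01-01 login ok user=alice password=hunter2\n")
    with sqlite3.connect(os.path.join(root, "prefs.db")) as conn:
        conn.execute("CREATE TABLE prefs (k TEXT, v TEXT)")
        conn.execute("INSERT INTO prefs VALUES ('client_key', '-----BEGIN RSA PRIVATE KEY-----...')")
    conn.close()
```

Run `build_sample_storage(d)` followed by `scan_app_storage(d)` on a scratch directory to see one finding per location and secret type; on a real assessment, point the scanner at the app's extracted data directory instead.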