Mobile Application Security Testing - Deloitte


Mobile Application Security Testing, April 2019


OUR UNDERSTANDING

Mobile devices have become a part of our life, and the applications on them are a dominant form of digital interaction. All of us use at least four to five mobile apps every day. We can check everything on apps, right from our bank account balance and the latest scores of different sports to shopping for an outfit and finding directions to a restaurant. There's an app for almost everything.

Mobile apps play a very prominent role in driving the business of every organisation today. Given the increased usage by organisations, it is crucial to secure these mobile apps to preserve and improve the business' reputation.

It is imperative that user data, company data and intellectual property are secured and handled properly on all mobile apps. Hence, mobile app security testing is critical to meeting today's security threats. However, a one-size-fits-all approach to mobile app security testing isn't sufficient, because every mobile app is unique and requires a different level of security.

Our comprehensive mobile security testing approach and methodology have been developed after performing several mobile app security assessments across various clients in different sectors such as banking, finance, healthcare, indoor navigation, technology and IoT solutions.

TYPICAL CHALLENGES IN MOBILE APPLICATION SECURITY TESTING

Blind spot while scoping: When a traditional security testing approach is followed during scoping and coverage, different areas in the mobile app ecosystem lead to "blind spots".

Standard threats and risks: A one-size-fits-all approach to mobile app security testing isn't sufficient, because every mobile app is unique and requires a different level of security.

Mobile app testing environment: Mobile apps face device compatibility issues, and a device farm of jailbroken iOS and rooted Android devices, along with specialised tools, is required to execute fine-grained mobile app security tests.

Skill sets: Mobile app security testing requires various skill sets to work together, which is often challenging.

Our comprehensive mobile security testing approach will cover all the possible threats and attack vectors that affect the mobile app landscape.

2019 Deloitte Touche Tohmatsu India LLP

OUR VALUE PROPOSITION

MOBILE PENTESTING SETUP: Device farm made up of jailbroken/rooted and non-jailbroken/non-rooted devices running different OS versions. This ensures mobile app compatibility and execution of a high percentage of planned security tests.

TEST CASES: 50 security tests formulated for both Android and iOS applications.

RUNTIME ANALYSIS: Usage of specialised tools and techniques for advanced mobile application testing.

DEPLOYMENT SOLUTION AND CONFIGURATION: Employ techniques to bypass certificate pinning, rooted/jailbroken device detection, and debug and tamper detection, and to find loopholes in the settings and configurations of device management solutions.

MOBILE APPLICATION SECURITY TESTING COVERAGE AREAS

APPLICATION LEVEL
- Improper session management (mobile and server side)
- Weak server-side controls
- Server-side penetration testing
- Back-end services and Application Programming Interface (API) testing

MOBILE DEVICE LEVEL
- Reverse engineering and code analysis
- Stealing sensitive information
- Data storage and forensic analysis
- File analysis
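The device-level coverage areas above (reverse engineering and code analysis, loopholes in settings and configurations) start with the decoded APK. The following is an added example written for this page; it is not Deloitte's tooling or methodology, and the two XML documents in it are constructed samples, not taken from any real app. It implements the kind of static check that scanners such as QARK, AndroBugs and MobSF automate: parse an apktool-decoded AndroidManifest.xml for debuggable, backup, cleartext and exported-component issues, and parse the referenced network_security_config.xml for settings that make interception trivial (user-installed CAs trusted, cleartext permitted, no certificate pins). The finding codes (DEBUGGABLE, NSC_USER_CA_TRUSTED, and so on) are this example's own naming.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute (returns None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Constructed sample of an apktool-decoded manifest; package name is fictitious.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="bankapp"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.bank.data"
              android:exported="true" android:permission="com.example.bank.READ"/>
  </application>
</manifest>
"""

# Constructed sample res/xml/network_security_config.xml.
SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
  </domain-config>
</network-security-config>
"""


def _is_launcher(comp):
    """The launcher activity is legitimately exported; don't flag it."""
    return any(_attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in comp.iter("category"))


def is_exported(comp):
    """Explicit android:exported wins; otherwise, before targetSdk 31, a
    component with an intent-filter is exported by default."""
    exported = _attr(comp, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return comp.find("intent-filter") is not None


def analyse_manifest(xml_text):
    """Return finding codes for an apktool-decoded AndroidManifest.xml."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    for attr, code in (("debuggable", "DEBUGGABLE"),
                       ("allowBackup", "ALLOW_BACKUP"),
                       ("usesCleartextTraffic", "CLEARTEXT_TRAFFIC")):
        if (_attr(app, attr) or "").lower() == "true":
            findings.append(code)
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or _is_launcher(comp):
            continue
        # Exported and reachable by any app on the device without a permission gate.
        if is_exported(comp) and _attr(comp, "permission") is None:
            findings.append("EXPORTED_NO_PERMISSION:" + (_attr(comp, "name") or "?"))
    return findings


def analyse_nsc(xml_text):
    """Return finding codes for a network_security_config.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    if base is not None:
        if base.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append("NSC_CLEARTEXT_BASE")
        # Trusting user-installed CAs means a proxy CA added in Settings is accepted.
        if any(c.get("src") == "user" for c in base.iter("certificates")):
            findings.append("NSC_USER_CA_TRUSTED")
    for dc in root.findall("domain-config"):
        domains = [d.text.strip() for d in dc.findall("domain") if d.text]
        if dc.find("pin-set") is None:  # no certificate pinning declared for these hosts
            findings.append("NSC_NO_PINNING:" + ",".join(domains))
    return findings


if __name__ == "__main__":
    for finding in analyse_manifest(SAMPLE_MANIFEST) + analyse_nsc(SAMPLE_NSC):
        print(finding)
```

On a real engagement, run `apktool d app.apk` and point the two functions at the decoded AndroidManifest.xml and res/xml/network_security_config.xml (the file name comes from the android:networkSecurityConfig attribute). A manifest that shows DEBUGGABLE together with NSC_USER_CA_TRUSTED is the easy case for traffic interception; a clean manifest does not mean pinning is absent, since pinning may be implemented in code (OkHttp CertificatePinner, TrustManager overrides), which is where the runtime hooking described elsewhere on this page comes in.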

TOOL KIT FOR MOBILE APP SECURITY TESTING
- QARK
- AndroBugs
- MobSF
- Clangs
- iOS Analyser
- Burp Proxy
- Apktool
- Drozer
- iFunBox
- Appie
- iExplorer
- Frida

SELECT CREDENTIALS

CASE STUDY 1
A leading solution provider in virtualisation and cloud: Mobile application security assessment of 20 enterprise-level mobile applications

Overview
- Client is a global firm headquartered in the US and has presence in many countries, including India.
- Client engaged Deloitte to assist it in performing a mobile app security assessment of 20 enterprise-level mobile apps.

Actions
- Performed in-depth mobile app security assessment for mobile apps (Android and iOS) that belong to different categories such as finance, IoT, indoor navigation, business and sales
- Developed a custom mobile app penetration testing set-up consisting of a device farm made up of a combination of rooted/non-rooted Android devices and jailbroken/non-jailbroken iOS devices
- Formulated a comprehensive mobile app security checklist comprising 50 security tests for both Android and iOS

Outcomes
- 100 critical flaws identified and immediately remediated by the concerned mobile app teams
- Several security flaws identified in device management platforms and third-party frameworks used to develop mobile apps
- Mobile app pentesting report for one of the important business apps was considered comprehensive for production roll-out by one of the strategic customers of the client
- Several unique mobile app vulnerabilities uncovered by using advanced mobile app pentesting techniques such as runtime hooking and binary modification

CASE STUDY 2
A large multinational product-based company: Security assessment of their flagship Learning Management Solution (LMS) mobile application

Overview
The client engaged Deloitte to:
- Perform a security assessment of their flagship mobile apps (iOS and Android) powered by 100 APIs
- Provide effective remediation for the identified vulnerabilities and exploits

Actions
- Focused on uncovering security vulnerabilities oriented towards business logic flaws, privilege escalation, and user-role authentication and authorisation

Outcomes
- Identified and remediated highly impactful vulnerabilities in mobile apps, which was possible after following a custom mobile pentesting methodology developed by Deloitte
- Most of the reported vulnerabilities (60%) were classified as zero day in nature, and immediate fixes were rolled out considering the criticality and impact
- Authorisation-based security flaws helped the client to have a relook at the configured gateway and apply rules consistently across all the incoming service calls
- Detailed practical recommendations were provided by the Deloitte team to address the critical vulnerabilities in the areas of data storage and forensics

CASE STUDY 3
A large insurance and investment solutions company: Security assessment of their mobile applications

Overview
- The client engaged Deloitte to perform a mobile app penetration test across their entire application stack, consisting of 150 critical APIs

Actions
- Performed in-depth analysis across the mobile app stack to identify the attack vectors, assets and their value to the business
- Identified security vulnerabilities oriented towards business logic flaws, privilege escalation, user-role authentication and authorisation, and password management
- False positive analysis of the vulnerabilities reported by the automation framework and other scanners
- Formal documentation of identified vulnerabilities
- Walk-through of vulnerabilities to stakeholders

Outcomes
The programme is still going on, and the following are its current outcomes:
- Assessed multiple mobile apps powered by 150 APIs and uncovered a large number of security loopholes
- Helped the client to fix the critical, high and medium rated vulnerabilities in priority order to deliver secure applications to its customers
- Identified very critical security vulnerabilities in applications that are already in production and helped the client to fix them

CONTACT US

ROHIT MAHAJAN, President – Risk Advisory, rmahajan@deloitte.com
MANINDER BHARADWAJ, Partner, manbharadwaj@deloitte.com
GAURAV SHUKLA, Partner, shuklagaurav@deloitte.com
SANTOSH JINUGU, Director, sjinugu@deloitte.com

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a particular subject(s) and is not an exhaustive treatment of such subject(s) or a substitute to obtaining professional services or advice. This material may contain information sourced from publicly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte Network") is, by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant professional(s) for these kinds of services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.

No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person or entity by reason of access to, use of or reliance on, this material. By using this material or any information contained in it, the user accepts this entire notice and terms of use.

2019 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited
