Thursday, 25 August 2011

Mobile Application Testing

Mobile Application Security Testing – Part I


Mobile application development and usage have grown tremendously over the last couple of years. People use mobile applications to store their personal information, credit card details and bank account details, and to carry out financial transactions. Mobile applications now live beyond the perimeter of any corporate environment, and this has created real security risk.
Just like web applications, mobile applications should be tested from various security aspects. Compared with web applications, mobile applications are much harder to test, so in my experience mobile applications are rarely tested for security. It is likely that mobile applications are less secure than web applications.
This blog post is limited to installable mobile applications for the Nokia S60 series only. In a future blog post I will address browser-based applications and other mobile platforms.
Just as we install applications on our computers, mobile applications get installed on the phone: the installer changes registry entries, adds files and folders to the existing structure, and writes configuration settings. Security testing requires examining all of these files and changes, and we will use the analysis process below to verify them.
Mobile Application Analysis
Application analysis starts before the application is actually installed on the phone. Very often application details and data are stored in phone memory; this may be your personal information, your credit card details or your mail username and password, and phone memory is considered a safe place to keep these details. Application analysis is a very tedious job; its main aims are
  • Identify the files and folders created on the mobile file system. If the installer offers the option to install the application or its files on a memory card, cover both phone memory and the memory card.
  • Identify changes made to the existing file system and applications
  • Analyze the information written to the mobile file system
Methodology
  1. Directory and File Structure Analysis
  2. Fingerprinting Analysis
  3. Configuration and Usage Analysis
  4. Fingerprinting Comparison
  5. Content Analysis
Directory and File Structure Analysis
The mobile file system is very small compared with a desktop operating system's file system, and careful selection of the structure to examine will reduce the work. To get the list of files and the directory structure:
  1. Generate a file structure listing and keep it in a safe place.
  2. Install the mobile application and create a new file structure listing. Make sure not to make any configuration changes before the second listing.
  3. Compare the first and second listings. This gives the list of new, changed or updated files and directories.
  4. Make sure to verify manually, at least once, every area where the application might get installed.
  5. After careful consideration you will have a list of files and folders for further analysis. Copy all newly created files to your desktop.
Fingerprinting Analysis
From step one we have the list of files to analyze; now, what if we make some modification and it changes file parameters? File contents will also change between runs. To capture such details we will use MD5 hashes: any change during a run will show up as a difference when the MD5 hashes are compared.
Configuration and Usage Analysis
Make various changes to the application configuration and verify the resulting differences. For example, add a new account to the email client, or add new wireless router details.
Fingerprinting Comparison
Create a new fingerprint hash and compare it against step 2; this will show the differences and the files impacted during application use.
Content Analysis
The files copied in step 1 and the list from step 4 should be analyzed for security testing.
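The whole methodology above (baseline listing, post-install listing, MD5 fingerprints, comparison after a configuration change, and a first pass of content analysis on the files that changed) can be driven from the desktop once the files have been copied off the phone. The following is an added example written for this post, not a tool from the original; the directory layout, file names and contents are constructed to simulate an install followed by adding an email account, and the secret-detection patterns are deliberately simple assumptions.

```python
"""Snapshot-and-diff analysis of an application's file-system footprint.

Added example (not from the original post). The directory layout, file
names and contents below are constructed to simulate an install followed
by a configuration change.
"""
import hashlib
import os
import re
import shutil
import tempfile


def md5_of_file(path):
    """Streamed MD5 so large files (databases, caches) are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Steps 1 and 2 of the post: a listing of every file under root with its
    MD5, returned as {relative_path: md5} so two listings can be compared."""
    listing = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            listing[rel] = md5_of_file(full)
    return listing


def diff_snapshots(before, after):
    """Step 3 and the fingerprint comparison: files that appeared, vanished or changed."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


# Content-analysis patterns (assumed, deliberately simple): key=value credentials
# and 16-digit runs that look like a card number stored unencrypted.
SECRET_PATTERNS = [
    re.compile(rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    re.compile(rb"\b\d{16}\b"),
]


def find_plaintext_secrets(root, rel_paths):
    """Scan the given files for values that should never sit in plaintext."""
    findings = []
    for rel in sorted(set(rel_paths)):
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        for pattern in SECRET_PATTERNS:
            for m in pattern.finditer(data):
                findings.append((rel, m.group(0).decode("latin-1")))
    return sorted(findings)


def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(content)


def run_demo():
    """Run the methodology end to end on a constructed file system."""
    root = tempfile.mkdtemp()
    try:
        _write(root, "system/data/existing.ini", b"lang=en\n")  # pre-existing file
        clean = snapshot(root)                                   # listing before install

        _write(root, "private/app/app.cfg", b"server=mail.example.invalid\n")
        _write(root, "private/app/cache.db", b"\x00\x01")
        installed = snapshot(root)                               # listing after install
        install_diff = diff_snapshots(clean, installed)

        # Configuration change: the post's "add a new email account" step
        _write(root, "private/app/app.cfg",
               b"server=mail.example.invalid\nuser=alice\npassword=hunter2\n")
        _write(root, "private/app/cache.db", b"\x00\x01card=1234567812345678")
        configured = snapshot(root)
        usage_diff = diff_snapshots(installed, configured)

        touched = install_diff["added"] + usage_diff["added"] + usage_diff["modified"]
        findings = find_plaintext_secrets(root, touched)
    finally:
        shutil.rmtree(root)
    return {"install": install_diff, "usage": usage_diff, "findings": findings}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

MD5 is fine for this purpose because the question is only "did this file change between two runs I control"; it is not an integrity check against an adversary, so do not reuse these hashes for anything that needs collision resistance. Restricting the content scan to files that appeared or changed keeps the manual review list short, which is the point of steps 3 to 5.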
