# Full Report
Monday morning, raring for a week of pwnage, and you see you’ve just been handed a new assessment. Awesome. The problem? It’s a mobile assessment and you’ve never done one before. What do you do, approach your team leader and ask for another assessment? He’s going to tell you to learn how to do a mobile assessment, and to do it quickly, because there are plenty more to come. So you set out on your journey into mobile assessments, and you get lucky: the application that needs to be assessed is an Android app. A few Google searches later you are feeling pretty confident about this. Android assessments are meant to be easy; there are even a few tools out there that “do it all”. You download the latest and greatest version, run it, and the app gets a clean bill of health. After all, the tool says so: there is no attack surface, no exposed intents, and the permissions all check out. You compile your report, hand it off to the client, and a week later the client gets owned through the application… Apparently the backend servers were accepting application input without performing any authentication checks. Furthermore, all user input was trusted and no server-side validation was being performed.

What went wrong? How did you miss these basic mistakes? After all, you followed all the steps, you ran the best tools and you ticked all the boxes. Unfortunately this approach is wrong: mobile assessments are not always simply about running a tool; a lot of the time they require the same steps used to test web applications, just applied in a different manner. This is where SensePost’s Hacking by Numbers: Mobile comes to the fore; the course aims to teach mobile assessment from the ground up.
# Analysis Summary
As a cybersecurity best practices consultant, I have extracted and reorganized the key implications from the provided context into actionable security recommendations. The core finding is that **relying solely on automated tools for mobile assessment misses critical server-side vulnerabilities that mirror traditional web application weaknesses.**
---
# Best Practices: Comprehensive Mobile Application Security Testing
## Overview
These practices address the failure mode identified above: an assessment that relied only on automated tooling and superficial client-side checks (such as exposed intents or permissions) missed critical backend authentication and server-side validation flaws. The guideline emphasizes adopting a methodology that blends mobile-specific analysis with established web application testing principles.
## Key Recommendations
### Immediate Actions
1. **Mandate Backend Endpoint Analysis:** Immediately integrate thorough testing of all application communication endpoints (APIs) as a core component of the mobile assessment methodology, regardless of platform (Android, iOS, etc.).
2. **Implement Server-Side Input Validation Checks:** For all mobile application testing, prioritize verifying that the backend server infrastructure performs strict validation on **all** incoming data originating from the mobile client.
3. **Verify Authentication Gateways:** Explicitly test all mobile application endpoints to ensure proper authentication and authorization are enforced server-side before processing any request data, specifically looking for requests that bypass standard client-side authentication flows.
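The three immediate actions above describe what the backend must enforce regardless of what the client sends. The following is an added example, not code from the original page or from SensePost: a framework-free Python request handler showing the failure mode from the report (no authentication, client input trusted) beside a hardened version that authenticates the session, validates every field server-side, and lets the session rather than the request body decide whose record is written. The token store, user id format and field names are constructed for illustration.

```python
"""Added example: a mobile-backend endpoint handler with server-side
authentication, authorization and input validation. Framework-free so it
runs offline; tokens, user ids and field names are constructed."""
import hmac
import re
from dataclasses import dataclass, field

# Constructed session store: bearer token -> user id (placeholder values).
SESSIONS = {"tok_7f3a": "user-42"}

NOTE_MAX_LEN = 256
USER_ID_RE = re.compile(r"^user-\d{1,9}$")   # hypothetical id format
ALLOWED_FIELDS = {"user", "note"}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def authenticate(headers):
    """Return the user id bound to a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    if not presented.isascii():
        return None
    for token, user in SESSIONS.items():
        # Constant-time comparison so token bytes do not leak via timing.
        if hmac.compare_digest(presented, token):
            return user
    return None


def handle_note_vulnerable(headers, body):
    """The failure mode from the report: no auth check, client input trusted.
    Any sender can write any note to any user's record."""
    return Response(200, {"saved_for": body.get("user"), "note": body.get("note")})


def handle_note_hardened(headers, body):
    """Same endpoint with the server-side checks the recommendations call for."""
    user = authenticate(headers)
    if user is None:
        return Response(401, {"error": "authentication required"})
    if not isinstance(body, dict):
        return Response(400, {"error": "JSON object expected"})
    if set(body) - ALLOWED_FIELDS:
        return Response(400, {"error": "unexpected fields"})
    target = body.get("user")
    note = body.get("note")
    if not isinstance(target, str) or not USER_ID_RE.fullmatch(target):
        return Response(400, {"error": "malformed user id"})
    if not isinstance(note, str) or not 0 < len(note) <= NOTE_MAX_LEN:
        return Response(400, {"error": "note must be 1-%d characters" % NOTE_MAX_LEN})
    # Authorization: the session, not the request body, decides whose record is written.
    if target != user:
        return Response(403, {"error": "not permitted to write another user's record"})
    return Response(200, {"saved_for": user, "note": note})


if __name__ == "__main__":
    headers = {"Authorization": "Bearer tok_7f3a"}
    print(handle_note_vulnerable({}, {"user": "user-1", "note": "forged"}))
    print(handle_note_hardened({}, {"user": "user-42", "note": "hi"}))
    print(handle_note_hardened(headers, {"user": "user-1", "note": "hi"}))
    print(handle_note_hardened(headers, {"user": "user-42", "note": "hi"}))
```

The hardened handler rejects unknown fields outright rather than ignoring them, which is what stops a client from smuggling in parameters the business logic was never meant to accept; the status codes (401, 400, 403) also give an assessor a clean signal when replaying requests without a session, with extra fields, or against another user's record.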
### Short-term Improvements (1-3 months)
1. **Adopt Multi-Discipline Testing Methodology:** Formalize a standardized mobile assessment methodology that explicitly incorporates principles from web application security testing, including techniques for data validation, session management, and communication protocol security.
2. **Establish Traffic Interception and Manipulation Capabilities:** Equip assessors with the skills and tools necessary to reliably intercept, analyze, and modify traffic flowing between the mobile application and its backend servers (Dynamic Analysis).
3. **Integrate Static Analysis for Sensitive Data:** Implement procedures to conduct static analysis specifically focused on identifying hardcoded secrets, embedded sensitive data (e.g., strings that look like credit card numbers), and insecure data handling within the application binary.
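Item 3 asks for static analysis that finds hardcoded secrets and embedded sensitive data. The following is an added example, not code from the original page or from SensePost: a small Python scanner that runs over strings extracted from an app package (the kind of output a strings dump or decompiler produces), flags credential-like assignments and known key formats, and applies the Luhn checksum to digit runs so that build numbers and order ids are not reported as card numbers. The sample strings are constructed; the AWS key is the placeholder value used in AWS's own documentation, not a live credential.

```python
"""Added example: scanning strings pulled from an app binary for hardcoded
secrets and Luhn-valid card numbers. Input lines are constructed."""
import re

SECRET_PATTERNS = {
    # Well-known fixed-format key prefix.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # credential-like name assigned a literal of 8+ non-space characters.
    "assigned_secret": re.compile(
        r"(?i)\b(api[_-]?key|secret|passw(?:or)?d|token)\b\s*[=:]\s*[\"']?([^\"'\s]{8,})"),
}
# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed strings, similar to what a strings dump of classes.dex would show.
SAMPLE_STRINGS = [
    'Lcom/example/app/Config;',
    'const-string v0, "https://api.example.test/v1/orders"',
    'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',          # AWS documentation placeholder
    'api_key = "sk_live_0123456789abcdef"',     # constructed
    'test card: 4111 1111 1111 1111',           # Luhn-valid test number
    'order id 4111111111111112',                # 16 digits, fails Luhn
    'build timestamp 20240101120000',           # 14 digits, fails Luhn
]


def luhn_valid(digits):
    """Luhn checksum: doubles every second digit from the right, subtracts 9
    from doubled values above 9, and requires the sum to be divisible by 10."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_strings(lines):
    """Return (line_number, finding_kind, matched_text) for each hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, kind, m.group(0)))
        for m in CARD_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append((lineno, "luhn_valid_card_number", digits))
    return findings


if __name__ == "__main__":
    for lineno, kind, text in scan_strings(SAMPLE_STRINGS):
        print(f"line {lineno}: {kind}: {text}")
```

Every hit still needs a human to confirm it (the Luhn check only removes the obvious false positives), and a finding of a real card number in the binary is reported as a data-handling issue, not reproduced in the report.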
### Long-term Strategy (3+ months)
1. **Develop Platform-Agnostic Knowledge Base:** Invest in training that moves beyond platform-specific tools to focus on underlying concepts (e.g., communication protocols, programming languages, authentication mechanisms) to ensure assessment consistency across Android, iOS, and other emerging mobile platforms.
2. **Formalize Continuous Security Training:** Institute mandatory training, similar to the recommended "Hacking by Numbers: Mobile" style, that builds knowledge from the ground up, emphasizing practical, hands-on labs derived from real-world assessment findings.
3. **Integrate Transport Security Review:** Standardize the review of transport layer security (TLS/SSL configurations) to prevent information disclosure during data transmission between the app and servers.
## Implementation Guidance
### For Small Organizations
- **Focus on Core Stack Review:** Prioritize initial efforts on thoroughly reviewing the server-side codebase for the top 10 web application vulnerabilities (e.g., injection, broken access control) as these are directly exposed via the mobile front-end.
- **Use Standardized Proxy Tools:** Leverage readily available proxy/interception tools immediately to monitor all outbound and inbound application traffic for immediate identification of unencrypted or poorly secured communications.
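Both the short-term item on traffic interception and the small-organization guidance above come down to the same review: once app traffic is flowing through a proxy, go through each request and ask whether it travels in the clear, whether it carries a credential, and whether sensitive values sit in the URL. The following is an added example, not code from the original page or from SensePost: a Python review of a constructed proxy capture (hypothetical hosts, paths and tokens) that applies exactly those three checks so that the requests worth replaying without a session, or raising as findings, stand out.

```python
"""Added example: reviewing an intercepted-traffic capture for cleartext
transport, sensitive data in query strings, and requests that carry no
credential. The capture below is constructed, not from a real assessment."""
from urllib.parse import parse_qs, urlsplit

# Constructed capture, reduced to what an intercepting proxy logs per request.
CAPTURE = [
    {"method": "GET", "url": "http://api.example.test/v1/profile",
     "headers": {"Authorization": "Bearer tok_7f3a"}},
    {"method": "POST", "url": "https://api.example.test/v1/login?password=example",
     "headers": {"Content-Type": "application/json"}},
    {"method": "POST", "url": "https://api.example.test/v1/orders",
     "headers": {"Content-Type": "application/json"}},
    {"method": "GET", "url": "https://cdn.example.test/assets/logo.png",
     "headers": {}},
]

# Query parameter names that should never appear in a URL (logged by proxies,
# servers and CDNs).
SENSITIVE_PARAMS = {"password", "token", "apikey", "api_key", "session", "pin"}
# Constructed allow-list of paths that legitimately need no session.
PUBLIC_PATH_PREFIXES = ("/assets/", "/v1/login")


def review_request(req):
    """Return the list of review findings for one captured request."""
    issues = []
    parts = urlsplit(req["url"])
    if parts.scheme != "https":
        issues.append("cleartext transport")
    params = {name.lower() for name in parse_qs(parts.query)}
    if params & SENSITIVE_PARAMS:
        issues.append("sensitive data in query string")
    headers = {k.lower(): v for k, v in req["headers"].items()}
    if not parts.path.startswith(PUBLIC_PATH_PREFIXES) and "authorization" not in headers:
        issues.append("no credential presented on non-public endpoint")
    return issues


def review_capture(capture):
    """Map 'METHOD url' -> findings for every request in the capture."""
    return {f'{r["method"]} {r["url"]}': review_request(r) for r in capture}


if __name__ == "__main__":
    for request, issues in review_capture(CAPTURE).items():
        print(request, "->", issues or "ok")
```

A request flagged as presenting no credential is the one to follow up against the backend: if the server answers it with data, that is the authentication gap the Immediate Actions section tells you to look for.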
### For Medium Organizations
- **Develop Internal Mobile Security Checklists:** Create internal testing checklists that explicitly combine mobile platform checks (permissions, intents) with rigorous server-side validation and authentication checks.
- **Mandate Code Review for Data Handling:** Implement a policy requiring code reviews for the application layer that handles sensitive input before it reaches the business logic layer, focusing specifically on data validation checkpoints.
### For Large Enterprises
- **Establish Cross-Platform Assessment Teams:** Certify dedicated assessment teams capable of performing both static and dynamic analysis across all supported mobile platforms, ensuring consistency in methodology application.
- **Formalize Security Gates in SDLC:** Integrate comprehensive mobile security testing (including API testing) as a mandatory gate before deployment, ensuring that server-side validation is verified by a dedicated security gate independent of the application development team.
## Configuration Examples
*The source text does not contain specific configuration examples; the following verification items are implied by it:*
1. **Transport Layer Security Verification:** Ensure all communication channels enforce TLS 1.2 or higher, and verify that the mobile application performs proper certificate pinning or validation to prevent MITM attacks against the backend API endpoints.
2. **Input Validation Configuration:** Configure backend frameworks and web servers to reject requests containing malformed, overly long, or unexpected data formats originating from the mobile client before the data is processed by core business logic.
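Item 1 above asks for a TLS 1.2 floor and certificate pinning on the client. The following is an added example, not code from the original page or from SensePost: a Python client that builds a verifying TLS context with an explicit minimum protocol version and compares the SHA-256 fingerprint of the server's leaf certificate against a pin set before any request is sent. Python stands in for the mobile client here for the sake of a runnable illustration; the pin values are placeholders, and the hostname in the main block is hypothetical.

```python
"""Added example: TLS client context with a TLS 1.2 floor and a leaf-certificate
pin check. Pins and hostnames are placeholders."""
import hashlib
import socket
import ssl

TLS_MIN = ssl.TLSVersion.TLSv1_2

# Constructed pin set: hex SHA-256 digests of DER-encoded leaf certificates the
# client will accept. Keep at least one backup pin so a certificate rotation
# does not lock clients out.
PINS = {
    "<sha256 of current leaf certificate DER, placeholder>",
    "<sha256 of backup leaf certificate DER, placeholder>",
}


def make_client_context(min_version=TLS_MIN):
    """Verifying context: chain and hostname checks on, protocol floor enforced."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cert_fingerprint(der_bytes):
    """Hex SHA-256 over the DER certificate bytes, as returned by getpeercert(binary_form=True)."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(der_bytes, pins):
    return cert_fingerprint(der_bytes) in pins


def connect_pinned(host, port, pins, timeout=5.0):
    """Open a TLS connection and refuse to proceed unless the leaf cert is pinned.
    Returns the negotiated protocol version on success."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pins):
                # Chain validation already passed; the pin check catches a
                # trusted-but-unexpected certificate (e.g. an interception CA).
                raise ssl.SSLError("leaf certificate does not match any pinned fingerprint")
            return tls.version()


if __name__ == "__main__":
    try:
        print(connect_pinned("api.example.test", 443, PINS))   # hypothetical host
    except (OSError, ssl.SSLError) as exc:
        print("connection refused by client policy or network:", exc)
```

On Android the equivalent is declared rather than coded, through the Network Security Configuration's pin-set (which pins the SHA-256 of the subject public key rather than of the whole certificate); the check an assessor performs is the same either way: present a certificate the device trusts but that is not in the pin set, and confirm the app refuses to talk.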
## Compliance Alignment
This holistic approach aligns with:
- **OWASP Mobile Application Security Verification Standard (MASVS):** By demanding testing across the application, client, and server components.
- **NIST SP 800-53 (SA/SC families):** By focusing on system and communications protection, and ensuring input validation is enforced.
- **ISO/IEC 27002 (A.14 - System acquisition, development and maintenance):** By establishing secure development and testing practices that look beyond the client application layer.
## Common Pitfalls to Avoid
1. **Trusting Tool Output Blindly:** Never accept an application's security status based solely on reports from automated scanners. This approach misses server-side logic flaws entirely.
2. **Focusing Only on Client-Side Security:** Over-indexing on permissions, exposed components (like Intents in Android), or sandbox controls while neglecting the inherent risks of exposed APIs and input trust.
3. **Treating Mobile as Isolated:** Assuming mobile application security testing is distinct from web application security testing; server communication must be tested using the same rigor applied to traditional web endpoints.
## Resources
- **Training Approach Inspiration:** SensePost Hacking by Numbers: Mobile methodology.
- **Core Skills Required:** Investigation into communication protocols, static analysis techniques, authentication/authorization testing, and data validation testing relevant to mobile environments.