Sandeep Tuppad’s View & Experience On Mobile Application Security Testing

The smart phones and the availability of the connectivity has simplified many things in our lives. Whether it’s about navigating the streets or connecting with our friends and family or mobile banking or paying bills or booking movie tickets online. There is absolutely no limit. However it has also made the smart phone users and the service providers vulnerable to the security threats. It could be threat to finance or private information. So smart phone users and app developers need to be smarter to minimize the risks. However, most smart phone users are not tech savvy and even if they are they may be blissfully unaware. In such a scenario the onus is on the app developer and app security testers to ensure security. Why do I say minimize? Because there are few smartest people out there who can hack into almost any software/hardware. The mobile devices which capture

Data Theft - Web App Security Testing

Data Theft – Mobile App Security Testing

most of the market are android and iOS. Other smaller players are Windows and Black Berry. Each platform is vulnerable, some more and others less compared to other. Open source platform android is more vulnerable compared to iOS as android app and OS internals are available to be understood. I also believe the app framework of android is naturally more vulnerable for exploitation by hacker.

There are two players who can be impacted by the security of the app.
1) App “User” –
The user of the app running it on a mobile device or tablet.
2) App “Service Provider” or “Business” –
The app provider such as WhatsApp, Bank providing online services to users, online Food ordering app etc. These can be Business or non-paid service providers running the servers to serve the customers using their apps.

There are two other players who need to ensure the security of the app.
3) App “Developer” – The one who develops the app for a service provider or business
4) App “Security Tester” – The one who tests the app for its intended use and vulnerabilities. Often hired by the service provider.

Security from App Users perspective:
The Apps in which the user credentials and private information is stored on device or on the server which an unintended person can get access by some means. It can be user’s login credentials, credit card/debit card details for an online shopping or user’s private conversation as in case of a social networking app or any other user specific details at more technical level which can be used by imposter commit a fraud or harm. These are just a few examples and not limited to that.

Security from App Service Provider or Business perspective:
When the app user himself/herself attempts to exploit the vulnerabilities which can harm the app service provider or business. Imagine the app is to make online shopping. The reward points are granted based on users buying habits. What if the app user is able to modify the reward points by exploiting the app’s vulnerability? This would cause loss to business. What if an app user is able to get access and modify to other users data which he/she not intended to access. This can cause great damage to the service provider in terms of credibility.

There is also a possibility wherein the app developer himself/herself has added malicious code to eavesdrop and steal sensitive data. It could be your contacts list, messages, location details, call log or anything private and confidential.

In my experience following are some of the many areas where app could be vulnerable if not implemented with security in place.

Area What’s the risk? Incidents I have come across?
Device Logs It’s possible that during the development stages of the app various sensitive details which are directly or indirectly a risk may be printed to console or to some log files. But developer may forget to eliminate and they slip into production app. Credit card details being logged.
Rest API requests and responses logged.
Network traffic interception and tampering HTTP requests are unencrypted and can be intercepted and tampered by an intruder. With a session data stolen one can launch range of attacks. This is easily possible in public or untrusted hot spots.If the user himself/herself is intercepting the traffic whether HTTP or HTTPS (which can be unencrypted by the user if he/she has the malicious certificate installed on device) and the rest api calls are not implemented with security in mind then he/she can cause damage to business directly or indirectly by hacking into other user’s data.If the apps are caching the HTTP requests locally it can be a threat.
Insecure data storage in files/databases The app may store lot of sensitive details related to user or business on the device in files and databases. If these files can be accessed and the file contents are unencrypted it can be a risk. Private conversations in social networking app, which can be hidden in UI with password but can be read through access to database. We can modify the conversations too.
Also Found out the Lock Pattern password which is stored as an array of characters.
The C2DM registration ID which can be stolen to impose as the real user by the hacker.
Setting in file which enables rewards to a user. It can set again and again locally to get discounts.
Lack of Binary Protections and Reverse engineering If the apps sensitive code blocks are not obfuscated then they can be reverse engineered. This would give an unintended access to app’s sensitive logic which when understood can lead to possible exploitations. It can also be sensitive data being leaked not just the app logic.If the attacker is smartest he/she can modify the code with malicious logic, recompile, install and run. Think of an online shopping app which is loaded with the currency. Imagine attacker modifying the code block which verifies if the user has sufficient balance to make a purchase. The verification can be bypassed thereby allowing to shop irrespectively. Email login credentials found in reverse engineered code (SMTP Details).Critical code logics and sensitive strings discovered
App execution control flow manipulation Using GDB the app is run in debug mode. One can modify the variables and the control flow to exploit bunch of possible vulnerabilities.
Authentication and OTP codes If the authentication code or user verification codes are short and there is no limit to retries or sufficient incorrect authentication timeout before next retry then password can be hacked with automated test. In simple words its brute force attack.
Intra and Inter app data communication If the apps are placing the sensitive data in clipboard for later retrieval or to be passed to another app or within app it’s a threat. A malicious app can read the clipboard data and dump it to a file to be retrieved by the attacker remotely or locally when has the access.The data is passed between apps and within different entities within apps as in case of android app as intents. It’s possible to intercept the intent data using a malicious app installed on device if security measures not taken care while implementing an app.

Whether it’s about intercepting and tampering the network traffic or access the files and database or to launch brute force attacks or to reverse engineer and add malicious code to app or to intercept the inter app communication data, capture device logs, we need tools and utilities either running outside the device or on the device. Some of the tools are sophisticated ones and coming with our own such tool may be tough task. There are other tools which are not very complex to implement but I would rather use them if available to save my time and efforts. But those tools do have limitations in terms of the attacks I can carry out for a specific area for vulnerability. But tools limitations should not limit a security tester. She/he should go beyond the tools and perform the attacks manually with other means. If possible implement own tool which may be generic or has to be customized for every app to be tested for a specific area for vulnerability. But this would need the tester to educate himself/herself with the internals of the app framework and OS architecture. Having the knowledge of app development one can think of the possible security holes which may slip out into app. The mobile app framework (android or iOS) itself could be having limitations in terms of level of security in an area. So a real security tester should go beyond being just a tester and should be able to write or understand source code. Unless I know coding how can I exploit the app by reverse engineering? I have been developer most part of my life and at TestInsane, I am Developer in Test and Tester who brings in a different value to testing as a Developer. The security testing thrills me. Why? Because it’s challenging and feels like treasure hunt. My experience of being a developer has truly helped me in this never ending endeavor.

But the mobile devices come with user permissions which won’t let us access the protected file systems, access device shell and execute privileged commands or install new software (Only the App Store is source in case of iOS). These operations are only available to super user (also called root user).So we can’t install tools and utilities on the device meant for the security testing. But can we gain super user access? Yes we can. It’s called rooting the device. On android it’s easier. But on iOS it depends on release version. Apples iOS is not open source, so it’s the hackers who discover the iOS security loop holes to gain root access. Once rooted any third party apps and binaries can be installed and run. However rooting comes with a risk of bricking (leaving your device un-operational which is as good as brick). But successful rooting is equally rewarding considering what you can achieve as a user or a security tester. But from a developer point of view I would say the app (which needs to be implemented with high level security in place) should be capable of discovering and taking a counter measure to mitigate the risk of being exploited if device rooted ϑ

Security testing is a specialized skill beyond holding tester or developer tag.  It needs time and hunger to keep learning forever. Think of a fighter who has all lethal weapons and knowledge of the weapons. But that alone not enough to win the battle. He needs know how to fight using them (and without them) while continually exploring, acquiring or building and adding new weapons to his repertoire. So tools are like weapons, they help you fight better but they are not everything.


SandeepTuppad - VP, Mobile Apps Testing

SandeepTuppad – VP, Mobile Apps Testing

Sandeep Tuppad has a decade of experience in software development (Drivers & Application Software) for Consumer Electronic Devices such as Digital Television and other display devices. He has prior experience of implementing automation framework and utilities aiding software testing in the past. At TestInsane, he is responsible for exploring and implementing test automation framework, utilities, gathering knowledge and mentoring the team to enable “quality mobile apps testing”. He loves to travel and pursue outdoor adventure sports.

Follow him on LinkedIn at

3 comments on “Sandeep Tuppad’s View & Experience On Mobile Application Security Testing

  1. […]   […]

  2. How do you do mobile application security testing for iOS and Android? Is there any open source tool available for security testing?

    This is our experience at my start-up “Test Insane”. You may find these helpful in understanding our perspective about security testing on Android. With iOS there may not be much unless you do jailbreak and try finding vulnerabilities, but anyways on…

  3. Hi Sir,

    I need help regarding the penetration testing tool. I want to implement the Security Testing in the Mobile Money App like as Paytm.
    Could you please help me regarding the best Tools to test the Performance,Security and networking,Connections of Mobile App.

Leave a Reply to rohit Cancel reply

Your email address will not be published. Required fields are marked *