Mobile App Security Testing Guide
Mobile app security testing is critical to ensuring that mobile applications are secure and free from vulnerabilities. There are various types of mobile app security testing techniques, including Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). In this guide, we will focus on SAST.
What is SAST?
SAST stands for Static Application Security Testing. It involves analyzing the code (and sometimes the compiled binaries) of applications to find vulnerabilities, hardcoded credentials and bad practices. This is also called whitebox testing because it examines the internal structure of the application. SAST aims to detect underlying flaws in code that may lead to security issues.
Goals of SAST
The goals of SAST include:
- To analyze the code (and sometimes the compiled binaries) of applications for vulnerabilities, hardcoded credentials and bad practices
- To identify underlying flaws in code that could make the application vulnerable to security attacks
- To improve the quality and security of the code by following best practices and standards
- To reduce the cost and time of fixing security issues by detecting them early in the development cycle
SAST Tools
SAST tools and result quality differ depending on the language and frameworks to be assessed. Some of the OSS/Free tools we use for Android APKS and IOS IPAs include:
- MobSF - https://github.com/MobSF
- Immuniweb Mobile - https://www.immuniweb.com/mobile/
- Frida - https://github.com/frida/frida
- Objection - https://github.com/sensepost/objection
- Apktool - https://github.com/iBotPeaches/Apktool
- Insider - https://github.com/insidersec/insider
- TruffleHog - https://github.com/trufflesecurity/trufflehog
- SecretScanner - https://github.com/GoVanguard/SecretScanner
- SecretSearcher - https://github.com/GoVanguard/SecretSearcher
OWASP Mobile Application Security Testing Guide
The OWASP Mobile Security Guide is a comprehensive guide to mobile application security. It covers threat modeling, secure coding, best practices, and testing techniques. The guide is intended for developers, security professionals, and anyone interested in mobile application security. https://github.com/OWASP/owasp-mastg
OWASP Mobile Application Security Verification Standard
The OWASP Mobile Application Security Verification Standard (MASVS) is a standard for mobile application security testing. It provides a set of requirements for testing the security of mobile applications, including requirements for authentication, authorization, data storage, and communication. https://github.com/OWASP/owasp-masvs
Conclusion
Mobile app security testing is essential to ensure that mobile applications are secure and free from vulnerabilities. SAST is a powerful technique that can help detect underlying flaws in code that may lead to security issues. By following best practices and standards, developers can improve the quality and security of their code and reduce the cost and time of fixing security issues. The OWASP Mobile Security Guide and the OWASP Mobile Application Security Verification Standard are valuable resources for anyone interested in mobile application security testing.