MAST: Mobile Application Security Testing
Mobile applications are becoming an integral part not just of modern enterprises but also of human existence, and a huge part of this shift is due to the emergence of cloud computing. Cloud computing has allowed for the instantaneous utilization of applications, which imparts tremendous agility to the enterprise. Accompanying such convenience are risk management challenges due to a lack of transparency, leading to security concerns that include applications. CSA released the Mobile Application Security Testing (MAST) whitepaper in June 2016, which defines a framework for secure mobile application development, achieving privacy and security by design. Implementation of MAST will result in clearly articulated recommendations and best practices in the use of mobile applications.

Mobile application security testing and vetting processes utilized through MAST involve both static and dynamic analyses to evaluate security issues of mobile applications for platforms such as Android, iOS and Windows. These processes cover permissions, exposed communications, potentially malicious functionality, application collusion, obfuscation, excessive power consumption and traditional software vulnerabilities. Testing and vetting processes will also cover internal communications such as debug flag and activities, as well as external communications such as Global Positioning System (GPS), Bluetooth, Near Field Communication (NFC) and Global System for Mobile communication (GSM) accesses. Apart from mobile application security testing and vetting, a mobile application security incident response plan will also be developed.

The initiative will aim to create a safer cloud ecosystem for mobile applications by creating systematic approaches to application testing and vetting that help integrate and introduce quality control and compliance to mobile application development and management.
The initiative hopes that more research into mobile application security vetting and testing will help reduce the risk and security threats that organizations and individuals expose themselves to by using mobile applications.
Scope
The app security testing and vetting process uses both static and dynamic analysis to analyse the application. The testing and vetting process covers:
The testing covers internal communications such as debug flag and activities, and external communications such as GPS and NFC access, as well as checking the links that are written in the source code. In addition to security testing and vetting, the project will also develop processes and procedures for security incident response pertaining to a mobile breach.
Goals
Artifacts
Mobile Application Security Testing
The Mobile Application Security Testing (MAST) Initiative is a research effort that aims to help organizations and individuals reduce the possible risk exposures and security threats in using mobile applications. MAST aims to define a framework for secure mobile application development, achieving privacy and security by design. Implementation of MAST will result in clearly articulated recommendations and best practices in the use of mobile applications. Mobile application security testing and vetting processes utilized through MAST involve both static and dynamic analyses to evaluate security vulnerabilities of mobile applications for platforms such as Android, iOS and Windows. These processes cover permissions, exposed communications, potentially dangerous functionality, application collusion, obfuscation, excessive power consumption and traditional software vulnerabilities. They also cover internal communications such as debug flag and activities, and external communications such as GPS and NFC access, as well as checking the links that are written in the source code. In addition to security testing and vetting, the initiative has also proposed processes and procedures for security incident response. The use of mobile applications has become unavoidable, almost a necessity, in today's world. More people are starting to question the security of mobile applications, and it's about time that you take a look at what the Cloud Security Alliance has to say about mobile application security!
Release Date: 06/30/2016