MAST

Mobile Application Security Testing
Mobile Applications are becoming an integral part of not just modern enterprises but also of human existence and a huge part of this shift is due to the emergence of cloud computing. Cloud computing, in the form of PaaS offerings, has allowed for the instantaneous utilization of applications which imparts tremendous agility to the enterprise. Accompanying such convenience are risk management challenges due to a lack of transparency, leading to security concerns that include applications.

The project will aim to create a safer cloud eco-system for mobile applications by creating systematic secure engineering approaches to application architecture, design testing and vetting that helps integrate and introduce security, quality control and compliance to mobile application development and management.

The project hopes that more research into mobile application security vetting and testing will help reduce the risk and security threats that organizations and individuals expose themselves to by using mobile applications.

Scope
The app security testing and vetting process uses both static and dynamic analysis to analyse the application. The testing and vetting process covers:
  • Permissions
  • Authentication and authorization
  • Exposed communications
  • Data protection (Encryption In Motion, at Rest and In Use, etc)
  • Potentially dangerous functionality
  • Application collusion
  • Code obfuscation
  • Excessive power consumption
  • Auditing and logging
  • Input validation
  • Password management
  • Application configuration
  • Access control
  • Traditional software vulnerabilities
The testing covers the internal communications such as debug flag and activities and external communication such as GPS, NFC access as well as checking the links that is written in the source code.

In addition to security testing and vetting, the project will also develop processes and procedures for security incidence response pertaining to a mobile breach.

Goals
  • To develop a whitepaper for vetting and certification scheme based off the NIST Special Publication 800-163: Vetting the Security of Mobile Applications;
  • To develop a certification scheme for mobile application security with a maturity model;
  • To develop a vetting scheme (i.e. approval-rejection basis) for mobile applications;
  • To develop resources for addressing potential security issues or an incident during certification period.
Download Whitepaper