Hey folks, this is Mobile AppSec 101, a crash course on mobile application security testing. I'm Tony Ramirez, a senior application security analyst at NowSecure, and today is the second video of the Mobile AppSec 101 series: the mobile landscape.

So, as the title would tell you, today's objectives are learning about the mobile landscape, learning about mobile app development, and not only that, but the differences between the types of testing that we'll get into, static versus dynamic. But not only that, we also have to have an intimate understanding of the mobile attack surface to really get information out of how we should be testing apps, and we're gonna cover that too.

So we've got a lot ahead of us.

So starting off, we're really gonna be covering Android versus iOS.
So right away, the first topic that always comes up when you tell people you're mobile testing, or you're doing mobile app development, or you're doing any mobile app security testing, is: do you have iOS or do you have Android? Do you have, you know, an iPhone, or do you use an Android Pixel device or something? And the truth is, those aren't really a good indication of whether an app is secure or not, because both platforms have their advantages over one another. Both have good things, both have bad things. And you know what? It's kind of the Wild West, because now you're starting to see new versions of iOS specifically for tablets, and Android does have its tablet OS, which is Chrome OS. But I mean, that's only just the tip of the iceberg with what mobile development really is. So let's actually dig into what that actually means.
From a high level, yeah, you have iOS versus Android, you have Apple vs Google, but really it's native and hybrid development, and there's a lot of languages and a lot of frameworks that go into actually creating apps, and it really isn't clear cut. For instance, on the native side you have Java, Kotlin, Objective-C and Swift, and any of the NDK, and you know, those are native languages, and that's how a lot of people are developing apps. But more and more people are using hybrid tools, and the advantage of these hybrid tools is they allow you to create apps from, you know, a single code base that will work across both platforms.

But a lot of people always ask me, "Hey, well, isn't native app development more secure than hybrid app development? Isn't hybrid app development more, you know, efficient than native?" And the truth is that when you look at these things, it really falls into the hands of the developer. Whether you're developing a secure app or not doesn't really depend on which framework you're using or if you're developing natively. Really, what matters is, you know, how your developers are handling security issues within your app.
That kind of leads us to this other topic of static and dynamic analysis, source code versus binary, and ultimately how we're gonna be doing mobile testing. So let's dig in a little bit on mobile testing.

So in mobile testing you basically have two different types of scenarios. You have static testing and you have dynamic testing. On the static side, we're looking at source code or binary. We're looking at, you know, what's actually being written by the developer and what bad coding practices they are using, and maybe what they aren't using. What's great about it is there's no configuration, but it is less accurate when we're actually doing testing. When I'm talking about testing, we're talking about security testing.

On the dynamic testing side, we're testing on real devices. We're seeing how that app runs on the device, and really we're creating real-world scenarios. The challenge there is there is a little bit of configuration behind that, but you're getting real-world results.

And the point I'm going to give away right up front is that you need both. Whenever you're doing any type of app testing, you really need static and dynamic testing both involved.
So let's actually dig into what static testing is. Typically, with a static testing engine, what you're getting is a binary. That binary is what gets installed on the device and runs. It's pretty straightforward in that sense, but apps are developed in kind of a weird way today. You have all these third-party components, third-party libraries, third-party parts that really the developer leverages so they don't have to recreate those parts themselves. What's great is it streamlines the coding practice, but those third-party components aren't always secure, so that's a part of testing. If you're not doing static analysis correctly, you may not be testing those parts. So when you're looking at static testing tools, you want to make sure that you're testing the entire binary. That's an important part of testing.

Usually, on its own, it does lead to false positives, because static analysis is looking for certain terms, looking for certain actions, certain correlations in how that source code looks and how that compiled code looks, and it's making some indications on whether, you know, secure coding is being done correctly.
Contrary to static, you have dynamic testing. And unlike static, where you're looking at a binary, in dynamic you're actually running the app on a device. And the advantage here is you're actually able to see if the app is exploitable on a device. So that means that you're getting real-world results. That's why we said that earlier: you're getting real-world results because you're actually running it, and you're trying to exploit it on that device.

It also means that you have to actually run through workflows on that app; you actually have to perform processes. And the less you exercise it, the less data you're going to receive back, because again, applications are fairly big. They're not straightforward. There's a ton of different workflows that are involved in apps today, and they all do different things. They communicate to different endpoints, they communicate to different parts of that code base, and really it's important to exercise that app as much as possible. And this is one thing that I will repeat: learn to exercise apps, because the more you exercise that app, the more data you're going to get back.
This leads us to this next concept of the mobile attack surface. What are we actually testing? What is it that we're looking for? What's important in mobile, what's important to the app?

And really we could break this up into a few components, but it really comes down to the code functionalities within that app, the data that's stored on that device, or how that app communicates. And that communication isn't always as simple as you think, because you have one end of that where your device is actually sending a request out to some server in the cloud, or some server you own, wherever, it doesn't matter, and you know it has to set up that TLS connection. If it doesn't do it correctly, then there may be some security issues with your app. Then on the other end of that are API issues: your server actually has to handle those API requests correctly, handle authorization correctly, session management correctly. These are all really important topics in security, but all of them are part of that mobile app security spectrum. And we want to make sure that when we're testing, we're looking at all these components, because they're all important, because they all apply to mobile app security, whether it's iOS or Android. And again, this all applies to both.
So this brings us back to that thing I said before: you need both. You need both types of testing. Testing in mobile means you need to be able to, you know, see how that app runs on the device, but also see what the binary has in it and how the app was developed. And you know, there are things that are easier to test dynamically than they are to test statically, and there are things that are way easier to test statically than they are dynamically, and again, you need both. So a perfect example of something that's easy to do dynamically is network testing. We set up a proxy, we observe the calls sent by the app, and we're able to test them and see what's going on. Or seeing what's stored on the device itself: it's really easy for a tester to go on that device, see what's being stored by that application, and actually determine if it's sensitive or not, or if it's something that's unnecessary.
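A script of the kind a tester might run over the calls captured at that proxy, added here as an example and not from the video or any NowSecure tooling; the captured requests, the first-party host list and the sensitive-key list are all constructed assumptions for this example:

```python
"""Review requests captured at an intercepting proxy for common mobile issues.

Added example, not from the original video. The captured records below are
constructed; a real run would load them from your proxy's export (e.g. HAR).
"""
from urllib.parse import urlsplit, parse_qs

# Hosts the app is expected to talk to (assumption for this example).
FIRST_PARTY_HOSTS = {"api.example-app.test"}
SENSITIVE_KEYS = {"password", "token", "session", "ssn", "apikey"}

# Constructed sample of what a proxy would show while exercising the app.
CAPTURED = [
    {"method": "POST", "url": "https://api.example-app.test/login",
     "headers": {"Content-Type": "application/json"},
     "body": '{"user":"alice","password":"hunter2"}'},
    {"method": "GET", "url": "http://cdn.example-app.test/promo.json",
     "headers": {}, "body": ""},
    {"method": "GET", "url": "https://api.example-app.test/profile?token=abc123",
     "headers": {"Authorization": "Bearer abc123"}, "body": ""},
    {"method": "POST", "url": "https://analytics.vendor.test/collect",
     "headers": {"Authorization": "Bearer abc123"}, "body": '{"event":"open"}'},
]


def review_request(req):
    """Return a list of finding strings for one captured request."""
    findings = []
    parts = urlsplit(req["url"])
    if parts.scheme == "http":
        findings.append(f"cleartext HTTP to {parts.netloc}")
    # Secrets in the query string end up in server logs, proxies and history.
    leaked = SENSITIVE_KEYS & {k.lower() for k in parse_qs(parts.query)}
    for key in sorted(leaked):
        findings.append(f"sensitive parameter '{key}' in URL query")
    # A bearer token sent to a third-party host is a token-leak candidate.
    if "Authorization" in req["headers"] and parts.hostname not in FIRST_PARTY_HOSTS:
        findings.append(f"Authorization header sent to third party {parts.hostname}")
    return findings


def review_capture(capture):
    """Map each request URL to its findings, skipping clean requests."""
    report = {}
    for req in capture:
        findings = review_request(req)
        if findings:
            report[req["url"]] = findings
    return report


if __name__ == "__main__":
    for url, issues in review_capture(CAPTURED).items():
        print(url, "->", "; ".join(issues))
```

The login request is clean here because the credential travels in an HTTPS body; the other three each trip one check.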
But on the flip side, on the static side, looking at code quality, build configurations, things like, "Hey, there's debuggable code in here," "Hey, there are, you know, things that really shouldn't have been configured this way." Simple things like, you know, code protections, free security options, are really easy to determine if they exist in an application using static analysis.
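The kind of static build-configuration check just described, written as an added example (not the video's or any NowSecure tool's code) over a constructed AndroidManifest.xml; the manifest contents and the severity labels are assumptions for this example, and the "review" label marks the false-positive case the static side is prone to:

```python
"""Static checks over an Android manifest for build-configuration issues.

Added example, not from the video or any NowSecure tool. The manifest below is
constructed; a real run would parse the manifest pulled from the built APK.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest with several weak settings deliberately present.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="android.permission.RECEIVE_BOOT_COMPLETED"/>
  </application>
</manifest>"""

# Application-level flags that are free to turn off in a release build.
APP_FLAGS = {
    "debuggable": "app is debuggable (confirm this is not a debug build variant)",
    "allowBackup": "app data can be extracted via ADB backup",
    "usesCleartextTraffic": "cleartext HTTP is permitted",
}
COMPONENTS = ("activity", "service", "receiver", "provider")


def check_manifest(xml_text):
    """Return a list of (severity, message) findings. 'review' marks a likely
    false positive that needs dynamic confirmation, e.g. debuggable is normal
    in a debug build and an exported launcher activity is expected."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    for attr, msg in APP_FLAGS.items():
        if app.get(ANDROID + attr) == "true":
            severity = "review" if attr == "debuggable" else "high"
            findings.append((severity, msg))
    # Exported components are reachable by any app unless guarded by a permission.
    for comp in app:
        if (comp.tag in COMPONENTS
                and comp.get(ANDROID + "exported") == "true"
                and not comp.get(ANDROID + "permission")):
            name = comp.get(ANDROID + "name")
            findings.append(("medium", f"{comp.tag} {name} exported without a permission"))
    return findings


if __name__ == "__main__":
    for severity, message in check_manifest(MANIFEST):
        print(f"[{severity}] {message}")
```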
And there are things where you really need both, and really a lot of these things that seem like, hey, you know, it's difficult to do in dynamic, it's difficult to do in static: when you use static and dynamic testing together, you really get better results. And a perfect example of that is cryptographic methods. It's really easy to determine if your application is using some cryptography, and it's easy to determine from a dynamic sense how that crypto is being used and when it's being used. But being able to use static and dynamic together kind of determines how that's being used and in what reference. And you know, context is so important in security, because we want to understand how that information is being handled and used. And context is again the key for a lot of the things we're doing here today.
So we kind of zoomed through a few topics today. We looked at the mobile app landscape, how static and dynamic testing kind of work together, and how that mobile attack surface looks and how important it is. I think as we go forward, you're gonna use that information to better understand how to perform that testing and understand why that's important. So as we go into these next videos, you know, be sure to reference back to these, because they're useful information as we expand our knowledge. Thank you for your time. See you in the next one.