Some weeks ago I gave a short presentation at this year's German OWASP Day in Frankfurt, and I would like to publish the most important points of our research here as well.
If an organization wants to use mobile apps to process business-related documents, or wants to broaden the use of mobile devices in the day-to-day work of its employees, it has only two choices:
- trusting the marketing slides of the companies that offer suitable apps, or
- performing its own penetration testing of the solutions in question.
As we have seen over the last few years, the first option is not a good choice if the organization has any kind of valuable or sensitive data that will be stored or processed in mobile apps. Organizations should therefore focus on the second and most transparent option: manual as well as automated penetration testing of mobile apps.
The following picture shows some of the most common vulnerabilities and design flaws in business apps that we have seen in the last year while testing more than 180 apps.
When it comes to penetration testing of mobile apps, cost is always a blocking point in most companies. In our experience it is possible for an organization to check the security of a chosen app, without blind trust in the developer and without high assessment costs, by combining automated and manual testing. The following picture compares the three common ways such an assessment can be done:
- fully automated (cheap, but can only find very common vulnerabilities),
- partly automated (less expensive, and can detect a large number of vulnerabilities and design flaws), and
- manual (the most expensive, but also the assessment type that gives the highest assurance).
As the picture above shows, a partly automated assessment of a mobile application reduces the risk considerably and needs much less time and knowledge than a fully manual assessment. Depending on the tools and skills used, this approach is often sufficient if the application in question does not process highly sensitive data or grant access to the so-called crown jewels, and it is much cheaper than a manual assessment.
In our experience, this is the way every organization or larger company should go for about 80% of its apps.