Mobile applications vulnerabilities testing model

Authors

DOI:

https://doi.org/10.20535/2411-1031.2020.8.1.218003

Keywords:

mobile application, vulnerability, MASVS, OWASP, Android, vulnerabilities testing model, dependency graph

Abstract

The process of testing mobile software applications for vulnerabilities has been analysed. The analysis is motivated by the need to prevent violations of the confidentiality, integrity and availability of information, properties whose preservation benefits both individual users and the state as a whole. In practice, however, this is mostly neglected and attention is paid to functional testing, while the known approaches to vulnerability testing of mobile software applications focus on particular aspects only: either the server or the client. At the same time, the applicability of international standards to vulnerability testing of mobile software applications has been established. A characteristic feature of their guidelines is their reliance on the OWASP methodology, which defines the rating of the most critical vulnerabilities, the standard and test scenarios, and the tools for determining the level of security; these are summed up in the OWASP Mobile Top 10, OWASP MASVS and OWASP MSTG recommendations. According to OWASP MSTG, vulnerabilities in mobile software applications are tested against OWASP MASVS. These documents consist of three parts: general, Android and iOS. They also define common scenarios for each MASVS verification level. The security level of a mobile software application is determined from the test results, each test having one of three outcomes: the test has been passed, the test has not been passed, or the test is not applicable to the application under test. However, practical use of the OWASP methodology is complicated by its focus on the client side of mobile software applications and by the subjectivity of the choice of testing stages and their sequence. To overcome these limitations, a model for testing vulnerabilities in mobile software applications has been developed, with a dependency graph used to codify the procedure.
This allows the model to determine the vulnerability testing stages for both the client and the server parts. It also justifies which testing stages to choose, their order and the appropriate tools; the justification is achieved by building dependency relations between the stages, formulated for example as "the execution of the next stage is preceded by the execution of the previous one". The obtained results are demonstrated on the example of SSL pinning vulnerability testing.
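As an added example (not code from the paper), the dependency-graph model applied to a plan for SSL pinning testing, in Python: the stage names, their client/server assignment, the suggested tools and the sample verdicts are assumptions made for illustration. The stage sequence is derived from the "next is preceded by previous" relation with a topological sort, which also rejects a plan whose dependencies form a cycle, and the MASVS-style outcomes (passed, not passed, not applicable) are rolled up per part.

```python
from collections import deque

# Illustration of the dependency-graph model; stage names, tools and verdicts are constructed.
PASSED, NOT_PASSED, NOT_APPLICABLE = "passed", "not passed", "not applicable"

# stage -> (part under test, suggested tool, stages that must be executed first)
STAGES = {
    "collect_app_package": ("client", "adb", []),
    "review_network_config": ("client", "jadx", ["collect_app_package"]),
    "identify_backend_hosts": ("server", "jadx", ["review_network_config"]),
    "check_server_tls_config": ("server", "testssl.sh", ["identify_backend_hosts"]),
    "check_pinning_in_code": ("client", "jadx", ["review_network_config"]),
    "check_pinning_at_runtime": ("client", "mitmproxy",
                                 ["check_pinning_in_code", "check_server_tls_config"]),
}

def stage_order(stages):
    """Kahn's algorithm: every stage is placed after the stages it depends on.
    Raises ValueError on an unknown stage or a dependency cycle."""
    indegree = {s: 0 for s in stages}
    dependents = {s: [] for s in stages}
    for stage, (_, _, deps) in stages.items():
        for dep in deps:
            if dep not in stages:
                raise ValueError(f"{stage} depends on unknown stage {dep!r}")
            indegree[stage] += 1
            dependents[dep].append(stage)
    ready = deque(sorted(s for s, d in indegree.items() if d == 0))
    order = []
    while ready:
        stage = ready.popleft()
        order.append(stage)
        for nxt in dependents[stage]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(stages):
        raise ValueError("dependency cycle: the stage sequence cannot be justified")
    return order

def summarise(stages, verdicts):
    """Per-part roll-up of verdicts; a part is secure only if no stage in it was not passed."""
    summary = {}
    for stage, (part, _, _) in stages.items():
        entry = summary.setdefault(part, {PASSED: 0, NOT_PASSED: 0, NOT_APPLICABLE: 0})
        entry[verdicts.get(stage, NOT_APPLICABLE)] += 1  # unrecorded stage = not applicable
    for entry in summary.values():
        entry["secure"] = entry[NOT_PASSED] == 0
    return summary
```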

Author Biography

Mykhailo Antonishyn, postgraduate student, Pukhov Institute for Modeling in Energy Engineering of the National Academy of Sciences of Ukraine, Kyiv

Published

2020-07-09

How to Cite

Antonishyn, M. (2020). Mobile applications vulnerabilities testing model. Collection "Information Technology and Security", 8(1), 49–57. https://doi.org/10.20535/2411-1031.2020.8.1.218003

Section

NETWORK AND APPLICATION SECURITY