Mobile application vulnerability testing model
Keywords: mobile application, vulnerability, MASVS, OWASP, Android, vulnerability testing model, dependency graph
The process of testing mobile software applications for vulnerabilities is analysed. Such testing is needed to prevent violations of the confidentiality, integrity and availability of information, properties whose preservation benefits both individual users and the state as a whole. In practice, however, it is mostly neglected in favour of functional testing, and the known approaches to vulnerability testing of mobile applications each concentrate on a single aspect: either the server or the client. At the same time, international standards applicable to vulnerability testing of mobile applications have been identified. A characteristic feature of their guidance is its reliance on the OWASP methodology, which defines a rating of the most critical vulnerabilities, a verification standard with test scenarios, and tools for determining the level of security; these are summarised in the OWASP Mobile Top 10, OWASP MASVS and OWASP MSTG. The MSTG describes the test cases by which the requirements of MASVS are verified, and is organised in three parts: general, Android and iOS. These documents also define common test scenarios for each MASVS verification level. The security level of a mobile application is then determined from the test results, each test being recorded as passed, not passed, or not applicable to the application under test. Practical use of the OWASP methodology is complicated, however, by its focus on the client side of mobile applications and by the subjective choice of testing stages and their sequence. To overcome these limitations, a model for testing vulnerabilities in mobile software applications has been developed. The procedure is codified as a dependency graph.
This makes it possible to determine the testing stages for both the client and the server part, and to justify which stages are chosen, in what order, and with which tools. The justification is obtained by building dependency relations between the stages, formulated for example as "the execution of the next stage is preceded by the execution of the previous one". The results are demonstrated on the example of testing for an SSL pinning vulnerability.
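The following Python is an added illustration of the dependency-graph idea and is not the paper's own code. It models each testing stage as a graph node carrying the side it exercises (client, network or server) and the tool used, with an edge meaning "this stage is preceded by that one"; a topological sort then yields the stage order, the sub-plan needed to reach one target stage, and a verdict table in which a stage whose prerequisite was never run is reported as not executed rather than silently skipped. The stage names, tools and MASVS 1.x requirement identifiers in `ssl_pinning_procedure()` are assumptions chosen to illustrate the SSL pinning case; the paper does not list its actual stages.

```python
"""Dependency-graph model of a mobile vulnerability test procedure.

Added example, not the paper's code. Stage names, tools and the
MASVS requirement mapping below are assumptions for illustration.
"""
from collections import deque

# Outcomes recorded per stage, in the MASVS style (passed / not passed /
# not applicable); NOT_EXECUTED is derived, never recorded by a tester.
PASSED, FAILED, NOT_APPLICABLE = "passed", "not passed", "not applicable"
NOT_EXECUTED = "not executed"


class StageGraph:
    """Directed graph whose edge A -> B means 'B is preceded by A'."""

    def __init__(self):
        self.stages = {}   # name -> {"side", "tool", "requirement"}
        self.deps = {}     # name -> set of prerequisite stage names

    def add_stage(self, name, side, tool, requirement=None, depends_on=()):
        self.stages[name] = {"side": side, "tool": tool,
                             "requirement": requirement}
        self.deps[name] = set(depends_on)

    def order(self):
        """Execution order by Kahn's algorithm; a cycle means the procedure
        can never be started, so it is rejected rather than truncated."""
        unknown = {d for ds in self.deps.values() for d in ds} - set(self.stages)
        if unknown:
            raise ValueError(f"undefined prerequisite(s): {sorted(unknown)}")
        indegree = {n: len(ds) for n, ds in self.deps.items()}
        dependents = {n: [] for n in self.stages}
        for n, ds in self.deps.items():
            for d in ds:
                dependents[d].append(n)
        queue = deque(sorted(n for n, k in indegree.items() if k == 0))
        out = []
        while queue:
            n = queue.popleft()
            out.append(n)
            for m in sorted(dependents[n]):
                indegree[m] -= 1
                if indegree[m] == 0:
                    queue.append(m)
        if len(out) != len(self.stages):
            cyclic = sorted(n for n, k in indegree.items() if k > 0)
            raise ValueError(f"cyclic dependency among stages: {cyclic}")
        return out

    def plan(self, target):
        """Stages that must run to reach `target`, in execution order."""
        if target not in self.stages:
            raise ValueError(f"unknown stage: {target}")
        needed, stack = set(), [target]
        while stack:
            n = stack.pop()
            if n not in needed:
                needed.add(n)
                stack.extend(self.deps[n])
        return [n for n in self.order() if n in needed]

    def evaluate(self, results):
        """Verdict per stage from recorded results; a stage whose
        prerequisite was not executed is itself marked not executed."""
        verdicts = {}
        for n in self.order():
            if any(verdicts[d] == NOT_EXECUTED for d in self.deps[n]):
                verdicts[n] = NOT_EXECUTED
            else:
                verdicts[n] = results.get(n, NOT_EXECUTED)
        return verdicts


def ssl_pinning_procedure():
    """Assumed stage set for a certificate-pinning test covering client,
    network and server sides (MASVS 1.x identifiers, assumed mapping)."""
    g = StageGraph()
    g.add_stage("collect_artifacts", "client", "apktool")
    g.add_stage("static_analysis", "client", "jadx",
                depends_on=["collect_artifacts"])
    g.add_stage("proxy_setup", "network", "mitmproxy")
    g.add_stage("intercept_unmodified", "client", "mitmproxy",
                "MSTG-NETWORK-4",
                depends_on=["static_analysis", "proxy_setup"])
    g.add_stage("bypass_pinning", "client", "frida/objection",
                "MSTG-NETWORK-4", depends_on=["intercept_unmodified"])
    g.add_stage("server_tls_config", "server", "testssl.sh",
                "MSTG-NETWORK-2", depends_on=["static_analysis"])
    return g


if __name__ == "__main__":
    g = ssl_pinning_procedure()
    for stage in g.plan("bypass_pinning"):
        meta = g.stages[stage]
        print(f"{stage:22s} {meta['side']:8s} {meta['tool']}")
```

The `plan()` call answers the question the model is built to answer: which stages, in which order, with which tools, are required before the SSL pinning bypass can be attempted, and `evaluate()` makes a skipped prerequisite visible instead of letting a later "passed" result stand on its own.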
International Organization for Standardization. (2011, Nov. 21). ISO/IEC 27034-1:2011, Information technology. Security techniques. Application security. Part 1: Overview and concepts. [Online]. Available: https://www.iso.org/standard/44378.html. Accessed on: Dec. 17, 2019.
The President, the Prime Minister and the Ministry of Digital Transformation presented the mobile application "Diia". [Online]. Available: https://www.kmu.gov.ua/news/prezident-premyer-ministr-mincifra-prezentuvali-mobilnij-zastosunok-diya. Accessed on: Dec. 17, 2019.
A. Kramer and B. Legeard, Model-Based Testing Essentials: Guide to the ISTQB Certified Model-Based Tester Foundation Level. Hoboken, USA: John Wiley & Sons, Inc., 2016.
M. Antonishyn and O. Misnik, "Analysis of testing approaches to Android mobile application vulnerabilities", in Selected Papers of the XIX International Scientific and Practical Conference Information Technologies and Security, CEUR Workshop Proceedings, vol. 2577, 2019, pp. 270-280. [Online]. Available: http://ceur-ws.org/Vol-2577/paper22.pdf. Accessed on: Dec. 17, 2019.
Quick Heal Annual Threat Report 2019. [Online]. Available: https://www.google.com/url?sa=t&rct=Annual-Threat-Report-2019.pdf&usg=AOvVaBxp0Txjy0ExKPWN. Accessed on: Dec. 17, 2019.
International Organization for Standardization. (2016, Oct. 05). ISO/IEC 27034-6:2016, Information technology. Security techniques. Application security. Part 6: Case studies, first edition. [Online]. Available: https://www.iso.org/standard/60804.html. Accessed on: Dec. 17, 2019.
OWASP Mobile Security Testing Guide (MSTG). [Online]. Available: https://github.com/OWASP/owasp-mstg/. Accessed on: Dec. 17, 2019.
OWASP Mobile Application Security Verification Standard (MASVS). [Online]. Available: https://github.com/OWASP/owasp-masvs. Accessed on: Dec. 17, 2019.
National Institute of Standards and Technology. (2019, Apr. 19). NIST SP 800-163 Rev. 1, Vetting the Security of Mobile Applications. [Online]. Available: https://doi.org/10.6028/NIST.SP.800-163r1. Accessed on: Dec. 17, 2019.
National Information Assurance Partnership. (2019, Apr. 25). Protection Profile for Mobile Device Management, Version 4.0. [Online]. Available: https://www.niap-ccevs.org/MMO/PP/pp_mdm_v4.0.pdf. Accessed on: Dec. 17, 2019.
S. Zein, N. Salleh, and J. Grundy, "A systematic mapping study of mobile application testing techniques", Journal of Systems and Software, vol. 117, pp. 334-356, 2016, doi: https://doi.org/10.1016/j.jss.2016.03.065.
S. Bojjagani and V. N. Sastry, "STAMBA: Security Testing for Android Mobile Banking Apps", in Advances in Signal Processing and Intelligent Recognition Systems, Advances in Intelligent Systems and Computing, vol. 425, S. Thampi, S. Bandyopadhyay, S. Krishnan, K.-C. Li, S. Mosin, and M. Ma, Eds. Cham, Switzerland: Springer, 2016, pp. 671-683, doi: https://doi.org/10.1007/978-3-319-28658-7_57.
Z. Trabelsi, M. Al Matrooshi, and S. Al Bairaq, "Android based mobile apps for information security hands-on education", Education and Information Technologies, vol. 22, iss. 1, pp. 125-144, 2017, doi: https://doi.org/10.1007/s10639-015-9439-8.
S. Roy, D. Chaulagain, and S. Bhusal, "Static Analysis for Security Vetting of Android Apps", in From Database to Cyber Security, Lecture Notes in Computer Science, vol. 11170, P. Samarati, I. Ray, and I. Ray, Eds. Cham, Switzerland: Springer, 2018, pp. 375-404, doi: https://doi.org/10.1007/978-3-030-04834-1_19.
T. Wu, X. Deng, and J. Yan, "Analyses for specific defects in Android applications: a survey", Frontiers of Computer Science, vol. 13, iss. 6, pp. 1210-1227, 2019, doi: https://doi.org/10.1007/s11704-018-7008-1.
V.-P. Ranganath and J. Mitra, "Are free Android app security analysis tools effective in detecting known vulnerabilities?", Empirical Software Engineering, vol. 25, iss. 1, pp. 178-219, 2020, doi: https://doi.org/10.1007/s10664-020-09879-8.
M. Antonishyn, "Four ways to bypass Android SSL verification and certificate pinning", in Proc. VI International Scientific and Practical Conference Transfer of Innovative Technologies, Kyiv, 2020, pp. 96-98.
M. Antonishyn, "The usage of dependency graphs to test the security of mobile software applications", in Proc. Computer and Information Systems, Kharkiv, 2020, p. 44, doi: https://doi.org/10.30837/IVcsitic2020201369.
Copyright (c) 2020 Information technology and security
This work is licensed under a Creative Commons Attribution 4.0 International License.