7 Best Practices for Mobile App Security Testing

When we talk about the importance of mobile app security, we often think about the cost associated with neglecting security, such as stolen intellectual property, regulatory fines, and loss of consumer trust. With such high risk, it can be hard to understand why developers would deprioritize such an important step in the software development lifecycle (SDLC).

Consider Apple and Google's bug bounty programs, which offer rewards to external developers who identify a bug in one of their products. Apple has paid out $20 million, and, in 2022 alone, Google paid $12 million, proving that there had been very real vulnerabilities hidden within their code.

If these providers acknowledge the existence of unknown bugs or weaknesses within their ecosystems, developers should too.

The importance of mobile app security testing

An important step in taking ownership over a mobile app’s security posture is embedding mobile application security testing into the SDLC. By integrating testing early, developers will be empowered to address bugs and vulnerabilities earlier, reduce rework, and release builds faster.

For example, a testing solution can uncover things like:

• Visible hardcoded keys or credentials
• Improper use of permissions or intents
• Use of insecure or legacy cryptography
• Insecure communications between the mobile app and server endpoints
• Lack of protection against tampering or reverse engineering

So, if security testing is such an integral part of mobile app development, why isn’t everyone using it?

Challenges that hinder mobile app security testing

Saying that developers should perform mobile app security testing is the easy part. Implementing it can be challenging, especially within the context of the ongoing cybersecurity talent gap. Over 3.4 million jobs are unfilled across the various cybersecurity disciplines.

With this shortage of security knowledge and expertise in the workforce, security-related tasks are falling on other members of the development team. This means that mobile app developers are juggling tight release schedules, limited resources, complex regulatory requirements, lack of security expertise, and much more.

To get the most value out of security testing, developers should implement these seven best practices for mobile app security testing.

Best practices for mobile app security testing

1. Establish objectives

Before diving into mobile app security testing, it’s important to understand the purpose driving testing efforts. This helps ensure that development teams aren’t wasting time on security requirements that don’t apply to their mobile app. It also gives them a baseline to measure their progress against.

So, how do developers determine what security requirements their mobile app must meet? Start at the beginning. Two common reasons that developers begin seeking a security testing solution are:

1. They’ve already experienced an attack.
2. They want to obtain a specific certification or meet an industry standard.

These cases are a great place to start when defining security objectives. Developers can take this one step further by performing threat modeling to uncover the specific security needs of their mobile application. For example, a crypto digital wallet app and an mHealth app are subject to different threats and regulatory requirements.

While regulatory requirements will likely play a large part in the overall security strategy, many of them don’t provide concrete (or mobile-specific) guidance around security testing. This is where frameworks come in handy.

2. Define testing requirements

After defining objectives and becoming intimately familiar with a mobile app’s threat landscape, it’s time to map those objectives to testing requirements. We recommend using a framework that outlines an actionable, mobile-specific path to satisfy those requirements through testing and evidence.

OWASP’s MASVS, or Mobile Application Security Verification Standard, is the only mobile-specific security framework for improving the security posture of a mobile app. It defines levels of security verification based on risk level, and standardizes security requirements for each. Developers can gain a better understanding of the level of security they are working towards according to the level of verification their mobile app requires.

If MASVS is the what, then Mobile Application Security Testing Guide or MASTG, is the how. Each MASVS level has a corresponding set of recommended security tests in the MASTG. This combination of testing requirements and descriptive test cases guides developers toward a more comprehensive approach to testing.

3. Test early, often, and after every build

Waiting to perform security tests until the end of the SDLC is problematic for many reasons. If a vulnerability or bug is found just before release, it’s likely that other portions of the code are impacted. Remediation may require significant edits and even possible architecture changes, which could result in critical schedule delays or compromises on app security. Last minute changes can also cause greater developer frustration, as deadlines get tighter.

To reduce these bottlenecks — or unknowingly releasing a vulnerable mobile app — development teams should shift security left. One important part of shifting left includes embedding security testing into earlier stages of the development lifecycle. This enables developers to quickly remediate issues while the context is still clear in their mind rather than jumping back into code that was written weeks or months ago.

4. Integrate testing into the CI workflow

To achieve a seamless integration, development teams should incorporate security testing into their CI (continuous integration) workflow. Automation is inherent to CI tools, like Bitrise, GitHub, and Jenkins, which enables frequent and thorough scans without significantly slowing down the SDLC.

A CI tool also generates a build report detailing any bugs that may have been found and suggestions for resolving the issue. These suggestions might be quick fixes or they could require developers to break the build in order to fix the error or misconfiguration. This is yet another reason to test early and often!

Additionally, the CI report records who committed each build and what changes were made, functioning as a change log of sorts. This may be relevant to some regulations or in the event of an audit.

5. Test third-party dependencies

It’s estimated that anywhere from 70% to 90% of the code in an application is made up of third-party, open-source code. The code that developers have written in-house is only a small portion of a mobile app’s architecture, and it’s often dependent on these third-party SDKs and integrations. The scope of this potential risk is massive.

Take, for example, the Apache Log4j Project, an extremely popular open-source software library. In December of 2021, a series of vulnerabilities were uncovered within Log4j, putting at risk all the systems, software, and mobile applications using it.

Understandably, developers don’t want to recreate the wheel, so using third-party components will likely always be integral to mobile app development. However, developers must ensure any third-party components they rely on are kept up to date and known security issues are mitigated.

6. Use both static and dynamic analysis

Static and dynamic analysis are both important to the security testing process, but serve different purposes.

Static analysis breaks down and analyzes a representation of a mobile app’s source code. This is a great time to test those third-party dependencies, but not everything can be tested without executing the program. Evaluating network communications and examining behavior at runtime are two examples.

That’s where dynamic analysis comes into play. This involves functional analysis that scans the app at runtime, searching for vulnerabilities or weaknesses that would only be revealed during execution. For example, tracing data flow beyond the application code to endpoints and analyzing interactions with memory, storage, or the network at a point time are all functions of dynamic analysis.

7. Implement automated security testing and pentesting

Automated mobile app security testing and pentesting are another powerful duo, and they shouldn’t be viewed as competing approaches. They both play a pivotal role in the common goal of improving a mobile app’s security posture.

Automated security testing should be conducted after each build, and is used to catch common errors and vulnerabilities. On the other hand, pentesting is a more thorough, resource-intensive testing process, performed by security experts later in the SDLC.

We dive deeper into this topic here, but to summarize, automated security testing supports your pentesting efforts by allowing developers to “clean up” those common errors in earlier stages of the SDLC. This allows pentesters to focus on more complex issues and also reduces the remediation workload generated by the pen test.

Optimize with a testing solution

A developer-friendly security testing tool is the key to enhancing the team’s testing capabilities. These can include automated scanning that easily integrates into the SDLC, valuable remediation suggestions, and compliance with industry standards and best practices.

There are many options for security testing tools on the market, but they don’t offer equal value. Some organizations may already have a general-purpose security testing tool, but these are often costly, slow, and lack mobile-specific features. Open-source testing tools are a good place to start, but they’re not always well maintained.

The ideal security testing tool is one that is mobile specific, built to detect common vulnerabilities and threats that are unique to mobile applications. A great way to vet a testing solution is to see how it measures up against OWASP MASVS.

Choose a tool — like AppSweep, Guardsquare’s free testing tool — that provides automated security scanning, integrates easily into developer workflows, and provides actionable remediation tips. This insight and guidance around a mobile app’s security posture is invaluable.

Executive Summary (TL;DR)

• Delaying security testing until the end of the development process can have significant impacts on schedule and product success.
• To take ownership over a mobile app’s security posture, resolve bugs faster, and reduce rework, developers can and should embed security testing earlier in the SDLC.
• Adopt these seven best practices for mobile app security testing to optimize your testing efforts.