What is Mobile Application Security Testing (MAST)?

Penetration testing, or pen testing, is the most common security starting point for mobile app development teams. It’s a valuable way to get an initial outside assessment of your application when you don’t have the time, tools, or security knowledge in-house to assess the security posture of an application. Pen testing is a great compliment to an overall security testing strategy and is often a requirement for compliance purposes.

Automated mobile application security testing is about taking on the responsibilities of security testing, in-house, with the support of automated tools to make it cost-effective and manageable enough to get frequent feedback on the security assessment of an app. Automated tools can also be integrated into the software development life cycle (SDLC) as part of a continuous integration or continuous delivery (CI/CD) process.

Other alternatives to mobile application security testing include Bug Bounties and crowd-sourced app security testing. Relying on these third-party programs to find vulnerabilities should supplement internal security practices, such as threat modeling, code reviews, and automated security testing.

General-purpose app testing tools may actually already be in place in your organization. They are often well integrated into the organization’s security process.

However, they are often expensive, not the most developer-friendly, they can be slow, and for mobile apps, they often lack the depth of analysis and tailored findings that are specific to mobile application threats. Mobile developers should evaluate their application security testing tool to ensure it has a strong focus on mobile application threats, including consideration of the OWASP Mobile Top 10 and the OWASP mobile security testing guide.

Open source tools can be a good way to initially get coverage in security testing, but often, these tools are not maintained and kept current as the security landscape changes. These tools should be evaluated based on how well they are maintained by a community, as with any open source project.

Additionally, these tools should be evaluated based on how easy it is to consume the output or findings of the tool. High rates of false positives or difficult to read reports can make integrating such a tool more frustrating than beneficial.

Mobile apps have unique risks, in particular the concept of a MATE (man-at-the-end) attack vector, which means an attacker can load the application on their local device which gives them access to specialized tools, time, and resources to inspect and reverse engineer the application. Additionally, mobile apps need to make use of unique mobile platform features and security controls, as well as ensure secure communications and storage of data.

These threats to mobile apps are often not covered by generic application security testing tools. Selecting a security testing tool that is specialized in mobile apps and built for mobile app developers can be critical in providing relevant, actionable findings.

To truly improve the security controls around building mobile apps, organizations must ensure that automated security testing tools fit into their developers’ existing workflows. Tools in use should be fast, provide actionable results or recommendations, and integrate directly into the SDLC.

The key criteria here is making sure there is a way to automate the analysis. As you execute automated security testing within your DevOps workflow, you’ll want to make sure you can compare the results build-over-build to pinpoint which commits and releases of your app introduced new vulnerabilities or findings.