A number of different platforms and languages make up what is now commonly known as an “app”. Testing the different types and parts of an application takes time, and the methods used vary with the platform and the type of application. The three that follow are typical examples found on most Android and iOS devices:
2. Native iOS/Android/Windows/BlackBerry applications – Objective-C, Java, etc.
3. Hybrid applications – native applications with embedded web views/content.
It is important to note that the techniques and languages used to write applications vary between mobile platforms. For this reason the iOS, Android and other builds of the same product should each be treated as a separate application and tested independently; a finding (or its absence) on one platform says nothing about the others.
Mobile Application Testing Process
The process should always begin with an overview of how the application works and what it does. Once that is established, a number of steps are taken to identify potential weaknesses in the way the application works and in how it stores and transmits data.
The end user's handset or mobile device should be treated as if it were compromised or stolen. Any security measure that lives in the client-side installed application exists under the attacker's control and can be disabled or modified; the same applies to "secure" storage. For example, if data is stored on the device in encrypted form and the key is also stored on the device, the key can be recovered and used to decrypt the data. This does not mean that client-side security mechanisms should not exist, but security must exist on the server side as well: the server must perform its own authentication, authorisation and input validation rather than trust that the client has done so. The test broadly follows the same steps as an OWASP web application test, e.g. are messages encrypted, are sessions handled properly, is the application vulnerable to code injection, etc.
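As an added illustration of the stored-key point (example code written for this page, not from the original article): a constructed toy app "binary" embeds its encryption key as a constant, and a short entropy scan combined with the app's own HMAC tag is enough to locate the key and decrypt the data store. The hardened variant derives the key from a user PIN with PBKDF2, so no key ever exists on disk and the same scan finds nothing that verifies. The SHA-256 counter-mode cipher, the fake binary layout, the PIN, salt, record contents and all names are assumptions made for the demo; the cipher stands in for AES only so the script runs with the standard library and is not for production use.

```python
"""Added example (not from the original article): why a key stored next to the
data it protects offers no protection against someone holding the device.

Everything below is constructed for the demo: the 'binary', the key, the record,
the PIN and the salt. The cipher is a SHA-256 counter-mode construction standing
in for AES so that only the standard library is needed; do not use it in production.
"""
import hashlib
import hmac
import math


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 keystream (the same call encrypts and decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    ct = ctr_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext if the tag verifies under key, otherwise None."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ctr_xor(key, nonce, ct)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; a 32-byte window of 32 distinct bytes scores the maximum 5.0."""
    n = len(buf)
    counts = {}
    for b in buf:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def high_entropy_offsets(binary: bytes, size: int = 32, threshold: float = 4.5):
    """Offsets of every size-byte window whose entropy reaches the threshold.
    Strings and padding score far lower; compiled-in key material stands out."""
    return [i for i in range(len(binary) - size + 1)
            if shannon_entropy(binary[i:i + size]) >= threshold]


def recover_key(binary: bytes, blob: bytes):
    """Attacker's view: try each high-entropy window as the key against the
    app's own data store; the HMAC tag confirms which candidate is right."""
    for off in high_entropy_offsets(binary):
        candidate = binary[off:off + 32]
        pt = open_sealed(candidate, blob)
        if pt is not None:
            return off, candidate, pt
    return None


# --- constructed sample: the weak app stores the key in its own binary ------
EMBEDDED_KEY = bytes.fromhex(
    "8c1f27a4d3e95b60f2ab4e7c31d09856bf4a1ce72d6b9305e5f7c41a6c2e0db9")
NONCE = bytes(range(16))  # fixed for reproducibility; a real app uses a fresh random nonce per record
SECRET_RECORD = b'{"account":"12345678","session_token":"demo-token"}'


def build_weak_binary() -> bytes:
    """Fake APK/IPA contents: header, strings, padding, and the key compiled in as a constant."""
    return (b"\x7fELF" + b"\x00" * 40
            + b"com.example.bank.LoginActivity\x00" + b"\x00" * 40
            + EMBEDDED_KEY + b"\x00" * 40
            + b"Please enter your PIN\x00" + b"\x00" * 40)


def weak_store() -> bytes:
    return seal(EMBEDDED_KEY, NONCE, SECRET_RECORD)


# --- hardened variant: key derived from a user secret, never written to disk --
def derive_key(pin: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin, salt, 200_000, dklen=32)


def build_hardened_binary() -> bytes:
    """Same binary without the constant: there is no key for the scan to find."""
    return (b"\x7fELF" + b"\x00" * 40
            + b"com.example.bank.LoginActivity\x00" + b"\x00" * 40
            + b"Please enter your PIN\x00" + b"\x00" * 40)


def hardened_store(pin: bytes = b"4921") -> bytes:
    # The salt may live on the device: it is not secret, it only defeats precomputation.
    return seal(derive_key(pin, b"per-install-salt"), NONCE, SECRET_RECORD)


if __name__ == "__main__":
    hit = recover_key(build_weak_binary(), weak_store())
    if hit:
        print("weak app: key found at offset %d, record: %r" % (hit[0], hit[2]))
    print("hardened app:", recover_key(build_hardened_binary(), hardened_store()))
```

Run the script directly to see both outcomes. On a real engagement the scan target is the extracted APK or decrypted IPA and the data store is a SQLite file, shared preferences or a keychain dump, but the principle is unchanged. The hardened form is not a complete answer either: with the blob copied off the device, a four-digit PIN is brute-forced offline in seconds however slow the KDF, which is exactly why the article insists that security must also exist on the server side (short-lived tokens, server-enforced rate limiting, server-side authorisation).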
This approach can be roughly broken down into:
1. Application Mapping
2. Client Attacks
3. Network Attacks
4. Server Attacks