
Security of mobile applications

The increasing proliferation of company smartphones and their mobile applications has created a minefield for IT directors. Which apps should be used, and are they secure? Companies must agree on a programme for the usage and testing of third-party mobile applications. Setting guidelines on the types of mobile application that may be downloaded is strongly recommended. As at July 2015 there are over 1.6 million apps to choose from. A company mobile app policy could be expressed in terms of the apps used in the ordinary course of the business, which can be defined. In practice this is extremely difficult to enforce. It is often easier to identify a number of mobile apps considered useful for the particular purposes of the business and to develop a programme of testing to ensure secure usage. If the testing is successful, these mobile applications should be listed as recommended for downloading.

Three aspects of a mobile application should be tested: the code itself, its runtime behaviour, and how the app communicates with other services. Fortunately, tools exist (e.g. Veracode or FireEye) that can test a mobile application's source code, if available, or its binary code. These tools provide a shortlist of known weaknesses and recommendations on areas for additional testing. Tools for testing mobile app behaviour often work by simulation, observing what the app does in the background. What exchanges of data are there? Do they go beyond your enterprise? Is the information sensitive? Is it required for the processing the mobile application performs? The mobile client, the back-end server, and the communication link over which the mobile client talks to other services, such as web services, should also be tested. Tools such as PortSwigger's Burp Suite exist to verify that the mobile app responds correctly to server messages and that data is truly encrypted end to end.
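The behavioural questions above (what data is exchanged, whether it leaves the enterprise, whether it is sensitive) can be turned into a repeatable policy check over the network flows observed while an app is exercised in a sandbox. The following is an added example, not a tool or code from the original article; the enterprise domain, the sensitive-field classification and the flow records are all constructed assumptions.

```python
"""Added example: triage the network flows observed while running a mobile app
in a sandbox against a simple enterprise policy. All values below are
constructed sample data, not the output of any real tool."""
from dataclasses import dataclass
from typing import FrozenSet, List

ENTERPRISE_DOMAINS = ("corp.example.com",)  # assumed enterprise perimeter
# assumed classification of data items that must not leave the enterprise
SENSITIVE_FIELDS = {"imei", "contacts", "location", "password", "email"}


@dataclass(frozen=True)
class Flow:
    host: str               # destination host of the request
    tls: bool               # whether the transport was TLS-protected
    fields: FrozenSet[str]  # data items seen in the request body / query string


def is_internal(host: str) -> bool:
    """True if host is the enterprise domain or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in ENTERPRISE_DOMAINS)


def review_flow(flow: Flow) -> List[str]:
    """Return policy findings for one flow; an empty list means no concern."""
    findings = []
    sensitive = flow.fields & SENSITIVE_FIELDS
    if not flow.tls:
        findings.append(f"{flow.host}: cleartext transport")
    if not is_internal(flow.host):
        if sensitive:
            findings.append(f"{flow.host}: sensitive data leaves the enterprise: "
                            f"{sorted(sensitive)}")
        else:
            findings.append(f"{flow.host}: external endpoint, confirm it is required")
    return findings


def review_flows(flows: List[Flow]) -> List[str]:
    """Aggregate findings for a whole sandbox session."""
    return [finding for flow in flows for finding in review_flow(flow)]


# constructed flow records from a hypothetical sandbox run
SAMPLE_FLOWS = [
    Flow("api.corp.example.com", True, frozenset({"session_token", "order_id"})),
    Flow("metrics.analytics-vendor.invalid", True, frozenset({"imei", "location"})),
    Flow("cdn.image-host.invalid", False, frozenset()),
]

if __name__ == "__main__":
    for line in review_flows(SAMPLE_FLOWS):
        print(line)
```

The findings list is the shortlist a reviewer takes into the manual stage: each external or cleartext flow is then inspected with an intercepting proxy such as Burp Suite to confirm whether the data is required and properly protected.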
