The war between Mobile Apps and Pen Testing
With new mobile devices being launched at frequent intervals, testing mobile apps has become a challenging task for testers. But what role does mobile app testing play in pen testing, and what effect does it have on it?
A great deal of new work is emerging around mobile apps and wireless networks. To be certain there are no security breaches, a tester must assess the client's systems together with its mobile devices and other wireless technology, because a hidden route in may exist somewhere, most often in the least expected place.
Where are the hackers’ hideouts?
Since pen testing is all about security assessment, the threat of attackers is always present. PEAP (Protected Extensible Authentication Protocol) security relies on the security of the client configuration, so every wireless client must be configured properly.
Consider one of the most effective attack types. An attacker sets up a wireless access point of his own, backed by a rogue RADIUS server, and users are tricked into logging in to this scheme. When the login takes place the attacker simply captures the credentials and uses them to access the real network. All of this works because the clients, say MS Windows devices, were not configured to validate the RADIUS server's identity. Why does the approach succeed? Many clients will attempt to connect to any network whose name matches one they have already been acquainted with, and the user will know nothing of the scam. There are many more examples of such attacks, and a pen tester can be sure that if there is even the slightest crack, an attacker will use it; they are a really creative kind of people.
Mobile devices are the weakest link – holds true!
The growth of mobile technology is remarkable. There are several tools on the market that can make laptops extremely tough nuts to crack, yet mobile devices are, for now, left without such software. So if you are testing something and traditional methods are not letting you in, go the mobile way. Tablets and smartphones are rarely configured for proper RADIUS server validation. There is a reason, as you know, why most, if not all, of the protections deployed on an agency network (wireless intrusion prevention systems, intrusion detection systems and the like) offer no protection on public networks or for mobile devices. All that can be advised is this: if you are doing mobile app penetration testing, do your best, consider every attack option available and never stop learning.
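Both the rogue access point paragraph above and this one come down to a single client setting: whether the supplicant validates the RADIUS server's identity before it sends credentials. The audit script below is an added example, not code from the original post; it parses wpa_supplicant-style configuration (the supplicant used underneath Android and Linux clients) and flags EAP networks that lack a trust anchor (`ca_cert`/`ca_path`) or a server-name constraint (`domain_suffix_match`, `domain_match`, `altsubject_match`). The sample configuration, SSIDs, file paths and identities are constructed for the example.

```python
"""Audit wpa_supplicant network blocks for EAP profiles that would trust a
rogue RADIUS server.  Added example; assumes wpa_supplicant config syntax."""
import re

# A client only verifies the RADIUS server when it has BOTH a trust anchor
# and a constraint on which certificate name it will accept.
TRUST_ANCHOR_KEYS = ("ca_cert", "ca_path")
NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match")

# Constructed sample: one unvalidated PEAP profile, one with only a CA,
# one hardened profile, and a PSK network that the check does not apply to.
SAMPLE_CONFIG = """
network={
    ssid="Corp-Weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-password"   # constructed, not a real credential
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Corp-CAOnly"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-password"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Corp-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-password"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="HomePSK"
    key_mgmt=WPA-PSK
    psk="not-relevant-here"
}
"""


def parse_networks(config_text):
    """Return one dict of key/value pairs per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", config_text, re.S):
        entry = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop trailing comments
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_network(net):
    """Return a list of findings for one network block; empty means OK."""
    findings = []
    if "EAP" not in net.get("key_mgmt", "").upper():
        return findings  # PSK or open network: server validation does not apply
    has_anchor = any(k in net for k in TRUST_ANCHOR_KEYS)
    has_name = any(k in net for k in NAME_MATCH_KEYS)
    if not has_anchor:
        findings.append(
            "no ca_cert/ca_path: any server certificate is accepted, so a rogue "
            "access point with its own RADIUS server can collect the credentials")
    elif not has_name:
        findings.append(
            "ca_cert set but no domain_suffix_match/domain_match/altsubject_match: "
            "any certificate issued by that CA is accepted as the RADIUS server")
    return findings


def audit_config(config_text):
    """Map each SSID to its findings."""
    return {net.get("ssid", "<no ssid>"): audit_network(net)
            for net in parse_networks(config_text)}


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "WEAK"
        print(f"{ssid}: {status}")
        for f in findings:
            print(f"    - {f}")
```

Run against a real client's configuration, the `Corp-Weak` pattern is the one that makes the rogue access point attack work: the device will complete PEAP with whichever server answers. The hardened profile pins both the issuing CA and the expected server name, so a certificate from any other CA, or a public-CA certificate for a different host, is rejected before the inner credentials are ever sent.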
Device variation is the biggest challenge in testing mobile apps because of compatibility issues: a mobile application can be deployed across devices with different operating systems (iOS, Android etc.), manufacturers (Samsung, HTC, Nokia etc.) and keypad types (virtual keypad, hard keypad). Further, the team cannot be 100% sure that an application tested on one device will run smoothly on another. Hence it becomes equally difficult to check for security issues across different devices.
Though mobile application testing is quite different from testing on other platforms, it needs to be taken seriously for business reasons. We therefore hope testers play their rightful role in testing mobile apps for security as well, in order to grow the business and hence the revenue. The war can be set aside!