In any mobile business application, data security is of utmost importance. Security tests have to be conducted not just on the mobile device, but also across the different points in the application architecture where data is exchanged.
On Device Tests
On the device, vendor-specific features of the mobile platform affect the security tests. When a mobile application moves to a sleep state, the device typically stores the state of the application in device memory. This is not secure, because the data can later be retrieved with memory readers. Tests have to be conducted to ensure that the application's footprint on the device does not expose any data.
Checks are also made to see that uninstalling the application leaves the device clear of any data belonging to the application. To protect data when a device is lost, remote uninstallation of the application is also tested. This is typically done via mobile device management software (such as SAP Afaria), which has a client on the mobile device and a server-side component at the enterprise.
If the application has to work in offline mode, it is also important to store the application-specific data with strong encryption. Tests that attempt to break this protection are run against such data to confirm it is secure.
One approach to storing data on the device is a data vault that is password protected and stores its contents with AES 256-bit encryption. Tests that attempt to crack the password and break the security of the vault are conducted.
Malicious applications on the device can also be a threat to the security of data on the device. Ensuring that data from the enterprise application cannot be read by other applications is critical.
On-device security threats must be reassessed on every mobile operating system (OS) upgrade. Tests have to be conducted on different OS versions and with different settings of the mobile device.
Network Infrastructure Tests
When data from the backend enterprise system flows into the mobile application, it passes through the middleware and over a network (Wi-Fi, 2G or 3G data networks), and security needs to be ensured for these transmissions. From the application side, the communication has to happen over the secure HTTPS protocol. Multilayered defense against threats such as denial of service needs to be ensured and tested. There must be no direct access to the back-end server from the mobile application.
Backend Security Tests
User data requests from the mobile application are typically handled only after authentication. Protocols such as X.509, OAuth 2.0 and SAML 2.0 are used. All incoming data is checked against the metadata sent via the enterprise gateway to verify that it was not tampered with in the network. This provides an additional layer of protection against injection attacks. Virus checks on binaries are conducted before they are downloaded and stored on the back-end servers.