​The Mobile App Testing Landscape

Written by: Henry Hu, Co-Chair, MAST Working Group & CTO, Auriga Security, Inc. and Michael Roza, Member, MAST Working Group

Cloud computing accelerates the development and real-time use of applications, which drives personal productivity and business agility. However, with the proliferation of mobile apps and how it intertwines with both work and play, new security challenges arise which need to be addressed. This in turn, has led to a vibrant and growing mobile app testing market. According to Market Research Future Analysis, the 'global mobile application testing services market reached USD 3.2 billion in 2018 and has been estimated to be valued at USD 13.6 billion by 2026 growing at 20.32 % CAGR during the forecast period 2019–2026.'

CSA's Mobile Application Security Testing (MAST) working group recently published a 'MAST - Landscape Overview' paper that provides an overview of the MAST market, of which the key points are succinctly covered in this post.

Back In 2016, this working group developed and released a paper with the aim to define a framework for secure mobile application development achieving privacy and security by design. The figure below summarizes the paper's key requirements, which references NIST Special Publication 800-163 (now superseded by SP 800-163 Rev 1) as the basis of consideration in determining classification levels for basic security vetting specifications.

Review and Testing of Apps by Major Mobile App Stores

A common practice among popular mobile app stores is that they do not publicize the types of security review and testing performed on applications submitted to them. Rather than a 'security by obscurity' mindset, the reason for non-disclosure is more likely to do with the number of new vulnerabilities discovered each day (leading to new tests), and that some of the vetting tools are machine-learning based and dynamic in nature.

The paper gives an overview of the review and vetting processes by major mobile app stores: Google Play Store, Apple App Store, Microsoft Store, Amazon AppStore, Samsung Galaxy Store, BlackBerry World and Huawei AppGallery.

App Testing Guides & Tools

Other than the MAST paper, there are also detailed testing guidelines from OWASP, and software tools from a variety of vendors to automate app security testing

• Guides
  • OWASP Mobile Security Testing Guide (MSTG)
  • OWASP Mobile Application Security Verification Standard (MASVS)
• Tools - Many of these tools are open-source, maintained by hundreds of volunteer security professionals, support both Android and iOS platforms, and generate reports about potential vulnerabilities with recommendations on how to fix them.
  • Drozer
  • MobSF
  • QARK
  • Zed Attack Proxy

App developers typically tap multiple tools (e.g., static app security testing, dynamic app security testing, forensics analysis) to automate their security testing workflow to catch as many red flags as possible to improve their app's chances of passing the app stores' review and approval process.

A Temporary Pause

The MAST working group concluded that existing efforts by OWASP provide the industry with detailed guides and checklists to enhance the security posture of mobile apps, while there are a healthy number of open source tools available to conduct security testing on mobile apps. With no obvious and pertinent gaps in the mobile security testing landscape at the moment that the working group can help to address, the working group will be temporarily suspended, but continue to monitor potential security gaps that arise from the emergence of trends such as Beacon Technology, Wearables, and 5G/6G wireless.