Chip & System Security Testing 
Looking ahead to future of Post-Quantum Cryptography, we have partnered with PQShield to strengthen our hardware security solutions.
SOLUTIONS

  • > Side Channel Analysis

    Ready-to-use side channel tools to assess cryptography algorithms.

  • > Fault Injection: Laser, EM & Glitching

    Make sure your chip withstands different techniques of physical fault injections.

  • > Firmware Security Analysis

    Qualify embedded code binaries without physical devices and benches.

  • > Security Failure Analysis

    Photoemission analysis to explore internal information in a chip.

  • > Vulnerability Research

    Dynamic analyses at a system level for investigating potential vulnerabilities.

  • > esDynamic for EDU SCA and FI

    A learning center for academics to teach and perform side-channel analysis and fault injection

TECHNOLOGIES

  • > Data Science Platform

    esDynamic is a complete data focused platform to leverage the know-how of your team for complex analyses.

  • > esFirmware Engine

    Assess the security of the firmware of IoT devices against logical and physical attacks.

  • > esReven Engine

    Record and replay vulnerability researches within reverse engineering processes and tools.

PROFESSIONAL SERVICES

  • > Cybersecurity Training

    Grow your expertise with training modules driven by a coach.

  • > Hardware Evaluation Lab

    High-end laboratory capabilities specialized in hardware security evaluations.

Mobile & Backend Security Testing 
Standard Mobile Payment Security PCI MPoC
Prepare for the future of mobile payments with PCI MPoC (Mobile Payments on Common-of-the-shelf devices).
EXPERTISE

  • > Mobile App Security

    Know the threats and risks of your Mobile App.

  • > DevSecOps

    Integrate the security protections verification in your CI/CD pipeline.

  • > PCI MPoC

    Prepare your product to meet this new mobile payment standard.

SOLUTIONS

  • > Mobile App Security Testing (MAST)

    esChecker SaaS: automating the security testing of your mobile app binary.

PROFESSIONAL SERVICES

  • > Mobile App Penetration Testing

    Testing the resiliency of your Mobile App, SDK or RASP tool.

  • > Backend Penetration Testing

    Testing the resiliency of your Web App, API or Backend Systems.

  • > Coaching for Mobile App Developers

    Providing insights into the mobile app threats and how attackers work by a learning-by-doing approach.

  • Go to our German website

Our Company 
Passionate about security and wanting to work in an exciting and innovative environment? Full time and internship opportunities starting 2023.
OUR COMPANY

  • > Events

CAREERS

  • > Meet our experts

  • > Open positions

    Join our team!

FOLLOW US
Blog
Contact us
Back to all articles
Mobile App & Software

How to run accurate dynamic mobile application security testing?

6 min read
Edit by Rémy Balangué • Mar 2, 2023
Share

If you read this blog post, this certainly means there is no need to convince you about the importance of securing your mobile application against hacking. And to make a proper job, you certainly embrace a multi-layer approach.

First, by designing and coding with the aim to handle well the sensitive data and operations. This is what OWASP specified in the MASVS by two levels: L1 (Standard Security) and L2 (Defense-in-depth).

Second, by hardening the code against attacking tools, mixing code obfuscation and anti-tampering measures to make reverse-engineering harder to achieve. OWASP’s MASVS have captured this in the R, Resiliency, layer.

We wrote a blog post about this: How can OWASP help you define your mobile app security policy?

 

How can you make sure your app protections are effective?

Now comes this critical question: how do you validate these software protections? They are implemented to withstand attacks. This means that you need to create the conditions of attacks to observe if they are effective.

Easy to say, but how difficult in practice?

You don’t have necessarily the knowledge and skills internally to do this. And the human external resource is tedious and incompatible with regular and systematic verifications.

There is one option though: specialised automated testing tools. There are quite a few. They are not necessarily appropriate to address the critical point of security protection validation. We believe that a testing process should mandatorily have the application actually executed.

In other words: make sure the application is running when testing different attack scenarios and observe if the behaviour is as expected.

In “Gartner” language, this could be seen as a Dynamic test. And the tool feature would be named a DAST (Dynamic Application Security Testing). Okay ... but this wording mainly comes from AST (Application Security Testing), and the application to mobile apps does not necessarily work.

Many DAST tools do not make the proper testing of the application binary running and being tested. Maybe because it is difficult to implement.

Some will name it IAST, standing for Interactive Application Security Testing. This combines together the notion of dynamic and interactivity, here the manual interactions allowing to gain security testing code coverage.

Regardless of the toolmaker and the terminology, you will need to do one thing: make sure you know precisely which problem you want to solve: which assurance do you want on your mobile application. Once done, selecting the right tool should easily flow...

 

What kind of dynamic testing for the application resiliency?

To protect your application, you have to understand how it behaves when:

  • Running in suspicious environments, such as a rooted or jailbroken phone,
  • A potential threatening software is used along with the phone (a debugger, an instrumentation framework like Frida, a debugger, etc.),
  • A piece of code is being injected into it,
  • And many more scenarios.

As a result, a dynamic test is a test happening at runtime. We need:

  1. A mobile application
  2. A dynamic test running on the mobile application in real conditions
  3. A mobile device

 

Two reasons why you shouldn't test your apps on emulators

Reason #1: Your anti-emulation protection would falsify your actual results

If your application is correctly protected, it should NOT allow the use of emulators. As a result, all your dynamic tests run on an emulator will be biased.

Using an emulator would generate a lot of false-positive tests as the app would crash immediately, even though you're testing your root detection or your code injection protection.

Let’s imagine one needs to test the protections against hooking techniques to inject some code.

hook-detection.jpg

On an emulator, if you’re protected against the emulation, all your tests would trigger the protection, making you confident about your protection level.

On a real device, you would test your protections layer by layer, passing through the emulation detection, the root detection, and the hook detection.

Long story short, running Dynamic Testing for the same application on an emulator or on a real device would end up in completely different results.

Don’t. Do. That.

 

Reason #2: Hackers love device emulators

Allowing your app to run on an emulated device is highly risky as it allows attackers to better handle the runtime environment, which makes reverse-engineering easier.

In your strategy to slow the work of attackers down, blocking emulators to run your app is essential.

 

Tip #1: Get your own devices

🚨 Disclaimer: to run your own dynamic tests on real devices, you need to be able to develop a custom ROM and manage the dynamic attacks yourselves. This part requires strong expertise. Believe me 🙂

It’s neither that complex nor that expansive to get your own devices to run dynamic attacks. If you can’t afford to buy some devices and pay them upfront, you can think of renting your fleet

 

Tip #2: Automate your Dynamic Tests

An even more efficient way to run dynamic tests is to automate them with MAST tools (Mobile Application Security Testing). At eShard, we released esChecker to automate hundreds of tests on behalf of our clients.

It’s an easy way for them to test their Android and iOS mobile apps every time a new app build is ready against top-market and cutting-edge static and dynamic tests.

app.jpg

Integrating the security verifications within your SDLC (Software Development Lifecycle) is the best way to make sure that every app update doesn’t push any protection regression in production. We highly recommend automating these tests within your CI/CD pipeline (using built-in plugins or APIs).

 

Takeaways

In a nutshell, here’s what you need to remember:

  • Protect your application against the use on emulated devices,
  • Run dynamic tests on real devices to evaluate your security policy (rent them or buy them on the second-hand market),
  • Automate your dynamic testing to make sure you don't miss any protection regression.

From our experience, it’s really hard to internalise this skill set. This is why we’ve built esChecker.

Do you want to see how it can help you automate your security testing? Give it a try for your iOS or Android applications.

Top 120 European Mobile Banking App Benchmark

Share

Categories

All articles
(77)
Chip Security
(21)
Corporate News
(7)
Mobile App & Software
(25)
Vulnerability Research
(25)

you might also be interested in

Mobile App & Software

Penetration Testing in the world of DevSecOps

4 min read
Edit by Hlib Budylo • May 5, 2023
CopyRights eShard 2023.
All rights reserved
Privacy policy | Legal Notice
SECURITY TESTING SOLUTIONS
Side Channel AnalysisLaser & EM Fault InjectionFirmware Security AnalysisSecurity Failure AnalysisVulnerability ResearchMAST: Mobile Application Security Testing
TECHNOLOGIES
Data Science PlatformesFirmware EngineesReven Engine
PROFESSIONAL SERVICES
Cybersecurity TrainingHardware Evaluation LabPenetration Testing for Backend and WebAppPenetration Testing for Mobile Applications
COMPANY
About usJoin our team!EventsBlog