App Security Insights

An Introduction to Penetration Testing

Mar 21, 2018 8:45:18 AM / by AppSolid Team

If you wanted to assess whether your home was secure, you’d look at it from the point of view of criminals: where are the unlocked windows? How easily can the door be broken? When are people home? The same principle applies to mobile application security. Penetration testing is an authorized, legal process through which security experts attempt to break into an app to identify and correct points of security weakness. Sometimes called a pen test, penetration testing offers the most comprehensive security assessment possible, by looking at your application from a new perspective.

You’re probably already familiar with criminal hacking. Criminals who hack into mobile apps are known as black hat hackers. What you might be less familiar with is white hat hacking. White hats are the “good guys” of the hacking world. Penetration testing is just one example of the sort of hacking project they might undertake. Here’s what you need to know about this important strategy for securing your app.

Penetration Testing: The Basics

Penetration testing is sometimes confused with vulnerability scanning or threat assessment. Vulnerability scanning is simply the process of identifying potential vulnerabilities. It can be a cursory overview of the app’s areas of exposure, or include a complex analysis of them. In either scenario, penetration testing goes much deeper.

Penetration testing does not rely on the theoretical effectiveness of security protocols you’ve put in place. Nor does it rely on bland reassurances from your security department. Instead, it makes your app a target to get a feel for what a real-world attack would look like. Unlike with a real-world attack, however, your app is not actually threatened. This makes penetration testing the gold standard for securing your app, understanding how a hack might affect it, and honestly assessing vulnerabilities.

Penetration testing isn’t just for mobile apps, either. Pen tests can also expose areas of vulnerability for web apps. For companies that produce both, penetration testing on each can offer a holistic view of security issues, and protect against issues that an app-only testing approach might miss.

So what are the benefits of penetration testing?

  • It shows you how a hacker might look at your app.
  • It can convince skeptical developers and business owners that, yes, their app too can be a target.
  • It may identify easily fixed security holes.
  • It gets your team to start thinking more comprehensively about security.

Penetration testing is so effective that some companies now encourage outsiders to attempt to penetrate their apps. This approach to penetration testing confers an additional benefit: the perspective of an outsider. Your in-house security team might have blind spots when it comes to your app. By recruiting outsiders, you circumvent those blind spots.

Google recently began offering $1,000 to hackers who could penetrate certain Android apps. That’s not a strategy every company can use. After all, inviting hackers to hack your app is also an invitation to criminals. And who wants to rely on data from outsiders? The better, safer strategy is a controlled penetration test.

How Does Penetration Testing Work?

So how does penetration testing work? Like any other security protocol, penetration testing is tailored to the goals and needs of the company using it.

The process generally goes as follows:

  1. Planning: During this stage, you identify the specific goals of penetration testing. What are you testing? Which security vulnerabilities are you most interested in? No single penetration test can test your app in its entirety. Setting clear goals can help you design the right test.
  2. Information gathering: Once you have an idea of what you want to test, you’ll begin gathering data about your app’s potential vulnerabilities. This can be a quick process that involves just a few simple facts about your app, or a detailed analysis that can take several weeks. It all depends on the goals you establish for penetration testing.
  3. Scanning for vulnerabilities: This is the process through which the penetration begins. You’ll begin scanning for potential soft spots using a variety of techniques. Those might include analyzing the code when the application is not running (static analysis), as well as analyzing code when it’s in an active state (dynamic analysis).
  4. Breaking into the app: This is the stage during which you mimic the behavior a criminal would engage in. You’ll enter the app, try to exploit various vulnerabilities, and see exactly how much damage you can do after breaking in. During this stage, you might test to see how easy it is to:
    • Steal user data.
    • Change privileges or lock out admins.
    • Intercept traffic.
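
As an added illustration of the static-analysis half of step 3 (not code from the original post or from SEWORKS), the sketch below inspects a decoded AndroidManifest.xml without running the app. The sample manifest is constructed, and the four checks (debuggable build, backups allowed, cleartext traffic, components exported without a permission) are common Android hardening checks chosen for this example, not a list taken from the post.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded manifest of a hypothetical app, com.example.shop.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shop">
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <provider android:name=".UserProvider" android:exported="true"
              android:permission="com.example.shop.READ_USERS"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>
"""

# Application-level flags that should not be "true" in a release build.
APP_FLAGS = {"debuggable": "DEBUGGABLE", "allowBackup": "ALLOW_BACKUP",
             "usesCleartextTraffic": "CLEARTEXT_TRAFFIC"}

def is_launcher(component):
    """The launcher activity must be exported, so it is not reported."""
    return any(c.get(NS + "name") == "android.intent.category.LAUNCHER"
               for c in component.iter("category"))

def scan_manifest(xml_text):
    """Return (finding, subject) pairs for risky manifest settings."""
    app = ET.fromstring(xml_text.strip()).find("application")
    if app is None:
        return []
    findings = [(label, "application") for flag, label in APP_FLAGS.items()
                if app.get(NS + flag) == "true"]
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            exported = comp.get(NS + "exported") == "true"
            if exported and not comp.get(NS + "permission") and not is_launcher(comp):
                findings.append(("EXPORTED_NO_PERMISSION", comp.get(NS + "name")))
    return findings

if __name__ == "__main__":
    for finding, subject in scan_manifest(SAMPLE_MANIFEST):
        print(f"{finding:24} {subject}")
```

The manifest inside an APK is binary-encoded, so decode it first (for example with apktool), and parse files from untrusted sources with a hardened XML parser such as defusedxml.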

The final two steps are critical for understanding exactly how vulnerable your app really is.

Those include:

Maintaining Access

It takes companies an average of 208 days to detect a mobile application breach. This long delay allows hackers to do much more damage than they could do in just a few days. They’ll gain access to more user data, more private corporate data, and be able to analyze app-specific trends over time. They may also be able to access other apps.

Maintaining access to the app allows you to assess how long a breach can go undetected. This offers key insights into what you can do to detect breaches earlier. For many businesses, this phase of penetration testing offers a potent wake-up call.

Analysis and Action Plan

A penetration test offers little value if you don’t act on it. During the analysis phase, you’ll get a detailed report on exploitable vulnerabilities. You may also identify areas for future testing. This can help you address security holes, potentially stopping an attack before it even begins.

One of the most effective tools for penetration testing is Pentoma, developed by SEWORKS. This artificial intelligence (AI)-powered testing tool makes assessing for potential security threats easy and intuitive. Rather than spending time and money devising complex tests, Pentoma guides testers through an intelligent process that can expose most vulnerabilities.

Types of Penetration Testing

Every app has numerous points of vulnerability. Indeed, most breaches come not from criminals on the outside, but from insiders. So the best security testing looks at areas of vulnerability from multiple perspectives. To get the most from penetration testing, you should try several approaches.

Those include:

  • Internal testing: This is testing that simulates an attack by a company insider, such as an employee or freelancer. It’s also a great way to assess the potential effects of an employee whose credentials are stolen. Many attacks are multi-pronged, and begin with phishing attacks on employees.
  • External testing: This tests attacks from the outside, such as attacks on the application, the company website, or DNS.

It’s important that testing be unbiased. Some security personnel have a vested interest in making an app seem more secure than it actually is. Even well-meaning testers can be subtly biased by previous experiences. For instance, if the only hack your company has ever experienced has targeted company email, the natural inclination is to prioritize this sort of attack. But there may be another more obvious vulnerability that you miss with this short-sighted approach. That’s why the most effective penetration testing implements specific procedures to reduce the risk of bias.

Testing is sometimes blind or double-blind. In a blind test, the tester knows only the name of the targeted company. In a double-blind test, security testers have no knowledge about the enterprise or previous attacks. Both approaches can reduce the risk of bias.

Why Do Penetration Testing?

Penetration testing is the gold standard for protecting sensitive apps. The U.S. General Services Administration (GSA) has implemented clear standards for the process. If the government suggests doing penetration testing to protect against hackers, shouldn’t your business follow suit?

Let’s consider why penetration testing is different from other security measures.

App developers, the businesses who hire them, and the security experts who support them often commit a fatal error: they look at the app from the perspective of a law-abiding person. Sure, they put some thought into password rules, firewalls, and other miscellany of security. But they never give much thought to how their app looks to a criminal.

If you really want to protect your app, you must get inside the mind of someone who wishes to compromise it. After all, you can’t learn much about black hat hacking from people who don’t do it and never think about it. Just as a political leader tries to get inside the minds of adversaries from other nations, an app developer must consider the vulnerabilities their app presents from the perspective of a criminal or other person who wishes to compromise the app.

Many developers and businesses operate under the misapprehension that their app is uninteresting to criminals. They think criminals target bigger apps, or apps that house more secure data. The truth is that any app, no matter how small and no matter what data it houses, can be a target. Hacking is a crime of opportunity.

The easier your app is to hack, the more likely it is to become a target. Apps that offer something enticing -- sensitive data, access to credit cards, a chance to penetrate other apps -- are doubly valuable, and criminals are willing to spend more time breaking into them.

Some questions to ask that can guide your security protocols and help you implement effective penetration testing include:

  • What information does this app store? What is the value of that information?
  • If someone hacked into this app, what could they see about my company or my customers?
  • How much customer data is at stake? The more users you have, the more valuable a hack of your app becomes.
  • What are the biggest areas of security exposure in my app?
  • Have I done anything to protect against user error?
  • How much money could a catastrophic hack cost? How much money will penetration testing and full security cost?
  • How much time would a hacker need to spend to exploit my app’s most obvious vulnerabilities?
  • Have apps similar to mine recently been hacked?
  • Does my app rely on other apps or software that could be hacked? For example, apps that use a third-party payment provider may be more vulnerable.
  • Could hacking my app provide a hacker with access to other data? A password storage program, for instance, is a highly desirable target.

Any app can be hacked, but those that are the most desirable include:

  • Apps with any marketable information. Apps that collect lots of demographic data are particularly desirable.
  • Apps that may offer access to emails or other apps.
  • Apps with payment information or bank details.
  • Apps that store potentially embarrassing information.
  • Apps that include healthcare data.
  • Apps that are linked to email, or to other apps.

However, the single best predictor of whether an app will be hacked is whether or not it is secure. Every app -- even the simplest, apparently most trivial game -- can become a valuable source of information. Insecure apps are always going to be a target, so don’t pretend otherwise. Convincing yourself your app can hide amid a sea of bigger apps, or that obscurity or anonymity will prevent you from becoming a target, is a fool’s errand.

If you have an app, you are a potential target. And that’s really all you need to know.

What Are the Risks of Poorly Secured Apps?

In today’s competitive mobile application development environment, everyone wants to turn around their apps as quickly as possible. The pressure to stay ahead of the curve can be overwhelming. That’s why so many developers forget about security. In the rush to make their apps available, they forget a key component -- protecting their customers.

This decision can haunt you for years to come. If you don’t secure your apps:

  • You miss out on a powerful marketing opportunity. Consumers want secure apps. If a competitor can guarantee greater security, they are more likely to choose that competitor.
  • You subject yourself to the perils of bad publicity. Do you really want your company to become synonymous with a major hack? Consider how much time you spend marketing your products. Think about how all those efforts could be undermined by a devastating hack.
  • You could face legal action, including extremely costly lawsuits.
  • You might face government investigations and fines.
  • You could lose your competitive edge. Hackers increasingly target corporate secrets and other data. If you have a very popular app, your competitors may try to learn as much about it as they can, so they can copy it and market it for a fraction of the cost.

The cost of securing your app is minimal compared to the enormous costs you can incur if your app is insufficiently secure. Consider penetration testing an investment in the long-term profitability of your business and success of your mobile applications. Failsafe security is no longer optional. It’s the single best thing you can do to protect your business. So don’t put it off any longer.

You Don’t Have to Do it All (or Do it Alone)

Penetration testing is no small undertaking. Though it may prove vital to the safety and security of your application, it can also be a lot of work.

That’s where many companies find themselves in trouble. They know they need to do comprehensive testing. They know they need to update their security protocols and continually respond to real-world threats. But they can’t justify the time and expense it all demands. Or they lack the expertise. So they let themselves remain at risk.

It doesn’t have to be this way. AppSolid works with developers and businesses to test for vulnerabilities, fix security holes, and continually respond to today’s ever-evolving landscape of threats. Security isn’t something you do once. It’s a process that’s constantly evolving. We stay ahead of the curve, and help you reassure users that they can safely use your apps.
