Florin Coada: MOBILE TESTING - A SIMPLE SOLUTION TO YOUR MOBILE SECURITY TESTING
1. Mobile testing
IAST – A Simple Solution To Mobile Security Testing
Florin Coada
IBM Security
2. About the speaker
Florin N. Coada
IBM Security
United Kingdom
Features:
1. 4.5 years with IBM doing security
2. Likes video Games
3. Will not answer random emails
3. What’s IAST?
• Interactive Application Security Testing
  – Not quite DAST and not quite SAST
  – “Behavioural analysis”
• Analyse an application in an instrumented environment and observe the behaviour to detect potential vulnerabilities
[Diagram: ASoC Mobile Analyser, instrumented environment]
4. Terminology
• SAST = Static Application Security Testing
• DAST = Dynamic Application Security Testing
• SDLC = Software Development Lifecycle
• ASoC = Application Security on Cloud
• Noise = findings that are not interesting
• False positive = False finding reported by the tool
5. Mobile Apps
• So… there’s more than one type of app:
  – Native apps
  – Hybrid apps
  – Web view apps
6. Mobile Apps & Web Services
• Most web apps will have some form of business logic provided by a back-end service
[Diagram: Presentation, Business logic and Authentication layers; labels: Device Authentication, Environment analysis, Runtime protection, Serve dynamic content, Improves app rendering, Basically a bookmark]
7. Testing strategies: {sast}
• Native layer code can be handled with SAST
• Pros:
  – Can run it shortly after building the app
  – Fast (once you set it up)
  – Could potentially test both the service and the app
• Cons:
  – Takes a while to set up
  – Doesn’t take into account the platform
  – Can’t keep up with the language updates
  – Noise and false positives
  – Not a lot of value for web view apps
[Diagram: data flow from Source to Sink]
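As an added illustration of the source-to-sink data flow that SAST tools look for (example code written for this page, not IBM's or ASoC's analyser), the Python pass below walks a program's syntax tree, propagates taint from a hypothetical `get_param` source through assignments and string concatenation, and reports any value that reaches the hypothetical `run_query` sink without passing through the hypothetical `escape` sanitiser. The rule names and the sample program are constructed. Running the same pass with an empty sanitiser list shows one place the "noise and false positives" on the slide come from: an analyser that does not know a project's sanitisers reports the safe function as well.

```python
"""Toy SAST pass: static source-to-sink taint tracking over a Python AST.

Added example for illustration; not ASoC or Mobile Analyser code.
SOURCES, SINKS and SANITIZERS are constructed rule names, not a real ruleset.
"""
import ast

SOURCES = {"get_param"}      # hypothetical: returns attacker-controlled input
SINKS = {"run_query"}        # hypothetical: hands its argument to the database
SANITIZERS = {"escape"}      # hypothetical: neutralises the input


def _call_name(node):
    """Simple function name of a call expression foo(...), else None."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        return node.func.id
    return None


def _is_tainted(expr, tainted_vars, sanitizers):
    """True if the expression may carry data that originated at a source."""
    name = _call_name(expr)
    if name in SOURCES:
        return True
    if name in sanitizers:
        return False                      # taint stops at a known sanitiser
    if isinstance(expr, ast.Name):
        return expr.id in tainted_vars    # variable assigned from tainted data
    # Concatenation, f-strings, nested calls: tainted if any operand is
    return any(_is_tainted(child, tainted_vars, sanitizers)
               for child in ast.iter_child_nodes(expr))


def find_flows(source_code, sanitizers=SANITIZERS):
    """Return (function name, line) pairs where tainted data reaches a sink.

    Flow is followed statement by statement inside each function, which is
    enough for straight-line code like the sample below.
    """
    findings = []
    tree = ast.parse(source_code)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()                   # variables currently holding tainted data
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if _is_tainted(stmt.value, tainted, sanitizers):
                            tainted.add(target.id)
                        else:
                            tainted.discard(target.id)   # overwritten with clean data
            for call in ast.walk(stmt):
                if _call_name(call) in SINKS and any(
                        _is_tainted(arg, tainted, sanitizers) for arg in call.args):
                    findings.append((func.name, call.lineno))
    return findings


# Constructed sample program to analyse (line numbers start at 1 on the blank line)
SAMPLE = '''
def lookup_user():
    uid = get_param("id")                              # source
    run_query("SELECT * FROM users WHERE id=" + uid)   # sink: reported

def lookup_user_safe():
    uid = escape(get_param("id"))                      # sanitised before use
    run_query("SELECT * FROM users WHERE id=" + uid)   # not reported

def constant_query():
    run_query("SELECT 1")                              # no source involved
'''

if __name__ == "__main__":
    print("with sanitisers:   ", find_flows(SAMPLE))
    print("without sanitisers:", find_flows(SAMPLE, sanitizers=set()))
```

The first run reports only `lookup_user` (line 4 of the sample); the second run, which models a tool that has not been told about `escape`, also reports `lookup_user_safe` (line 8), which is exactly the kind of finding a reviewer has to triage by hand.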
8. Testing strategies: {dast}
• Web services logic can be tested using DAST
• A running web service
• Test account
• Disable third-party security systems
• Access from the test system to the app
9. Testing strategies: {dast}
• Web services logic can be tested using DAST
• Pros:
  – Can find vulnerabilities in the logic layer
  – Language agnostic
  – Can be automated without using the app
• Cons:
  – You’re not actually testing the app
  – Noise and false positives
  – Not a lot of value for native apps
[Diagram: Proxy, DAST Scanner, Recorded data]
10. Testing strategies: {iast}
• IAST will enable you to test both parts of the app at the same time
• Pros:
  – Test the app and some of the back end at the same time
  – Easy to run (drag and drop)
  – Can detect issues in the context of the platform being used
  – Can be automated
• Cons:
  – Complex log-in mechanisms are hard to scan
[Diagram: ASoC Mobile Analyser, instrumented environment]
12. Choosing the right one for you
• SAST: Difficult but works on both
• DAST: Fairly easy to set up, but only for web services
• IAST: Does a bit of both, very easy to use
  – More “actionable” results
  – Easier to understand
  – Does a combination of both of the above
  – Very easy to use