Mobile Application Security Testing (MAST)

By Aloysius Cheang, Executive Vice President, Asia Pacific at Cloud Security Alliance

The use of mobile applications has become unavoidable, almost a necessity, in today's world, and more people are starting to question how secure these applications are. With the emergence of cloud computing, organizational transformation is required to address this paradigm shift. Cloud computing accelerates real-time use of applications, which allows for business agility. However, with the proliferation of mobile applications, a new set of security challenges arises.

In order to help organizations and individuals reduce their risk exposure and the security threats that come with using mobile applications, a framework for secure mobile application development is required, one that achieves privacy and security by design. Mobile Application Security Testing (MAST) therefore needs to be implemented, and doing so will result in clearly articulated recommendations and best practices for the use of mobile applications.

We need to take security seriously from the beginning of application development through to application data deletion. This can be managed as a lifecycle that covers development, testing, production, update, application removal and application data deletion. The most recent mobile application security testing documents released by NIST (2015) and CSA (2016) identify a few major requirements for mobile application security. In short, the key controls identified are permission misuse, improper information disclosure, API/LIB native risk, application collusion, development obfuscation, connection encryption strength, data storage and power consumption.

Next, one needs to address how to test the security of mobile applications. The security testing and vetting processes used in MAST involve both static and dynamic analysis to evaluate the security vulnerabilities of mobile applications on platforms such as Android, iOS and Windows. These processes cover permissions, exposed communications, potentially dangerous functionality, application collusion, obfuscation, excessive power consumption and traditional software vulnerabilities. They also cover internal communications, such as the debug flag and activities, and external communications, such as GPS and NFC access, as well as checking the links written in the source code.
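To make the static-analysis side of this concrete, the following is an added example written for this article; it is not code from the CSA or NIST documents. It runs a few of the checks named above (sensitive permissions, the debug flag, cleartext traffic, exported activities and links hard-coded in source) over a constructed Android manifest and a constructed Java snippet. The manifest, the source snippet and the list of permissions worth justifying are all assumptions made for illustration; a real review would use the project's own files and a policy-driven permission list.

```python
import re
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace in every manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Illustrative subset of permissions a reviewer would want justified
# (assumption: a real policy list would be longer and organisation-specific).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.NFC",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
}

# Constructed sample manifest for the demo (not taken from any real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.NFC"/>
    <application android:debuggable="true"
                 android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".AdminActivity" android:exported="true"/>
        <activity android:name=".SettingsActivity" android:exported="false"/>
    </application>
</manifest>
"""

# Constructed sample source with one cleartext and one TLS endpoint.
SAMPLE_SOURCE = """
public class ApiClient {
    static final String BASE = "http://api.example.test/v1/";
    static final String CDN = "https://cdn.example.test/";
}
"""

URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def analyse_manifest(manifest_xml):
    """Return (category, detail) findings for the manifest checks above."""
    root = ET.fromstring(manifest_xml)
    findings = []

    # Permission misuse: flag requested permissions from the sensitive set.
    for up in root.iter("uses-permission"):
        name = up.get(ANDROID_NS + "name", "")
        if name in SENSITIVE_PERMISSIONS:
            findings.append(("permission", name))

    app = root.find("application")
    if app is not None:
        # Debug flag left on in a release build exposes internals.
        if app.get(ANDROID_NS + "debuggable") == "true":
            findings.append(("debug_flag", "android:debuggable=true"))
        # Connection encryption strength: cleartext HTTP allowed app-wide.
        if app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
            findings.append(("cleartext", "android:usesCleartextTraffic=true"))
        # Activities exported to other apps without a guarding permission;
        # the launcher activity is expected to be exported and is skipped.
        for act in app.iter("activity"):
            is_launcher = any(
                c.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER"
                for c in act.iter("category"))
            if (act.get(ANDROID_NS + "exported") == "true"
                    and not is_launcher
                    and act.get(ANDROID_NS + "permission") is None):
                findings.append(("exported_activity", act.get(ANDROID_NS + "name")))
    return findings


def find_hardcoded_urls(source):
    """Return (url, is_cleartext) for every link written into the source."""
    return [(u, u.startswith("http://")) for u in URL_RE.findall(source)]


if __name__ == "__main__":
    for category, detail in analyse_manifest(SAMPLE_MANIFEST):
        print(f"[manifest] {category}: {detail}")
    for url, cleartext in find_hardcoded_urls(SAMPLE_SOURCE):
        print(f"[source] hard-coded URL {url}{' (cleartext)' if cleartext else ''}")
```

The checks are deliberately simple table-driven rules so that each one maps back to a control named in the NIST and CSA documents; in a real pipeline they would run alongside dynamic analysis, which is the only way to observe behaviours such as power consumption or application collusion at runtime.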

We should be aware that there are many other mobile application security concerns in the market, and that more effort is needed to address them. The next step for mobile applications is to develop a mobile certification framework that will certify the security of mobile applications. The question is: will you be interested in being part of this?