Testing security of your mobile application

Authors: Tomasz Soroka

01.07.2016

Over the last few days we did some testing of the Codified Security service, which finds security problems in mobile applications. The tool works in a very simple way and can be integrated with your continuous integration server. It can be used to find flaws such as:

  • sensitive data inside the code of the mobile application, for example API keys
  • views that are not protected
  • insecure channels used for transferring data
  • well-known accounts hard-coded inside the application

We also found some problems, such as things being reported as errors which are in fact typical for the MvvmCross framework, for example:

    private const string SavedFragmentTypesKey = "__mvxSavedFragmentTypes";
    private const string SavedTabIndexStateKey = "__savedTabIndex";
    public const string ViewModelRequestBundleKey = "__mvxViewModelRequest";

These are framework-internal bundle keys, not security flaws.
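To illustrate the first kind of finding (hard-coded secrets) and the MvvmCross false positives described above, here is a small added example of our own; it is not code from the Codified Security tool. It scans C# string constants, flags those whose name or value looks like a credential, and skips values on an allowlist of known framework keys so the MvvmCross constants are no longer reported. The C# sample, the two secret values, the regular expressions and the entropy threshold are all constructed for this example.

```python
import math
import re

# Framework-internal string constants that the post names as benign MvvmCross
# keys. Assumption (not the tool's own mechanism): an allowlist is how we keep
# the scanner from reporting them as hard-coded secrets.
KNOWN_BENIGN_VALUES = {
    "__mvxSavedFragmentTypes",
    "__savedTabIndex",
    "__mvxViewModelRequest",
}

# Constructed C# fragment: the MvvmCross constants from the post, two made-up
# secrets and one harmless string.
SAMPLE_SOURCE = '''
private const string SavedFragmentTypesKey = "__mvxSavedFragmentTypes";
private const string SavedTabIndexStateKey = "__savedTabIndex";
public const string ViewModelRequestBundleKey = "__mvxViewModelRequest";
private const string ApiKey = "AIzaSyD-EXAMPLEexampleEXAMPLE1234567ab";
private const string AdminPassword = "Summer2016!";
private const string Greeting = "Hello";
'''

# Matches C# string constants of the form: const string <Name> = "<value>";
CONST_STRING = re.compile(r'const\s+string\s+(\w+)\s*=\s*"([^"]*)"')
# Identifier fragments that suggest a credential (constructed list).
SENSITIVE_NAME = re.compile(r"key|secret|token|password|passwd|pwd|credential", re.I)
# Values at least this long with entropy above the threshold look like generated keys.
MIN_KEY_LENGTH = 20
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value):
    """Bits of entropy per character of `value` (0.0 for the empty string)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(source, allowlist=frozenset(KNOWN_BENIGN_VALUES)):
    """Return [(name, value, reasons)] for constants that look like secrets.

    A constant is reported when its name suggests a credential and/or its value
    is long and high-entropy; values on the allowlist are skipped entirely, which
    is what removes the MvvmCross false positives.
    """
    findings = []
    for match in CONST_STRING.finditer(source):
        name, value = match.group(1), match.group(2)
        if value in allowlist:
            continue
        reasons = []
        if SENSITIVE_NAME.search(name):
            reasons.append("name")
        if len(value) >= MIN_KEY_LENGTH and shannon_entropy(value) > ENTROPY_THRESHOLD:
            reasons.append("entropy")
        if reasons:
            findings.append((name, value, reasons))
    return findings


if __name__ == "__main__":
    for name, value, reasons in scan(SAMPLE_SOURCE):
        print(f"{name}: {value!r} flagged by {', '.join(reasons)}")
```

With the allowlist in place only `ApiKey` and `AdminPassword` are reported; with an empty allowlist the three MvvmCross constants are flagged as well, simply because their names end in `Key`, which is exactly the kind of noise the post complains about.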

After testing the app you get a report, which looks like this:


It can be exported to PDF and shared, for example with the customer.

Finally, we keep our fingers crossed for the developers of Codified Security to keep improving their solution. It is already usable and we can recommend it to everyone, but we also see a lot of things that can be improved :) We are also convinced to use this tool at Leaware during the development of mobile apps.

More information can be found on their website: https://codifiedsecurity.com