Mobile Application Security

Testing - Landscape Overview

The permanent and official location for the Mobile Application Security Testing (MAST) Working
Group is: https://cloudsecurityalliance.org/research/working-groups/mobile-application-security-
testing-mast/

© 2020 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your
computer, view, print, and link to the Cloud Security Alliance at https://cloudsecurityalliance.org
subject to the following: (a) the draft may be used solely for your personal, informational, non-
commercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be
redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote
portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act,
provided that you attribute the portions to the Cloud Security Alliance.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 2

About the Mobile Application Security Testing (MAST) Working Group
(WG)
The MAST WG is a Cloud Security Alliance (CSA) research WG whose goal is to engender a safer
cloud ecosystem for mobile applications, by creating systematic approaches to application testing
and vetting that helps integrate and introduce quality control and compliance to mobile application
development and management. The WG hopes that more research into mobile application security
vetting and testing will help reduce the risk and security threats that organizations and individuals
expose themselves to when using mobile applications.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 3

Acknowledgments
Contributors:
Henry Hu
Michael Roza

Peer Reviewers:
Srinivas Naik
Giovanni Russello

CSA Analysts:
Hing-Yan Lee
Haojie Zhuang

CSA Global Staff:

AnnMarie Ulskey (Design)

© Copyright 2020, Cloud Security Alliance. All rights reserved. 4

Table of Contents
1. Introduction.....................................................................................................................................6
2. MAST Whitepaper Overview............................................................................................................7
3. Mobile Application Security Testing Landscape................................................................................8
3.1 Major Mobile App Stores..........................................................................................................9
3.2 App Testing Guides & Tools.................................................................................................... 12
4. Conclusion.....................................................................................................................................14

© Copyright 2020, Cloud Security Alliance. All rights reserved. 5

1. Introduction
The advent of mobile apps

It was only recently that whenever a new service was introduced, it would be provided via /
accompanied by websites that allow users easy access to the service, be it social media, online
banking, online grocery shopping, etc. A website was almost always mandatory. But with the
explosion of smart mobile devices ownership (approximately 3.5 billion smartphone users in 20201),
mobile applications (apps) have surpassed websites as the avenue of choice when it comes to
consuming services.

According to a study by eMarketer, approximately 90% of the time spent on smartphones is spent on
apps as opposed to websites2. ‘Do you have an app for that?’ is one of the common questions asked
by the digital native when introduced to a new service.

The following are some interesting statistics that further illustrate the prevalence and impact of
mobile apps in our everyday lives:

• Approximately 2.9 million apps are available on the Google Play Store in Dec 20193
• Approximately 1.8 million iOS apps are available on the Apple App Store in Jan 20204
• Consumers downloaded a total of 204 billion apps in 20195
• Consumers spent USD 462 billion on apps in 20196
• 60 to 90 apps are installed on the average smartphone7

Mobile apps, cloud & security

Cloud computing accelerates the development and real-time use of applications, which drives
personal productivity and business agility. However, with the proliferation of mobile apps and how it
intertwines with both work and play, new security challenges arise which need to be addressed. This
in turn has led to a vibrant and growing mobile app testing market. According to Market Research
Future Analysis, the ‘global mobile application testing services market reached USD 3.2 billion in 2018
and has been estimated to be valued at USD 13.6 billion by 2026 growing at 20.32 % CAGR during the
forecast period 2019–2026’8.

1
https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/
2
https://www.emarketer.com/content/us-time-spent-with-mobile-2019
3
https://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store/
4
https://www.lifewire.com/how-many-apps-in-app-store-2000252
5
https://www.statista.com/topics/1002/mobile-app-usage/
6
https://www.statista.com/topics/1002/mobile-app-usage/
7
https://buildfire.com/app-statistics/
8
https://www.marketwatch.com/press-release/mobile-application-testing-services-mar-
ket-global-segment-analysis-opportunity-assessment-competitive-intelligence-industry-out-
look-2020-2024-2020-06-19

© Copyright 2020, Cloud Security Alliance. All rights reserved. 6

Recognizing the importance for the cybersecurity community to work together in this domain, CSA
created the Mobile Application Security Testing (MAST) research working group (WG). The WG aimed
to engender a safer cloud ecosystem for mobile applications, through the creation of systematic
approaches to application testing and vetting that helps integrate and introduce quality control and
compliance to mobile application development and management.

In addition, CSA signed a Memorandum of Understanding with OWASP in 2019 with the aim to
collaborate towards improving and increasing open source security standards and testing for mobile
applications.

The next section briefly describes the key contribution from the MAST WG thus far.

2. MAST Whitepaper Overview

CSA’s MAST WG developed and released a MAST whitepaper9 in 2016 with the aim to define a
framework for secure mobile application development achieving privacy and security by design. This
whitepaper referenced NIST Special Publication 800-163 (now superseded by SP 800-163 Rev 110) as
the basis of consideration in determining classification levels for basic security vetting specifications.
These benchmarks provided third-party institutions with related application security vetting, vetting
result analysis, security risk assessments for mobile applications, and the respective security level
ratings, with the hope to enhance mobile application security.

The CSA believes that implementation of recommendations in the 2016 MAST whitepaper will result
in clearly articulated best practices in the security testing of mobile applications.

To re-cap, the whitepaper covered the following:

• Section 1: introduced the paper’s purpose and scope; normative references; and a preliminary
study
• Section 2: examined the key areas of concerns and challenges during mobile application
security vetting
• Mobile computing and app security challenges
• Third-party app-derived security challenges
• Mobile app development management challenges
• Mobile app security vetting concerns
• Section 3: discussed mobile application security management lifecycle and security
recommendations from development to completion - including usage and off-the-shelf
phases
• Development
• Testing
• Production
• Update

9
https://cloudsecurityalliance.org/artifacts/mobile-application-security-testing/
10
https://csrc.nist.gov/publications/detail/sp/800-163/rev-1/final

© Copyright 2020, Cloud Security Alliance. All rights reserved. 7

 • App removal
• App data deletion
• Section 4: outlined proposed CSA mobile application security testing scheme
• Types of security vetting
• Mobile application security requirements
• Mobile application security vetting methodology

Privacy Handling Native Security Protection Requirement

Permission Misuse: API/LIB Native Risk: Connection Encryption Strength:

Improper permission requests Potential API Risks Connection protection

for malicious purposes
Potential LIB Risks Cryptographic strength and
Intended hidden permission multifactor authentication
usage Injection Risks
Data Storage:
Custom-built permission Application Collusion Activity:
Storage mechanism and
Improper Information Disclosure: Data source/destination location
collusion
Improper surrounding Private and sensitive
information disclosure Broadcast Receiver information protection
components or equivalent
Application internal activities
Data creation/modification/
deletion
Execution Environment
Development obfuscation
Concern: Power Consumption:
Summary of Mobile
Native code execution CPU utilization rate
Application Security obfuscation
I/O Issue
Requirements
Call mapping issues

Recreational obfuscation

Figure 1. Summary of Mobile Application Security Requirements in the MAST Whitepaper

3. Mobile Application Security Testing

Landscape
In addition to the whitepaper publication mentioned earlier, it serves us well to be informed of
practices and efforts in the industry for security testing and vetting of mobile apps, and how even
the most well-resourced app stores can inadvertently allow malicious apps to slip through the cracks
once in a while. With the number of official and third-party mobile app stores available in the market,
it is not possible to comprehensively cover all of them here.

© Copyright 2020, Cloud Security Alliance. All rights reserved. 8

3.1 Major Mobile App Stores
A common practice among popular mobile app stores is that they do not publicize the types of
security review and testing performed on applications submitted to them. Rather than a ‘security
by obscurity’ mindset, the reason for non-disclosure is more likely to do with the number of new
vulnerabilities discovered each day (leading to new tests), and that some of the vetting tools are
machine-learning based and dynamic in nature.

Google Play Store

Before Google Play accepts an app, it is scanned for potential security issues under Google’s App
security improvement program11. The program continues to re-scan apps on Google Play even after
they are accepted, as the threat landscape and known vulnerabilities evolve continuously.

Once an app is installed on an Android device, Google uses Play Protect12, its built-in machine-
learning-based malware protection for Android to keep the device, data, and apps safe. This is
especially useful as there remain numerous third-party Android app stores that users can use to
download and install untrusted apps that were previously blacklisted on the official Play Store, and
are likely to be dangerous13.

How Google Play specifically tests and reviews apps for security is largely proprietary information. It
is however not without flaws, as apps loaded with malware manage to sneak past Google’s defenses
from time to time. For example, the Tekya family of malware generates fraudulent clicks on ads and
banners found in 56 apps on Google Play Store in 202014.

Apple App Store

While Apple provides a set of App Store Review Guidelines15, they are high-level and principles-based
(eg. ‘Apps should implement security measures to ensure proper handling of user information…’).

11
https://developer.android.com/google/play/asi
12
https://www.android.com/play-protect/
13
https://www.forbes.com/sites/zakdoffman/2020/03/07/this-is-androids-most-alarming-malware-
threat-new-report-warns-of-61669-malicious-apps/#144f1bed4a36
14
https://arstechnica.com/information-technology/2020/03/found-malicious-google-play-apps-
with-1-7-million-downloads-many-by-children/
15
https://developer.apple.com/app-store/review/guidelines/

© Copyright 2020, Cloud Security Alliance. All rights reserved. 9

Similar to Google Play Store, the actual process that Apple adopts to test an app for security is
proprietary information.

As secure as the iOS is touted, malicious apps do still slip through the review process, such as the
‘clicker trojan’ module found in 17 approved apps that were approved16. They were subsequently
discovered and removed from the App Store.

Microsoft Store

The Microsoft Store puts submitted apps through its App Certification Process17. However, it similarly
does not disclose the specific tests and only mentions that the test “checks app’s packages for
viruses and malware”.

The Microsoft Store is also not spared from malicious apps. In 2019, Symantec found eight apps on the
store that secretly mined for cryptocurrency by hijacking computing resources on users’ devices18.

Amazon AppStore

The Amazon AppStore provides developers with a pre-submission checklist19. This checklist,
however, does not make much mention in terms of security testing, except for stating that ‘if your
app uses the Amazon Device Messaging API, be prepared to associate your app with a security profile
as part of the submission process,’ which is a requirement for OAuth rather than for security testing.

Amazon does provide a ‘Privacy and Security Policy’20 that explains relevant principles apps need to
adhere by, and also provide examples of app scenarios that violate these policies and will be rejected
by the AppStore. As with its peers, it does not disclose specific tests performed on apps.

Because the use of Amazon AppStore requires Android users to allow installation of apps from
unknown sources, concerns have been raised21 about weakening Android’s security posture by
potentially allowing apps rejected by Google Play Store to make their way onto users’ devices via
alternative avenues.

16
https://9to5mac.com/2019/10/25/malware-iphone-apps/
17
https://docs.microsoft.com/en-us/windows/uwp/publish/the-app-certification-process
18
https://news.softpedia.com/news/malicious-windows-10-apps-found-in-the-store-possibly-down-
loaded-by-thousands-524980.shtml
19
https://developer.amazon.com/apps-and-games/app-submission
20
https://developer.amazon.com/docs/policy-center/privacy-security.html
21
https://www.zdnet.com/article/amazons-app-store-puts-millions-of-android-devices-at-risk/

© Copyright 2020, Cloud Security Alliance. All rights reserved. 10

Samsung Galaxy Store

Samsung’s Galaxy Store provides developers with checklists and guidelines22 for apps that are
submitted to the store. These checklists are principles-based, stating only that ‘Apps must not
include malware or viruses’, without providing further elaboration on how the Galaxy Store ensures
this is adhered to.

We were not able to find reports of malicious apps on the Galaxy Store, likely due to it being the less-
used cousin of the Google Play Store.

BlackBerry World

While app security testing and reviewing details or statistics concerning app malware incidents could
not be located, BlackBerry does provide a Secure Development Platform, that allows developers to
build secure mobile apps.

The platform includes tools such as BlackBerry Unified Endpoint Manager (UEM) - used to manage
users, groups, policies, apps, and app configurations; BlackBerry Workspaces -- where documents
can be securely stored, shared and synchronized across all enterprise platforms and devices;
BlackBerry Enterprise Identity -- an Identity-as-a-Service (IDaaS) that can also be used to federate
identities for SaaS services; BlackBerry two-factor authentication technology that leverages user
mobile devices, avoids PINs and codes; BlackBerry Spark Communications Services -- used to
develop real-time, end-to-end secure messaging capabilities; and BlackBerry Analytics -- which
includes Intelligent Security APIs that can report a user’s current risk level23.

Huawei AppGallery

Huawei, while not disclosing app security testing details, does provide AppGallery Review Guidelines
which consist of:

1. App Information
2. App Security

22
https://developer.samsung.com/galaxy-store/distribution-guide.html
23
https://developers.blackberry.com/

© Copyright 2020, Cloud Security Alliance. All rights reserved. 11

 3. App Function
4. App Content
5. In-App Advertisement
6. App Payment
7. User Privacy
8. Developer’s Behavior

Also included in the package are the Developer’s guide and a Guide to Huawei Mobile Services 4.0
which incorporates security detection, dynamic tag management, fast identity online (FIDO)
authentication, location services, and user identification. Many of these security service offerings
also integrate Huawei’s collaborative chip-device-cloud technology, addressing user privacy and data
security protections24.

Huawei states, but does not provide details that the AppGallery ensures app downloads are secured
using: integrity verification, signature verification, threat detection, AI-enabled safeguards, and other
measures that prevent malicious tampering. Additionally, Huawei describes that during installation,
AppGallery protects app data from being read and avoids loss caused by user data leakage via procedures
such as sandboxing, memory protection, periodic backtesting, and customer service feedback25.

3.2 App Testing Guides & Tools

Other than the MAST Whitepaper26 which provides a high-level mobile app security testing
framework, there are also detailed testing guidelines from OWASP, and software tools from a variety
of vendors to automate app security testing.

OWASP Mobile Security Testing Guide (MSTG)

OWASP’s Mobile Security Testing Guide (MSTG) is a ‘comprehensive testing guide that covers the
processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set
of test cases that enables testers to deliver consistent and complete results’27.

Specifically, the MSTG provides a guide for the security testing of apps in the development lifecycle,
covering both basic static and dynamic security testing, among others.

As an extension from the MSTG, OWASP also developed the Mobile Application Security Verification
Standard (MASVS), which ‘can be used by mobile software architects and developers seeking to
develop secure mobile apps, as well as security testers to ensure completeness and consistency of
test results’28.

24
https://developer.huawei.com/consumer/en/doc/30202
25
https://consumer.huawei.com/en/press/news/2020/how-does-huawei-appgallery-protect-us-
er-privacy-and-security/
26
https://cloudsecurityalliance.org/artifacts/mobile-application-security-testing/
27
https://owasp.org/www-project-mobile-security-testing-guide/
28
https://mobile-security.gitbook.io/masvs/

© Copyright 2020, Cloud Security Alliance. All rights reserved. 12

Accompanying the MSTG and MASVS is the Mobile App Security Checklist that can be used in
security assessments of mobile apps.

Mobile App Security Testing Tools

There is a multitude of mobile app security testing tools (e.g., ImmuniWeb MobileSuite, Zed Attack
Proxy) available in the market29. Many of these tools are open-source, maintained by hundreds of
volunteer security professionals, support both Android and iOS platforms, and generate reports
about potential vulnerabilities with recommendations on how to fix them. The following briefly
introduces some of the popular and open-source tools in use (descriptions referenced from the tools’
official webpages):

• Drozer30: An open-source security testing framework for Android. It searches for security
vulnerabilities in apps and devices by assuming the role of an app and interacting with
Android’s Dalvik Virtual Machine (now no longer used in newer Android versions), other apps’
inter-process communication endpoints, and the underlying operating system. The tool helps
users to use, share, and understand public Android exploits.
• MobSF31: Short for Mobile Security Framework, MobSF is an automated, all-in-one application
(Android / iOS / Windows) penetration testing, malware analysis, and security assessment
framework capable of performing static and dynamic analysis. Users can purchase self-paced
e-Learning courses & certifications to demonstrate competencies in the use of the tools at
nominal fees.
• QARK32: Short for Quick Android Review Kit, this open-source tool is designed to look
for common security-related Android app vulnerabilities in either source code or Android
Application Packages (APKs). It is also able to create proof-of-concept deployable APKs and/
or Android Debug Bridge commands to exploit any vulnerabilities that it may find. Rooting of
test devices is not required as the tool focuses on vulnerabilities that can be exploited under
more secure conditions.
• Zed Attack Proxy33: Open source security tool facilitating the automatic discovery of
application vulnerabilities. It has an API that developers through a desktop interface can
automate pentesting and security regression testing of an application in the CI/CD pipeline.
The following are some of the features provided by ZAP: Intercepting Proxy, Active and
Passive Scanners, Traditional and Ajax Spiders, Brute Force Scanner, Port Scanner, Web
Sockets. Proxy, Active and Passive Scanners, Traditional and Ajax Spiders, Brute Force
Scanner, Port Scanner, Web Sockets.

29
https://www.softwaretestinghelp.com/mobile-app-security-testing-tools/
30
https://github.com/FSecureLABS/drozer/wiki
31
https://mobsf.github.io/docs/#/
32
https://github.com/linkedin/qark
33
https://www.zaproxy.org/

© Copyright 2020, Cloud Security Alliance. All rights reserved. 13

Often app developers tap multiple tools34 (e.g., static app security testing, dynamic app security
testing, forensics analysis) to automate their security testing workflow to catch as many red flags as
possible, which improves the chances of their app passing the app stores’ review and approval process.

4. Conclusion
CSA’s MAST WG in reviewing the current landscape for mobile app security testing found that:

• Users place a good deal of trust in app stores’ abilities to review, test, flag, and block apps that
exhibit undesirable behavior. However, even with the best expertise and resources touted by
the most popular and established app stores, along with the extensive experience gained from
testing and reviewing a large number of mobile apps, malware still manages to slip through
their defenses from time to time, making the headlines.
• These app stores are currently not transparent in the nature and types of security testing
conducted on submitted apps. Transparency could be a two-edged sword (benefiting
threat actors as well), but the WG opines that greater transparency for app developers and
collaboration between app stores can result in stronger defense against malware.
• Existing efforts by OWASP provide the industry with a detailed step-by-step guide and
checklists to enhance the security posture of mobile apps²².
• There are a healthy number of software tools available that are maintained by the community
and vendors to conduct security testing on mobile apps²³.

With no obvious and pertinent gaps in the mobile security testing landscape at the moment that
the WG can help to address, the WG will be temporarily suspended, but continue to keep a look-
out for potential security gaps that arise from the emergence of trends such as Beacon Technology,
Wearables, and 5G/6G wireless35

34
https://insights.sei.cmu.edu/sei_blog/2018/07/10-types-of-application-security-testing-tools-
when-and-how-to-use-them.html
35
https://www.mobileappdaily.com/mobile-app-development-trends

© Copyright 2020, Cloud Security Alliance. All rights reserved. 14