Mobile Product Security and Privacy Testing Resources
Security testing is used to ensure that a mobile product does not pose a threat to agency IT systems and databases. In addition, privacy testing ensures that an app does not put the user’s personally identifiable information into a compromisable position.
This article was developed as part of the Mobile Application Development Program. See our general guidelines to testing article for more resources on mobile product testing.
Please coordinate with your ISSO when creating mobile or digital products.
Listed below are resources available that further describe and conduct security and privacy testing. These services/companies or websites are offered as a sample of what is currently available for security and do not indicate an endorsement of them or their products and/or services.
- Application Permissions and Platform Security – Link explains concept for Android
- Authentication and Authorization
- NIST Mobile Security & Forensics Page
- Open Web Application Security Mobile Security Project
- Timeouts and Session Management
- Web Application Security
GPS, IMEI, device numbers, and customer personal information all have privacy implications that must be noted. At a minimum, the security assessment should be accomplished through a data sensitivity impact level process and/or privacy impact assessment requirement. Agencies should:
Handle Web history/caching
Securely transmit login data
Avoid “man-in-the-middle” attacks
Securely transmit sensitive data
Protect from session hijacking
Permanently deletes data
Securely handle interruptions
Properly secure data in backups_Privacy_
Other issues to consider:
- Is private data kept private?
- Stored personal data is password protected and/or encrypted.
- Transmission of personal data from device to device is encrypted.
- Limit user privileges (i.e. limiting access to certain files).
These services/companies or web sites are offered as a sample of what is currently available and do not indicate an endorsement of them or their products and/or services.
- Fortify – Identifies security problems and prioritizes results
- IBM AppScan – Software designed to automate application security testing
- kryptowire – Provides static and dynamic analysis of Android applications
- Lint – Android tool that checks for for potential bugs and security optimization
- Nessus – Software identifies security and compliance exposure
- Selenium – Tools for automating web applications for testing purposes
- Veracode – Provides automated static and dynamic application security testing
Test Plans/Checklists available on GitHub
The Mobile Code Sharing Catalog has test plans or cases or checklists that have been uploaded to GitHub and are available as samples and/or for use._ Coqui Aspiazu, GSA; Ben Weaver and Lisa Wilcox, USDA, contributed to this post._