Mobile Product Security and Privacy Testing Resources

Aug 5, 2013

Security testing is used to ensure that a mobile product does not pose a threat to agency IT systems and databases. In addition, privacy testing ensures that an app does not put the user’s personally identifiable information at risk of compromise.

This article was developed as part of the Mobile Application Development Program. See our general guidelines to testing article for more resources on mobile product testing.

Government Guidance

Please coordinate with your ISSO when creating mobile or digital products.

Resources Available

Listed below are resources that further describe and conduct security and privacy testing. These services, companies, and websites are offered as a sample of what is currently available for security testing and do not indicate an endorsement of them or their products and/or services.

Web Resources

Security

GPS location, IMEI, device numbers, and customer personal information all have privacy implications that must be noted. At a minimum, the security assessment should be accomplished through a data sensitivity impact level process and/or a privacy impact assessment. Agencies should:

  • Handle Web history/caching
  • Securely transmit login data
  • Avoid “man-in-the-middle” attacks
  • Securely transmit sensitive data
  • Protect from session hijacking
  • Permanently delete data
  • Securely handle interruptions
  • Properly secure data in backups

Privacy

  • Important Mobile App Privacy Recommendations

Other issues to consider:

  • Is private data kept private?
  • Is stored personal data password protected and/or encrypted?
  • Is transmission of personal data from device to device encrypted?
  • Are user privileges limited (e.g., limiting access to certain files)?

Testing Services

These services, companies, and websites are offered as a sample of what is currently available and do not indicate an endorsement of them or their products and/or services.

  • Fortify – Identifies security problems and prioritizes results
  • IBM AppScan – Software designed to automate application security testing
  • kryptowire – Provides static and dynamic analysis of Android applications
  • Lint – Android tool that checks for potential bugs and security and optimization issues
  • Nessus – Software identifies security and compliance exposure
  • Selenium – Tools for automating web applications for testing purposes
  • Veracode – Provides automated static and dynamic application security testing

Test Plans/Checklists available on GitHub

The Mobile Code Sharing Catalog has test plans, test cases, and checklists that have been uploaded to GitHub and are available as samples and/or for use.

Coqui Aspiazu, GSA; Ben Weaver and Lisa Wilcox, USDA, contributed to this post.