Being installed on a tablet or smartphone (iPad, iPhone, Android) does not make an application immune to cyber attacks.
Mobile apps face the same threats as the rest of the web platform; the only exception is a non-connected app such as a very basic dictionary, which exchanges no data with the outside world and has no server behind it.
Very often, even the simplest applications, such as a camera app, have extra features like photo sharing or backup to external storage.
So the mobile application talks to one or more servers, and those servers can be attacked.
Take a fairly recent app with very limited features: Yo. If you don't know it, this application lets you send "Yo" messages to your contacts, or receive the same "Yo" messages from various services when some event occurs.
The app has few features and is quite simple, yet it was hacked only a few days after it became famous. Some students found a vulnerability in the application that let them harvest phone numbers (fortunately the publisher was made aware of the flaw and fixed it). Even a very simple app puts something at risk: personal data, and the publisher's reputation.
The more complex the app, the greater the risk
An important concept in web security is the "attack surface". The more elements there are in your application portfolio, and the more features each application has, the larger the attack surface: every feature is another entry point that has to be defended.
A web application security audit examines and analyzes that surface thoroughly. For a mobile application, security tests focus on the components (web services, APIs) that handle the communication between the app and the company's servers. Those endpoints are reachable by anyone who knows their address, not only by the official app, so they cannot rely on the app to behave.
Services usually in place for a connected app are:
- Personal data updates
- Data backup
- Social features (such as sharing)
- Data retrieval (such as articles, in the case of a news application)
A penetration test on a mobile application will check, among other things, whether one user can read another user's personal data, whether harmful or unwanted content can be pushed into the database, and, why not, whether the company's own sensitive data can be reached through the same endpoints.
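To make the first two checks concrete, here is an added example (not code from the article or from any real application) of a toy "personal data" backend such as a mobile app would call, written once in the vulnerable form a pentester hopes to find and once hardened. The user records, the in-memory session store, the phone-number allowlist and the function names are all assumptions made for illustration; the two probe functions model the tester's moves: log in as one user, then try to read or overwrite another user's record.

```python
import re
import secrets

# Constructed sample data standing in for the app's "personal data" store.
# Phone numbers are placeholders, not real subscribers.
USERS = {
    1: {"name": "alice", "phone": "+15550100"},
    2: {"name": "bob", "phone": "+15550101"},
}

# Server-side session store: opaque token -> authenticated user id.
SESSIONS = {}

# Allowlist for the one field a client may set (assumed format for the example).
PHONE_RE = re.compile(r"^\+?[0-9]{6,15}$")


def login(user_id):
    """Issue an unguessable session token for an already-authenticated user."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = user_id
    return token


def vulnerable_get_profile(token, user_id):
    """Data retrieval as it is often written: checks that *a* session exists,
    then trusts the user_id the client put in the request (an IDOR)."""
    if token not in SESSIONS:
        raise PermissionError("not logged in")
    return dict(USERS[user_id])


def hardened_get_profile(token, user_id):
    """Same endpoint with the identity taken from the session, not the request."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise PermissionError("not logged in")
    if caller != user_id:
        raise PermissionError("not your profile")
    return dict(USERS[user_id])


def vulnerable_update_profile(token, user_id, phone):
    """Personal data update: any logged-in user can overwrite anyone's record
    with any string at all."""
    if token not in SESSIONS:
        raise PermissionError("not logged in")
    USERS[user_id]["phone"] = phone
    return True


def hardened_update_profile(token, user_id, phone):
    """Ownership check plus an allowlist on the stored value, so the endpoint
    cannot be used to plant arbitrary content in the database."""
    caller = SESSIONS.get(token)
    if caller is None or caller != user_id:
        raise PermissionError("not your profile")
    if not PHONE_RE.fullmatch(phone):
        raise ValueError("phone must be digits with an optional leading +")
    USERS[user_id]["phone"] = phone
    return True


def idor_probe(get_profile):
    """The pentest step from the text: log in as user 1 and ask for user 2's
    record. Returns True when the other user's data comes back."""
    token = login(1)
    try:
        return get_profile(token, 2) == USERS[2]
    except PermissionError:
        return False


def tamper_probe(update_profile, payload):
    """Try to push an unwanted value into another user's record as user 1.
    Returns True when the write went through."""
    token = login(1)
    before = USERS[2]["phone"]
    try:
        update_profile(token, 2, payload)
    except (PermissionError, ValueError):
        return False
    changed = USERS[2]["phone"] == payload
    USERS[2]["phone"] = before  # restore so repeated probes start from the same state
    return changed


if __name__ == "__main__":
    junk = "<script>alert(1)</script>"
    print("IDOR on vulnerable read:", idor_probe(vulnerable_get_profile))     # True
    print("IDOR on hardened read:  ", idor_probe(hardened_get_profile))       # False
    print("tamper vulnerable write:", tamper_probe(vulnerable_update_profile, junk))  # True
    print("tamper hardened write:  ", tamper_probe(hardened_update_profile, junk))    # False
```

The point the two versions make is that "is the caller logged in?" and "is the caller allowed to touch this record?" are different questions; the vulnerable endpoints answer only the first, which is exactly the gap that let the Yo phone-number harvest through. In a real audit the probes are HTTP requests replayed from a proxy with the identifiers swapped, but the logic is the same.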