Developing and supporting mobile apps is a different concept from the development of regular software. The on-device app itself includes only a tiny percentage of all of the processes written for the tool.
You will have to host the microservices that provide all of the actual processing, and then you also have a decision to make about where system state variables should be stored. You will need to work out whether the app’s users need to set up accounts and where that data will be processed. Will you be using APIs provided by other companies? Will the app need to store data for its purposes and give the users access to their data stores? Will the app need to use the services of the device it is installed on, and should it offer links to other apps and websites?
After all of those design considerations for the app, you need to implement automated development pipeline systems and project management systems. Where should you insert a process for testing? Should security testing take place at the integration testing phase? Would rework for discovered security flaws introduce a high cost and timeline overhead?
Mobile app security testing tools provide testing services and guidance on where those tests should occur in your pipeline. In many cases, mobile app security testing tools offer a continuous testing service that is active throughout the development cycle.
Here is our list of the seven best mobile app security testing tools:
- Netsparker EDITOR’S CHOICE (ACCESS FREE DEMO) A continuous tester for integration into DevOps pipelines that can also run as a vulnerability scanner. This system performs static, interactive, and dynamic application testing. Available as a cloud platform service or for installation on Windows and Windows Server.
- Acunetix (ACCESS FREE DEMO) A vulnerability scanner offered in three versions, with options for on-demand application testing and continuous automated checks. Available as a hosted SaaS package or for installation on Windows, macOS, or Linux.
- QARK A free community-supported testing system for Android devices. The system includes both static scans through code and dynamic testing. Available for Windows, macOS, and Linux.
- Android Debug Bridge A free testing system that runs as part of the Android SDK Platform. This system can be downloaded with Google Android IDE onto Windows, macOS, and Linux.
- ImmuniWeb Mobile Suite ImmuniWeb offers an online platform for Web application vulnerability scanning, and this is a version built to examine mobile apps for weaknesses. This is a cloud-based system.
- Micro Focus Fortify on Demand This cloud platform offers a range of testing assessments, including dynamic and static tests and mobile app security testing.
- Codified Security A dedicated mobile app security testing platform that also recommends solutions to discovered problems. This is a cloud-based system.
Mobile app security standards
Security testing requires goals and benchmarks. In automated systems security testing, you also need a list of known flaws to look out for. The Open Web Application Security Project (OWASP) has gathered together a list of the greatest known threats to Web systems, the OWASP Top 10. In addition, OWASP now has a separate project for security issues that relate to mobile apps. This provides an excellent guide to security testing for mobile apps.
Within its mobile security testing remit, the OWASP Foundation has developed a Mobile Application Security Verification Standard (MASVS). This gives you a list of errors to look for when checking through mobile apps, both those under development and those you buy off the shelf. Fortunately, the MASVS is also available to the providers of mobile app security testing systems. This means that you just need to look for an indication that the testing platform integrates MASVS in order to work out whether the tester provides sufficient checks.
The best mobile app security testing tools
There aren’t many options to seriously consider when looking for an automated mobile app security testing tool. This is because the development testing market is a very specialized area of IT security and mobile app security is an even smaller niche.
What should you look for in a mobile app security testing tool?
We reviewed the market for mobile app security testing platforms and analyzed the options based on the following criteria:
- A range of deployment options that include SaaS packages and on-site software systems
- A continuous testing service
- The option for on-demand mobile security testing checks that designated testers can run
- Total feedback on discovered weaknesses, including recommendations for remediation
- A service that can integrate with project management and issue tracking systems
- A no-cost assessment opportunity provided by a free trial or a demo system
- Value for money that matches an appropriate price to the number of services offered
We have found a range of tools suitable for use by DevOps managers and for IT departments that are trialing new apps to buy.
You can read more about each of these options in the following sections.
1. Netsparker (ACCESS FREE DEMO)
Netsparker has several deployment options. It can be used for continuous testing in a CI/CD pipeline or for Web application vulnerability testing by IT operations teams. The vulnerability scanner can be run on demand or on a schedule.
When Netsparker works as a development testing tool, it provides Dynamic Application Security Testing (DAST). It also offers code scanning assessments in static (SAST) and interactive (IAST) formats. When developing a mobile app, teams can use the system to scan for weaknesses in third-party APIs before deciding to integrate them. Each service that builds up the backend of a mobile app can be tested in isolation for potential weaknesses. Integration testing examines potential security weaknesses in communications between modules.
While scanning for known weaknesses that commonly allow hackers in, Netsparker also uses its method of heuristics to spot where likely loopholes in security could occur. This is ideal for testing partial developments that cannot be entirely subjected to a standard list of common Web application vulnerabilities.
Netsparker can integrate issue tracking and project management tools, such as Bugzilla, Jenkins, and JIRA. This makes it easy to build testing phases into your development lifecycle.
Pros:
- A system that can be used for on-demand or scheduled vulnerability testing
- Integration into CI/CD pipeline possible
- Deployment options for cloud or on-premises hosting
- DAST, SAST, and IAST services
- Integrates with project management and issue tracking systems
Cons:
- Doesn’t include error correction mechanisms
Netsparker is available as a hosted SaaS platform, and it is also possible to get it as a software package for installation on Windows and Windows Server. In addition, you can assess Netsparker for free by accessing its demo system.
EDITOR’S CHOICE
Netsparker is our top pick for a mobile app security testing tool because it is offered in several deployment options. It can test operational mobile apps and their supporting services through its Web application vulnerability scanning function. It can also integrate into the development cycle for the production of new mobile apps. Netsparker can be used for on-demand tests, scheduled vulnerability scans, or continuous testing.
Access free demo: netsparker.com/get-demo/
Operating system: Cloud-based or available for install on Windows and Windows Server
2. Acunetix (ACCESS FREE DEMO)
Acunetix can operate as a vulnerability scanner or as an integrated testing platform for development pipelines. Within this service is a code checker called AcuSensor. This can comb through JavaScript, PHP, and .NET code to identify problems. This is a great support tool for developers.
System testers in a development team and operations staff dealing with live mobile apps get DAST, SAST, and IAST services to check the security of their mobile systems. When used as a development tester, Acunetix can integrate with Bugzilla, Azure DevOps, GitLab, Jenkins, and JIRA for development management and issue tracking.
When used as a vulnerability manager for Web applications, this scanner will search for the OWASP Top 10 and 7,000 other known weaknesses. There is also a network vulnerability scanning option in the Acunetix system that scans for more than 50,000 weaknesses. So, the Acunetix system can be deployed in multiple functions throughout the organization.
There are three editions of Acunetix: Standard, Premium, and Enterprise. For mobile app security testing during development, you would need to go for the Enterprise plan. The Standard program offers on-demand vulnerability scanning, and the Premium plan is designed for operations teams to check on Web application and network security.
Pros:
- Options for automated or on-demand vulnerability scanning
- A service that can be integrated into CI/CD pipelines
- Continuous operation for every stage in the development process
Cons:
- It doesn’t include fixes for detected problems
Acunetix is offered as a hosted SaaS testing platform. However, it is also possible to get the system as a software package to install on Windows, macOS, and Linux. In addition, you can assess Acunetix by accessing the demo system.
Access free demo: acunetix.com/web-vulnerability-scanner/demo/
3. QARK
QARK is a free testing platform for Android apps. It can drill through to the code of any given mobile app intended to run on Android, and it will then scan for security errors. The tool can also work through supporting APIs and spot connectivity security weaknesses.
As a community-supported system, QARK is not strong on usability. However, this is suitable for installation and use by highly skilled technical support staff. At the end of a scan, QARK will produce a report that details any discovered weaknesses and add recommendations on how to fix those problems. QARK can be installed on Windows, macOS, and Linux.
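As an added illustration of the kind of static check a scanner like QARK performs (this is example code, not QARK's own code), the script below parses an AndroidManifest.xml and reports application-level flags and components that other apps can reach without a permission guard. The manifest embedded in it is a constructed sample with deliberate findings; the severity labels and the launcher exemption are this example's own conventions.

```python
"""Static check of an AndroidManifest.xml for common exposure flags.

Added example, not QARK's code: a minimal version of the kind of manifest
review a static Android scanner performs. The manifest below is a
constructed sample with deliberate findings.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data"
              android:exported="true"
              android:permission="com.example.demo.READ_DATA"/>
    <service android:name=".WorkService" android:exported="false"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_launcher(comp):
    """The MAIN/LAUNCHER activity must be exported, so it is not a finding."""
    for f in comp.findall("intent-filter"):
        if any(attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in f.findall("category")):
            return True
    return False


def scan_manifest(xml_text):
    """Return a list of (severity, message) tuples, in document order."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings

    # Application-level flags that widen the attack surface of the whole app.
    app_flags = [
        ("debuggable", "HIGH", "application is debuggable"),
        ("allowBackup", "MEDIUM", "allowBackup is enabled, app data can be exported"),
        ("usesCleartextTraffic", "MEDIUM", "cleartext HTTP traffic is permitted"),
    ]
    for flag, sev, msg in app_flags:
        if attr(app, flag) == "true":
            findings.append((sev, msg))

    # Components reachable by other apps: exported explicitly, or implicitly
    # through an intent-filter when android:exported is unset (pre-API-31 default).
    for kind in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(kind):
            exported = attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported == "true" or (exported is None and has_filter):
                if is_launcher(comp) or attr(comp, "permission"):
                    continue  # legitimately open, or guarded by a permission
                sev = "HIGH" if kind == "provider" else "MEDIUM"
                findings.append((sev, "exported %s %s has no android:permission"
                                 % (kind, attr(comp, "name"))))
    return findings


if __name__ == "__main__":
    for sev, msg in scan_manifest(SAMPLE_MANIFEST):
        print("[%s] %s" % (sev, msg))
```

On the sample manifest this reports four findings: the three application flags and the exported `.SyncReceiver`, while the launcher activity, the permission-guarded provider and the non-exported service produce nothing. To run it against a real app, decode the binary manifest out of the APK first (for example with apktool) and pass the resulting XML text to `scan_manifest`.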
Pros:
- Scans through code to spot programming errors
- Produces recommendations on how to fix problems
- Performs integration testing from a generated APK test shoe
Cons:
- No professional support
- Not easy to set up
4. Android Debug Bridge
The Android Debug Bridge is a free tool provided by Google, the owner of Android. As the name suggests, this tool is intended to debug mobile apps for Android and detect security problems.
This system is a command-line tool. It operates a client-server system to send messages to an app under development, launch different functions, and test its responses. You can install the mobile app on a device and connect it to your testing computer by a USB cable. It is also possible to perform tests over a WiFi link. The software for Android Debug Bridge is part of the Android SDK. This can be installed on Windows, macOS, and Linux.
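The following script is an added example, not part of the Android SDK or the adb tool itself, of how a tester drives a connected device from adb: it assembles the real `adb` command lines for listing devices, locating an installed APK and dumping a package's metadata, and then parses `dumpsys package` output for the debuggable flag, backup flag and permission state. The dumpsys text embedded in it is a constructed sample modelled on the real format (which varies between Android versions), and the `DANGEROUS` set is an assumed subset of Android's runtime permissions.

```python
"""Inspect an installed Android app over adb and parse 'dumpsys package'
output for security-relevant flags and permission state.

Added example, not part of the Android SDK or the adb tool. The adb command
lines are real adb syntax; the dumpsys text below is a constructed sample
modelled on the real format, which varies somewhat between Android versions.
"""
import re
import subprocess

# Assumed subset of Android's runtime ("dangerous") permissions.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
}

# Constructed sample of 'adb shell dumpsys package com.example.demo' output.
SAMPLE_DUMPSYS = """Packages:
  Package [com.example.demo] (5a1b2c3):
    userId=10234
    versionCode=7 minSdk=23 targetSdk=30
    versionName=1.4.2
    flags=[ DEBUGGABLE HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""


def adb_commands(package, serial=None):
    """Argv lists for the adb calls this check relies on (real adb syntax)."""
    base = ["adb"] + (["-s", serial] if serial else [])
    return {
        "devices": base + ["devices"],                        # list attached devices
        "dumpsys": base + ["shell", "dumpsys", "package", package],
        "apk_path": base + ["shell", "pm", "path", package],  # locate the APK for static review
    }


def run_dumpsys(package, serial=None):
    """Fetch live dumpsys output from a connected device (needs adb on PATH)."""
    cmd = adb_commands(package, serial)["dumpsys"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_dumpsys_package(text):
    """Extract flags, targetSdk, requested permissions and granted permissions."""
    info = {"flags": set(), "target_sdk": None, "requested": [], "granted": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.search(r"\btargetSdk=(\d+)", line)
        if m:
            info["target_sdk"] = int(m.group(1))
        if line.startswith("flags=["):
            info["flags"] = set(line[len("flags=["):].rstrip("]").split())
        elif line.endswith("permissions:"):
            # "requested permissions:", "install permissions:", "runtime permissions:"
            section = line[:-len("permissions:")].strip()
        elif section and re.match(r"^[\w.]+(:|$)", line):
            perm = line.split(":", 1)[0]
            if section == "requested":
                info["requested"].append(perm)
            elif "granted=true" in line:
                info["granted"].add(perm)
    return info


def audit(text):
    """Turn parsed dumpsys output into (info, findings)."""
    info = parse_dumpsys_package(text)
    findings = []
    if "DEBUGGABLE" in info["flags"]:
        findings.append("HIGH: app is debuggable; a debugger can be attached on the device")
    if "ALLOW_BACKUP" in info["flags"]:
        findings.append("MEDIUM: allowBackup is set; app data may be extractable via backup")
    for perm in info["requested"]:
        if perm in DANGEROUS:
            state = "granted" if perm in info["granted"] else "not granted"
            findings.append("INFO: dangerous permission %s requested (%s)" % (perm, state))
    return info, findings


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in run_dumpsys(pkg) for a real device.
    for line in audit(SAMPLE_DUMPSYS)[1]:
        print(line)
```

The parser keys on the section headers (`requested permissions:`, `install permissions:`, `runtime permissions:`) rather than on fixed indentation, which is what changes most between Android releases. On the sample it yields four findings: the debuggable and backup flags plus one entry for each dangerous permission the app requested, with whether the user has actually granted it.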
Pros:
- Free to use and community-supported
- Excellent online guides on usage from Google
- Integrated into the development environment for Android apps
Cons:
- No GUI environment
5. ImmuniWeb Mobile Suite
ImmuniWeb Mobile Suite is a purpose-built system for mobile app security testing. In addition, ImmuniWeb produces other systems for general Web applications testing. This service is delivered from the cloud.
The testing system doesn’t rely on a series of known weaknesses. Instead, it uses a machine learning process that probes each element in a mobile app, trying out all possible operating options and looking for errors.
The ImmuniWeb platform offers a series of pen testing services for mobile apps, and these can also be strung together to get a series of checks performed on one app or a collection of mobile systems. ImmuniWeb analysts run the tests, so this is a good service for users who don’t have the technical skills to run penetration testing tools. Each test ends with a report that includes recommendations on how to fix the problems that were discovered.
Pros:
- A package that is specifically designed for mobile app penetration testing
- Test results that include suggestions for repair
- On-call analysts to assist with solutions
Cons:
- The Mobile Suite plan can’t be used to check for security errors in other types of system
Subscription plans for ImmuniWeb Mobile Suite also include the services of on-call analysts for assistance. In addition, you can ask for an assisted demo to assess the system.
6. Micro Focus Fortify on Demand
Micro Focus Fortify on Demand is an online service that provides a range of testing services, including DAST and IAST services for Web applications and tailored mobile app testing systems.
The Fortify on Demand service is paid for through a prepayment system. You buy a package of test credits and then call them off. Micro Focus pen testers run the tests. The service runs dynamic and static tests according to the order. When the results of these tests come back, they are shown in the service dashboard. The report also includes recommendations on corrections to the mobile app that will address the weaknesses uncovered during the tests.
As it is a human-based service, the Fortify on Demand system doesn’t operate like a quick check that a developer can run in a minute. However, the service is accustomed to working on code under development, so a call to a Micro Focus test can be scheduled and added to the project plan.
Pros:
- Human-based – draws from varying levels of expertise
- Pre-paid system lets you pay for what you need
Cons:
- Time-lag to complete the whole process
Essentially, under the development scenario, Micro Focus Fortify on Demand represents outsourced testing. You can try the service on a 15-day free trial.
7. Codified Security
Codified Security is entirely dedicated to mobile app security testing. This is one of the most detailed services available for verifying mobile apps and particularly lends itself to the developers of mobile apps.
Unlike the previous two options in this list, Codified Security is a platform of tools that can be run directly by the development team. In addition, it offers a range of testing facilities that are suitable for use by developers to check on code as it is completed and before it is passed on down the pipeline. There are also DAST services available to test any API that the project is going to use. In addition, the package includes IAST tools for system testers and integration testing.
The test processing offered by the Codified Security platform is fast, and results are delivered immediately. In addition, the system works as a testbed. That means you don’t call a test down onto your computer but instead load your code up into the platform for a test run. Finished apps can be tested by loading up an APK. The tests that the system performs can be adjusted by specifying any security requirements, such as data privacy standards, in the settings for the test.
The results for each test produce a risk analysis that, for full apps, includes the risks presented by connectivity between modules. In addition, the report consists of recommendations for alterations to procedures that can improve the security of the mobile app. This service can test Android and iOS mobile apps plus Web functions.
Pros:
- A range of mobile app tests for developers through to acceptance testers
- A cloud-based testbed
- Recommendations on improvements
Cons:
- Not available as an on-premises package
The article 7 Best Mobile App Security Testing Tools in 2021 first appeared on Comparitech.