In mobile app security testing, we often overlook subtle yet critical issues such as data leakage in motion (over the air) and at rest (on the disk), misconfigurations, hardcoded credentials, and incorrect memory usage. These elusive vulnerabilities continue to undermine our apps' security.
Just as rigorous training leads to victory in sports, each small step towards cleaner code enhances the overall security of mobile apps.
In our latest on-demand webinar, Chief Evangelist Brian Robison and Security Researcher Steven Smiley discuss how Corellium MATRIXTM, an automated security testing and reporting solution, inspects code (both statically and dynamically) for threats – thus unlocking your time and effort.
Code-Level Mistakes Cause Most Breaches
Hardcoded credentials, inadequate security, and vulnerable authentication are the top three OWASP mobile app risks in 2024. Code hygiene and automated checks will help you identify and eliminate all three threats.
Unfortunately, the rabbit hole goes deeper. Symantec recently found 1,859 Android and iOS apps containing hard-coded AWS credentials. What’s worse, about 77% of these “apps contained valid AWS access tokens allowing access to private AWS cloud services.”
Automated Mobile App Security Testing Reduces Vulnerabilities
Corellium MATRIX™ seamlessly integrates mobile app security testing into your SDLC within CI/CD workflows, enabling automated security checks as frequently as needed, unlike the traditional annual or bi-annual penetration testing. By embedding security testing directly into the development process, Corellium MATRIX™ supports "shift-left" initiatives, ensuring that security measures are addressed early and consistently throughout the development lifecycle.
Here are five ways Corellium MATRIX™ enhances your penetration testing workflow:
- Continuous Integration: Automated security checks run with every build.
- Early Detection: Identifies vulnerabilities during development, not after release.
- Comprehensive Coverage: Checks for data leakage, misconfigurations, and hardcoded credentials.
- Efficiency: Reduces the need for extensive manual testing.
- Consistency: Ensures security is a constant focus, not a periodic concern.
How MATRIX™ Advances Your Mobile App Security Testing
Follow the below steps to run a MATRIX test on your mobile app (as shown in this webinar):
1. Setup Virtual Device
Create a virtual device on Corellium and install your app. By using virtual hardware, you bypass all the app security challenges that arise while working with physical devices. Choose the device and operating system combination you need to test and instantly gain jailbroken/root access.
2. Test Your App
Once the device runs and your app is installed, create a test. Corellium will use its built-in introspection capabilities to collect data and log traffic sources.
Most importantly, by providing MATRIX with a "keywords" file, the test can identify sensitive data within the app. This file contains strings or regex patterns representing sensitive information such as API keys, credentials, or personal/private data. If these patterns are detected in clear text, either over the air or on disk, they could indicate significant data leakage vulnerabilities.
Additionally, using the keywords file to specify strings sensitive to your organization significantly reduces false positives, ensuring that the security checks are more accurate and relevant to your specific needs.
3. Conduct User Interactions
Next, using the virtual device, begin a manual test case of using the app, such as signing in, adding items to the shopping cart, and checking out on the payment page.
4. Run Automated Mobile App Security Tests
Corellium MATRIXTM now runs tests to help you identify and address any findings. MATRIX leverages data gathered during app interaction and continues its analysis even after you've finished examining static source code and memory for comprehensive security insights.
The tests are designed to identify top OWASP mobile app risks, such as insecure data storage, insecure network communication, and insecure authentication.
5. Get Actionable Results
The findings are displayed live on screen, allowing you to sort and filter by pass/fail status and severity. Offline reports are generated in both human-readable HTML and parsable JSON formats. Each report includes an overview of the app, device, app ID, device model, OS, test date, and other relevant details, along with a comprehensive list of the security issues identified during the checks.
Brian and Steven demonstrate the above five steps in the full webinar using the intentionally buggy Corellium Cafe app. Book a meeting with one of our experts to discuss how Corellium MATRIXTM can advance your security research and pentesting program.
