In mobile app security testing, we often overlook subtle yet critical issues such as sensitive data leaking in transit (over the air) or at rest (on disk), misconfigurations, hardcoded credentials, and insecure handling of sensitive data in memory. These elusive vulnerabilities continue to undermine our apps' security.
Just as rigorous training leads to victory in sports, each small step towards cleaner code enhances the overall security of mobile apps.
In our latest on-demand webinar, Chief Evangelist Brian Robison and Security Researcher Steven Smiley discuss how Corellium MATRIX™, an automated security testing and reporting solution, inspects an app's code both statically and dynamically for these threats, freeing up your time and effort.
Improper credential usage (including hardcoded credentials), inadequate supply chain security, and insecure authentication/authorization are the top three risks in the 2024 OWASP Mobile Top 10. Code hygiene and automated checks help you identify and address all three.
Unfortunately, the rabbit hole goes deeper. Symantec recently found 1,859 Android and iOS apps containing hard-coded AWS credentials. What’s worse, about 77% of these “apps contained valid AWS access tokens allowing access to private AWS cloud services.”
Corellium MATRIX™ integrates mobile app security testing into your SDLC through CI/CD workflows, enabling automated security checks as frequently as needed rather than the traditional annual or semi-annual penetration test. By embedding security testing directly into the development process, Corellium MATRIX™ supports "shift-left" initiatives, so that security issues are caught early and consistently throughout the development lifecycle.
Here are five ways Corellium MATRIX™ enhances your penetration testing workflow, presented as the steps for running a MATRIX test on your mobile app (as shown in the webinar):
First, create a virtual device on Corellium and install your app. Virtual hardware removes the practical obstacles of testing on physical devices: choose the device and operating system combination you need to test and instantly get a jailbroken or rooted device, with no jailbreak or root exploit required.
Once the device is running and your app is installed, create a test. Corellium uses its built-in introspection capabilities to collect data from the device and log the app's network traffic.
Most importantly, by providing MATRIX with a "keywords" file, the test can identify sensitive data within the app. This file contains literal strings or regex patterns representing sensitive information such as API keys, credentials, or personal/private data. If any of these patterns is found in clear text, either over the air or on disk, it likely indicates a data leakage vulnerability.
Additionally, filling the keywords file with strings specific to your organization (your own key prefixes, hostnames, or test-account identifiers) rather than relying on generic patterns alone significantly reduces false positives, so the checks are more accurate and relevant to your app.
Next, exercise the app manually on the virtual device through a realistic test case, such as signing in, adding items to the shopping cart, and checking out on the payment page.
Corellium MATRIX™ now runs its tests to help you identify and address any findings. MATRIX combines the data captured while you interacted with the app with static inspection of the app package and an examination of its memory, so the analysis continues after your manual session ends and the results cover the app as a whole.
The tests are designed to identify top OWASP mobile app risks, such as insecure data storage, insecure network communication, and insecure authentication.
Finally, the findings are displayed live on screen, where you can sort and filter them by pass/fail status and severity. Offline reports are generated in both human-readable HTML and machine-parsable JSON. Each report includes an overview of the app and device (app ID, device model, OS version, test date, and other relevant details) along with a complete list of the security issues identified during the checks.
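To make the keyword-driven leak check concrete, here is an added, self-contained example of the workflow the steps above describe. It is illustrative code written for this article, not Corellium MATRIX code, and it does not use MATRIX's keywords-file syntax or its JSON report schema; both of those, and every file path, request and credential below, are constructed for the example. It loads a keywords file of literal strings and regex patterns, runs them over (a) files the app wrote to disk and (b) requests captured during a sign-in/checkout session, then groups the hits into pass/fail checks with a severity and emits them as JSON.

```python
"""Illustrative keyword-driven leak scan (added example, not Corellium MATRIX code).

A keywords file of literals and regexes is matched against files the app wrote
to disk and against captured network requests; hits become pass/fail checks.
Keyword-file syntax, report schema and all sample data are constructed.
"""
import json
import re
from dataclasses import dataclass, asdict

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed keywords-file syntax: one rule per line, "literal:<string>" or
# "regex:<pattern>", optionally followed by "|<severity>" (default: medium).
KEYWORDS_FILE = """\
# constructed keywords file for com.example.shop
regex:AKIA[0-9A-Z]{16}|critical
regex:(?i)aws_secret_access_key\\s*[:=]\\s*\\S{20,}|critical
regex:eyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}|high
literal:sk_live_acme_|high
literal:qa-user@acme.example|medium
"""

# Constructed "at rest" artifacts: path -> contents the app wrote to disk.
DISK_ARTIFACTS = {
    "/data/data/com.example.shop/files/cloud.cfg":
        "aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "/data/data/com.example.shop/files/session.json":
        '{"user": "qa-user@acme.example", "theme": "dark"}',
    "/data/data/com.example.shop/cache/catalog.json":
        '{"items": [{"sku": "COFFEE-01", "price": 4.5}]}',
}

# Constructed "in transit" capture from the sign-in / add-to-cart / checkout run.
NETWORK_CAPTURE = [
    {"method": "POST", "url": "http://api.shop.example/v1/cart",
     "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9."
                                  "eyJzdWIiOiJxYS11c2VyIn0.c2lnbmF0dXJlLWJ5dGVz"},
     "body": '{"sku": "COFFEE-01", "qty": 1}'},
    {"method": "POST", "url": "https://api.shop.example/v1/checkout",
     "headers": {"Content-Type": "application/json"},
     "body": '{"payment_key": "sk_live_acme_9f8e7d6c", "amount": 4.5}'},
    {"method": "GET", "url": "https://cdn.shop.example/banner.png",
     "headers": {}, "body": ""},
]


@dataclass
class Finding:
    keyword: str    # rule that fired (literal text or regex source)
    severity: str
    channel: str    # "disk" or "network"
    location: str   # file path, or method + URL
    evidence: str   # matched text, redacted so the report does not re-leak it


def load_keywords(text):
    """Parse the keywords file into (compiled regex, label, severity) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, rest = line.split(":", 1)            # first ':' ends the kind tag
        pattern, sep, severity = rest.rpartition("|")
        if not sep:                                # no "|severity" suffix
            pattern, severity = rest, "medium"
        if severity not in SEVERITY_RANK or kind not in ("literal", "regex"):
            raise ValueError(f"bad keyword rule: {raw!r}")
        regex = re.escape(pattern) if kind == "literal" else pattern
        rules.append((re.compile(regex), pattern, severity))
    return rules


def redact(text):
    """Keep a 4-char prefix so a finding is recognisable without exposing it."""
    return text[:4] + "*" * (len(text) - 4) if len(text) > 4 else "*" * len(text)


def scan_text(rules, text, channel, location):
    return [Finding(label, sev, channel, location, redact(m.group(0)))
            for regex, label, sev in rules for m in regex.finditer(text)]


def scan_disk(rules, artifacts):
    return [f for path, data in artifacts.items()
            for f in scan_text(rules, data, "disk", path)]


def scan_network(rules, capture):
    findings = []
    for req in capture:
        scheme = "plaintext HTTP" if req["url"].startswith("http://") else "TLS"
        # Headers and body are both places a token or key can travel in the clear.
        wire = "\n".join(f"{k}: {v}" for k, v in req["headers"].items()) + "\n" + req["body"]
        findings += scan_text(rules, wire, "network", f'{req["method"]} {req["url"]} ({scheme})')
    return findings


def build_report(rules, artifacts, capture, app_id, device):
    """Group findings into pass/fail checks; severity is the worst finding's."""
    checks = []
    for name, found in (("sensitive-data-at-rest", scan_disk(rules, artifacts)),
                        ("sensitive-data-in-transit", scan_network(rules, capture))):
        worst = max((f.severity for f in found), key=SEVERITY_RANK.__getitem__, default="info")
        checks.append({"check": name, "status": "fail" if found else "pass",
                       "severity": worst, "findings": [asdict(f) for f in found]})
    return {"app_id": app_id, "device": device, "checks": checks}


if __name__ == "__main__":
    rules = load_keywords(KEYWORDS_FILE)
    report = build_report(rules, DISK_ARTIFACTS, NETWORK_CAPTURE,
                          "com.example.shop", "constructed virtual Android device")
    print(json.dumps(report, indent=2))
```

Against the constructed data, the at-rest check fails at critical severity (an AWS access key ID and secret in `cloud.cfg`, plus the QA account in `session.json`) and the in-transit check fails at high severity (a bearer token sent over plaintext HTTP and a live payment key in the checkout body). Note the two design points a practitioner would keep from this: organization-specific literals such as `sk_live_acme_` fire only on your own secrets, which is where the false-positive reduction comes from, and evidence is redacted before it reaches the report so the report itself does not become a second copy of the leak.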
Brian and Steven demonstrate the above five steps in the full webinar using the intentionally vulnerable Corellium Cafe app. Set up a meeting with one of our experts to discuss how Corellium MATRIX™ can advance your security research and pentesting program.