Growing demand for mobile apps and lack of skilled security pros creates lucrative opportunities for qualified mobile app pen testers. Last year consumers and businesses downloaded more than 200 billion mobile apps from the Google Play and Apple App stores creating $111 billion in revenue. In reality the mobile app stores cannot cover every angle of mobile app security and privacy. Security analysts, security-minded developers and those responsible for internal pen testing efforts must quickly add mobile expertise to keep up with rapid growth in mobile apps.
Security professionals already familiar with web app pen testing can upskill to mobile app testing to advance their careers. Web pen testers who may already work with in-house pen testing teams can add mobile app security skills to add value to their organizations and grow their careers and even their salary. AppSec professionals who pivot to mobile app pen testing will find they are in great demand as billions of new apps are introduced every year and there’s a major shortage of mobile-skilled pen testers.
So how can web pen testers gain mobile pen testing expertise? It all starts with understanding the critical differences between web and mobile testing.
Understand web vs. mobile and IoT
Pen testers looking to learn more about mobile app pen testing should start by examining how mobile and IoT app architectures fundamentally differ from web app architecture. Web apps run on a server and users access them through a browser. All code sits on a server behind a firewall and the browser handles secure communications. So 90% of the code is protected and web apps use a fairly consistent set of tools and infrastructure that update infrequently.
By contrast, mobile apps and IoT-connect mobile apps run on mobile devices with 100% of the code in the wild and easily reversable. In addition, mobile apps don’t follow the more limited web environment with multiple operating systems that update frequently, thousands of development tools/frameworks/sdk’s and can even include device-specific functionality.
Mobile apps and IoT devices use and collect a lot of data that web apps don’t. With most of the code running in the wild on these unprotected mobile and IoT devices, this creates a much larger and easier attack surface for hackers to exploit and increases the complexity of penetration testing. Mobile pen testers need to understand the unique complexities of multiple mobile OS, code languages, storage, and communications with ingenuity and reversing skills.
Leverage learning resources
Web pen testers interested in mobile pen testing should consult several trusted and valuable resources to learn about mobile app security. They should become students of mobile project at The Open Web Application Security Project (OWASP) and the ioXt Alliance. Both are non-profit organizations of industry experts that focus on improving software security. Here are some resources to check out:
- OWASP: OWASP offers essential resources, including the and the OWASP Mobile App Security Verification Standard (MASVS) standard. These standards provide a roadmap for mobile pen testers, software architects and developers seeking to deliver secure mobile apps. By following OWASP standards, security testers gain confidence and create consistency in test results. MASVS establishes a security baseline for mobile apps by outlining the different verification requirements for basic mobile app security, defense-in depth app security and reverse engineering resilience.
OWASP also publishes the Mobile Security Testing Guide (MSTG), a thick manual security analysts use to test mobile applications to verify they fulfill MASVS requirements. The OWASP Mobile Security Testing Checklist spreadsheet outlines specific MASVS requirements to pass or fail when performing mobile app assessments. Finally, OWASP and others have created a collection of mobile app reverse engineering challenges on Github called crackmes. Found throughout the MSTG, the challenges offer a way to test your skills or just have fun.
- ioXt Alliance: For IoT, the developers, security analysts and testers should familiarize themselves with the efforts of ioXt Alliance. Here all can find baseline security requirements for IoT devices and IoT-connected mobile apps, as well as a program for certification of IoT devices and apps. With the rapid adoption of IoT devices, it’s become a critical security area and it’s still in the early stages. Anyone who wants to add pen test smart home devices should consult these ioXt Alliance resources.
- Industry Training: Along with OWASP and ioXT, NowSecure Academy offers an abundance of free courses to get web application security analysts up-to-speed on mobile and build knowledge. For those new to mobile appsec, the Mobile AppSec 101 course offers a great place to start. The Hacker101: Mobile Hacking course offers a deeper dive on Android and iOS hacking. In addition, the SANS Institute offers an extensive mobile pen testing and hacking course for those who can commit the time and money.
Because we consider mobile app pen testing part art and part science, it takes a special set of skills and personality attributes to succeed. Anyone looking to become a pen tester should develop skills such as patience, creativity and attention to detail. Most of all, they should show determination and persistence throughout a long, complex learning process.
On the technical side, some of the best mobile pen testers come from bug hunting or bug bounty programs. It’s also important to have forensics and reverse engineering knowledge, such as the use of open-source tools Frida and Radare, as well as experience developing and/or debugging mobile applications. Offensive security certifications don’t hurt either, and those with technical writing experience will have ample opportunities.
With the rapid deployment and adoption of mobile apps in virtually every area of our lives, security analysts and web pen testers should consider mobile pen testing opportunities. As our digital lives become more mobile and interconnected, the need for mobile pen testers—those who understand the unique challenges—will grow exponentially.
Security analysts and web pen testers who bring mobile appsec knowledge to their teams add value, increase security and prepare organizations for our mobile future. To succeed they must become champions of emerging mobile standards, arm themselves with unique knowledge of mobile architecture and remain ever curious about where we—and our mobile data – are headed.
Brian C. Reed, chief mobility officer, NowSecure
