Cloud Security Alliance Issues Mobile Application Security Testing Report

The Cloud Security Alliance has released a new report surrounding its Mobile Application Security Testing Initiative. The purpose of the report is to provide the Alliance’s insight into building out a roadmap for establishing a more secure cloud ecosystem to protect mobile applications.

The Alliance’s Mobile Application Security Testing (MAST) Initiative offers research to the cloud industry reduce the possible risk exposures and security threat in using mobile applications. MAST defines a framework for secure mobile application development, achieving privacy and security by design. Ultimately MAST will provide clearly articulated recommendations and best practices in the use of mobile applications.

Mobile application security testing and vetting processes utilized through MAST involve both static and dynamic analyses to evaluate security vulnerabilities of mobile applications for platforms such as Android, iOS and Windows. 

These processes cover permissions, exposed communications, potentially dangerous functionality, application collusion, obfuscation, excessive power consumption and traditional software vulnerabilities. 

It also covers internal communications such as debug flag and activities and external communications such as GPS, NFC access as well as checking the links that are written in the source code. In addition to security testing and vetting, the initiative has also proposed processes and procedures for security incidence response.

The report details the issues of mobile app vetting from a life-cycle perspective, mobile app development management, mobile app coding, and audit management security issues. The Alliance plans to create a follow up assessment and certification scheme white paper based on NIST special publication 800­163: "Vetting the Security of Mobile Applications" and also set up a vetting plan for a mature model and mobile apps security.  

Also planned is the establishment of a vetting plan for mobile apps and guidance to allocate resources to resolve potential security problems or certification-period incidents.