
Mobile Banking Application Security Testing

21-07-2013

MBSL Testing Framework

Mobile applications are now developed for almost every activity that was originally delivered as a web application.


With varying physical devices, operating systems and architectures, do the same with the mobile

Dynamic analysis of the mobile application, with Android as the operating system. Mercury is the framework used here to perform the dynamic analysis.


The analysis reports the interconnectivity and actions of each individual application residing on the mobile device.

Mercury provides a wide range of commands for investigating the security posture of an Android app. These are presented as modules in the console.


Example: Analysis of BAJAJ FINSERV LENDING Mobile Application

This interactive application gives you easy access to your transactions, loan history, payment schedules and more.


It also allows you to apply for exclusive products & services offered by Bajaj Finance.

Analysis of BAJAJ FINSERV LENDING Mobile Application

This application has only two permissions: Internet and Access Network State. This is a web based application: it is accessible through the mobile browser and it interfaces with external servers. This application doesn't have any content providers, and hence no content is exported or shared with other applications. The application connects to the server via mobile and all the data resides on the server.
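As an added example (not part of the original slides or the Mercury project), the following Python script performs the manifest-level part of that analysis: it lists an app's requested permissions and the components it exports to other apps from a decoded AndroidManifest.xml, applying the platform default that a content provider without android:exported is exported when targetSdkVersion is below 17 and that other components are exported only when they carry an intent filter. Both manifests it parses are constructed for illustration; the first mirrors the two-permission, no-provider profile described above, the second shows the legacy-provider edge case.

```python
# Added example (not from the slides): list permissions and exported components from a
# decoded AndroidManifest.xml, the manifest-level counterpart of a Mercury attack-surface pass.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

# Constructed manifest mirroring the profile in the slides: two permissions, no provider.
MANIFEST_WRAPPER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.lending">
  <uses-sdk android:targetSdkVersion="18"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed manifest: the provider omits android:exported on an old targetSdkVersion.
MANIFEST_LEGACY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.legacy">
  <uses-sdk android:targetSdkVersion="15"/>
  <application>
    <provider android:name=".TxnProvider" android:authorities="com.example.legacy.txn"/>
  </application>
</manifest>"""

def is_exported(component, target_sdk):
    """Resolve android:exported, applying the platform defaults when it is absent."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return target_sdk < 17  # providers defaulted to exported before API level 17
    return component.find("intent-filter") is not None  # others: exported iff filtered

def attack_surface(manifest_xml):
    """Return the package, its requested permissions and exported components by type."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    perms = [p.get(A + "name") for p in root.findall("uses-permission")]
    exported = {t: [] for t in ("activity", "service", "receiver", "provider")}
    app = root.find("application")
    for comp in (list(app) if app is not None else []):
        if comp.tag in exported and is_exported(comp, target_sdk):
            exported[comp.tag].append(comp.get(A + "name"))
    return {"package": root.get("package"), "permissions": perms, "exported": exported}
```

Run it against a manifest decoded from the APK under test (for example with apktool) to cross-check the permission and provider findings Mercury reports at runtime.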

Analysis of BAJAJ FINSERV LENDING Mobile Application using MERCURY Framework


OWASP Mobile Security Project

The work is in line with the OWASP (Open Web Application Security Project) Mobile Security Project.


This is an open project in which many developers and experts worldwide collaborate to describe and develop standards and common methodologies for testing application software security.

OWASP Top 10 Mobile Risks

OWASP provides a list of mobile risks every alternate year. If these risks are covered, it implies that more than 90% of security concerns are covered.

M1: Insecure Data Storage
M2: Weak Server Side Controls
M3: Insufficient Transport Layer Protection
M4: Client Side Injection
M5: Poor Authorization and Authentication
M6: Improper Session Handling
M7: Security Decisions Via Untrusted Inputs
M8: Side Channel Data Leakage
M9: Broken Cryptography
M10: Sensitive Information


MBSL Test Engine

Open Source Tools:
Mercury Framework (Android, dynamic analysis)
Burp Suite (capture network traffic)
Wireshark (capture air traffic)
APK Analyzer
Agnitio

Proprietary Tools:
HP Fortify
IBM AppScan
IDRBT Tools

Work done till date: Studied and analyzed the MERCURY framework to perform dynamic analysis over mobile applications (Android specific). Performed dynamic analysis on a Samsung Galaxy II running Android OS. Exposed interconnectivity issues within the applications.

Future work: Trying to analyze more tools from HP and IBM.
