In this paper, we present a holistic framework for robust mobile application security testing. The proposed approach guided the design of a security testing pipeline that discovers common mobile application vulnerabilities by combining the outputs of static analysis, dynamic analysis, and interactive application security testing into an orchestrated workflow. An implementation was created to corroborate that the methodology can produce a comprehensive vulnerability analysis, using the source code of an intentionally insecure Android application commonly known as DIVA. The resulting product is a proof-of-concept that shows the practical potential of integrating orchestrated security testing into the software development life cycle, and that can be extended to include more security tools and replicated to support multiple mobile operating systems. This proof-of-concept demonstrated that orchestration increases the number of distinct vulnerabilities found compared with single-dimensional testing, identifies overlapping findings across the automated security testing scripts, and maps these findings to publicly documented fixes to provide a baseline of test cases specific to mobile application weaknesses.

Author: Jessy Ayala

Published in: World Congress on Internet Security (WorldCIS-2021)

  • Date of Conference: 7-9 December 2021
  • DOI: 10.20533/WorldCIS.2021.0007
  • ISBN: 978-1-913572-40-2
  • Conference Location: Virtual (London, UK)