close

Mobile App Security – iOS and Android App Backgrounding

appSecurity

Security testing is a big piece for mobile apps testing. More and more personal information is gathered by these devices without much of the user’s knowledge. A funny thing is, your device doesn’t have to be hacked to get your personal information. A tool like iExplorer can get some of your app data even though your phone is locked or pass code protected.

You must be curious about what data it will gather?
Have you heard about App backgrounding? Both iOS and Android capture screenshot of your app when you try to push it to the background to do other task. This helps these operating systems give a pseudo multitasking opportunity. So, next time you try to bring your app from the background, it will show that image as if it was running in the background.

This is good. What’s the problem here?
Imagine, you are using a bank application and you push the app to the background. All a hacker needs to do is get hold of your device and connect iExplorer to find that screenshot and know your bank account details. Scary?
The list goes on. Think about health care apps that have crucial PHI information or, banking and finance apps, photos (the naughty kind) and many more.

What’s the solution?
Luckily, both iOS and Android provide a way to avoid backgrounding screenshots. Your developer can add an overlay image in iOS and blur the background image in Android. Usually this takes care of the problem.

What will happen to backgrounding screenshots if there are modal views like system alerts, calendar dialogs, picker views and such?
Unfortunately, your developer’s backgrounding code will not work. To solve this concern, you will have to dismiss the alerts or other modal view when the app goes into the background. For some of the controls, you can call the dismiss function on them. Others, like in iOS Alert View, the developers have to create a custom alert that’s called in the app instead of over the app to be able to dismiss the control before going into the background.

But, if you are a SUPER TESTER then you go a level up, you need to make sure your app is secure by testing for app backgrounding in both iOS and Android

Steps:
1. Push your app to background and make sure the OS is not storing the screenshot
2. Test your app data with apps like iExplorer to make sure sensitive user data is not captured
3. As a SUPER TESTER, make sure your backgrounding solution works even when there are Modal Views like System Alerts, Calendar views, Pickers etc.

With the overall increased use of mobile phones and people “living on their smartphone,” security testing is a big piece for mobile apps testing. As a SUPER TESTER you can do your part.

Katie Cochran

The author Katie Cochran

Leave a Response