Systematic Literature Review on Penetration Testing for Mobile Cloud Computing Applications

Mobile cloud computing (MCC) enables mobile devices to exploit seamless cloud services via offloading, and brings numerous advantages along with increased security and complexity. Penetration testing of mobile applications has become more complex and expensive due to several parameters, such as the platform, device heterogeneity, context event types, and offloading. Numerous studies have been published in the MCC domain, whereas few studies have addressed the common issues and challenges of MCC testing. However, current studies do not address MCC and penetration testing. Therefore, revisiting the MCC and penetration testing domains is essential to overcoming the inherent complexity and reducing costs. Motivated by the importance of revisiting these domains, this paper pursues two objectives: to provide a comprehensive systematic literature review (SLR) of the MCC, security and penetration testing domains, and to establish the requirements for penetration testing of MCC applications. This paper has systematically reviewed previous penetration testing models and techniques based on the requirements in Kitchenham’s SLR guidelines. The SLR outcome has indicated the following deficiencies: the offloading parameter is disregarded; studies that address mobile, cloud, and web vulnerabilities are lacking; and an MCC application penetration testing model has not been addressed by current studies. In particular, offloading and mobile state management are two new and vital requirements that have not been addressed to reveal hidden security vulnerabilities, facilitate mutual trust, and enable developers to build more secure MCC applications. Beneficial review results that can contribute to future research are presented.
