  • Do you know that mobile devices (smartphones and tablets) are perceived as IT security's weakest link, closely followed by social media applications?
  • Did you notice that the majority of users, i.e. 75%, operate 3-4 devices on a daily basis?
  • Are you aware of the fact that 59% of respondents experienced an increase in mobile threats over the past year?
  • Are you aware that the human attack surface is expected to reach 4 billion people by 2020?
  • Did you know that cybercrime damage costs are expected to hit $6 trillion annually by 2021?
  • Do you know that cybersecurity spending is expected to exceed $1 trillion from 2017 to 2021?

Mobile Application Security Testing

With the recent paradigm shift of internet applications moving onto the mobile platform, this area has become very important for any business, and therefore for attackers as well. With our robust mobile application assessment approach, we help you maximise the business surface and minimise the attack surface of your application on this platform. Our mobile application assessment covers all mobile operating systems, including Android, iOS, Windows, BlackBerry and Symbian, as well as newer platforms such as Tizen, Sailfish and Mozilla.

In this service we will check:

If an app contradicts the best practices recommended by the platform vendor, it is exposed to greater risk. Some apps intend to do the right thing but get some part of the implementation wrong. This could be a simple bug, such as setting the wrong flag on an API call, or it could be a misunderstanding of how the platform protections work. Our team identifies such platform misuse and helps improve the security of your application.

Having identified particular vulnerabilities in your technology choices, we follow specific architecture and design guidelines to combat those vulnerabilities. We use the STRIDE and DREAD models for threat modelling of your application and brainstorm the vulnerabilities that may arise when a defined business process is written down in a Functional Specification Document (FSD) or SRS. We also perform an application architecture risk analysis and identify the dependencies required for secure integration of the application across its environment.

During this phase, we evaluate whether secure coding practices were followed during the development of the payment application. Coverage includes, but is not restricted to, the following points:

  1. Flow of cardholder data through the application
  2. Security features in the application:
    • Logging
    • User Authentication
    • Input Validation, etc.

Finally, once development is finished, a final secure code review combined with manual testing can detect logical flaws in the code, confirm that issues found during the development phase have been fixed correctly, and confirm that no new vulnerabilities have been introduced. Testing tools can be configured to look for patterns in your code that point to vulnerabilities, things your developers may not have spotted during their own code reviews. Static and dynamic testing tools can be huge assets in the fight for improved application security, but only if they are used effectively. It is essential to train your software engineers to use them properly, so that they can weed out the false positives and identify the real threats.

Failure to properly validate input leads to almost all of the major vulnerability classes in applications, such as interpreter injection, locale/Unicode attacks, file system attacks and buffer overflows. Data from the client should never be trusted, because the client has every opportunity to tamper with it. We ensure that the application is robust against all forms of input data, whether obtained from the user, the infrastructure, external entities or database systems.

Once the application is delivered to the mobile device, its code and data resources are resident there. An attacker can directly modify the code, change the contents of memory at runtime, change or replace the system APIs that the application uses, or modify the application's data and resources. This capability allows the attacker to realise the same traditional business threats as with web applications, but in genuinely new and unconventional ways. Our team uses its understanding of the relevant attack vectors to verify whether the application detects and resists unauthorised code modification.

Reverse engineering is used to discover and exploit other latent vulnerabilities in the application, as well as to reveal information about back-end servers, cryptographic constants and ciphers, and intellectual property. We understand the architectural features that should be built into the code to make reverse engineering by an attacker harder.

There are two fundamental ways in which weak cryptography manifests within mobile apps. First, the mobile app may use a process around encryption/decryption (such as key management or the mode of operation) that is fundamentally flawed and can be exploited by an adversary to recover sensitive data. Second, the mobile app may implement or rely on an encryption/decryption algorithm that is inherently weak and can be broken directly by an adversary. To demonstrate this weakness during the assessment, we attempt to return encrypted code or sensitive data to its original unencrypted form by exploiting the weak algorithm or the flaws in the encryption process.

As functionality is added to applications, thought must be given to how each function or feature could be manipulated to circumvent the business process, or abused to perform an action the developer never intended. Our team performs robust threat modelling exercises for each application feature to enumerate the ways attackers could abuse it. All functions and features of the application are tested against a comprehensive set of use and abuse cases to ensure that the application enables only the intended functionality and no more.

Mishandling private information, such as customer passwords or social security numbers, can compromise user privacy and is often illegal. Programmers often trust the operating environment in which a program runs, and therefore believe it is acceptable to store private information on the file system, in the registry, or in other locally controlled resources. However, even if access to certain resources is restricted, this does not guarantee that the individuals who do have access can be trusted. Insecure local storage may also result in the following technical impacts: extraction of the app's sensitive information via mobile malware, modified apps or forensic tools.