Mobile Application Dynamic Penetration Testing | Android & iOS Pen Testing


DEDICATED PENETRATION TESTS FOR MOBILE APPLICATIONS ON ALL OPERATING SYSTEMS

Mobile security encompasses network security (mobile apps typically talk to backend servers over the public internet), application and software security, and the security of the device and platform the app runs on. It is therefore important to test the security of your mobile applications thoroughly.

The number of mobile platforms on the market means that any given application may run in many different host environments. Dynamic penetration testing, which exercises the running app and its backend the way an attacker would, is one of the most effective techniques your company can use to find the flaws that put data at risk on each mobile OS and platform.

Dynamic mobile testing comprises many checks, including the testing of: authentication, session management, access control, input validation, on-device data storage, transport-layer encryption, resistance to reverse engineering, and more. Together these checks give a realistic picture of how well your mobile applications stand up to an attacker. Below is a brief overview of each of the areas that make up dynamic mobile testing:

IN THIS AGE OF INFORMATION, MOBILE APPLICATIONS HAVE BECOME A PIVOTAL PART OF MANY ORGANIZATIONS AND BUSINESSES FOR SHARING DATA, COMMUNICATING, AND CONDUCTING EVERYDAY AFFAIRS.

AUTHENTICATION TESTING

Authentication testing dynamically exercises the mechanisms by which a user proves their identity (e.g. username and password, PIN, device biometrics, one-time codes) in order to determine whether an attacker can gain access without valid credentials: by brute-forcing or credential-stuffing the login with automated tooling, by abusing password-reset or "remember me" features, or by tampering with the requests the app sends. It also includes checking how user input reaches back-end queries and how data is pulled from back-end databases, since an injection flaw in the login path (e.g. SQL injection) can allow authentication to be bypassed outright.

SESSION MANAGEMENT

Session management covers how an authenticated user is recognised on subsequent requests: the session identifiers or tokens the server issues, the cookies or headers that carry them, expiration and idle timeouts, invalidation on logout, and any cryptographic keys used to protect the exchanges between that user and the server. How session data is generated, stored and later used to identify the user is very important, because an attacker who obtains or predicts a valid session token can hijack the session and bypass authentication entirely; session fixation and tokens that remain valid after logout are common findings.

ACCESS CONTROL (AC)

Access control (AC), or authorization, builds on authentication: once the server knows who a user is, it must decide what that user may see or do, and enforce that decision on every request. It binds the points above together into a system that lets authorized users reach data on the server or establish sessions with it. The most frequent mobile failures here are object-level flaws (a user changing an ID in a request to read another user's data) and function-level flaws (a regular user reaching administrative endpoints), usually because the check is performed only in the app's user interface and not on the server. It is imperative that your company implements a robust access control system that allows only authenticated users with the appropriate authorization to reach a given resource.
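The two sections above describe properties a tester looks for rather than code, so the following is an added illustration (written for this page, not code from the original or from any product it names) of what a server that passes those checks looks like: opaque random session IDs, absolute and idle timeouts, rotation on login against session fixation, server-side logout, and an object-level ownership check that a valid session alone does not satisfy. The user and record data are constructed sample values, and the credential check inside `login` is assumed to have already succeeded.

```python
import secrets
import time

# Constructed sample backend data (not from any real deployment).
USERS = {"alice": "u-1001", "bob": "u-1002"}
RECORDS = {
    "r-1": {"owner": "u-1001", "body": "alice's invoice"},
    "r-2": {"owner": "u-1002", "body": "bob's invoice"},
}

ABSOLUTE_TTL = 8 * 3600   # seconds a session may live after login, however active
IDLE_TTL = 15 * 60        # seconds of inactivity after which a session expires


class SessionStore:
    """Server-side session store with opaque random IDs, timeouts and rotation."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def create(self, user_id):
        # 32 bytes from the OS CSPRNG; unlike a counter, timestamp or hash of the
        # username, one token tells an attacker nothing about the next.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def login(self, username, presented_sid=None):
        """Issue a fresh session ID after a (here assumed) successful credential
        check. Any session the client presented before login is discarded, so an
        attacker who planted a known ID (session fixation) does not get it
        upgraded to an authenticated one."""
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        return self.create(USERS[username])

    def resolve(self, sid):
        """Return the user ID for a live session, or None if absent or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["created"] > ABSOLUTE_TTL or now - s["last_seen"] > IDLE_TTL:
            del self._sessions[sid]
            return None
        s["last_seen"] = now  # sliding idle window
        return s["user"]

    def logout(self, sid):
        # Server-side invalidation: clearing the cookie on the device is not enough.
        self._sessions.pop(sid, None)


def get_record(store, sid, record_id):
    """Object-level authorization: being logged in is not the same as being
    allowed to see this particular record."""
    user = store.resolve(sid)
    if user is None:
        return 401, None
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != user:
        # Same response for "missing" and "not yours" so the API does not
        # confirm which IDs exist (the classic IDOR enumeration signal).
        return 404, None
    return 200, rec["body"]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")
    print(get_record(store, sid, "r-1"))  # (200, "alice's invoice")
    print(get_record(store, sid, "r-2"))  # (404, None): bob's record, same valid session
```

When testing a real app, the equivalent checks are: capture two logins and confirm the IDs share no structure; replay a token after logout and after the idle window; and, with a valid session for user A, request user B's object IDs directly.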

INPUT VALIDATION

Input validation is the practice of checking user input against what the application expects (type, length, format, allowed values) before it is processed, and rejecting what does not fit. It limits what a client can feed into back-end commands and queries, and so reduces the surface for injection attacks such as SQL injection (SQLi) that could lead to a data breach or unauthorized access. It is not, however, a substitute for the primary defence against SQLi: building queries with parameterised statements, so that user data can never change the structure of a command sent to the database server. SQL injection (CWE-89) has consistently ranked among the top entries of the CWE Top 25 Most Dangerous Software Weaknesses, and Injection has consistently ranked among the top risks in the OWASP Top 10.
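As an added example for the authentication and input validation sections (written for this page, not code from the original or from any product it names), the login below is shown twice against a constructed SQLite users table: once with the username spliced into the SQL text, and once with an allow-list check plus a parameterised query. The attack string is a UNION injection that makes the vulnerable query return a row whose salt and hash the attacker chose, so hashing the stored passwords does not save the vulnerable version. The account names and passwords are sample values.

```python
import hashlib
import hmac
import os
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")  # allow-list: what a username may look like


def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db():
    """Constructed in-memory users table with sample accounts (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in (("alice", "correct horse battery"), ("admin", "n0t-gu3ssable")):
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, pw_hash(pw, salt)))
    db.commit()
    return db


def _verify(row, password):
    if row is None:
        return None
    username, salt, stored = row
    return username if hmac.compare_digest(pw_hash(password, salt), stored) else None


def login_vulnerable(db, username, password):
    # The username is spliced into the SQL text, so the client controls the
    # query's structure, not just a value. Hashing the passwords does not help.
    sql = f"SELECT username, salt, pw_hash FROM users WHERE username = '{username}'"
    return _verify(db.execute(sql).fetchone(), password)


def login_safe(db, username, password):
    # 1. Validate: reject input that cannot be a username instead of "cleaning" it.
    if not USERNAME_RE.match(username):
        return None
    # 2. Parameterise: the driver passes the value separately from the SQL text,
    #    so it can only ever be compared as data.
    row = db.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return _verify(row, password)


def union_payload(chosen_password):
    """Attacker's 'username': makes the vulnerable query return a row whose salt
    and hash the attacker chose, so the password check passes for 'admin'."""
    fake_salt = b"\x00" * 16
    fake_hash = pw_hash(chosen_password, fake_salt)
    return f"x' UNION SELECT 'admin', X'{fake_salt.hex()}', X'{fake_hash.hex()}' --"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, union_payload("pwned"), "pwned"))  # admin
    print(login_safe(db, union_payload("pwned"), "pwned"))        # None
```

The point of the pairing is that validation and parameterisation do different jobs: the allow-list rejects the payload early and keeps junk out of logs and error paths, while the parameterised query would remain safe even if the allow-list were loosened or forgotten.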

SECURE STORAGE OF DATA

The secure storage of data on mobile devices is very important, because anything written to an app's sandbox can be read on a rooted or jailbroken device, recovered from a backup, or reached by other apps through misconfigured exported components. Everything from how data is encrypted (and where the key is kept) to the database or preferences framework in use must be taken into account, and vulnerabilities in the OS itself may widen the exposure further. Embedded databases such as SQLite store their contents in plain text by default, and apps frequently put session tokens, credentials and personal data there without any encryption.

NETWORK SYSTEMS IN MOBILE APPLICATIONS

When dealing with network communication in mobile applications, Transport Layer Security (TLS) with a modern protocol version (TLS 1.2 or later) and a strong cipher suite (e.g. an AES-GCM or ChaCha20-Poly1305 suite rather than RC4, which RFC 7465 prohibits) must be used to keep data private in transit, and the app must properly validate the server's certificate; certificate pinning adds a further barrier against interception. Data crossing a public network must be encrypted so that anything sniffed does not appear in plain text.

REVERSE ENGINEERING

Reverse engineering an application (decompiling it back towards source code, or analysing the binary directly) can reveal many of its secrets: the ciphers and key handling in use, undocumented or debug functionality, exploitable flaws and language-specific weaknesses in the code, hard-coded secrets such as API keys and credentials, and more.
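The hard-coded-secrets point above is the part of reverse engineering that is easiest to demonstrate, so here is an added example (written for this page, not code from the original or from any tool it names) of the first pass a tester makes over an unpacked binary: extract printable strings the way the `strings` utility does, then flag those that carry a known key prefix or have the length and Shannon entropy of a random token. The byte blob is a constructed stand-in for a chunk of a classes.dex or Mach-O file, and every "secret" in it is fabricated.

```python
import math
import re

# Constructed stand-in for a chunk of an app binary. All "secrets" are fabricated.
FAKE_API_KEY = "AIzaSyD-ExampleFakeKey1234567890abcdefg"
FAKE_HEX_TOKEN = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
SAMPLE_BINARY = (
    b"\x00\x01dex\n035\x00"
    + b"Lcom/example/app/NetClient;\x00"
    + b"https://api.example.com/v1/\x00"
    + FAKE_API_KEY.encode("ascii") + b"\x00"
    + b"\xff\xfe\x00\x00"
    + FAKE_HEX_TOKEN.encode("ascii") + b"\x00"
    + b"Please enter your password\x00\x00\x00"
)

# Prefixes of common credential formats (Google API key, AWS access key id,
# Stripe live key, PEM private key).
KNOWN_PREFIXES = ("AIza", "AKIA", "sk_live_", "-----BEGIN ")


def extract_strings(blob, min_len=8):
    """Like the `strings` utility: runs of printable ASCII of at least min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def shannon_entropy(s):
    """Bits per character; random hex tops out at 4.0, random base64 at 6.0."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(s):
    if s.startswith(KNOWN_PREFIXES):
        return True
    # Hex is tested first because any hex string also matches the wider class below.
    if re.fullmatch(r"[0-9a-fA-F]{32,}", s):
        return shannon_entropy(s) > 3.0
    if re.fullmatch(r"[A-Za-z0-9+/=_\-]{24,}", s):
        return shannon_entropy(s) > 4.5
    return False


def find_hardcoded_secrets(blob):
    """Strings worth a human look; URLs, class names and UI text fall through."""
    return [s for s in extract_strings(blob) if looks_like_secret(s)]


if __name__ == "__main__":
    for hit in find_hardcoded_secrets(SAMPLE_BINARY):
        print(hit)
```

On a real target the input would be each classes*.dex and lib/*/*.so from the unzipped APK, or the decrypted main executable of an iOS app; the entropy thresholds are deliberately loose, and every hit still needs a tester to decide whether it is a live credential.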

LEAKAGE OF APPLICATION DATA

The leakage of application data on a mobile device is very common: the NowSecure Mobile Security report indicates that many apps leak unique identifiers, personal user data, location data and other private information, often in plain text, through channels such as device logs, unprotected files in the app sandbox, backups and unencrypted network traffic.
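The storage and leakage sections share one practical check: look in the places an app writes and see what is there in plain text. The added example below (written for this page, not code from the original or from any tool it names) builds a constructed Android-style sandbox (a SharedPreferences XML file and an unencrypted SQLite database) in a temporary directory, then runs the same sensitive-value patterns over it and over a few constructed logcat lines. All file contents and log lines are sample data; the key names and regexes are assumptions chosen for the demonstration.

```python
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Keys whose mere presence in plain text is a finding, and value shapes that
# indicate credentials or personal data wherever they turn up.
SENSITIVE_KEY = re.compile(r"pass(word)?|secret|token|jwt|api[_-]?key|session|auth", re.I)
SENSITIVE_VALUE = [
    ("jwt",    re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")),
    ("bearer", re.compile(r"(?i)bearer\s+[A-Za-z0-9._-]{16,}")),
    ("email",  re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")),
    ("coords", re.compile(r"-?\d{1,3}\.\d{4,},\s*-?\d{1,3}\.\d{4,}")),
]

# Constructed sample JWT: header {"alg":"HS256"}, body {"sub":"alice"}, junk signature.
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"

# Constructed logcat excerpt; no real device or app produced these lines.
SAMPLE_LOGCAT = f"""\
D/NetClient( 1234): GET /v1/me Authorization: Bearer {SAMPLE_JWT}
I/LocationSvc( 1234): fix lat,lng=51.5074, -0.1278
D/LoginActivity( 1234): user=alice@example.com password=Summer2024!
I/ActivityManager(  612): Displayed com.example.app/.MainActivity: +412ms
"""


def build_sample_sandbox(root):
    """Create an Android-style app data directory holding the kind of plaintext
    artefacts testers routinely find (sample content, not from any real app)."""
    prefs, dbs = root / "shared_prefs", root / "databases"
    prefs.mkdir(parents=True)
    dbs.mkdir()
    (prefs / "auth.xml").write_text(
        "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
        '    <string name="username">alice@example.com</string>\n'
        '    <string name="password">Summer2024!</string>\n'
        '    <boolean name="remember_me" value="true" />\n</map>\n'
    )
    db = sqlite3.connect(str(dbs / "app.db"))
    db.execute("CREATE TABLE session (id INTEGER PRIMARY KEY, jwt TEXT, last_fix TEXT)")
    db.execute("INSERT INTO session VALUES (1, ?, ?)", (SAMPLE_JWT, "51.5074, -0.1278"))
    db.commit()
    db.close()


def _value_findings(where, value):
    return [f"{label} in {where}" for label, rx in SENSITIVE_VALUE if rx.search(value)]


def scan_prefs(path):
    """SharedPreferences XML: flag sensitive keys and sensitive-looking values."""
    findings = []
    for el in ET.parse(path).getroot():
        name = el.get("name", "")
        value = el.text or el.get("value") or ""
        if SENSITIVE_KEY.search(name):
            findings.append(f"plaintext '{name}' in {path.name}")
        findings += _value_findings(f"{path.name}:{name}", value)
    return findings


def scan_sqlite(path):
    """Walk every table and text cell of an unencrypted SQLite database."""
    findings = []
    db = sqlite3.connect(f"file:{path.as_posix()}?mode=ro", uri=True)
    tables = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for t in tables:
        q = t.replace('"', '""')  # the database under test is untrusted input
        cols = [r[1] for r in db.execute(f'PRAGMA table_info("{q}")')]
        for row in db.execute(f'SELECT * FROM "{q}"'):
            for col, val in zip(cols, row):
                if SENSITIVE_KEY.search(col) and val is not None:
                    findings.append(f"plaintext column {t}.{col} in {path.name}")
                if isinstance(val, str):
                    findings += _value_findings(f"{t}.{col}", val)
    db.close()
    return findings


def scan_log(text):
    """Run the same value patterns over device log lines (adb logcat output)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        findings += _value_findings(f"logcat line {n}", line)
        if re.search(r"(?i)\bpass(word)?=\S+", line):
            findings.append(f"password in logcat line {n}")
    return findings


def scan_sandbox(root):
    findings = []
    for p in sorted(root.rglob("*.xml")):
        findings += scan_prefs(p)
    for p in sorted(root.rglob("*.db")):
        findings += scan_sqlite(p)
    return findings


def run_demo():
    """Build the sample sandbox in a temp dir, scan it and the log, return findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_sandbox(root)
        return scan_sandbox(root) + scan_log(SAMPLE_LOGCAT)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Against a real device the sandbox comes from `adb pull` of the app's data directory (root or a debuggable build required) or from an iOS file-system dump, and the log from `adb logcat`; the scanner only points at what to read, and a tester still confirms each hit and checks whether the token or password it found is still valid.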

It is also important to note that many automated dynamic scanning tools exist, and that they offer only a partial picture of your security posture. They range from basic scripts to complex software that unskilled attackers ("script kiddies") can point at your applications without any detailed knowledge of application hacking. It is therefore very important to run penetration tests on your applications yourself ("hack yourself first"), especially since a more capable attacker will combine those same automated tools with thorough manual techniques to compromise your mobile applications.

There are many tools and mobile security frameworks in existence, such as Drozer (Android) and Needle (iOS), that allow both our team and a team of malicious attackers to probe your mobile applications.

Packet sniffers such as Wireshark capture and analyse traffic on the network; intercepting proxies (e.g. Burp Suite, mitmproxy) sit between the app and its backend to inspect and modify requests and responses; and disassemblers and debuggers such as IDA and Hopper expose the internals of the binary. All are powerful tools for testing your software before attackers use the same tools to compromise your applications.

It is important to note, however, that automated tools produce false positives and miss issues (false negatives), and cannot by themselves tell either apart from genuine findings. Interpreting results in context, walking through complex workflows, and evaluating access control mechanisms and the implementation of authentication and authorization cannot be done reliably by a scanner. These can only be covered by manual testing in conjunction with a thorough review and interpretation of the results by an experienced security engineer.

ANDROID APPLICATION PENETRATION TESTING

Android is a popular, open-source mobile OS built on the Linux kernel, with applications written mainly in Java and Kotlin (and in native code through the NDK). The ease with which Android apps can be decompiled, modified and repackaged, together with the platform's inter-process communication model, gives attackers a large surface to work with. Using frameworks such as Drozer we dynamically test Android apps, probing exported components, inter-process communication and on-device storage. Testing is an important step in application development, as the NowSecure report shows that, among popular apps on the Google Play store, a total of 16,036 high-risk issues were found.

IOS APPLICATION PENETRATION TESTING

iOS is a powerful, closed-source mobile OS whose applications are built with Objective-C and Swift, often alongside C and C++. Objective-C, C and C++ are memory-unsafe languages and so are susceptible to buffer overflows and related attacks; Swift is memory-safe by default but frequently calls into such code. Utilizing frameworks such as Needle we run dynamic, comprehensive security tests on your iOS apps.

WINDOWS APPLICATION PENETRATION TESTING

Windows mobile platforms are unusual in that applications have been written in several languages and runtimes (C#, C++ and JavaScript among them), which presents an uncommon security challenge for companies. Nevertheless, we are able to fully test your Windows mobile applications in order to mitigate common security flaws such as weaknesses that expose the device file system to remote access, weak password handling that password-cracking tools can break, and conditions that allow Denial of Service (DoS) attacks to compromise your business systems.

BLACKBERRY AND OTHER OPERATING SYSTEMS APPLICATION PENETRATION TESTING

We also offer complete dynamic penetration tests for BlackBerry devices and other mobile platforms that are built on a variety of operating systems, programming languages and frameworks.

WE GENERATE A REPORT ON ALL VULNERABILITIES FOUND AND HOW TO PROTECT AGAINST EXPLOITS

We not only produce a full, detailed report of the vulnerabilities discovered in your applications, but also assist with mitigating these issues and establishing an efficient risk management process. Risk management includes identifying your company's assets, identifying threats to those assets, and mitigating those threats. To build a strong risk management foundation that can protect your company infrastructure we use the OWASP Risk Rating Methodology, a simple framework that scores each finding by likelihood and impact so that the highest-rated risks can be prioritised and mitigated before lower-rated ones. On that basis, we give your software engineers detailed explanations of the vulnerabilities we find in your mobile applications, remediation steps to reduce the risk, and guidance on coding practices that keep such vulnerabilities out of future releases. In doing so, you protect your company assets and your user base, and satisfy the many regulations that require third-party security audits of your software and systems.