MOBILE APPLICATION DYNAMIC PENETRATION TESTING
| ANDROID & IOS PEN TESTING
DEDICATED PENETRATION TESTS FOR MOBILE APPLICATIONS
ON ALL OPERATING SYSTEMS
IN THIS AGE OF INFORMATION, MOBILE APPLICATIONS HAVE BECOME A PIVOTAL PART OF MANY ORGANIZATIONS AND BUSINESSES FOR SHARING DATA, COMMUNICATING, AND CONDUCTING EVERYDAY AFFAIRS
Authentication Testing includes dynamically testing the implementation of protocols for gaining authorized access to the system via proper credentials (e.g. username, password, PIN), and is important to test in order to determine whether a malicious person can gain access to the system by inputting commands, utilizing malware, or by using automated software, etc. This also includes checking how data is pulled from back-end databases and how user input is parsed and pushed to the back-end, which can help to mitigate certain types of attacks that allow for bypassing authentication (e.g. SQL injection).
Access control (AC) encompasses authentication, unique electronic identifiers, etc. and binds the aforementioned points together as a system that allows authorized users to access data on the server or to establish sessions with the server. It is imperative that your company utilizes and implements a robust access control system that allows only fully-authenticated, authorized users to gain access to the system.
Input validation is the practice of validating user input before the data is parsed. This stops a user on the client side from using command injection in order to run malicious code on the server that could allow for a data breach or unauthorized access to the system. Many attack vectors (e.g. SQLi) can be mitigated by input validation since any malicious code would be rendered benign before it is passed to the database server. According to the Common Weakness Enumeration Report, SQL injection ranked among the highest security attack vector used against applications. OWASP ranks Injection as the most prevalent attack used against applications.
SECURE STORAGE OF DATA
The secure storage of data on mobile devices is very important, as everything from encryption to the database framework in use must be taken into account. In addition to this, the vulnerabilities that are common to the OS in use may present greater security flaws that can allow such mobile storage systems to be exploited. Embedded databases such as SQLite are known to have several security issues.
NETWORK SYSTEMS IN MOBILE APPLICATIONS
When dealing with network systems in mobile applications, a sufficiently strong cipher (e.g. AES instead of RC4) must be used with Transport Layer Security (TLS) for end-to-end encryption to ensure that data is kept private and fully secure. Data in transit over a public network must be encrypted so that any data that is sniffed does not appear in plain-text.
Reverse engineering an application into source code can reveal many secrets about the application such as encryption ciphers used, backdoors that may be present, security vulnerabilities and language-specific weaknesses in the code that can be exploited, along with hard-coded secrets and more.
LEAKAGE OF APPLICATION DATA
The leakage of application data on a mobile device is very common according to the NowSecure Mobile Security report which indicates that many apps leak unique identifiers, personal user data, location data, and other private information, often in plain-text.
It is also important to note that many dynamic, automated scanning tools exist that offer only a partial understanding of your security posture. These often exist as basic scripts or even complex software that many non-professional ``hackers`` (e.g. ``script kiddies``) can use on your applications to compromise them without having detailed knowledge of application hacking. Thus it is very important to run penetration tests on your applications to ``hack yourself first``, especially since a more advanced hacker could use both automated tools and thorough manual hacking techniques to compromise your mobile applications. There are many tools and mobile security frameworks in existence such as Drozer (Android) and Needle (iOS), that can allow both our team - and a team of malicious cyber-attackers - to penetrate your mobile applications. Packet sniffers such as Wireshark, allow for the capture and analysis of data over a network, while application proxies allow for remote access to device systems, and debuggers/reverse engineering toolkits such as IDA and Hopper are all powerful tools that can be used to test your software before hackers use the same tools to compromise your applications. It is important to note, however, that automated tools cannot differentiate between false positives, false negatives, and true positives. The detailed interpretation of results, complex workflow, access control mechanisms, the implementation of authorization and authentication, etc. cannot be understood or carried out efficiently by automated scanning tools. This can only be fully used and analyzed by a manual test in conjunction with a thorough review and interpretation by an experienced security engineer.
PENETRATION TESTING FOR
MOBILE APPLICATION OPERATING SYSTEMS
ANDROID APPLICATION PENETRATION TESTING
IOS APPLICATION PENETRATION TESTING
WINDOWS APPLICATION PENETRATION TESTING
BLACKBERRY AND OTHER OPERATING SYSTEMS APPLICATION PENETRATION TESTING
WE GENERATE A REPORT ON ALL VULNERABILITIES FOUND
AND HOW TO PROTECT AGAINST EXPLOITS
REPORTS & RECOMMENDATIONS TO PROTECT AGAINST EXPLOITS
These steps are necessary to fully discover security holes in your applications which could allow an attacker to discover and exploit weak cryptographic ciphers & backdoors, bypass authentication protocols, and exploit