
Mobile Application Testing

The rapid adoption of mobile devices has created a significant security challenge for the majority of organisations. Recent analytics reports found that people spend on average 127 minutes a day on their mobile device (up 35% from 2011), while desktop web use dropped 2.4% to an average of 70 minutes a day.

With this rapid uptake of mobile devices and applications, it is highly likely that individuals and organisations will be the victim of a successful mobile attack; the question is not if, but when. Most organisations simply do not have the resources and skills to thoroughly assess the risks and potential threats that the rapid mobile deployment model brings, or the impact on their businesses.

The following points highlight some of the key areas to consider when developing or using mobile applications in any business environment:

  • Confidentiality – Does the app keep private data private?
  • Integrity – Can the data be trusted and verified?
  • Authentication – Does the app check to see if you are who you say you are?
  • Authorization – Does the app properly limit privileges?
  • Availability – Can an attacker take the app or service offline?
  • Non-Repudiation – Does the app keep a record of events for later verification?

As part of the Red-Team Mobile Application testing process, we use a variety of tools and techniques to perform thorough mobile application security assessments. These include:

  • Decryption of mobile apps
  • Disassembly and decompilation
  • Study of artefacts (files, databases, etc.)
  • Interception of network traffic (MITM attacks)
  • Web service attacks
  • Keychain decryption
  • Passcode cracking
  • Dynamic injection of code

A bit about devices…

iOS

iOS has many security features baked into both the operating system and the devices, such as encryption and application sandboxing. However, we find that not all developers choose to use these features, and some of the features have limited use (e.g. they are only effective while the device is locked). It is important that organisations consider implementing strict policies governing the use of third-party applications on corporate devices.

Android

Being more open than iOS means Android app developers are under less official scrutiny. Android does have its share of built-in security features, but again we often find these are not implemented, or are implemented poorly, as developers rush to create apps and bring them to market.

Mobile Web

Mobile websites are susceptible to all the same attacks and vulnerabilities as traditional websites, so it is important that all web applications ported across to the mobile environment are thoroughly tested for common attacks such as SQL injection, cross-site scripting and buffer overflows, as well as for general vulnerabilities. It is also important that strong password policies are enforced, together with encrypted data storage.
