Mobile Testing





Mobile Application Security

Professional Consultancy & Managed Services



> Mobile users have zero patience for poor performing mobile apps.
 

> Fix it or they’ll delete you.

> Test mobile web applications faster, easier, and more comprehensively.

> Realistic User Acceptance Testing. 


> Test and optimise applications against real-world network performance conditions before deployment.


> Testing from the device to network communications to server.



Testing applications on Apple iOS, Google Android, BlackBerry, and Microsoft Windows Phone for:
  • OWASP Top 10
  • Mobile static code analysis
  • Mobile static API testing
  • Web 2.0 Testing
  • Mobile Service Simulation / Service Assurance
  • Test mobile device connectivity volume / QoS on wireless networks.
  • Test user experience / quality of service of applications over wireless / mobile devices.
  • Automated Testing
  • Interactive Testing
  • Mobile Gateway Testing
  • Performance Testing
  • Network Virtualisation




PCI Compliance
Address PCI DSS requirements 6.5 and 6.6





Mobile Device Testing
Mobile client evaluation; we test the following areas:

File-system:
plist files, SQLite databases, geo-location data, log files, screenshots, and more. We have developed custom scripts that parse both binary and text data for a list of sensitive content types, such as usernames, passwords, and so on.
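As an added illustration of the file-system checks described above (example code written for this page, not the consultancy's own scripts): a small Python scanner that walks an extracted app data container and flags plist entries, SQLite columns and log key/value pairs whose key names look like credentials. The key-name pattern and the sample container it builds are constructed for the example.

```python
import os, re, sqlite3, plistlib, tempfile

# Key names treated as sensitive content types (assumption for this example).
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|user(name)?", re.I)

def _flag(where, pairs):
    # Report location, key and a truncated value so the report itself does not leak secrets.
    return [(where, str(k), str(v)[:4] + "...") for k, v in pairs if SENSITIVE.search(str(k))]

def scan_plist(path):
    with open(path, "rb") as f:
        data = plistlib.load(f)              # handles both XML and binary plists
    return _flag(path, data.items() if isinstance(data, dict) else [])

def scan_sqlite(path):
    hits, con = [], sqlite3.connect(path)
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        cur = con.execute(f'SELECT * FROM "{table}"')
        cols = [d[0] for d in cur.description]   # column names act as the keys
        for row in cur:
            hits += _flag(f"{path}:{table}", zip(cols, row))
    con.close()
    return hits

def scan_text(path):
    with open(path, "rb") as f:
        text = f.read().decode("utf-8", "ignore")   # tolerate binary junk in logs
    return _flag(path, re.findall(r"(\w+)\s*[=:]\s*(\S+)", text))

def scan_container(root):
    # Walk an extracted app data container and dispatch each file by type.
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p, ext = os.path.join(dirpath, name), os.path.splitext(name)[1]
            findings += {".plist": scan_plist, ".db": scan_sqlite, ".sqlite": scan_sqlite}.get(ext, scan_text)(p)
    return findings

def build_sample_container():
    # Constructed sample data standing in for a pulled app sandbox; not real app data.
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "Preferences.plist"), "wb") as f:
        plistlib.dump({"theme": "dark", "password": "hunter2"}, f, fmt=plistlib.FMT_BINARY)
    con = sqlite3.connect(os.path.join(root, "cache.db"))
    con.execute("CREATE TABLE session (id INTEGER, auth_token TEXT)")
    con.execute("INSERT INTO session VALUES (1, 'sample-token-value')")
    con.commit(); con.close()
    with open(os.path.join(root, "app.log"), "w") as f:
        f.write("2024-01-01 login ok username=alice\nnet: GET /items 200\n")
    return root
```

Run `scan_container(build_sample_container())` to see one finding per planted secret; on a real container, point it at the directory pulled from the device.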

Memory:

Sensitive data stored in memory should be scrubbed properly, including usernames, passwords, database connection strings, and so on.

Run-time tampering:  

We interact with methods in real time. This allows us to test and bypass security controls like SSL, jailbreak detection, and anti-debugging.

Input validation: 

Buffer overflows against text messaging, URL schemes, and Android intents.

Source code analysis: 

Harvest URLs, format string vulnerabilities, secure coding guidelines, insecure data transmission, SQL injection, SSL issues, input validation, insecure logging, keychain use, cross-site scripting (XSS) in UIWebView, hardcoded credentials, and more.

Binary analysis: 

This includes sensitive data extraction, use of dangerous libraries, weak binary protections, and more.

Inter-application communication: 

Determine what interaction takes place between the tested application and others on the device.




Evaluate the mobile network traffic

Evaluate the network traffic sent from the mobile device to the server, covering the following key areas:

Transport layer security: This includes SSL certificate management, certificate pinning, and more.


Data stream analysis: Evaluate all data passing from the client to the server during normal operations, paying special attention to where sensitive data is being sent and how and where it is being stored.

Malware analysis: Analyse what is being sent, to where.

Host communication enumeration: All network traffic is captured and run through our toolset to enumerate every host the application communicated with (Android).






Analyse the Web server

The server side is examined after, and leverages everything learned from, evaluation of the client and network portions of the application. All the URLs and parameters gathered from the static, binary, and data stream analysis are now used to evaluate the back end whether it is communicating with a Web application or Web services. Testing steps include:
 

Mobile Web application vulnerability assessment: Authentication, session management, access control, input validation, logic testing.

Mobile SOAP- or REST-based Web service testing: Finds vulnerabilities in the most common Web service-based mobile back ends.

Static analysis of any back-end code: Evaluates the source code of the mobile back end system.






Secure Mobile Development

Including regular security scans during development encourages secure coding, and the earlier the vulnerabilities are identified, the less costly they are to remediate. During development use a mobile scan to:

  • Find vulnerabilities
  • Identify critical flaws early in the development lifecycle
  • Mitigate Risk
  • Get detailed remediation recommendations
  • Prioritise and assign remediation tasks
  • Pinpoint potential coding weaknesses that need focus

Remediation guidance is offered via detailed vulnerability data, line-of-code details, and corrective advice.






Pre-production and Production

Before each release, upload your desired application and our expert team will conduct a thorough audit of your application utilising the Open Web Application Security Project (OWASP) Top 10 and many other checks across the client, network, and server attack layers. Utilise this deeper level test to:

  • Mitigate the security risk of apps that handle high-risk information: banking, commerce and medical.
  • Observe how an application will behave in a real-world situation.
  • Fully test the security of a mobile application.




Procurement

For apps procured through a third party, we can work with your vendor to confirm that the apps you receive are secure.





Protect your sensitive data from BYOD app threats

The service checks mobile applications for behaviours that compromise privacy, identity, and system log information. It also analyses traffic endpoints—URLs, IP addresses, and hostnames—to determine if they are known malicious hosts or have a low reputation score. Just point us to the (free) application in the iTunes or Google Play app stores, or upload the application binary.


What we look for

Our broad range of checks looks at how data is stored, accessed, and transferred. Examples include:

  • Lack of proper exploit mitigation techniques (address space layout randomisation (ASLR), position-independent executable (PIE), stack randomisation)
  • Writing sensitive data to files
  • Accessing or writing to public photo store
  • Accessing the address book
  • Accessing geo-location information
  • Accessing or writing sensitive log information
  • Using deprecated cryptographic libraries
  • Writing sensitive data to insecure public directories
  • Insecure keychain usage
  • Client-side SQL injection
  • Insecure HTTPS, SSL, and certificate usage
  • Reputation analysis of traffic endpoints
  • Identification of URLs, IP addresses, and hostnames
  • Reputation on discovered endpoints

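To show what the exploit-mitigation check at the top of that list amounts to in practice, here is an added Python example (not the service's own tooling) that reads the ELF or Mach-O header of an unpacked app binary and reports whether it was built as a position-independent executable. The minimal headers it constructs for testing are not real binaries; fat (universal) Mach-O files and packaged APK/IPA archives must be unpacked first.

```python
import struct

# Constants from the ELF and Mach-O file format specifications.
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
# Mach-O magic as read little-endian from the file, mapped to the header's byte order.
MACHO_MAGICS = {0xfeedface: "<", 0xfeedfacf: "<", 0xcefaedfe: ">", 0xcffaedfe: ">"}
MH_PIE = 0x200000

def is_pie(data):
    """Return (format, pie) for an ELF or Mach-O image, or None if not recognised."""
    if len(data) < 28:                                   # smaller than any supported header
        return None
    if data[:4] == ELF_MAGIC:
        endian = "<" if data[5] == 1 else ">"            # EI_DATA selects byte order
        (e_type,) = struct.unpack_from(endian + "H", data, 16)
        return ("elf", e_type == ET_DYN)                 # PIE executables are ET_DYN, fixed-address ones ET_EXEC
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic in MACHO_MAGICS:
        (flags,) = struct.unpack_from(MACHO_MAGICS[magic] + "I", data, 24)   # mach_header.flags
        return ("macho", bool(flags & MH_PIE))
    return None                                          # fat binaries, APK zips, PE files etc.

def check_file(path):
    """Read just the header of a binary on disk and classify it."""
    with open(path, "rb") as f:
        return is_pie(f.read(64))

def elf_header(e_type, little_endian=True):
    # Constructed minimal ELF64 header (not a real binary): e_ident, e_type, e_machine=AArch64.
    endian = "<" if little_endian else ">"
    ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1]) + bytes(9)
    return (ident + struct.pack(endian + "HH", e_type, 0xB7)).ljust(64, b"\0")

def macho_header(flags, bits64=True):
    # Constructed minimal little-endian Mach-O header (not a real binary): ARM64, MH_EXECUTE.
    magic = 0xfeedfacf if bits64 else 0xfeedface
    hdr = struct.pack("<IiiIIII", magic, 0x0100000C, 0, 2, 0, 0, flags)
    return hdr + bytes(4) if bits64 else hdr             # mach_header_64 carries a reserved word
```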


Also See

Enquire about other application life cycle and project management solutions. 






Contact us today to discuss your requirements in more detail.



P: +44(0)7714 209927

S: +44(0)1273 329753

info@securenetconsulting.co.uk