Mobile Application Penetration

Penetration Testing for Mobile Applications

As the world becomes increasingly reliant upon mobile computing, a solid mobile application security development strategy is vital to success. inet|Detect helps solve your problems, cost-effectively and painlessly.

We perform assessments for:

  • Google Android™
  • Apple iPhone® & iPad®
  • Microsoft Windows® Phone
  • RIM Blackberry®

We specialize in mobile application penetration testing, source code reviews, and threat modeling. Our services help clients achieve security goals at any phase of the development life cycle, cost-effectively. Using experience gained through our mobile assessments and research, we bring the skills needed to succeed. We identify as many risks as possible while helping your organization achieve compliance and meet deadlines for new releases.

Mobile Application Penetration Testing

Our penetration tests cover security issues within the OWASP Top 10 Mobile Risks and Controls. Testing is performed against both the client-side mobile application and the interactions between the client and server. We test to ensure that the privacy and security of your users and employees remain at an acceptable level.

Penetration Testing is an excellent way to gain insight into the security posture of the combined parts of your mobile application’s infrastructure. Security controls may be applied at various layers including leveraging device security features, OS security features, using a Web Application Firewall (WAF), or implementing a control in a remote service’s actual code. Penetration testing allows all or some of your security to be tested for precise vulnerability identification and remediation guidance.

Our Mobile Application Penetration Testing offering is designed to cover the entire attack surface within a mobile application’s architecture. We assess mobile applications in their native running environment. This includes device configuration and data storage on the local device. We thoroughly analyze the application’s runtime behavior for information leaked that could enable an attacker to discover clues about server-side weaknesses. We also test the remote services that the application communicates with to ensure that server-side controls are being properly mirrored to reflect local application authorization and business logic controls.

Mobile Security Code Review

Performing a Mobile Security Code Review will help identify risks contained within your application’s code. We work closely with your internal development teams to understand every aspect of your application. We perform comprehensive code reviews for Android™, iPhone®, iPad®, Windows®, and Blackberry® smart device applications. Our comprehensive reviews cover the areas most sensitive to a mobile application, including secure data storage, authentication, data transmission, and access controls.

Throughout a review, we approach the application with an understanding of how an actual attacker or malicious entity may seek to inflict damage upon your brand and against your users. Our approach takes some of the following threat vectors into account:

  • Carrier-level compromises
  • Man-in-the-middle attacks or traffic sniffing
  • Malicious application users
  • Compromised or stolen devices
  • Remote or cloud-service initiated attacks

Mobile Threat Modeling

In order to protect your mobile application, your clients, and your overall architecture, you must first understand the areas where the greatest risks exist. Our threat modeling service allows us to learn how your application works, study the possible attack surface, and determine the most effective ways to apply security controls to your mobile application architecture.

Threat Modeling is a key part of effectively integrating security into the Software Development Life Cycle (SDLC), and should be performed early in an application’s design and development as well as at regular intervals as the application’s code matures. This helps maximize return on investment (ROI) by designing secure applications from day one rather than building security on top, which can become costly over time.

Threat Modeling allows for many applicable threats and risks to a system to be modeled in an organized manner. Using the output of a threat model, security controls can then be considered when development begins. The result is a reduced set of potential risks, along with cost savings due to a reduced number of security fixes during the system’s production lifetime.