One way to avoid this risk is to make sure that mobile apps have been properly pen tested against security vulnerabilities.
A mobile application penetration test emulates an attack specifically targeting a custom mobile application (iOS and/or Android) and aims to enumerate all vulnerabilities within an app, ranging from binary compile issues and improper sensitive data storage to more traditional application-based issues such as username enumeration or injection. This document outlines the standards, tools used, and process that Armour InfoSec’s engineers will follow while completing an assessment according to our mobile application penetration testing methodology.
We also examine the API backend using our full API methodology which covers all of the OWASP top 10 vulnerabilities, common misconfigurations and in depth business logic testing.
Our Mobile Application Security service would be delivered as part of the Amour Penetration Testing as a Service (PTaaS) and full access to the SecurePortal and other complementary tools would be provided.
|
Top 10 Mobile Risks - 2014
|
Top 10 Mobile Risks - 2016
|
|---|---|
|
M1: Weak Server Side Controls
|
M1: Improper Platform Usage
|
|
M2: Insecure Data Storage
|
M2: Insecure Data Storage
|
|
M3: Insufficient Transport Layer Protection
|
M3: Insecure Communication
|
|
M4: Unintended Data Leakage
|
M4: Insecure Authentication
|
|
M5: Poor Authorization and Authentication
|
M5: Insufficient Cryptography
|
|
M6: Broken Cryptography
|
M6: Insecure Authorization
|
|
M7: Client Side Injection
|
M7: Client Code Quality
|
|
M8: Security Decisions Via Untrusted Inputs
|
M8: Code Tampering
|
|
M9: Improper Session Handling
|
M9: Reverse Engineering
|
|
M10: Lack of Binary Protections
|
M10: Extraneous Functionality
|
*Highlighted text are tested for mobile pentesting.
Before an application assessment can take place, Armour Infosec defines a clear scope of the client. Open communication between Armour Infosec and the client organization is encouraged at this stage to establish a comfortable foundation from which to assess.
Our engineers collect as much information as they can on the target, employing a myriad of OSINT (Open Source Intelligence) tools and techniques. The assembled information will assist us with understanding the working states of the association, which permits us to evaluate the risk precisely as the engagement progresses.
At this stage, we consolidate computerized contents and instruments, among different strategies in further developed data gathering. Our experts closely inspect any conceivable assault vectors. The accumulated data from this stage will be on the basis for exploitation in the upcoming stage.
In this step, we initiate both manual & automated security scan to find all possible attack vectors & vulnerabilities. After this, we run exploits on the application to evaluate its security. We use different methods and open-source scripts and in-house tools to gain a high degree of penetration. All these are done cautiously to secure your application and its information
This is the final stage of the whole assessment process. In this stage, the Armour's analysts aggregate all obtained information and provide the client with a thorough, comprehensive detailing of our findings. Our team will discuss the report and find the appropriate solutions for the bugs located. After that, a comprehensive discussion will be carried out to fix these vulnerabilities .
Discovery
Intelligence gathering is the most important stage in a penetration test. The ability to discover hidden cues that might shed light on the existence of a vulnerability might be the difference between a successful and unsuccessful pentest.
Open Source Intelligence (OSINT)—Searches the Internet for information about the application, leaked source code through source code repositories, developer forums.
Understanding the Platform—Understand the mobile application platform, even from an external point of view, to aid in developing a threat model for the application. The internal structures and processes are also taken to account.
Client-Side vs Server-Side Scenarios—The penetration tester needs to be able to understand the type of application (native, hybrid, or web) and to work on the test cases.
Assessment/Analysis
The process of assessing mobile applications is unique because it requires the penetration tester to check the applications before and after installation.
Exploitation
Thoroughly performed intelligence gathering guarantees a high chance of successful exploitation hence a successful project. The pentester attempts to exploit the vulnerability in order to gain sensitive information or perform malicious activities, then finally performs privilege escalation to elevate to the most privileged user (root) so as to not face any restrictions on any activities being performed.
Reporting
A good report communicates to management in simple language, clearly indicating the discovered vulnerabilities, consequences to the business and possible remediation or recommendations. The vulnerabilities must be risk rated and proper technical communication done for the technical personnel, with a proof of concept included to support the findings uncovered.
Armour Infosec provided to the point and in-depth vulnerabilities details, which was greatly beneficial to us. We are an exclusive community of testers delivers the real-time insights you need to remediate risk quickly and innovate securely.