Mobile applications penetration testing
With the expansion of the functionality of smartphones and rapid penetration of their operating area into the world of the Internetand the serious application-banking (smart banking) or financial services, the mobile application edge ahead into the focus of professional attackers primarily targeted at a profit.
At the same time, it is a matter of principle weakens the possibility of dual authorization transactions to or activities, since the confirmation SMS message is directed to the same device, from which the request was sent to the transaction or other activity.
For this reason, it is appropriate to pay security mobile applications even more attention than the security of Web applications. We perform tests for iOS (iPhone, iPad) and Android.
This test is a simulated attack on the mobile device and the application of the customer from the external environment. The consultant simulates the actions of a potential attacker, performs an attack from the Internet or another mobile device.
Anatomy of a Mobile Attack
The attack can be directed to the mobile device (smartphones, tablets (iPad)), to the network of transmitting data to/from your mobile device, or on the server’s parts of the application in the datacenter in many different ways:
Attacks on the browser
Attacks on the application
Sensitive data storage
No encryption/Weak encryption
Improper SSL validation
Attacks on the database
Weak input validation
OS command execution
Attacks on the webserver
Weak input validation
Brute force attack
Attacks on the network
Wi-Fi no/weak encryption
Rogue Access Point
Fake SSL certificate
Testing of mobile applications is aimed at a wide range of specific vulnerabilities, custom only for the applications of this type. Therefore is necessary use a slightly different methodology and procedures than for the
standard testing of www applications.
The procedures used to test mobile applications are based of constantly updated internal methodology is continually fed by on the results/recommendation OWASP Mobile Security project and, in order to cover the latest trends in testing the security of mobile devices.
Since our goal is perform of the security test mobile applications so as to be able to determine precisely as possible the real vulnerabilities of application against the real attacks, we try applying possible successful procedures. For this reason we test of resistances of the various components in the various stages of its application.
Two-thirds of mobile applications, which the DCIT company has tested contained serious error incompatible with safe operation of the application. It is clear that, unlike the classic Web applications is the safety of those mobile applications only at the beginning.