SERVICES
Mobile Application Security
Invest in building and deploying world-class mobile applications for your organization while we handle your mobile app security. Our team of security experts performs both dynamic and static testing of mobile applications for all platforms and environments.
PROCESS FLOW
Our process flow is smooth and simple.
Schedule
A Meeting
Scope Assessment
And Timeline
Payment
for Services
Security
Audit
Draft
Report
Retesting
Final
Audit Report
Mobile Application Security
| S.NO | Audit Category | Audit Category Checklist |
|---|---|---|
| 1 | Data Storage and Privacy | |
| Testing Whether Sensitive Data Is Exposed via IPC Mechanisms | ||
| Testing the Device-Access-Security Policy | ||
| Testing for Sensitive Information in Auto-Generated Screenshots | ||
| Testing Whether Sensitive Data Is Sent To Third Parties | ||
| Testing for Sensitive Data Disclosure Through the User Interface | ||
| Testing For Sensitive Data in Local Data Storage | ||
| Testing For Sensitive Data in Logs | ||
| Testing Whether the Keyboard Cache Is Disabled for Text Input Fields | ||
| Testing user education | ||
| Testing for Sensitive Data in Backups | ||
| Testing for Sensitive Data in Memory | ||
| 2 | Resiliency Against Reverse Engineering | |
| Testing Debugging Defenses | ||
| Testing Jailbreak Detection, Testing Root Detection | ||
| Testing Device Binding | ||
| Testing Simple Emulator Detection | ||
| Impede Comprehensive Analysis | ||
| Testing Run-Time Integrity Checks | ||
| Testing Detection of Reverse Engineering Tools | ||
| Testing Obfuscation | ||
| Testing File Integrity Checks | ||
| Testing Simple Obfuscation | ||
| 3 | Network Communication | |
| Testing Custom Certificate Stores and SSL Pinning | ||
| Testing for Unencrypted Sensitive Data on the Network | ||
| Verifying that Critical Operations Use Secure Communication Channels | ||
| Verifying the TLS Settings | ||
| Testing Endpoint Identify Verification | ||
| Verifying the Security Provider | ||
| 4 | Code Quality and Build Settings | |
| Testing for Weaknesses in Third Party Libraries | ||
| Testing for Debugging Symbols | ||
| Testing for Memory Management Bugs | ||
| Testing for Debugging Code and Verbose Error Logging | ||
| Verifying That the App is Properly Signed | ||
| Verifying usage of Free Security Features | ||
| Testing If the App is Debuggable | ||
| Testing Error Handling in Security Controls | ||
| Testing Exception Handling | ||
| 5 | Cryptography | |
| Verifying the Configuration of Cryptographic Standard Algorithms | ||
| Testing Random Number Generation | ||
| Verifying Key Management | ||
| Testing for Custom Implementations of Cryptography | ||
| Testing for Insecure and/or Deprecated Cryptographic Algorithms | ||
| 6 | Platform Interaction | |
| Testing For Sensitive Functionality Exposure Through IPC | ||
| Testing Input Validation and Sanitization | ||
| Testing WebView Protocol Handlers | ||
| Testing App Permissions | ||
| Testing Whether Java Objects Are Exposed Through WebViews | ||
| Testing for Object (De-)Serialization | ||
| Testing Custom URL Schemes | ||
| 7 | Authentication and Session Management | |
| Testing 2-Factor Authentication | ||
| Testing the Password Policy | ||
| Testing Step-up Authentication | ||
| Testing Excessive Login Attempts | ||
| Testing Stateless Authentication | ||
| Testing the Session Timeout | ||
| Verifying that Users Are Properly Authenticated | ||
| Testing Session Management | ||
| Testing Biometric Authentication | ||
| Testing the Logout Functionality | ||
| Testing Login Activity and Device Blocking | ||
| 8 | Architecture, design and threat modelling | |
| All app components are identified and known to be needed. | ||
| A high-level architecture for the mobile app and all connected remote services has been defined and security has been addressed in that architecture. | ||
| Security controls are never enforced only on the client side, but on the respective remote endpoints. | ||
| Data considered sensitive in the context of the mobile app is clearly identified. |
