A smartphone security audit involves a technical security audit of the mobile application itself and of the corresponding server-side web services (REST / SOAP).
During testing we follow the OWASP Mobile Security Project, focusing mainly on the Top Ten Mobile Controls:
- Identify and protect sensitive data on the mobile device.
- Handle password credentials securely on the device.
- Ensure sensitive data is protected in transit.
- Implement user authentication, authorization and session management correctly.
- Keep the backend APIs (services) and the platform (server) secure.
- Secure data integration with third party services and applications.
- Pay specific attention to the collection and storage of consent for the collection and use of the user’s data.
- Implement controls to prevent unauthorized access to paid-for resources (wallet, SMS, phone calls etc.).
- Ensure secure distribution/provisioning of mobile applications.
- Carefully check any runtime interpretation of code for errors.
Smartphone Application Security Audit
The smartphone application security audit consists of a practical verification of the mobile application's security according to the Top Ten Mobile Controls. It mainly involves:
- fuzz testing of all user inputs, checking whether every input parameter is correctly validated
- business logic testing
- analysis of whether encryption and digital signing are used by the application
- analysis of whether secure authentication is used between the mobile application and the web services
- checking whether secure storage is used
- analysis of the password policy in use, if SSL client certificates are not used
Web services (REST / SOAP) Security Audit
The web services (REST / SOAP) security audit is performed both as a “blackbox” security audit (without knowledge of XSD / WSDL schemas, credentials, etc.) and as a “whitebox” security audit (with knowledge of the API and with provided credentials). In both cases, testing is performed according to the OWASP Testing Guide, section “Testing for Web Services”. The audit includes execution of the following attacks.