Smartphone Application Security Audit - Nethemba


Smartphone Application Security Audit

Suitable for:
  • any company that develops or operates its own mobile applications
Testing time:
1-3 weeks (depending on the complexity)

A smartphone security audit involves a technical security audit of the mobile application itself and of the server-side web services (REST / SOAP) it communicates with.

During testing we follow the OWASP Mobile Security Project, focusing mainly on the Top Ten Mobile Controls:

  1. Identify and protect sensitive data on the mobile device.
  2. Handle password credentials securely on the device.
  3. Ensure sensitive data is protected in transit.
  4. Implement user authentication, authorization and session management correctly.
  5. Keep the backend APIs (services) and the platform (server) secure.
  6. Secure data integration with third party services and applications.
  7. Pay specific attention to the collection and storage of consent for the collection and use of the user’s data.
  8. Implement controls to prevent unauthorized access to paid-for resources (wallet, SMS, phone calls etc.).
  9. Ensure secure distribution/provisioning of mobile applications.
  10. Carefully check any runtime interpretation of code for errors.

Smartphone Application Security Audit

The smartphone application security audit consists of a practical verification of the mobile application security according to the Top Ten Mobile Controls. It involves mainly:

  • fuzz testing of all user inputs, checking whether every input parameter is correctly validated
  • business logic testing
  • analysis of whether encryption and digital signing are used by the application
  • analysis of whether secure authentication is used between the mobile application and the web services
  • checking whether secure storage is used for sensitive data
  • analysis of the password policy in use, where SSL client certificates are not used
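Two of the checks above, "sensitive data protected in transit" and "secure storage", can be partly automated with static checks over artifacts pulled from an unpacked Android build. The following is an added example written for this page, not Nethemba's audit tooling; the network security config and SharedPreferences XML it inspects are constructed samples, and the weak configuration is shown next to a hardened one for comparison.

```python
"""Static audit helpers for two mobile checklist items (added example, not Nethemba's tooling).

check_network_config(): flags cleartext traffic, trust in user-installed CAs and the
                        absence of certificate pinning in res/xml/network_security_config.xml
check_shared_prefs():   flags credential-like keys stored in plaintext in a SharedPreferences
                        file (found under /data/data/<package>/shared_prefs/ on a test device)
"""
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a weak network_security_config.xml
WEAK_NETWORK_CONFIG = """
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
</network-security-config>
"""

# Constructed sample: the hardened equivalent (HTTPS only, system CAs only, pinned API host)
HARDENED_NETWORK_CONFIG = """
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.invalid</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
  </domain-config>
</network-security-config>
"""

# Constructed sample: a SharedPreferences dump holding credentials in plaintext
SHARED_PREFS = """
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="session_token">eyJhbGciOiJIUzI1NiJ9.e30.abc</string>
    <boolean name="dark_mode" value="true" />
</map>
"""

# Key names that suggest a secret; tune to the application under test
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|cred)", re.I)


def check_network_config(xml_text: str) -> List[str]:
    """Return human-readable findings for transport-security weaknesses."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag in ("base-config", "domain-config") and el.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{el.tag}: cleartext (HTTP) traffic permitted")
        if el.tag == "certificates" and el.get("src") == "user":
            findings.append("user-installed CA certificates are trusted")
    # A domain is pinned only if its <domain-config> carries a <pin-set>
    pinned = [d.text for dc in root.iter("domain-config")
              if dc.find("pin-set") is not None
              for d in dc.iter("domain")]
    if not pinned:
        findings.append("no certificate pinning configured for any domain")
    return findings


def check_shared_prefs(xml_text: str) -> List[str]:
    """Return the names of preference keys that look like plaintext credentials."""
    root = ET.fromstring(xml_text)
    return sorted(el.get("name") for el in root
                  if el.get("name") and SENSITIVE_KEY.search(el.get("name")))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_NETWORK_CONFIG), ("hardened", HARDENED_NETWORK_CONFIG)):
        print(label, "network config:", check_network_config(cfg) or "no findings")
    print("plaintext credential keys:", check_shared_prefs(SHARED_PREFS))
```

On a real engagement the XML would be read from the unpacked APK and from the application's data directory on a test device; the hardened sample produces no findings, which is the result an auditor wants to see before signing off on items 1 and 3 of the checklist.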

Web services (REST / SOAP) Security Audit

The web services (REST / SOAP) security audit is performed both as a "blackbox" audit (without knowledge of XSD / WSDL schemas, credentials, etc.) and as a "whitebox" audit (with knowledge of the API and with provided credentials). In both cases, testing is performed according to the OWASP Testing Guide, section "Testing for Web Services". The audit includes execution of the following attacks.