Mobile App Penetration Testing

Mobile devices are essential business tools that are now firmly integrated into organizational networks, including Android, Apple iOS, BlackBerry, and other platforms. Organizations commonly overlook mobile devices both as platforms an attacker can use to reach the network and as stores of sensitive information. Too often, people assume mobile device vendors have provided adequate device security; this is not always true, and where security is provided it may not be appropriate for your specific use.

Mobile devices need to be assessed to ensure they cannot be compromised if lost or stolen. Mobile Device Penetration Testing will analyze the security features of the mobile device. Both organizations and mobile device vendors will benefit from a penetration test.

Overview

Mobile Application Penetration Testing will assess the environment of the mobile application and determine the risks associated with its communication channels, data storage, and user interface.

Benefits

Mobile Device Penetration Testing lets you rest easier as employees move through their day carrying access to your network with them. You will be provided a current-state analysis of your mobile device security controls, including the following:


  • Acknowledge the operating security controls that are working
  • Identify the improvement areas needed to achieve adequate security
  • Establish immediate tactical resolutions
  • Develop long-term strategic solutions to prevent weaknesses from recurring
  • Develop strategic solutions to prevent industry-known issues from emerging
  • Evaluate the security of new mobile technologies prior to deployment
  • Raise user awareness
  • Customized testing specific to your needs

Services

Silent Break Security will deploy a well-thought-out, effective plan to assess your mobile device security. The mission is to determine how your sensitive information can be compromised and whether complete device compromise can be obtained. The customized tests will range from simple device attacks such as passcode bypass to more advanced, targeted attacks such as rooting or jailbreaking the device.

The following is a summary of the common assessment areas; other assessments are available depending on your needs.

Authentication and Authorization: Examining the implemented authentication protocols, certificate validation, password policy enforcement, and account lockout mechanisms. Authorization testing will also assess how data access controls are applied and whether authorization is enforced consistently in corner cases. During this phase, Silent Break Security will attempt to access hidden functionality in both the client and the server and to escalate privileges.

Storage and transport controls: Data is stored on mobile devices intentionally, unintentionally, securely, and insecurely. This assessment will evaluate data protection controls by assessing how sensitive information is managed and how user credentials, personal information, and any other sensitive application data (including device history, memory contents, etc.) are stored.
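A concrete form of the storage check above is to pull the application's sandbox off a rooted test device and sweep it for credentials and personal data in preference files, SQLite databases, and logs. The script below is an added example written for this page, not Silent Break Security's own tooling. It builds a constructed sample sandbox (a hypothetical com.example.app with a SharedPreferences file, a session database and a log file) so it runs offline; the secret patterns are illustrative assumptions that a tester would extend with the target app's own field and cookie names.

```python
import os
import re
import shutil
import sqlite3
import tempfile

# Illustrative patterns a tester greps for in a pulled app sandbox (assumption:
# not exhaustive; add the target app's own token/cookie names when known).
SECRET_PATTERNS = {
    "password": re.compile(r'(?i)(?:password|passwd|pwd)["\s:=>]+[^\s"<]{4,}'),
    "jwt": re.compile(r'eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}'),
    "card_number": re.compile(r'\b(?:[0-9][ -]?){13,16}\b'),
    "email": re.compile(r'[\w.+-]+@[\w-]+\.[\w.]+'),
}


def scan_text(name, text):
    """Return (location, kind, snippet) for every pattern hit in a blob of text."""
    return [(name, kind, m.group(0)[:60])
            for kind, pat in SECRET_PATTERNS.items()
            for m in pat.finditer(text)]


def scan_sqlite(path):
    """Walk every string cell of every table; app databases are usually unencrypted."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for cell in row:
                    if isinstance(cell, str):
                        findings.extend(scan_text(f"{os.path.basename(path)}:{table}", cell))
    finally:
        con.close()
    return findings


def scan_sandbox(root):
    """Scan a directory tree as pulled from the device (e.g. via adb pull)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                data = f.read()
            if data.startswith(b"SQLite format 3"):
                findings.extend(scan_sqlite(path))
            else:
                findings.extend(scan_text(os.path.relpath(path, root),
                                          data.decode("utf-8", errors="ignore")))
    return findings


def build_sample_sandbox():
    """Constructed stand-in for a pulled app data directory (not real app data)."""
    root = tempfile.mkdtemp(prefix="sandbox-")
    for sub in ("shared_prefs", "databases", "files"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "shared_prefs", "com.example.app_preferences.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                '    <string name="username">alice</string>\n'
                '    <string name="password">hunter2</string>\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.execute("CREATE TABLE session (user_id INTEGER, token TEXT)")
    con.execute("INSERT INTO session VALUES (1, ?)",
                ("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlX3BsYWNlaG9sZGVy",))
    con.commit()
    con.close()
    with open(os.path.join(root, "files", "app.log"), "w") as f:
        f.write("2024-05-01 12:00:01 INFO login user=alice@example.com "
                "card=4111 1111 1111 1111\n")
    return root


def demo():
    """Build the constructed sandbox, scan it, clean up, return the findings."""
    root = build_sample_sandbox()
    try:
        return scan_sandbox(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for location, kind, snippet in demo():
        print(f"{kind:12} {location:50} {snippet}")
```

Against a real target, replace build_sample_sandbox with the pulled directory and add the app's own identifiers; a plaintext hit in shared_prefs or an unencrypted SQLite cell is the storage finding this section describes.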

Applications:

Session Management:

Mobile Device Deployment:

Remote Communication:

Error and Exception Handling:

Traffic analysis will focus on uncovering vulnerabilities related to information disclosure, tampering, and spoofing.

determine how data is retrieved from the server for the different users and use this information to replay or manipulate the request to gain access to another user’s data

implement a session identifier to uniquely identify the user for the duration of the session. For such cases, Silent Break Security will examine the entropy, length, timeout, and rotation to determine the application's susceptibility to preset identifiers, brute force, session fixation, and other related vulnerabilities
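The entropy, length and rotation checks described above can be run over a handful of identifiers captured from the app's traffic. The script below is an added example written for this page, not Silent Break Security's own tooling. It assumes the identifiers were captured in issue order and that the tester also recorded the identifier before and after one login; the 64-bit floor is the usual minimum for a session identifier. Timeout is deliberately left out because it needs a live replay against the server rather than offline analysis. The sample identifiers are constructed, not taken from any real application.

```python
import math
import random


def token_profile(tokens):
    """Length, alphabet and the positions that actually vary across the sample.
    'max_bits' is an upper bound: a fixed prefix or padding adds no unpredictability."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("sample contains identifiers of differing length")
    alphabet = set("".join(tokens))
    varying = [i for i in range(length) if len({t[i] for t in tokens}) > 1]
    return {
        "length": length,
        "alphabet_size": len(alphabet),
        "varying_positions": varying,
        "max_bits": len(varying) * math.log2(len(alphabet)) if alphabet else 0.0,
    }


def looks_sequential(tokens, varying):
    """True if the varying part, read as decimal or hex, only ever moves forward
    by a small step between consecutive captures (a counter, not a random value)."""
    parts = ["".join(t[i] for i in varying) for t in tokens]
    for base in (10, 16):
        try:
            values = [int(p, base) for p in parts]
        except ValueError:
            continue
        deltas = [b - a for a, b in zip(values, values[1:])]
        if deltas and all(0 < d < 1000 for d in deltas):
            return True
    return False


def assess_session_ids(tokens, pre_login=None, post_login=None, min_bits=64):
    """tokens: identifiers in issue order. pre_login/post_login: the identifier
    observed before and after one successful authentication."""
    profile = token_profile(tokens)
    findings = []
    if profile["max_bits"] < min_bits:
        constant = profile["length"] - len(profile["varying_positions"])
        findings.append(f"low entropy: at most {profile['max_bits']:.1f} bits vary, "
                        f"{constant} of {profile['length']} positions are constant")
    if looks_sequential(tokens, profile["varying_positions"]):
        findings.append("predictable: varying part increases by small steps (guessable)")
    if pre_login is not None and pre_login == post_login:
        findings.append("no rotation on login: the pre-authentication identifier "
                        "stays valid afterwards (session fixation)")
    return profile, findings


# Constructed samples (not from any real application).
WEAK_IDS = ["sess-1042017", "sess-1042018", "sess-1042019", "sess-1042021", "sess-1042025"]

# A seeded PRNG only makes this sample reproducible; real session identifiers
# must come from a CSPRNG such as secrets.token_hex(), never from random.Random.
_rng = random.Random(20240501)
STRONG_IDS = ["".join(_rng.choice("0123456789abcdef") for _ in range(32)) for _ in range(8)]


if __name__ == "__main__":
    for name, ids in (("weak", WEAK_IDS), ("strong", STRONG_IDS)):
        profile, findings = assess_session_ids(ids, pre_login=ids[0], post_login=ids[0])
        print(f"{name}: length={profile['length']} max_bits={profile['max_bits']:.1f}")
        for f in findings:
            print(f"  - {f}")
```

Note that the weak sample fails all three checks even though each identifier is twelve characters long: only two positions ever change, and they count upward.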

Data validation is another important aspect of our testing. Silent Break Security will identify any open ports, interfaces, IPC channels, or other input modes that can be leveraged by an attacker or a malicious application. Fuzz testing will be performed on the exposed interfaces to examine how the application handles erroneous input. The objective of this process is to determine the extent to which the application performs filtering, sanitization, and validation.
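What that fuzzing looks like in practice, as an added example written for this page rather than Silent Break Security's tooling: a hypothetical "open this screen" message a malicious app could send over an exposed IPC channel, a mutation set of the erroneous inputs a pass should always include, and a harness that counts every input the handler fails to reject cleanly. The naive handler stands in for an app that trusts the channel; the hardened one shows the filtering and validation the assessment is looking for. Message fields, the allowed-action list and the mutation list are all assumptions for the example.

```python
import re
from urllib.parse import urlsplit


class ValidationError(Exception):
    """The only exception a handler is allowed to surface to its caller."""


# Constructed seed message for a hypothetical IPC call (not a real app's format).
SEED = {"action": "open", "uri": "https://app.example.com/inbox/42", "count": "1"}

# Erroneous inputs a fuzz pass should always include: wrong types, empty and
# oversized values, format strings, NUL bytes, odd schemes, path traversal.
MUTATIONS = [None, 0, -1, 2 ** 63, "", "A" * 5000, "%s%n%x", "\x00", "x://",
             "file:///etc/passwd", "../../../etc/passwd", [], {}]

ALLOWED_ACTIONS = {"open", "share"}


def naive_handler(payload):
    """Trusts everything that arrives over the channel (the 'before' case)."""
    action = payload["action"]
    uri = payload["uri"]
    count = int(payload["count"])
    segments = uri.split("://")[1].split("/")          # [host, seg1, seg2, ...]
    return f"{action}:{segments[0]}:{segments[count]}"  # a negative count silently wraps


def hardened_handler(payload):
    """Same result on valid input; rejects everything else with ValidationError."""
    if not isinstance(payload, dict):
        raise ValidationError("payload must be an object")
    action, uri, count = payload.get("action"), payload.get("uri"), payload.get("count")
    if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
        raise ValidationError("unknown action")
    if not isinstance(uri, str) or len(uri) > 2048:
        raise ValidationError("uri must be a string of at most 2048 characters")
    try:
        parts = urlsplit(uri)
    except ValueError as exc:
        raise ValidationError(f"unparseable uri: {exc}")
    if parts.scheme != "https" or not parts.hostname:
        raise ValidationError("uri must be https:// with a host")
    if not isinstance(count, str) or not re.fullmatch(r"[0-9]{1,3}", count):
        raise ValidationError("count must be a short ASCII decimal")
    segments = [parts.hostname] + [s for s in parts.path.split("/") if s]
    index = int(count)
    if index >= len(segments):
        raise ValidationError("count out of range")
    return f"{action}:{segments[0]}:{segments[index]}"


def generate_cases(seed):
    """One case per dropped key plus one per (key, mutation) pair."""
    cases = [("non-object payload", ["not", "a", "dict"])]
    for key in seed:
        cases.append((f"drop {key}", {k: v for k, v in seed.items() if k != key}))
        for m in MUTATIONS:
            cases.append((f"{key}={m!r}"[:32], {**seed, key: m}))
    return cases


def fuzz(handler):
    """Run every case; return the ones the handler failed to reject cleanly."""
    crashes = []
    for label, case in generate_cases(SEED):
        try:
            handler(case)
        except ValidationError:
            continue                        # rejected cleanly: the desired outcome
        except Exception as exc:            # anything else is an unhandled-input bug
            crashes.append((label, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    for name, handler in (("naive", naive_handler), ("hardened", hardened_handler)):
        crashes = fuzz(handler)
        print(f"{name}: {len(crashes)} unhandled inputs")
        for label, exc in crashes:
            print(f"  {label:32} -> {exc}")
```

The harness only counts uncaught exceptions; a real pass also records inputs the handler accepts but should not (the naive handler happily opens a file:// URI and wraps a negative index), which is the "extent of filtering" question rather than a crash.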

To learn more, contact us at:

info@silentbreaksecurity.com or (801) 855-6599
