The Mobile Application Security Testing is an Application Security Assessment service proposed by ISGroup for the iOS and Android platforms. It is adapted according to the programming language used for the development of native apps (Objective-C, Swift, Java, Kotlin) or apps built with hybrid frameworks (such as React, React Native, Cordova, Xamarin, Titanium Appcelerator, Ionic, PhoneGap).
There are many companies that have invested in mobile applications but there is often little attention to security because the vulnerabilities and the related possibilities of attack by a malicious user are less known.
The ISGroup team is constantly updated on the latest developments in Mobile Security, both from the attacker's and the developer's point of view, in order to provide the best possible analysis service for its customers.
Through the use of manual techniques and advanced tools, the tester is able to perform static and runtime analysis of the application, in order to bypass any limitations or any implemented business logic.
The mobile applications are by their nature also subjected to client-side vulnerabilities related to the interaction of the application with the operating system and the underlying device. For example, the application may not check if the phone or tablet is jailbroken or rooted, or if it stores sensitive or important data in an unsafe manner.
Finally the auditor takes care of the verification related to the interactions between the application and the remote server, which may be subjected to vulnerabilities similar to those affecting web applications (Authentication and Authorization checks, SQL Injection).
A Mobile Application Security Testing activity represents the simulation of an attacker against an application which is directly downloadable from the official stores (AppStore and PlayStore) or provided in an alternative way for internal use.
The test can be carried out in Grey Box or Black Box mode.
In the first case the tester analyzes the application code that the customer provided in order to fully identify the vulnerabilities that could otherwise be hidden by code obfuscation. Then he continues with the client-side runtime analysis of the application and the interactions with the server-side services exposed.
In the case of the black box analysis, the tester finds himself in the situation of an attacker who analyzes the application downloaded from the store, like a normal user.
Since the client application code is on the device, the tester tries to reverse engineer it and attempts to verify the presence and strenght of any countermeasures implemented to prevent theft of intellectual property and the knowledge of any security mechanisms that could then be bypassed this way.
Subsequently is verified the possibility of application manipulation during its execution. Finally all the parameters identified in the requests are tested, both manually and by the use of tools.
Depending on the type of application and on the level of access obtained, the tester will try to modify the application flow and to manipulate and exploit the data saved locally and on the remote server.
The Report is a simple and detailed document that summarizes the results of the activity and it is divided in three different areas, as previously described:
It is placed at the beginning of the Report and is no longer than one page. It consists in a non-technical overview, and is dedicated to Management.
It consists in a technical part describing the discovered vulnerabilities and their impact in detail. It is dedicated to the Security Manager.
A technical section with detailed and precise instructions on how to resolve the identified problems. It is dedicated to the Developers.
Working with us is pretty simple, just call the number (+39) 045 4853232 or send an e-mail so that we can get to know each other and discuss about your IT Security needs.