Mobile applications penetration testing
With the expansion of smartphone functionality and the rapid spread of their use into the world of the Internet and into serious banking (smart banking) and financial service applications, mobile applications are moving into the focus of professional attackers whose primary aim is profit.
At the same time, this fundamentally weakens the possibility of dual authorization of transactions or other activities, since the confirmation SMS message is delivered to the same device from which the transaction or activity request was sent.
For this reason, the security of mobile applications deserves even more attention than the security of web applications. We perform tests for iOS (iPhone, iPad) and Android.
This test is a simulated attack on the customer's mobile device and application from the external environment. The consultant simulates the actions of a potential attacker, performing the attack from the Internet or from another mobile device.
Anatomy of a Mobile Attack
The attack can be directed at the mobile device (smartphones, tablets such as the iPad), at the network transmitting data to and from the mobile device, or at the server-side parts of the application in the data center, in many different ways:
Attacks on the browser:
- Phishing
- Framing
- Clickjacking
- Man-in-the-Mobile
- Buffer Overflow
- Data caching
Attacks on the application:
- Sensitive data storage
- No encryption/Weak encryption
- Improper SSL validation
- Configuration errors
- Data caching
Attacks on the database:
- SQL Injection
- Privilege escalation
- Data dumping
- Weak input validation
- OS command execution
Attacks on the webserver:
- Platform vulnerabilities
- Server misconfiguration
- XSS, CSRF
- Weak input validation
- Brute force attack
Attacks on the network:
- Wi-Fi no/weak encryption
- Rogue Access Point
- Sniffing
- Man-in-the-Middle (MITM)
- Session Hijacking
- DNS Poisoning
- SSLStrip
- Fake SSL certificate
Testing of mobile applications is aimed at a wide range of vulnerabilities specific to applications of this type. It is therefore necessary to use a slightly different methodology and procedures than for standard testing of web applications.
The procedures we use to test mobile applications are based on a constantly updated internal methodology that is continually fed by the results and recommendations of the OWASP Mobile Security project, in order to cover the latest trends in mobile device security testing.
Since our goal is to perform the security test of a mobile application so as to determine as precisely as possible its real vulnerabilities against real attacks, we try every procedure that could succeed. For this reason we test the resistance of the application's various components at its various stages.
Two-thirds of the mobile applications that DCIT has tested contained serious errors incompatible with safe operation of the application. It is clear that, unlike classic web applications, the security of mobile applications is still only at the beginning.
Sample report
A sample output to give a better idea of the quality of our work.
Any questions?
If you are interested in more details, please contact us.