The application will be tested using a layered approach:
- Application functionality
- Interaction with the device operating system
- Interaction with remote services, such as web services and social media
We will manually verify all identified vulnerabilities to remove false positives, and exploit potential vulnerabilities to demonstrate the real risk and impact of an attack.
Where appropriate, we will address application specific questions directly to the developers.
Our technical approach focuses on the following key areas:
| Area | Scope of testing |
| --- | --- |
| Information Gathering | Determine application functionality and workflow, analyse network traffic, check secure protocols, identify interaction with other applications, services or data, identify other APIs in use, crawl exposed web resources |
| Application Analysis | Application permissions and resources, errors in configuration files, examine libraries (both platform and third party) for security weaknesses, checks for rooted and jailbroken devices, check for dynamically loaded files and libraries, hard-coded secrets, entry points for untrusted data, access controls, validation and sanitisation |
| Authentication | User impersonation via parameter tampering, replay attacks and brute-force attacks, alternative means of authentication (visual swipe or touch passwords), single sign-on functionality, use of SMS and push notifications |
| Session Management | Session time-outs (locally and server-side), sensitive information flushed from memory on session expiration |
| Authorisation | Permissions for files created at runtime, privilege escalation, role-specific functionality, flags or values from any untrusted sources, path traversal, licensing security |
| Data Storage | Encryption security, storage external to sandboxed locations, writing sensitive information to the file system, sensitive information written via platform-exposed APIs (e.g. contacts) |
| Transport Layer Protection | Certificate pinning, certificate validation, encryption transiting each interface |
| Information Disclosure | Logging of sensitive information to shared logs, sensitive data leakage in crash logs, third-party libraries and APIs disclosing sensitive data, permissions required |
| Client-Side Injection | Potential data injection attack vectors |
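As an added illustration (not part of this methodology document or any tool it describes), the following Python script shows the kind of check behind the Information Disclosure area: it scans log lines of the sort an application writes to shared or crash logs for bearer tokens, credential key/value pairs, e-mail addresses and card numbers, applies a Luhn check so that timestamps and other long digit runs are not reported as card numbers, and redacts each finding before reporting it. The sample log lines and the detection patterns are constructed for this example and are not taken from any real application.

```python
import re

# Constructed sample log lines imitating Android-style logcat output.
# They are not from any real application.
SAMPLE_LOG_LINES = [
    "I/NetworkClient: GET /api/profile Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123DEF456",
    "D/Checkout: card=4111111111111111 exp=12/29 user=alice@example.com",
    "E/CrashReporter: NullPointerException in SessionStore.load() password=hunter2",
    "I/App: screen transition Home -> Settings",
]

# Detection patterns, constructed for this example. Order matters only for
# the order in which findings are reported.
PATTERNS = {
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]+=*"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "credential_kv": re.compile(
        r"\b(?:password|passwd|pwd|secret|api[_-]?key)=\S+", re.IGNORECASE
    ),
    "card_number": re.compile(r"\b\d{13,19}\b"),
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Used to separate plausible card numbers from other long digit runs
    (timestamps, device identifiers) that the broad regex also matches.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the first and last four characters so a finding can be
    reported without copying the secret into yet another log."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_log_lines(lines):
    """Scan each line against every pattern and return a list of findings.

    Each finding is a dict with the 1-based line number, the kind of
    sensitive data matched, and the redacted matched value.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                # Drop digit runs that cannot be a card number.
                if kind == "card_number" and not luhn_valid(value):
                    continue
                findings.append(
                    {"line": lineno, "kind": kind, "value": redact(value)}
                )
    return findings


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: {finding['kind']} -> {finding['value']}")
```

Running the script reports one bearer token on line 1, an e-mail address and a card number on line 2 and a password on line 3, with the values redacted; the fourth line produces nothing. In an assessment the same logic is pointed at real logcat or crash-report captures from the device under test, and the pattern set is extended to cover the application's own identifiers.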