Mobile application tests
Why perform mobile app tests?
All mobile apps that store confidential or sensitive user information should operate in a trusted environment. And most mobile apps hold such data. Cybercriminals are not only trying to steal our money. They are also looking for points from loyalty programmes, discount card data or cryptocurrency wallets.
Even using official shops does not guarantee the safety of a downloaded app.
What do I get after the tests?
Together with a discussion of the test results, you will receive a report with identified areas for security improvement. All vulnerabilities found will be grouped by risk (CVSS standard) and flagged in the most popular standards (OVAL, CVE). Where applicable, the report will also include a list of findings that should be reported to the current vendors under their warranty or support obligations.
CyberClue does not leave you alone with the report. We can also help you make all the necessary corrections and changes.
What data can be intercepted by a malicious programme implanted in a mobile app?
- Application notifications
- Text messages
- PIN codes
- Screen locking patterns
- Two-factor authentication (2FA) codes
- Contact list
- Access data for other applications
Another threat is real-time access to the victim’s screen: the cybercriminal can then see everything we do on our smartphone. There is also the threat of a legitimate window, e.g. the login screen, being replaced by a fake one that captures the login and password. These are just some of the possible scenarios, which is why it is so important that apps are regularly checked and monitored.
Depending on the scope required, mobile application security testing includes:
- Analysis of how sessions are handled in the mobile app
- Verification of how the application stores credentials
- Verification of how files are stored on local storage
- Attempt to decompile the application (to determine whether the application can easily be analysed and its client-side business logic accessed)
- Analysis of the way in which authorisation mechanisms are implemented in the application (local vs. server-based and checks for the server part)
- Analysis of the connection to the backend component (ensuring confidentiality / integrity of transmission)
- Analysis of shared elements in the backend component – including detection of possible information leaks (only applies to URLs referenced by the application)
- Analysis of injection vulnerabilities in backend components
- Device-side processing of protected data – its encryption, storage, processing within memory or classes/methods/functions
- Ways of communicating with the server – security of transmission, possibilities of impersonating the server
- Analysis of the cryptographic security of the application – selection and correct implementation of the algorithms
- Security analysis of the external libraries used
- Security testing of the protocols used
- Detection of logical errors on the application side – possibilities to bypass authentication, authorisation, impersonation of other users, bypassing of implemented controls
- Security check of the implemented push mechanisms
- Detection of vulnerabilities to known types of attack, e.g. use of uninitialised memory areas, “stack/heap overflow”, “integer overflow”, “memory leaks”, “double free” and others depending on the technology used
- Checking the protection against information leakage
- Analysis of the privacy of application users
- Vulnerability detection on the server side that serves the application
We carry out Android and iOS (iPhone, iPad) application tests.