Mobile application tests

Why do mobile app tests?

All mobile apps that store confidential or sensitive user information must operate in a trusted environment. And most mobile apps do hold such data. Cybercriminals are not only targeting financial information but are also seeking access to loyalty program points, discount card details, or cryptocurrency wallets.

Even downloading apps from official stores does not guarantee their safety.

What do I get after the tests?

Along with a discussion of the test results, you will receive a report highlighting areas for security improvement. All identified vulnerabilities will be grouped by risk (rated according to the CVSS standard) and cross-referenced to the most widely recognized identifier schemes (OVAL, CVE). Where applicable, the report will also include a list of warranty notifications to be submitted to your current vendors.

CyberClue doesn’t just provide you with a report—we also offer assistance in implementing all the necessary corrections and improvements to ensure your systems are secured.

  •  Application notifications
  •  Text messages
  •  PIN codes
  •  Screen locking patterns
  •  Two-factor authentication codes
  •  Contact list
  •  Access data for other applications

Another significant threat is real-time access to the victim’s screen. This allows cybercriminals to see everything happening on the smartphone in real time. Additionally, there is the risk of a legitimate window, such as a login screen, being replaced with a fake one designed to capture login credentials. These are just a few examples of the potential risks, which is why it is crucial to regularly check and monitor apps for vulnerabilities.

Depending on the agreed scope, mobile application security testing includes:

  •  Analysis of how sessions are handled in the mobile app
  •  Verification of how the application stores credentials
  •  Verification of how files are stored on local storage
  •  Attempt to decompile the application (in order to detect an easy way to analyse the application / access the application’s client business logic)
  •  Analysis of the way in which authorisation mechanisms are implemented in the application (local vs. server-based and checks for the server part)
  •  Analysis of the connection to the backend component (ensuring confidentiality / integrity of transmission)
  •  Analysis of shared elements in the backend component – including detection of possible information leaks (only applies to URLs referenced by the application)
  •  Analysis of technical injections into backend components
  •  Device-side processing of protected data – its encryption, storage, processing within memory or classes/methods/functions
  •  Ways of communicating with the server – security of transmission, possibilities of impersonating the server
  •  Analysis of the cryptographic security of the application – selection and correct implementation of the algorithms
  •  Security analysis of the external libraries used
  •  Security testing of the protocols used
  •  Detection of logical errors on the application side – possibilities to bypass authentication, authorisation, impersonation of other users, bypassing of implemented controls
  •  Security check of the implemented push mechanisms
  •  Detection of vulnerabilities to known types of attack, e.g. use of uninitialised memory areas, “stack/heap overflow”, “integer overflow”, “memory leaks”, “double free” and others depending on the technology used
  •  Checking the protection against information leakage
  •  Analysis of the privacy of application users
  •  Vulnerability detection on the server that serves the application
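The items on transmission security and server impersonation above are checked in practice by reviewing, among other things, the Android network security configuration that a decompiled APK ships under res/xml/. The script below is an added example (not CyberClue's own tooling) of such a static check: it parses a network_security_config.xml and reports settings that weaken confidentiality of the backend connection or make the server easier to impersonate. Both XML samples and the pin values in them are constructed for this demonstration.

```python
"""Static review of an Android network_security_config.xml for weak transport settings.

Added example, not CyberClue's tooling. The two XML samples are constructed:
one weak configuration and one hardened configuration.
"""
import datetime
import xml.etree.ElementTree as ET

# Constructed sample of a weak configuration as it might appear in a decompiled APK.
WEAK_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.test</domain>
        <pin-set expiration="2020-01-01">
            <pin digest="SHA-256">PLACEHOLDER_SPKI_PIN_1=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

# Constructed sample of the corrected configuration: no cleartext, system CAs only,
# an unexpired pin-set with a backup pin, user CAs only under debug-overrides.
HARDENED_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.test</domain>
        <pin-set expiration="2099-12-31">
            <pin digest="SHA-256">PLACEHOLDER_SPKI_PIN_1=</pin>
            <pin digest="SHA-256">PLACEHOLDER_SPKI_PIN_2=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def check_network_security_config(xml_text: str) -> list[str]:
    """Return findings as strings; an empty list means none of the checks fired."""
    root = ET.fromstring(xml_text)
    findings = []
    today = datetime.date.today()

    # Only release settings are reviewed; <debug-overrides> applies to debuggable builds.
    for tag in ("base-config", "domain-config"):
        for node in root.iter(tag):
            # Plain HTTP lets anyone on the network path read or alter the traffic.
            if node.get("cleartextTrafficPermitted", "false").lower() == "true":
                findings.append(f"{tag}: cleartextTrafficPermitted=true allows unencrypted transport")
            # A user-installed CA lets whoever controls the device terminate TLS
            # in front of the backend, i.e. impersonate the server.
            for cert in node.iter("certificates"):
                if cert.get("src") == "user":
                    findings.append(f"{tag}: trusts user-added CA certificates in release builds")

    for pin_set in root.iter("pin-set"):
        # Android stops enforcing a pin-set once its expiration date has passed.
        exp = pin_set.get("expiration")
        if exp and datetime.date.fromisoformat(exp) < today:
            findings.append(f"pin-set: expired on {exp}, pinning is no longer enforced")
        # Without a backup pin, rotating the server key leaves no valid pin at all.
        if len(pin_set.findall("pin")) < 2:
            findings.append("pin-set: only one pin, no backup pin for key rotation")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {check_network_security_config(cfg) or 'no findings'}")
```

Run against the weak sample it reports the cleartext setting, the user-added CA trust, the expired pin-set and the missing backup pin; the hardened sample produces no findings. The expiration check is deliberately date-based, since an expired pin-set fails silently rather than breaking the build.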

We carry out Android and iOS (iPhone, iPad) application tests.