With the wave of IT consumerism spreading across most enterprises, mobile apps have become ubiquitous, whether for banking, accessing news, corporate applications or other uses. Enterprises are recognizing the risks of introducing mobile apps into their business environment. Attackers are getting smarter: rather than going after an organization's well-protected assets directly, they focus on these mobile endpoints and the apps running on them.
Some of the well-known mobile device threats are as follows:
- 0-day malware
- Loss of device
- Unauthorized app installation
- Data and document storage abuse
- Malicious attachments
Our mobile security assessment methodology is based on the OWASP Mobile Top 10 security assessment guidelines and tests mobile applications for the following issues:
- Insecure Data Storage: Under pressure to deliver working code by a deadline, developers often neglect secure coding practices. When credentials are stored with insecure methods, it is easy to spot variables such as username and password, weak shared preferences, or overly broad (global) permissions in the source code and harvest the credentials.
- Weak Server Side Controls: Weak server-side controls rely heavily on client-side data, yet attacks usually originate from the client side. Hardened server-side validation controls for checking and granting access must therefore exist to thwart SQL injection and Cross-Site Scripting attempts.
- Insufficient Transport Layer Protection: Because mobile networks are an open communication channel, attackers can easily use sniffers to capture data travelling in cleartext and impersonate user identities. Strong encryption must be used to resist brute-force cracking.
- Client Side Injection: Where the application design is weak, attackers can use classic XSS or injection techniques to gain unauthorized access to the database or hijack user sessions to carry out toll fraud, fraudulent transactions and so on.
- Poor Authentication and Authorization: Applications often rely on hardware identifiers such as IMEI, IMSI or UUID to recognize a device. Attackers may abuse these identifiers, for example to trigger preconfigured scripts that wipe the device's data or restore it to factory settings.
- Improper Session Handling: Mobile sessions are typically longer than traditional web sessions because of fluctuating network connectivity. Developers frequently use the device identifier as the user session, which an attacker can easily abuse to impersonate the user and obtain unauthorized access.
- Security Decisions via Untrusted Inputs: Improper input sanitization can be leveraged to bypass permissions and security models, allowing malicious apps to carry out nefarious activities on the user's behalf.
- Side Channel Data Leakage: Several features that are not really needed are enabled by default on mobile devices, leaving them vulnerable. An attacker can use them to harvest user-specific data from web caches, keystroke logging, logs and so on.
- Broken Cryptography: Developers often resort to security-through-obscurity quick fixes such as encoding, serialization and code obfuscation. These are easily reversed or decoded because no encryption key is needed.
- Sensitive Information Disclosure: Many mobile apps are easy to reverse engineer, revealing sensitive information such as API keys, passwords and the business logic in the source code. Code obfuscation can make that harder, but it does not remove the risk.
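As an added illustration of the session-handling and server-side-control points above (example code written for this page, not the company's own tooling or any product it names), the following Python sketch contrasts a server that treats the device identifier as the session with one that issues random tokens bound to idle and absolute timeouts. The device identifier, the user names and the timeout values are constructed assumptions.

```python
"""Device identifier as session vs. a server-issued random token.

Added illustration for this page; not code from the company or any product it names.
Names, values and timeouts are constructed assumptions.
"""
import hashlib
import secrets
import time

# Constructed sample identifier. Such a value can be read off a lost or rooted
# handset or captured from cleartext traffic, so it must be treated as public.
SAMPLE_DEVICE_ID = "356938035643809"  # hypothetical IMEI-style string


class WeakSessionStore:
    """Anti-pattern from the list above: the device identifier *is* the session."""

    def __init__(self):
        self._sessions = {}

    def login(self, username, device_id):
        self._sessions[device_id] = username
        return device_id  # the "token" handed back to the client

    def user_for(self, token):
        # Anyone who knows the identifier is treated as the user.
        return self._sessions.get(token)


class ManualClock:
    """Controllable clock so the timeouts can be exercised deterministically."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class HardenedSessionStore:
    """Random tokens from the OS CSPRNG, with idle and absolute timeouts.

    Mobile sessions live longer than web sessions, so the absolute limit
    matters: it bounds the damage from a token copied off a device.
    """

    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._clock = clock
        self._sessions = {}  # sha256(token) -> record

    @staticmethod
    def _key(token):
        # Only a hash of the token is stored, so a dump of the session table
        # does not yield usable session credentials.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def login(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        now = self._clock()
        self._sessions[self._key(token)] = {"user": username, "created": now, "last_seen": now}
        return token

    def user_for(self, token):
        record = self._sessions.get(self._key(token))
        if record is None:
            return None
        now = self._clock()
        if (now - record["created"] > self.absolute_timeout
                or now - record["last_seen"] > self.idle_timeout):
            del self._sessions[self._key(token)]  # expired: drop it server-side
            return None
        record["last_seen"] = now
        return record["user"]

    def logout(self, token):
        self._sessions.pop(self._key(token), None)


def demo():
    """Run both stores side by side and return the observations as a dict."""
    weak = WeakSessionStore()
    weak.login("alice", SAMPLE_DEVICE_ID)
    impersonated = weak.user_for(SAMPLE_DEVICE_ID) == "alice"

    clock = ManualClock(1_000.0)
    hardened = HardenedSessionStore(clock=clock)
    token = hardened.login("alice")
    valid = hardened.user_for(token) == "alice"
    device_id_rejected = hardened.user_for(SAMPLE_DEVICE_ID) is None
    clock.advance(16 * 60)  # exceed the 15-minute idle limit
    idle_expired = hardened.user_for(token) is None
    return {
        "weak_impersonated": impersonated,
        "hardened_valid": valid,
        "hardened_rejects_device_id": device_id_rejected,
        "hardened_idle_expired": idle_expired,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The weak store shows why a device identifier cannot serve as a session: the server has no way to tell the legitimate handset from anyone who has learned the identifier. The hardened store accepts only a token it generated itself, stores just a hash of it, and expires it both on inactivity and after a fixed lifetime regardless of activity.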
We specialize in mobile application security assessments, be it black-box mobile reverse engineering engagements or source code reviews. We also post our mobile security assessment BlueScopes on the Checkmate blog. We have worked with some of the largest enterprises and helped them secure their mobile applications. Further, we also carry out implementation, deployment, configuration and security assessment of Mobile Device Management (MDM) solutions for our partnering vendors such as MobileIron and Good Technologies.
We offer the following mobile security assessment services:
- Mobile Application Assessment:
If your company uses in-house applications for corporate data interchange, there is a growing need to preserve the confidentiality and integrity of those applications. Our security assessment team thoroughly assesses these mobile applications to make sure that no malicious user is able to abuse the application's rights or compromise confidential client information.
- Mobile Application Source Code Review:
Our team is well versed in reviewing the source code of applications across different platforms, such as BlackBerry OS, iOS, Android, Symbian and Windows, to discover underlying code-level vulnerabilities that may not be apparent in the exposed UI.
- Mobile Device Management (MDM) Assessment:
Most corporate houses that allocate mobile devices to their employees use MDM applications for provisioning and de-provisioning those devices. Our security team can conduct a security assessment of these MDM solutions to identify gaps in their policies that are not in compliance with the organization's security policy or with national or state laws.
- Mobile Device Management (MDM) – Challenges and Solutions
- SMiShing – On My (An)droid
- Russian FruitNinja Backdoor Analysis
- Risk Analysis of Android Based Appliance