
Mobile Applications Penetration Testing

Briskinfosec provides mobile application security testing services that look for security vulnerabilities using manual and automated techniques to analyze the mobile application.


Presentation Transcript


  1. Mobile applications penetration testing
     Briskinfosec Technology and Consulting Pvt Ltd
     Mobile: 8608634123
     https://www.briskinfosec.com
     https://www.facebook.com/briskinfosec
     https://twitter.com/briskinfosec

  2. Mobile applications penetration testing: audit of Android and iOS mobile applications

     Mobile applications are increasingly used alongside web applications, and they are also increasingly targeted by attackers. We can audit your Android and iOS mobile applications through both static analysis (reverse engineering) and dynamic analysis (penetration testing).

     A mobile application audit is divided into two phases. The static analysis first audits the security of the application itself. We reverse engineer the application to understand its code and to study its interactions with the system. The application does not need to be launched or used for this phase: tools allow us to analyze how it works without having to install it.

     In the second phase, the dynamic analysis consists in exploiting the vulnerabilities identified during the static analysis, and in discovering new ones. We study the data exchanges with the server, then try to attack the server directly, without going through the application.

     The prerequisite for this audit is the .apk (Android) or .ipa (iOS) installation file of the application. We can also fetch the latest version of the application from the corresponding application store if you wish.

     A mobile application often communicates with a server to exchange data. Unlike a web application, which is independent of the browser in which it runs, a mobile application is designed to meet a particular need. The big difference between a web penetration test and a mobile application audit therefore lies in the reverse engineering phase and in the analysis of the behaviour of the mobile application.

  3. Top 10 OWASP vulnerabilities in mobile applications

     The OWASP Top 10 periodically assesses the most common vulnerabilities encountered. Here is the 2016 ranking for mobile applications.

     ✓ Incorrect use of the platform: errors in, or lack of, use of certain mechanisms specific to the mobile platform. Using local storage to save sensitive data instead of the Keychain on iOS is a good example.
     ✓ Unsecured data storage: all issues resulting in a lack of security when storing data.
     ✓ Unsecured communications: all situations where data travels to or from the outside without being properly encrypted, regardless of the protocol or communication channel used.
     ✓ Authentication mishandling: as in web application auditing, this flaw occurs when a user can perform actions under the identity of another user.
     ✓ Insufficient cryptography: this defect occurs when the encryption protocol is poorly implemented or outdated, or when the encryption key is placed in the source code of the application.
     ✓ Lack of access control: this flaw comes from a lack of checks when calling API functions.
     ✓ Poor code quality: defects identified during application code analysis fall into this category, as does a lack of code documentation.
     ✓ Modification of the code: certain mechanisms make it possible to detect whether the code of the application has been modified, which happens during the static analysis phase.
     ✓ Reverse engineering: this defect is signalled if the application file gives up too much data too easily, without having sought to protect itself from the actions of an attacker.
     ✓ External functionalities: concerns obsolete or test functionalities, not visible to a user but still present in the code of the application.
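As an added example (not part of the presentation, and not Briskinfosec's tooling), a small Python triage of the kind the static phase would run against a decoded .apk: it flags manifest settings that map onto the unsecured data storage, unsecured communications and external-functionality categories above, and string resources that look like an embedded encryption key. The manifest attributes are real Android ones; the two manifests and the strings.xml are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample of a decoded AndroidManifest.xml carrying several weak settings.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:debuggable="true" android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".DebugMenuActivity" android:exported="true"/>
    <activity android:name=".MainActivity" android:exported="true"/>
  </application></manifest>"""

# The same app with the settings corrected and the debug screen removed (also constructed).
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:debuggable="false" android:allowBackup="false" android:usesCleartextTraffic="false">
    <activity android:name=".MainActivity" android:exported="true"/>
  </application></manifest>"""

# Constructed res/values/strings.xml with an encryption key left in the resources.
SAMPLE_STRINGS = """<resources>
  <string name="app_name">Demo</string>
  <string name="aes_key">0123456789abcdef0123456789abcdef</string>
</resources>"""

# Manifest attributes whose "true" value maps onto one of the OWASP categories above.
MANIFEST_FLAGS = {
    "debuggable": "debuggable build shipped (external/test functionality)",
    "allowBackup": "app data exposed via backup (unsecured data storage)",
    "usesCleartextTraffic": "cleartext HTTP allowed (unsecured communications)",
}

def audit_manifest(manifest_xml):
    """Return human-readable findings for the weak manifest settings present."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = [msg for attr, msg in MANIFEST_FLAGS.items()
                if app.get(ANDROID_NS + attr) == "true"]
    for comp in app:  # exported components whose name suggests a debug/test screen
        name = comp.get(ANDROID_NS + "name", "")
        if comp.get(ANDROID_NS + "exported") == "true" and "debug" in name.lower():
            findings.append(f"exported debug component {name} (external functionality)")
    return findings

SECRET_NAME = re.compile(r"key|secret|token|password", re.I)
KEY_LIKE_VALUE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")  # long hex/base64-looking literal

def find_hardcoded_secrets(strings_xml):
    """Return names of string resources that look like embedded keys (insufficient cryptography)."""
    return [s.get("name") for s in ET.fromstring(strings_xml).iter("string")
            if SECRET_NAME.search(s.get("name", ""))
            and KEY_LIKE_VALUE.match((s.text or "").strip())]
```

The same checks apply to the output of any decoder that yields plain-text AndroidManifest.xml and resource files; findings here are leads for the dynamic phase, not confirmed vulnerabilities.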

  4. Main tools used

     During our Android and iOS mobile application penetration testing, we mainly use open-source tools that offer a high level of quality and have a strong reputation in the cybersecurity community.
