Mobile Technologies

Use Our Offense to Inform Your Defense

Mobile application security assessments help an organization gain a clear understanding of the risks facing its information assets where they are made accessible via mobile applications, as well as the risks to data entrusted to the organization through customers' use of those applications. Similarly, mobile device and infrastructure assessments highlight the issues raised by the decentralization of organizational controls (over data, network access, and malware prevention) that is inherent in mobile device roll-outs. Mobile device assessments consider the risks to organizational assets posed by lost, stolen, or compromised mobile devices.

Whether a high-level overview or a thorough, in-depth review is desired, DISD works with your staff to produce prioritized findings, recommendations, and remediation or mitigation steps to fit your organization's profile.

DISD performs mobile application security assessments according to a well-developed and refined methodology, in order to provide thorough, accurate, and reproducible results covering the application's local footprint, network communications, and interactions with backend services. Testing initially focuses on the application configuration and local storage, to identify sensitive data disclosure, client-side protection bypasses, and insecure storage practices. Consultants then focus on identifying, intercepting, examining, and manipulating network communications – uncovering potential issues with encryption implementations, certificate checking routines, and tamperable requests and responses. Reviewing the application-level protocols and interaction with backend services concentrates on areas such as input validation, session state management, and privilege escalation.

Areas of testing focus in a mobile application security assessment include, but are not limited to:

  • Identification of application and backend service technologies
  • Server configuration management analysis
  • Application configuration analysis
  • Runtime application filesystem analysis
  • Local credential storage analysis
  • Sensitive data storage analysis
  • Identification of administrative functionality
  • Application testing using emulated devices
  • Application testing using physical devices
  • Application testing using rooted devices
  • Static application analysis
  • Binary assurance checks (e.g., ARC, PIE, etc.)
  • Runtime application network analysis
  • Interception and evaluation of network communications
  • Data-in-transit encryption and certificate verification testing
  • Authentication methods review
  • Account harvesting attempts
  • Session state tracking analysis
  • Parameter tampering attempts
  • Horizontal and vertical privilege escalation attempts
  • Input validation mechanism testing
  • SQL injection testing
  • Cross-site request forgery (CSRF) testing
  • Command injection testing
  • Client-side injection testing
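The binary assurance checks named above (PIE in particular) can be automated. The following is an added example written for this page, not DISD's own tooling: it reads the ELF or Mach-O header of a native binary and reports whether it was built as position-independent, which is what ASLR needs in order to randomize the main executable's load address. The sample headers are constructed inline and are not real binaries; the PIE test uses the same heuristics as common checksec-style tools (ELF `e_type == ET_DYN`, Mach-O `MH_PIE` flag) and does not cover the ARC check, which requires inspecting imported Objective-C runtime symbols.

```python
import struct
import sys

# ELF constants (from the ELF specification)
ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed-address executable: not PIE
ET_DYN = 3    # shared object or PIE executable

# Mach-O 64-bit constants (from <mach-o/loader.h>)
MH_MAGIC_64 = 0xFEEDFACF
MH_CIGAM_64 = 0xCFFAEDFE   # byte-swapped magic (big-endian file)
MH_EXECUTE = 0x2
MH_PIE = 0x200000
CPU_TYPE_ARM64 = 0x0100000C


def check_pie(data: bytes) -> dict:
    """Inspect the first bytes of a native binary and report its PIE status.

    Returns a dict with keys: format ("elf" or "macho"), bits, type, pie.
    For ELF, ET_DYN is treated as PIE; note that a shared library is also
    ET_DYN, so this is the same heuristic checksec-style tools apply.
    """
    if len(data) < 32:
        raise ValueError("header too short to classify")

    if data[:4] == ELF_MAGIC:
        ei_class = data[4]   # 1 = ELFCLASS32, 2 = ELFCLASS64
        ei_data = data[5]    # 1 = little-endian, 2 = big-endian
        endian = "<" if ei_data == 1 else ">"
        e_type = struct.unpack_from(endian + "H", data, 16)[0]
        return {
            "format": "elf",
            "bits": 64 if ei_class == 2 else 32,
            "type": e_type,
            "pie": e_type == ET_DYN,
        }

    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        endian = "<"
    elif magic == MH_CIGAM_64:
        endian = ">"
    else:
        raise ValueError("unrecognised binary format")

    # struct mach_header_64: magic, cputype, cpusubtype, filetype,
    #                        ncmds, sizeofcmds, flags, reserved
    fields = struct.unpack_from(endian + "8I", data, 0)
    filetype, flags = fields[3], fields[6]
    return {
        "format": "macho",
        "bits": 64,
        "type": filetype,
        "pie": bool(flags & MH_PIE),
    }


def check_pie_file(path: str) -> dict:
    """Read just the header of a file on disk and classify it."""
    with open(path, "rb") as fh:
        return check_pie(fh.read(64))


# --- constructed sample headers for offline demonstration (not real binaries) ---

def make_elf_header(e_type: int, bits: int = 64) -> bytes:
    """Build a minimal little-endian ELF header with the given e_type."""
    ident = ELF_MAGIC + bytes([2 if bits == 64 else 1, 1, 1, 0]) + b"\x00" * 8
    rest = struct.pack("<HHI", e_type, 0x3E, 1)   # e_type, e_machine (x86-64), e_version
    return ident + rest + b"\x00" * 40            # pad to a 64-byte header


def make_macho_header(flags: int) -> bytes:
    """Build a minimal little-endian mach_header_64 for an arm64 executable."""
    return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 0, 0, flags, 0)


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            result = check_pie_file(path)
            print(f"{path}: {result['format']} {result['bits']}-bit "
                  f"PIE={'yes' if result['pie'] else 'NO'}")
    else:
        # No paths given: demonstrate on the constructed sample headers.
        print("constructed ELF ET_DYN :", check_pie(make_elf_header(ET_DYN)))
        print("constructed ELF ET_EXEC:", check_pie(make_elf_header(ET_EXEC)))
        print("constructed Mach-O PIE :", check_pie(make_macho_header(MH_PIE)))
        print("constructed Mach-O flat:", check_pie(make_macho_header(0)))
```

Run with no arguments to see the constructed samples classified, or pass one or more native binaries (an iOS app's main executable, or a native helper shipped inside an APK) to have their headers read. A "NO" for an application's main executable is the finding a binary assurance check would report.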

Mobile device and infrastructure testing requires a different approach – considering the risks to organizational assets stored on, and accessed by, a wide variety of mobile devices built on different platforms and with varying management capabilities and security controls.

Areas of testing focus in a mobile device and infrastructure security assessment include, but are not limited to:

  • Baseline device security controls analysis
  • Mobile device policy and procedures review
  • Device rooting / jailbreaking tests
  • Lock screen bypass testing
  • Local storage sensitive data retrieval
  • Stored credential and certificate extraction attempts
  • Data storage encryption checks
  • External media data retrieval attempts
  • External backup / synchronization data access attempts
  • Message history, metadata, and content extraction
  • Supporting infrastructure security analysis
  • Internal application server security analysis
  • WiFi network communication analysis
  • Bluetooth and NFC communication analysis
  • VPN configuration analysis
  • TLS certificate verification analysis
  • Application approval and verification controls analysis
  • Enterprise application / data container analysis
  • Mobile Device Management (MDM) profile analysis

DISD works with our customers to identify the goals of security assessments prior to testing, and is available to assist in remediation efforts upon request.

Contact Us to Learn More or Receive a Quote.