Mobile applications ("apps") that run on today's smart phones are also susceptible to many of the same security issues as web-based applications. These apps often build on existing web-based components such as HTTP and web services and then extend them with client-side processing and storage of application data on the device. The Clear Skies Mobile Application Assessment is designed to determine if these apps are designed using security best practices and demonstrate their susceptibility to potential attack.
The Clear Skies Mobile Application service can test apps written for all major smart phones to include iOS, Android, Windows Mobile, and Blackberry. This core service is delivered directly by Clear Skies employees, and utilizes manual application testing techniques to focus on ensuring the application security controls are adequate, that the app can not be made to do things it was not meant to do, and that the app logic does not allow unauthorized functionality.
All of the standard Authentication, Authorization, and Data Security controls testing associated with the Clear Skies Application Assessment are included along with additional Mobile-specific analysis to include:
- Evaluation of HTTP, HTTPS, and SSL communications
- Examination of Interprocess Communication Security (IPC interfaces and ricochet attacks)
- Push notification controls
- OS privilege controls
- On device data protection controls
The end goal of the assessment is to not only find potential vulnerabilities, but also to provide an analysis of the application's overall security risk. If any security concerns are identified, a detailed step-by-step narrative explaining what the issues are and how they might be exploited is provided.