MOBILE APPLICATION ASSESSMENT
Mobile applications ("apps") that run on today's smartphones are susceptible to many of the same security issues as web-based applications. These apps often build on existing web-based components such as HTTP and web services and then extend them with client-side processing and storage of application data on the device. The Clear Skies Mobile Application Assessment is designed to determine whether apps are built using security best practices and to demonstrate their susceptibility to potential attack.
The Clear Skies Mobile Application service can test apps written for all major smartphone platforms, including iOS, Android, Windows Mobile, and BlackBerry. This core service is delivered directly by Clear Skies employees and utilizes manual application testing techniques to ensure that the application security controls are adequate, that the app cannot be made to do things it was not meant to do, and that the app logic does not allow unauthorized functionality.
All of the standard Authentication, Authorization, and Data Security controls testing associated with the Clear Skies Application Assessment is included, along with additional mobile-specific analysis, including:
- Evaluation of HTTP, HTTPS, and SSL communications
- Examination of Interprocess Communication Security (IPC interfaces and ricochet attacks)
- Push notification controls
- OS privilege controls
- On-device data protection controls
The end goal of the assessment is not only to find potential vulnerabilities, but also to provide an analysis of the application's overall security risk. If any security concerns are identified, a detailed step-by-step narrative explaining what the issues are and how they might be exploited is provided.
Clear Skies' Application Testing methodology combines extensive technical testing with specialized analysis of findings to present a comprehensive view of the risks associated with each identified vulnerability. An Application Assessment from Clear Skies incorporates extensive technical vulnerability testing from multiple user perspectives, manual logic bypass testing, and targeted source code review for a comprehensive evaluation of the application's security controls.

Many companies that claim to do Application Assessments only perform automated vulnerability scanning using commercial security scanners, with no manual analysis. Manual analysis of the application's execution logic is critical to properly assess the overall security of the application. Regardless of how well the application code is written, if the underlying business logic is flawed, data leakage or access privilege execution may occur. These are conditions that automated scanners simply cannot be programmed to examine.

The Clear Skies Application Assessment examines the entire application environment using a combination of automated scanners, manual exploitation techniques, and targeted source code review, as well as technical testing of the systems and devices that support the application environment. Upon completion of the testing, all identified vulnerabilities are documented with a detailed description of the issues and recommended corrective actions to help eliminate the risks going forward. Each vulnerability's risk is evaluated from business and technical perspectives, and an overall risk rating is provided.

The end goal of the assessment is not only to find the vulnerabilities, but also to provide an analysis of the application's data that is at risk. If application or system exploitation is successful, a detailed step-by-step narrative explaining how the exploits actually worked and what data could be compromised is provided. Screen captures are used to illustrate the entire process so that the issues can be re-created, if necessary.