Mobile Application Security Assessment

Mobile devices such as smartphones and tablets have become common "tools" in both private and professional environments. Consequently, a large variety of mobile applications (apps) is available. The functions range from simple information retrieval to the processing of financial transactions and mobile access to internal company ERP systems. The apps are often integrated into complex IT environments such as application servers and middleware systems which are in turn frequently exposed to the internet.

Owing to their mobile operation, new access methods via public networks, and dynamic, less tested operating environments, the use of mobile applications brings many, and sometimes completely new, threat scenarios with regard to information and IT security. An app can put the security of the device it is accessed with at risk. Data streams may be manipulated, and the theft of data is also possible. In addition, systems and interfaces exposed to the internet are vulnerable to the typical attack scenarios in this environment.

In a Mobile Application Security Assessment, the defined threat scenarios are analyzed on all relevant levels:
  • Application level (impact of the app on the security features of the smartphone, manipulation of the app, as well as process and transaction procedures, etc.)
  • Communication level (interception or manipulation of data streams, etc.)
  • Server level (vulnerability of server-side application and interfaces, etc.)

During the assessment, the auditor not only considers the potential for external attacks but also takes the inappropriate conduct of privileged users into account.

Mobile application security assessments generally follow a comprehensive approach. However, depending on the type of application and the relevant threats, a risk-based approach (similar to a penetration test) is also possible. The focus is then on particularly security-critical and/or vulnerable parts of the application. The scope of the assessment depends on the time budget agreed with you.

With regard to mobile application security, we comply with the guidelines issued by the internationally recognized Open Web Application Security Project (OWASP).

As a result of the assessment, you will receive a comprehensive evaluation of your application's security as well as its programming quality. A catalogue detailing prioritized countermeasures and specific solutions for all identified vulnerabilities is also an integral part of the final report.