Mobile Application Security Assessment
Mobile devices such as smartphones and tablets have become common “tools” in both private and professional environments. Consequently, a large variety of mobile applications (apps) is available. The functions range from simple information retrieval to the processing of financial transactions and mobile access to internal company ERP systems. The apps are often integrated into complex IT environments such as application servers and middleware systems which are in turn frequently exposed to the Internet.
Owing to their mobile operation, the new access methods via public networks, and dynamic, less tested operating environments, the use of mobile applications entails many threat scenarios, some of them completely new, with regard to information and IT security.
Identification of vulnerabilities in mobile applications and assessment of risks with regard to specific threat scenarios
How secure is the mobile application? What can external attackers or malicious users achieve in the worst case?
Mobile applications including their interfaces as well as base and backend systems
In a Mobile Application Security Assessment (MASA), the mobile application is analyzed together with the relevant backend systems and interfaces for existing vulnerabilities. The auditor assumes the perspective of external attackers as well as of privileged and unprivileged users. Examples of attempted attacks range from carrying out unauthorized actions, through man-in-the-middle attacks, to attacks on backend systems via the exploitation of vulnerabilities in exposed interfaces.
In general, the assessment is based on an examination that is as comprehensive as possible. However, depending on the type of application or system and the relevant threats, a risk-based approach is also possible (comparable to a penetration test). In this case, the focus is on particularly security-critical or exposed areas, and the scope of the test is determined by the time budget agreed upon in advance.
With regard to mobile application security, we comply with the guidelines issued by the internationally recognized OWASP Mobile Security Project.
In general, the following points will be covered by the MASA:
- Assessment of the application level (impact of the app on the security features of the smartphone, manipulation of the app, as well as process and transaction procedures, etc.)
- Assessment of the communication level (interception or manipulation of data streams, etc.)
- Assessment of the server level (vulnerability of server-side application and interfaces, etc.)
- Examination regarding vulnerabilities with focus on the OWASP Mobile Top Ten
- Extended attacks and exploitation of identified vulnerabilities
- Documentation incl. risk assessment and description of measures
As a result of the assessment, we will provide a detailed report. Depending on the type and scope of the project, the final report will include the following parts:
- Management summary with a description of the results and the security level
- Description of the project approach, scope, schedule and methodology
- Detailed description of identified vulnerabilities in order to understand underlying issues and to enable reconstruction of possible attacks (where necessary with proof-of-concept implementation)
- Detailed description of the iterative exploitation process when using chained vulnerabilities
- Risk assessment of identified vulnerabilities taking into account the IT environment or the application context (risk classification: low, medium, high, critical)
- Description of measures to remedy the vulnerabilities
- If necessary, a description of higher-level strategy, concept and process-related measures or optimization suggestions