First Base Technologies

Contact Us
Phone 01273 454525
email

Mobile Application Penetration Testing & Security Reviews



The application will be tested using a layered approach:
  • Application functionality
  • Interaction with the device operating system
  • Interaction with remote services, such as web services and social media

We will manually verify all identified vulnerabilities to remove false positives, and potential vulnerabilities are exploited to demonstrate the real risk and impact of an attack.

Where appropriate, we will address application-specific questions directly to the developers.

Our technical approach focuses on the following key areas:
Information Gathering: determine application functionality and workflow, analyse network traffic, check that secure protocols are used, examine interaction with other applications, services or data, identify other APIs in use, crawl exposed web resources
Application Analysis: application permissions and resources, errors in configuration files, examine libraries (both platform and third party) for security weaknesses, checks for rooted and jailbroken devices, check for dynamically loaded files and libraries, hard-coded secrets, entry points for untrusted data and their access controls, validation and sanitisation
Authentication: user impersonation via parameter tampering, replay attacks and brute-force attacks, alternative means of authentication (visual swipe or touch passwords), single sign-on functionality, use of SMS and push notifications
Session Management: session time-outs (locally and server-side), sensitive information flushed from memory on session expiration
Authorisation: permissions for files created at runtime, privilege escalation, role-specific functionality, flags or values taken from untrusted sources, path traversal, licensing security
Data Storage: encryption security, storage external to sandboxed locations, writing sensitive information to the file system, sensitive information written via platform-exposed APIs (e.g. contacts)
Transport Layer Protection: certificate pinning, certificate validation, encryption of data transiting each interface
Information Disclosure: logging of sensitive information to shared logs, sensitive data leakage in crash logs, third-party libraries and APIs disclosing sensitive data, permissions required
Client-Side Injection: potential data injection attack vectors
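The Information Disclosure check for "logging of sensitive information to shared logs" is usually done by reading device log output (logcat on Android) while exercising the application. The script below is an added example of that check, written for this page and not part of First Base Technologies' own tooling: it scans logcat-style lines for JWTs, bearer tokens, e-mail addresses and card numbers, using a Luhn check to separate real card numbers from other long digit strings. The log lines, package name, token and card number are constructed for the example and are not real data.

```python
"""Detect sensitive values leaking into shared device logs.

Added example for the Information Disclosure check above; not the page's own code.
The sample log below is constructed: the process id, tag names, token and card
number are invented for illustration.
"""
import re

SAMPLE_LOG = """\
09-14 10:22:01.101  4121  4121 D NetClient: GET /api/v1/profile
09-14 10:22:01.233  4121  4121 D NetClient: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.abc123signature
09-14 10:22:02.010  4121  4121 I Checkout: charging card 4111 1111 1111 1111 for user alice@example.com
09-14 10:22:02.011  4121  4121 I Checkout: order id 1234567890123456 created
09-14 10:22:03.500  4121  4121 V UI: view inflated in 12ms
"""

# Three base64url segments starting with the encoded '{"' prefix that JWT headers share.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")
# Any bearer credential, whatever its format.
BEARER_RE = re.compile(r"Bearer\s+[A-Za-z0-9._~+/-]+=*", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes a card number from an arbitrary long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only a prefix and suffix so the finding itself does not leak the secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "..."


def scan_log(text: str) -> list:
    """Return (line_number, category, redacted_value) for each sensitive value found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in JWT_RE.finditer(line):
            findings.append((lineno, "jwt", redact(m.group(0))))
        for m in BEARER_RE.finditer(line):
            token = m.group(0).split(None, 1)[1]
            if not JWT_RE.fullmatch(token):     # already reported above as a JWT
                findings.append((lineno, "bearer_token", redact(token)))
        for m in EMAIL_RE.finditer(line):
            findings.append((lineno, "email", redact(m.group(0))))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):                 # order ids and timestamps fail this
                findings.append((lineno, "card_number", redact(digits)))
    return findings


if __name__ == "__main__":
    for lineno, category, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {category} -> {value}")
```

Run against a live capture with `adb logcat -d | python3 this_script.py` after replacing SAMPLE_LOG with stdin; the order id on the fourth sample line is deliberately 16 digits long and is not reported because it fails the Luhn check, which is the difference between a usable finding and a noisy one.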



At First Base Technologies we pride ourselves on being with you every step of the way in securing your mobile applications against attack.


More Information

You can read our FAQ on penetration testing and vulnerability analysis here

See what our clients say about us here


Accreditations: CREST, ISO 27001, ISO 9001, CREST Cyber Essentials

E&OE
© 2001-2015 First Base Technologies LLP - All Rights Reserved.
First Base Technologies LLP is a limited liability partnership registered in England & Wales, number: OC352070
Website designed and mastered by didilogix

