We are excited to announce the launch of mobile application security testing. iViZ shall provide the most comprehensive mobile application security testing by combining static application security testing, dynamic application security testing and manual validation. The solution aims to provide zero false positives and business logic testing covering most of the WASC v2 threat classes. Due to the increased sophistication of mobile platforms and the proliferation of mobile applications, an organization's mobile infrastructure represents yet another attack surface on an enterprise network. iViZ distinguishes itself in this space through its active research in mobile application security and a unique approach to threat surface analysis.
The Key Highlights of our solution are:
- Combination of SAST and DAST
- Zero False Positive Guarantee
- Business Logic Testing
- Top 10 OWASP Mobile Application Threats
Static Application Security Testing
SAST involves testing various aspects of the client application that is deployed on the device as a native application or accessed through the browser as an HTML/HTML5 application.
Dynamic Application Security Testing
DAST involves discovery of the remote end-points with which the target Android/iOS application communicates over the network. The protocol used for such communication is usually HTTP-based web services (REST or SOAP).
Zero False Positive Guarantee
We ensure false positive removal by combining the automated approach with manual validation.
Business Logic Testing
We detect business logic flaws through a hybrid approach that combines automated testing with manual validation.
Top 10 OWASP Mobile Application Threats
We cover all the Top 10 OWASP Mobile Application Threats.
How does our solution work?
iViZ's mobile application test follows the high-level phases of the penetration testing process. The test involves two primary components:
- Client Side Testing
- Server Side Testing
Client Side Testing
iViZ begins the assessment by evaluating data protection controls on the client device. In particular, we examine where and how the application manages sensitive information, whether the application properly uses native APIs for features such as key stores, and whether dangerous client artifacts such as user credentials, personal information and any other sensitive application data are unintentionally or insecurely stored on the phone. As part of this analysis, consultants also examine memory to ensure sensitive data is properly erased by the application. For open mobile platforms such as Android, mobile applications are also decompiled to maximize understanding and testing coverage. For closed platforms such as iOS, source code is often requested to accompany the engagement, or binaries can be reversed at runtime.
Server Side Testing
The discovery methodology involves configuring the system to use a custom HTTP-based proxy server such as OWASP ZAP or Burp Suite. The target application is then used according to its expected functionality. The network activity generated by the application is recorded by the external proxy and analyzed to enumerate the server end-point interfaces. If the server end-point uses HTTP-based web services for communication, most of the threat classes described in WASC TC v2 apply to the scope of the test.
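The end-point enumeration step above, as an added illustration that is not iViZ's own tooling: the script reads a HAR-style export of the kind a proxy such as Burp Suite or OWASP ZAP can save (only the `log.entries[].request` fields are used), folds per-record URLs into one interface each, and labels each interface as REST or SOAP from its headers. The sample capture and the `example.test` hostnames are constructed for the example.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample capture in the HAR layout; only the fields read below are present.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.example.test/v1/accounts/42?fields=balance",
                 "headers": [{"name": "Content-Type", "value": "application/json"}]}},
    {"request": {"method": "POST", "url": "https://api.example.test/v1/login",
                 "headers": [{"name": "Content-Type", "value": "application/json"}]}},
    {"request": {"method": "POST", "url": "https://legacy.example.test/ws/AccountService",
                 "headers": [{"name": "SOAPAction", "value": "\"urn:GetAccount\""},
                             {"name": "Content-Type", "value": "text/xml"}]}},
    {"request": {"method": "GET", "url": "https://api.example.test/v1/accounts/43?fields=balance",
                 "headers": []}},
    {"request": {"method": "GET", "url": "https://cdn.example.test/logo.png", "headers": []}},
]}})


def classify(headers):
    """Label a request as SOAP when it carries a SOAPAction or XML content type, else REST."""
    by_name = {h["name"].lower(): h["value"] for h in headers}
    if "soapaction" in by_name or "xml" in by_name.get("content-type", ""):
        return "SOAP"
    return "REST"


def enumerate_endpoints(har_text):
    """Return {(method, host, path): {"count": n, "kind": "REST"|"SOAP"}}.

    Query strings are dropped and purely numeric path segments are folded to
    "{id}", so requests for individual records collapse to one interface.
    """
    endpoints = defaultdict(lambda: {"count": 0, "kind": "REST"})
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        path = "/".join("{id}" if seg.isdigit() else seg for seg in parts.path.split("/"))
        key = (req["method"].upper(), parts.netloc, path)
        endpoints[key]["count"] += 1
        if classify(req.get("headers", [])) == "SOAP":
            endpoints[key]["kind"] = "SOAP"
    return dict(endpoints)


if __name__ == "__main__":
    for (method, host, path), info in sorted(enumerate_endpoints(SAMPLE_HAR).items()):
        print(f"{method:5} {host:22} {path:28} {info['kind']:4} x{info['count']}")
```

The resulting table is the scope list for the server-side tests: every row is an interface to which the WASC TC v2 checks are then applied.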
Upon completion of the assessment, iViZ shall provide a single PDF report. The report provides an analysis of the current state of the assessed security controls.
A few screenshots from our sample report:
Figure: Screenshot of test details and summary of results
Figure: Screenshot of detailed description of vulnerabilities by severity, with recommendations