Mobile Application Security Testing
Comsec offers Mobile Application Security Testing covering both iOS and Android, and native, hybrid and web-view applications. The service helps the organization identify application vulnerabilities that could lead to data disclosure or tampering, and simulates real-life attack scenarios against its products and its internal- and external-facing applications.
We work with the client to identify the key risks to which the application exposes the organization and the potential scenarios by which these risks could occur, demonstrate whether those scenarios are actually possible, and provide assistance in mitigating the issues found.
The final report will include a high-level executive summary, an explanation of our methodology as well as detailed technical documentation of the findings. Every vulnerability is rated according to the likelihood of exploitation and the impact which is caused. The report will also contain mitigation recommendations per vulnerability to improve the component’s security level.
We are seeing more and more organizations storing and relying on sensitive data, while at the same time data privacy and protection regulations are becoming more widespread and strict. This means that the reputational and regulatory cost of a data breach should be a key concern for any organization that stores or works with sensitive data.
Application Security is a particular area where we are seeing a rapid increase in new vulnerabilities alongside a significant shortage of skilled and experienced practitioners. Most organizations do not have the resources to discover and address these vulnerabilities, which can endanger not just the data stored by the specific application but also other data assets on the same network.
Comsec’s Application Security Testing service includes testing web applications, mobile applications and thick-client/client-server applications for vulnerabilities that could lead to data or network compromise or to loss of availability. The team uses a similar approach, as shown below, in all cases, although the specific tests are customized to the type of application being tested.
One of the distinctive values of Comsec’s service is that the security test is tailor-made to the client’s product. The team focuses on identifying the most critical risks and assets and ensuring they are considered throughout the testing phase. The team will always try to create a unique Proof of Concept exploit per vulnerability (whether it is a common vulnerability or not) in order to demonstrate the real business impact.
Additional key points:
■ Understanding of the multiple attack surfaces in mobile applications, including server-side, in-transit and device-side components as well as communications with third parties, in order to provide accurate, appropriate results based on the relevant OS security model.
■ Emphasis on a high standard of reporting with every report going through at least one separate quality review by another experienced consultant.
■ Standardized testing plans based on standards such as the OWASP Mobile Security Testing Guide, customized to our needs to ensure that nothing is missed whilst allowing space for application-specific tests.
■ Careful consideration of the real risk, with each finding’s risk rating taking into account aggravating and mitigating factors.
■ We don’t want to deliver a report and leave; we want to support the client with how, where and when the fixes should be made and to ensure that they are implemented correctly.