Apps and smartphones are a valuable target for hackers. Building and maintaining secure mobile applications is more important than ever. We have the knowledge and tools to keep your apps and APIs secure.
We know the ins and outs of the latest mobile threats and security measures in modern apps. That is one of the reasons most of the big Dutch banks work with us on keeping their banking apps secure.
New mobile threats are emerging and mobile development teams have a hard time keeping pace with them. During a Mobile Security Test we test your apps against all current mobile threats relevant to your platform, frameworks and libraries, including the 91 issues reported in the latest 2016 OWASP Mobile Checklist.
We see many different mobile frameworks. All of them have their particular security features and pitfalls. Over the years we have tested and reviewed a large number of different implementations of security components such as device registration, authentication, key exchange, PIN/TAN systems, session management, local data storage and network transport. Let us help you verify the security level of your apps and advise you on how to build highly secure apps too.
Mobile security research can be time-consuming, especially when source code is not available. To speed up our research we have created a custom Mobile Security Testing Framework (MSTF). This framework allows us to log, analyze and modify security-relevant operations of apps on the platform level, including file, network, crypto, keychain, config and logging operations. It also allows us to modify/patch apps to easily bypass certificate pinning or other security checks that might slow down our research.
Although many things can go wrong in the app (client side) itself, the biggest security concerns/risks remain in the mobile service and API layer. This is the layer that should defend your environment from critical security vulnerabilities such as wide-scale unauthorized access to your backend. Don't focus on your apps only: often it's the API layer where we identify the most critical vulnerabilities.
During the intake (free of charge) we discuss your project and tell you more about us and our modus operandi. The main purpose is to collect all the information we need to create our proposal (plan of action).
You will receive our proposal, including a detailed overview of the activities, deliverables, planning and costs.
When the proposal is accepted, we deliver a list of all the things that need to be prepared for the testing activities.
The scheduled security testing activities will be executed in the planned time window. During the test, frequent updates on findings and progress will be shared.
Once all testing activities have been executed, a findings meeting will be arranged to explain, demonstrate and discuss findings, impact and fixes.
The results of the assessment will be reported in detail. Each finding will consist of a description of the risk, instructions on how to reproduce and verify the finding, and a recommendation on how to resolve the finding or to mitigate the risk.