Using mobile applications instead of web applications introduces extra risk factors when it comes to IT security.
What are mobile applications?
Mobile applications are often developed in such a way that they are easy to use, authentication is painless and data is stored locally so that no permanent internet connection is required. As a result, sensitive data such as login details and personal data are often stored on the device. Mobile devices, more than computers, are prone to theft. The combination of these factors creates a different risk profile from that of traditional web applications.
How do we test?
In this phase, Secura investigates which vulnerabilities can be identified within the application, first without logging in, then with authorized user rights. Many manual tests are performed for this, but various tools are also used, including tools developed by Secura itself. Secura manually checks all results from the tools (if applicable) to remove false positives.
What can we find?
Examples of risks identified during a vulnerability assessment include:
- Insecure use of security measures offered by the operating system, such as biometric authentication.
- Unencrypted storage of sensitive data on the device.
- Administration/management functionality that should not be accessible to normal users.
- Inadequate protection against reverse engineering.
- Client-side implementation of security measures.
- Insecure configuration of standard software, such as web, VPN, database and application servers.
- Information leakage (e.g., via "service banners").
- Vulnerable implementation of cryptographic functions, such as establishing and using TLS connections and encrypting local files.