Penetration tests for mobile devices


When testing mobile applications, we look for errors in their implementation and in the devices themselves. For applications, we analyze possible risks and look for safe solutions for the use of mobile devices in the corporate environment. For mobile phones, we perform forensic analysis of devices that have been the target of hacker attacks. Using this experience, we help create secure applications.


Don't trust. Verify!

One of our leading clients asked us for penetration tests of a newly created mobile application that manages users' financial information. As the application was developed by a supplier company, in addition to verifying the security, we were also asked by the client to verify compliance with the criteria that the application was designed to meet.

During the penetration tests, we discovered several very serious vulnerabilities in authentication and authorization that could have allowed an attacker to access the profiles and financial information of all users of the product. Such critical data could be used by attackers, for example, for phishing campaigns aimed at users, or directly in attacks on institutions. Had this situation occurred in production, the companies involved would have faced large financial losses, loss of their client base and damage to their reputation. However, because the penetration tests took place before the application was released into production, this serious incident was prevented.

In addition, the analysis of the design and the actual state of the application revealed some deviations from the agreed requirements, for example in the handling of user documents, which is subject to the GDPR and which the supplier had insufficiently secured in the application. The client was thus able to negotiate accelerated free repairs within the contract, and even raise the level of security of its mobile application.

Our Solution

Over the past few years, a lot of IT activity has shifted from computers to mobile devices. Smart devices monitor homes, and mobile phones access financial accounts and company mail. As the amount of information available online grows rapidly, so do the demands on its security. Penetration tests on these devices help to expose serious flaws in the applications they run, flaws that could do great damage if exploited by attackers. Our team of ethical hackers looks for security lapses and simulates attacks on both the application (client) and network (server) parts of the system. This tests their ability to withstand real cyber-attacks from outside.

Penetration tests on mobile apps

  • Application audits for iOS and Android operating systems.
  • Our own methodology based on the OWASP Mobile Top 10 and the Mobile Application Security Verification Standard (MASVS), extended to encompass business logic tests and other scenarios drawn from our many years of experience.
  • Using manual, automated and semi-automated techniques to uncover vulnerable parts of applications.
  • Penetration tests for a mobile client, transport layer and the application’s server side. Investigating the possibility of data leakage, privilege escalation, authentication issues and much more.
  • To adapt to customer needs, we offer two testing options:
        • Comprehensive (full scan): a full penetration test that scans all parts of the application in line with the complete methodology.
        • Rapid (quick scan): a reduced penetration test where we only focus on the application’s most important areas and the most common types of vulnerabilities. Usually half the workload of comprehensive tests.


Mobile Device Management (MDM) audits

  • Configuring the administration interface according to current security standards and practices,
  • setting up and configuring mobile devices according to company policies,
  • penetration tests for mobile applications with MDM and used in the corporate container,
  • consultation on and setting up BYOD policies.


Audits on mobile operating systems

  • Analysis of the operating systems’ critical areas,
  • consultation on possible solutions for the safe use of mobile devices in the corporate environment.


Forensic analysis of mobile devices

  • Analysing unusual application or system behaviour,
  • checking for the presence of harmful malware, possible security flaws and traces of penetration and data exfiltration from the device.


Penetration tests on IoT devices

  • Verifying the security of devices connected to a corporate or home network,
  • analysing the physical security, firmware, communication (including wireless) in the framework of the internal network or cloud,
  • smart home solutions, cameras, cars, routers, intercoms, smart cities and more.


Analysing source codes

  • A combination of static analysis using automated tools and a manual code review,
  • Java, C#, JavaScript, Kotlin and other languages.

Our advantages

  • We are a well-established Czech security company that has been successfully operating on the market for over 30 years.
  • We have more than 10 years of experience in the field of mobile application and platform security.
  • Our team is made up of specialists with experience from hundreds of mobile projects.
  • We hold the eMAPT, CISSP, OSCP, OSCE, CEH certificates and many others.
  • We run our own hacking lab to research mobility and IoT.
  • We listen to our clients and tailor the tests to their needs and time constraints.
  • We follow modern trends in mobile security and technology.
  • We emphasize a manual approach to testing, which leads to more bugs being revealed, especially in the applications’ business logic.

References

We have extensive experience with projects for companies that are leaders in their sectors, e.g.:

    • Škoda Auto a.s.
    • Komerční banka a.s.
    • Kooperativa pojišťovna, a.s.
    • SAZKA, a.s.
    • Raiffeisenbank a.s.
    • Generali Česká pojišťovna, a.s.
    • Novartis s.r.o.

Contact us
