Mobile application audits

Auditing of Android and iOS mobile applications

Mobile applications are being used more and more, as a complement to web applications. Therefore, they're also increasingly being targeted by attackers. We can audit your Android and iOS mobile applications with both a static and a dynamic analysis.

A mobile application often communicates with a server to exchange data. Unlike a web application, which is independent of the browser in which it runs, a mobile application is designed to meet a particular need. The big difference between web penetration testing and mobile application auditing is therefore in the reverse engineering phase and the analysis of the mobile application behavior.

OWASP Top 10 vulnerabilities in mobile applications

The OWASP Top 10 periodically assesses the most common vulnerabilities encountered. Here is the 2016 ranking for mobile applications.

1. Improper Platform Usage : errors or the lack of use of certain mechanisms specific to the mobile platform used. The use of local storage to back up sensitive data instead of using the KeyChain on iOS is a good example.
2. Insecure Data Storage : any problems resulting in a lack of security when storing data.
3. Insecure Communication : all situations where data is transmitted to and from the outside without being properly encrypted, regardless of the protocol or communication channel used.
4. Insecure Authentication : similar to web application auditing, this defect occurs when a user is able to perform actions under the identity of another user.
5. Insufficient Cryptography : this defect occurs mainly when the encryption protocol is poorly implemented, is obsolete, or the encryption key is placed in the application source code.
6. Insecure Authorization : this defect is due to a lack of checks when calling API functions.
7. Client Code Quality : defects identified during the analysis of the application code fall into this category, as well as the lack of code documentation
8. Code Tampering : there are mechanisms to detect if the application code has been modified, which happens especially during the static analysis phase.
9. Reverse Engineering : this defect is reported if the application file provides too much data too easily, without having sought to protect itself from the actions of an attacker.
10. Extraneous Functionality : concerns obsolete features or test functionalities, not visible to a user, but still present in the application code.

Main tools used

We use during our Android pentests and iOS pentests tools that are mainly open-source, with a high level of quality and a strong reputation in the cyber security community. We can quote, but not exhaustively:

• MobSF, Frida, JD-GUI, apktool, APKiD, cycript, PassionFruit for the static analysis of the application code.
• nmap, BurpSuite for auditing the server, if applicable.

Nous aimons mettre en avant la transparence des actions réalisées sur votre infrastructure. For this purpose, you will find in the appendix of our reports the list of tools that were used during the audit, as well as any script that we may have developed for a specific need.