Benefits

Performing vulnerability assessment of Mobile applications, either Android apps security or iOS app security, there is a set of benefits as an outcome. Below points outline why we perform a security scan for the apps. Both business and public organizations today are using mobile apps in new and compelling ways, from banking applications to healthcare platforms. Managing security risk is a growing challenge on these platforms, with new vulnerabilities found every day. Is your mobile app safe from attackers?

• At a high level following are the benefits
• Identify and remediate iOS, Android, and Windows Phone application risks
• Assess and report on mobile application security to executive management and other stakeholders
• Identify critical information exposures attributed to mobile apps in your environment
• Evaluate the security posture of new mobile technologies in development

Insecure Data Storage, as the name says, is about the protection of the data in storage. Mobile applications are used for all kinds of tasks, such as playing games, fitness monitors, online banking, stock trading and so on, and most of the data used by these applications is stored in the device itself inside SQLite files, XML data stores, log files, and so on. Or, they are pushed on to cloud storage.

The types of sensitive data stored by these applications may range from location information to bank account details. Application programming interfaces (APIs) that handle the storage of this data must securely implement encryption/hashing techniques so that an adversary with direct access to these data stores via theft or malware will not be able to decipher the sensitive information stored in them.

Certain functionalities of mobile applications may place sensitive data of the users in locations where it can be accessed by other applications or even by malware. These functionalities may be there in order to enhance usability or user experience but may have adverse effects in the long run.

Actions such as OS data caching, key press logging, copy/paste buffer caching, and implementations of web beacons or analytics cookies for advertisement delivery can be misused by adversaries to gain information about victims.

This relates to weak controls that are used to protect the data. The usage of weak cryptographic algorithms, such as RC2, MD5, and so on, that can be cracked by adversaries will lead to encryption failure.

Improper encryption key management when the key is stored in locations accessible to other applications or the use of a predictable key generation technique will also break the implemented cryptography techniques.

The implementation of certain functionalities such as use of hidden variables to check the authorization status can be bypassed by tampering them during transit via web service calls or inter-process communication calls. This may lead to privilege escalations and unintended behavior of the mobile application.

Mobile application source code is available to everyone. An attacker can reverse engineer the application and insert malicious code components and recompile them.

If these tampered applications are installed by a user, they would be susceptible to data theft, become victims of unintended actions, and so on. Most of the applications do not ship with mechanisms such as checksum controls, which help in deducing whether the application is tampered or not.