Mobile application audits

Auditing of Android and iOS mobile applications

Mobile applications are used more and more as a complement to web applications, and they are therefore increasingly targeted by attackers. We can audit your Android and iOS mobile applications with both a static and a dynamic analysis.

A mobile application audit can be broken down into two phases.

  • The static analysis, as a first step, audits the security of the application itself. We carry out a reverse engineering phase in order to understand the application code and study its interactions with the system. The application does not need to be launched or used for this: tools allow us to analyze how it operates without installing it.
  • In a second stage, the dynamic analysis lets us exploit the vulnerabilities identified during the static analysis, and also discover new ones. We study the data exchanged with any back-end server, and then try to attack that server directly, without going through the application.

The prerequisite for this audit is to have the .apk (Android) or .ipa (iOS) installation file of the application. We can also retrieve the latest version of the application from the corresponding application store if you wish.


A mobile application often communicates with a server to exchange data. Unlike a web application, which is independent of the browser in which it runs, a mobile application is designed to meet a particular need on a particular platform. The big difference between web penetration testing and mobile application auditing therefore lies in the reverse engineering phase and the analysis of the mobile application's behavior.

OWASP Top 10 vulnerabilities in mobile applications

The OWASP Top 10 periodically assesses the most common vulnerabilities encountered. Here is the 2016 ranking for mobile applications.

  1. Improper Platform Usage: misuse, or lack of use, of the security mechanisms specific to the mobile platform. Using local storage to save sensitive data instead of the Keychain on iOS is a good example.
  2. Insecure Data Storage: any weakness that results in data being stored without adequate protection.
  3. Insecure Communication: any situation where data is transmitted to or from the outside without being properly encrypted, whatever the protocol or communication channel used.
  4. Insecure Authentication: as in web application auditing, this defect occurs when a user is able to perform actions under the identity of another user.
  5. Insufficient Cryptography: this defect occurs mainly when the encryption scheme is poorly implemented or obsolete, or when the encryption key is placed in the application source code.
  6. Insecure Authorization: this defect is due to missing checks when API functions are called.
  7. Client Code Quality: defects identified during the analysis of the application code fall into this category, as does the lack of code documentation.
  8. Code Tampering: the application lacks mechanisms to detect whether its code has been modified, which is something that happens in particular during the static analysis phase.
  9. Reverse Engineering: this defect is reported when the application file gives up too much information too easily, without any attempt to protect itself from an attacker's analysis.
  10. Extraneous Functionality: obsolete features or test functionality, not visible to a user, but still present in the application code.
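As an added example (not part of the original page nor the auditors' own tooling), here is a small Python heuristic scan of the kind run during the static analysis phase: it walks constructed decompiled-source lines and maps each hit to the M2, M3 and M5 categories above. The sample lines and the rules are assumptions written for this illustration; hits are candidates for manual review, not confirmed findings.

```python
import re

# Constructed sample of decompiled Android source lines (not from any real app),
# standing in for what the static-analysis phase recovers from an .apk.
SAMPLE_SOURCE = """\
private static final String API_URL = "http://api.example.invalid/v1/login";
private static final byte[] AES_KEY = "0123456789abcdef".getBytes();
SharedPreferences p = ctx.getSharedPreferences("auth", Context.MODE_WORLD_READABLE);
p.edit().putString("password", pwd).apply();
Log.d("Login", "token=" + token);
Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
private static final String SAFE_URL = "https://api.example.invalid/v1";
"""

# Each rule: (OWASP Mobile 2016 category, regex). The regexes are heuristics
# chosen for this example; they flag candidates for review, not confirmed bugs.
RULES = [
    ("M3 Insecure Communication", re.compile(r'"http://[^"]+"')),
    ("M5 Insufficient Cryptography", re.compile(r'(KEY|SECRET)\w*\s*=\s*"[^"]+"', re.I)),
    ("M5 Insufficient Cryptography", re.compile(r'Cipher\.getInstance\("(DES|RC4|[^"]*/ECB)')),
    ("M2 Insecure Data Storage", re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)')),
    ("M2 Insecure Data Storage", re.compile(r'putString\("(password|token|secret)"', re.I)),
    ("M2 Insecure Data Storage", re.compile(r'Log\.[dvwe]\(.*(token|password|secret)', re.I)),
]


def scan_source(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, category, line) for every line matching a rule."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for category, pattern in RULES:
            if pattern.search(line):
                findings.append((number, category, line.strip()))
                break  # one finding per line keeps the report readable
    return findings


def summarize(findings: list[tuple[int, str, str]]) -> dict[str, int]:
    """Count findings per OWASP category for the report's summary table."""
    counts: dict[str, int] = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for number, category, line in scan_source(SAMPLE_SOURCE):
        print(f"line {number}: {category}: {line}")
    print(summarize(scan_source(SAMPLE_SOURCE)))
```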

Main tools used

During our Android and iOS pentests we use tools that are mainly open source, of high quality and with a strong reputation in the cyber security community. Among them, non-exhaustively:

We like to emphasize the transparency of the actions carried out on your infrastructure. For this purpose, the appendix of our reports lists the tools used during the audit, as well as any script we may have developed for a specific need.
