A typical mobile application comprises two parts: the app itself, installed on the mobile device, and a web service exposing actions via an application API. During a mobile application security review it is important to consider both parts of this equation.
The objective of a mobile application security review is to provide assurance over the security controls in place in both the mobile app itself and, optionally though ideally, the service as a whole.
A mobile device, contrary to common opinion, is not a black box into which you cannot pry. It is essentially a small version of your desktop computer and, with the right skills, can be accessed in just the same way. So the risks to mobile applications are essentially the same as to any other application where assumptions are made about the security of the end-user system.
Some examples of common weaknesses include:
The obvious difference between a mobile device and a traditional PC is that it's...mobile and at greater risk of physical theft. Our security reviews provide assurance about the possibility of data loss.
Mobile devices mean wireless network usage. Know whether your application data is at risk when travelling over these networks.
Typically we are provided with a developer version of a mobile app for testing prior to its release; however, it is not uncommon to also perform testing on apps already released to their respective App Store. Using jailbroken or rooted mobile devices, we remove the first “barrier” to security testing and are able to access local storage and configuration files, and typically we can also reverse engineer the majority of mobile applications.
Through a combination of dynamic and static analysis, plus the use of intercepting network proxies and our wireless testing lab, we are able to fully inspect, interact with and tamper with mobile applications and view their web service calls, if relevant, just the same way a malicious attacker would.
As with our penetration testing, we follow a formal methodology to provide consistent high quality across engagements. For mobile application security reviews we have aligned our methodology to the OWASP Mobile Security Project, combined with our experience and formal training.