Mobile Security Testing
Our mobile security testing team have the skills and experience to conduct mobile security reviews across a wide range of mobile devices and mobile applications on all modern platforms. While some areas of mobile security testing have similarities to web application penetration testing, our experienced team has specialist knowledge and internally developed methodologies that ensure coverage of mobile platform and device specific vulnerabilities.
Mobile Application Security Testing
Mobile application reviews include coverage of the three main areas of the mobile application environment. To ensure complete coverage a review will usually include a source code review, as well as active application testing within a test environment.
The mobile application is reviewed for application-based vulnerabilities that may expose sensitive data stored insecurely on the device, or weaknesses that may lead to unauthorised access to the application. Platform specific security controls are also reviewed and tested, such as the correct use of iOS keychain attributes; security of Android intents and components; and the security of custom URL schemes.
Analysis of the communication between the application and its associated endpoint services is performed to ensure that the application is enforcing strict controls to validate the authenticity of the connection, and to prevent interception of the network traffic.
While the mobile application may be used as a client to interact with the endpoint services, testing of the endpoint services follows a similar methodology that is applied to any API endpoints or web services. This ensures that authentication and authorisation is performed at the endpoint services, tests for state checking within application process flows, and provides coverage of relevant web application API layer security issues.
Mobile Device Security Testing
Mobile device security reviews focus on the configuration and deployment profiles associated with a device, normally deployed through mobile device management (MDM) platforms. The Insomnia Security testing team undertake a review to verify that the intended configuration is enforced on the target device models and attempts to identify methods that can circumvent those controls.
Additional services include reviewing devices for their exposure to compromise if they are lost or stolen, the security of device network layer services such as VPN and VoWIFI, and whether a device is susceptible to weaknesses allowing privileged access.