According to Statista, 3.8 billion people in the world today are smartphone users and they spend almost 90% of their time on apps. The mobile app industry is thriving and expected to generate over $935 billion dollars by 2023. The unstoppable growth of this industry also brings a lot of security related issues due to the rush release of mobile app without adequate security testing and protection.
ECQ offers Mobile App Security Assessment service to test mobile app and its architecture for potential security vulnerabilities. The Consultants also develop Proof-of-Concept or exploit to validate high risk vulnerabilities and help an organization to prioritize remediation efforts.
ECQ follows its in-house RAPID penetration test framework combined with OWASP Mobile Top 10, and OWASP Mobile Security Testing Guide (MSTG) to carry out all of the assessment activities.
Recon
In this phase, ECQ performs reconnaissance against the target mobile app to understand more about its architecture such as language, libraries, API, security protections, as well as technical specifications and manual. ECQ Consultants will also carry out OSINT (Open Source Intelligence) gathering activity to search for current and past released versions, possible source code or sensitive leaks of technical information, and look up vulnerability database for known issues related to the target mobile app.
Analyze
There are three main activities typically involved in this phase: Static Analysis, Dynamic Analysis, and API Analysis.
Static Analysis
ECQ attempts to decompile or reverse engineer the mobile application to gain in-depth understanding of the functionality, hidden functions, libraries, and IPC (Inter-Process Communication) endpoints. The process also involves analysis of insecure cryptography services such as hardcoded keys, insecure algorithm usage, insufficient protection of sensitive data, and so on.
For application that has multiple roles with complex authentication and authorization matrix, the Consultants will carry out post-authentication security analysis to discover improper permission assignments and security issues related to business logics.
In parallel with manual static analysis, the Consultants also puts the decompiled source code through Static Application Security Testing (SAST) tool for further analysis and to ensure better code coverage analysis.
Dynamic Analysis
This phase normally requires to look at the application from a more Black Box approach in which the ECQ has to execute techniques to assess and try to bypass those binary protections that detect jailbreak or root devices. The Consultants then perform deeper analysis and look for vulnerabilities that are related to insecure data storage, information disclosure, certificate pinning, IPC and network communication, and more.
API Analysis
All the API endpoints communicating with the mobile app are also analyzed for potential security issues. API security analysis allows ECQ to test not only the mobile app itself but the architecture and server-side that it is relying on. Security issues such as broken authentication and authorization of users, objects, functions, security misconfiguration, SQL injection, and command injection are normally discovered during this phase.
Besides manual API analysis, ECQ also uses Dynamic Application Security Testing (DAST) tool to perform dynamic application analysis and ensure complete coverage of OWASP API Top 10.
Penetrate
This is the phase where ECQ Consultants develop PoC or exploit code and validate those high risk security vulnerabilities to provide an organization with a definite answer of whether this vulnerability is exploitable and its impact. Exploits normally developed in this phase include binary exploits, parameter tampering, injections, business logics, and protection bypasses.