I wrote recently about performing source code analysis for mobile apps. I'm seeing some crazy stuff that I didn't think I'd see in mobile apps (but I'm not really surprised) related to session manipulation, hard-coded cryptographic keys and the like, which underscores the importance of the exercise.
But there's another side to mobile app security assessments - it's simply manual analysis. That is, poking around with the apps and the mobile devices using good tools and proper techniques to find and demonstrate security and forensic-related flaws that aren't uncovered in traditional user, functional, and QA testing. In recent application assessments, I've found things like:
- login-related weaknesses
- information mishandling
- insecure interactions with external applications/systems
- exploits in general functionality that put PII at risk
Like I say about a lot of things related to information security... do it yourself, allow me to help, or hire someone else - just do something.