Mobile Application Security
Application security consists of protecting the information stored on the user's device and controlling how the application interacts with other devices and applications. Our application security assessment consists of three activities: application decompiling, network traffic analysis, and permission misuse analysis.
Application Decompiling
Application decompiling is a serious attack vector when secure coding practices are not employed during application development. Typically, application decompiling focuses on Android Application Packages (APKs) due to the nature of the platform.
BC Security will evaluate the application's security posture and search for opportunities to exploit the user application in isolation in order to circumvent its security measures. Specific items identified during bytecode analysis of the user application include the presence or absence of code obfuscation, hard-coded passwords and keys, firmware repositories, and over-the-air update mechanisms.
Network Traffic Analysis
Network traffic analysis requires setting up a network tap and analyzing the encrypted and unencrypted traffic to and from the application. This analysis establishes how the application interacts with the server-side Application Programming Interface (API). The most common vulnerability identified during this test is a degraded encryption scheme that may leak Personally Identifiable Information (PII), such as credit card or other personal information.
Permission Misuse
Permission misuse involves evaluating the interactions the application has with other processes. In certain instances, granted permissions allow data leakage or privilege escalation through other applications. This is a serious security concern because another application can be used as a pivot point into the assessed application.
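As an added illustration of the permission misuse check described above (example code written for this page, not BC Security's tooling), the script below parses an AndroidManifest.xml and flags components that other applications can reach without a protecting permission, plus requested permissions from a short review list. The manifest, the `com.example.demo` package name and the `DANGEROUS_PERMISSIONS` set are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
# Hypothetical short review list; a real assessment uses the platform's protection levels.
DANGEROUS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.READ_CONTACTS"}

# Constructed manifest for illustration, not taken from any real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".DebugReceiver" android:exported="true"/>
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="com.example.demo.PING"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:exported="true"/>
  </application>
</manifest>"""

def attr(elem, name):
    # Read an attribute from the android: namespace.
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def is_launcher(comp):
    # The app's own entry point is expected to be exported.
    return any(attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in comp.iterfind("intent-filter/category"))

def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        if attr(perm, "name") in DANGEROUS_PERMISSIONS:
            findings.append(("dangerous-permission", attr(perm, "name")))
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if attr(comp, "permission") or is_launcher(comp):
                continue  # guarded by a permission, or the launcher activity
            exported = attr(comp, "exported")
            if exported == "true":
                findings.append(("exported-unprotected-" + tag, attr(comp, "name")))
            elif exported is None and comp.find("intent-filter") is not None:
                # Before Android 12, an intent filter without android:exported means exported.
                findings.append(("implicitly-exported-" + tag, attr(comp, "name")))
    return findings
```

Each finding is a component another app could reach (or a permission whose grant widens the data exposed), which is exactly the pivot-point condition the assessment looks for.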