Qualitrix Team delivers crucial benefits and solutions with Mobile Security Testing by providing key findings around critical privacy and security concerns for a large Personal Identity Management Platform.
Project Scope
The project involved a broad security assessment of Android and iOS mobile apps covering DAST and SAST. The vulnerability assessment had to be mapped to OWASP and CERT-In standards and include malware and spam analysis.
Challenges
The project scope brought several challenges. A common platform was required that would allow individuals to access and manage their details securely. Because the application handles personal identity management, the demands on data security and privacy were correspondingly higher: the application had to be protected against unauthorized user access, and its proprietary data guarded against tampering and reverse engineering. On top of this, a complete mobile security assessment of both the Android and iOS apps had to be conducted in a short span of time.
Solution
The solution implemented an OWASP and CERT-In based test framework for application security at ASVS level 3. The tests passed specially crafted input data to web services, activities and content providers (logon screens, web front ends, forms) to discover all potential attack vectors. The security experts analyzed the mobile binaries and identified business-critical vulnerabilities, conducted code review of the Android and iOS apps, and performed vulnerability assessment and penetration testing using a combination of commercial and open source tools together with manual penetration testing.
Business Benefits
The business benefits included 10 million+ secure installations of the app in production; a protected brand image, given the high criticality of the data and pan-India usage across the entire population; and client trust built by safeguarding the customer's application and data, with added value through deep diagnosis, remediation support and recommendations.
Tools
The following tools and technologies were deployed for the large-scale digital security testing of the application:
- Tools: Drozer, Genymotion, Burp Suite, Android Tamer, Appie, iNalyzer, testing tools from Cydia, Snoop-it, Xcode
- Technologies: Android Native Code, Java, PHP Restful web services
Key Findings
With the help of these tools and technologies, we arrived at several key findings. In total, 34 vulnerabilities were found across the Android and iOS apps using static and dynamic mobile security testing techniques (VA/PT).
Static code analysis identified injection (SQL, LDAP) vulnerabilities and showed that the Android app was storing user data locally in clear text. Dynamic analysis found parameter tampering that allowed any user's information to be updated, along with internal path disclosure in error page responses.
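The parameter-tampering and injection findings above share one root cause in a profile-update endpoint: the server trusts the record identifier the client sends and splices request values into SQL. The following is an added illustration written for this page, not code from the assessed platform (whose PHP services are not shown); it uses Python with an in-memory SQLite table as a stand-in and contrasts the vulnerable handler with a hardened one that takes the user id from the authenticated session and binds values as parameters. The table contents, the `request` dict shape and the session id are constructed for the example.

```python
import sqlite3
from typing import Optional

# Constructed stand-in for the identity platform's user table (two sample users).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Asha", "asha@example.invalid"), (2, "Ravi", "ravi@example.invalid")])
    conn.commit()
    return conn

def update_profile_vulnerable(conn: sqlite3.Connection, request: dict) -> bool:
    """Anti-pattern matching the findings: the row to update is taken from the
    client-supplied 'id' (parameter tampering lets one user edit another's record),
    and the statement is built by string formatting, so any quote character in
    display_name is parsed as SQL rather than stored as data."""
    sql = "UPDATE users SET display_name = '%s' WHERE id = %s" % (
        request["display_name"], request["id"])
    conn.execute(sql)
    conn.commit()
    return True

def update_profile_hardened(conn: sqlite3.Connection, session_user_id: int, request: dict) -> bool:
    """Fix: the target row comes from the authenticated session, never from the body,
    and values are bound as parameters so the database never interprets them as SQL."""
    requested_id = request.get("id")
    if requested_id is not None and int(requested_id) != session_user_id:
        # Reject rather than silently correct: a mismatch here is a tampering
        # signal that should be logged and alerted on by the service.
        return False
    cur = conn.execute("UPDATE users SET display_name = ? WHERE id = ?",
                       (request["display_name"], session_user_id))
    conn.commit()
    return cur.rowcount == 1

def display_name_of(conn: sqlite3.Connection, user_id: int) -> Optional[str]:
    row = conn.execute("SELECT display_name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None

def run_demo() -> dict:
    """Exercises both handlers with a session for user 1 and returns what each allowed."""
    results = {}

    # Tampered body names user 2 while the session belongs to user 1.
    tampered = {"id": 2, "display_name": "Mallory"}
    conn = make_db()
    update_profile_vulnerable(conn, tampered)
    results["vulnerable_allowed_cross_user_update"] = display_name_of(conn, 2) == "Mallory"

    conn = make_db()
    accepted = update_profile_hardened(conn, 1, tampered)
    results["hardened_allowed_cross_user_update"] = accepted or display_name_of(conn, 2) == "Mallory"

    # A legitimate name containing an apostrophe: data for the hardened handler,
    # a broken statement for the vulnerable one.
    quoted = {"id": 1, "display_name": "O'Brien"}
    conn = make_db()
    results["hardened_stored_quote_verbatim"] = (
        update_profile_hardened(conn, 1, quoted) and display_name_of(conn, 1) == "O'Brien")
    try:
        update_profile_vulnerable(make_db(), quoted)
        results["vulnerable_broke_on_quote"] = False
    except sqlite3.OperationalError:
        results["vulnerable_broke_on_quote"] = True
    return results

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The ownership check is deliberately a hard reject rather than an override of the submitted id: a client that sends a different id than its session is either buggy or probing, and either way the event belongs in the service's security logs.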