Mobile application
During a mobile application audit, the objective is to verify:
- The security of user data within the phone which can be exposed to a hostile environment in the following cases :
- Phone theft
- Installation of malicious third-party application
- Using the application on a dangerous wifi network
- The robustness of the servers on which the application connects
Our audits concern mobile applications intended for Android or iOS terminals. Here are some examples of points verified by our auditors :
Android
- Data storage
- Preference files
- Permissions Analysis
- Log files
- Misuse of the platform
- Analysis of the manifest
- Webview audit
- Clipboard management
iOS
- Data storage
- Database
- Permissions
- Data in memory
- Misuse of the platform
- Custom url schemes
- Webviews
- Local authentication systems
Common
- Authentication and session management
- Static and dynamic analysis
- Hijacking session
- Anti-bruteforce mechanisms
- Management and storage of session variables
- Encryption
- Encryption keys present / hardcoded in the code
- Using the Keystore / Keychain
- Size of the various keys
- Robustness of used algorithms
- Analysis of network communications
- Dynamic analysis of connections and exchanged data
- Verification of certificates
- SSL Pinning