Mobile Application Penetration Test Training 7

Description:

Securium Fox Technology provides cyber security services in the USA, India, Bangalore, UK, London, China, Africa and Japan, as well as ethical hacking, penetration testing and training. Securium Fox Technology also provides certification for all platforms, such as CISCO, Microsoft, EC-Council, ISC2, Red Hat and so on. You get any certification with 100% exam crack result. CISCO certifications: CCNA, CCNP, CENT and so on. EC-Council certifications: CEHv10, CHFI, LPT, ECSA and so on. ISC2 certifications: CISM, CISSP and so on. Microsoft certifications: MCSA, MCITP and so on.


Transcript and Presenter's Notes


1
ABOUT US
  • SECURIUM FOX offers cyber security consultancy
    services with its expert and experienced team. With
    more than 15 years of experience, we provide
    consulting services to prevent cyber attacks and
    data leaks and to ensure that our customers are
    ready for and safe against cyber attacks. In
    addition to pentests and consulting services,
    SECURIUM FOX prepares its customers and field
    enthusiasts for real-life scenarios by providing
    training in a lab environment that its young,
    dynamic team, which constantly follows the field,
    has prepared itself. As long as hackers are part
    of our lives, there is always a risk of facing a
    cyber attack. Over the years, the effects and
    number of attacks have made cyber security a
    critical precaution for all organizations and
    companies. SECURIUM FOX tests the weak points of
    customers for possible attacks and provides
    consulting services to eliminate these weak
    points. The SECURIUM FOX team also supports the
    development of our country in this field by
    supporting free events organized on a volunteer
    basis by the Octosec team.

2
  • MOBILE APPLICATION SECURITY AND PENETRATION TEST
    TRAINING

3
Mobile App Security Testing
  • securiumfoxtechnologies Mobile App Security
    Testing service provides a detailed security
    analysis of your phone or tablet based app. A key
    feature of this service is manual testing by
    experienced security professionals, which
    typically uncovers many more issues than
    automated tests alone.

4
Vulnerable apps fail to validate SSL certificates
  • Mobile applications which send and receive
    sensitive information are tempting targets for
    man-in-the-middle (MITM) attacks, where a
    correctly positioned attacker can view and
    manipulate traffic. Mobile applications use the
    same approach to securing communication as
    conventional web sites: SSL/TLS. However, SSL
    certificate validation is far from trivial, and
    mobile applications often fall short of the
    standard of certificate validation performed in
    mainstream browsers.

5
  • Without sufficient validation of SSL certificates
    in a mobile app, an attacker can substitute a
    legitimate SSL certificate with one under his
    control and thus view or manipulate sensitive
    information submitted by the user. Mobile app
    users who regularly connect to untrusted public
    wireless networks are particularly at risk, both
    from rogue access points and from other users of
    the wireless network. Unlike with conventional
    phishing attacks, browser-based blocking of
    malicious websites is not sufficient to defend
    against this type of attack.
  • securiumfoxtechnologies has discovered SSL
    certificates in the wild which may have been used
    in MITM attacks targeting banking applications,
    and has also discovered an invalid certificate
    masquerading as .itunes.apple.com (though iOS
    appears to behave correctly and rejects such a
    certificate). With billions of downloads of
    mobile apps from the Apple App Store, Google
    Play and BlackBerry World, the attack surface is
    potentially huge and obviously attractive to
    fraudsters. In a study conducted in late 2012,
    more than 17% of tested Android applications
    failed to fully validate SSL certificates.

6
Mobile app and server testing
  • When a customer uses an app to access your
    services over the internet, it is imperative to
    ensure security at both ends. It is pointless
    developing a highly secure app if there are
    gaping holes in the servers that store and
    process customer data; conversely, even if your
    servers are completely secure, an insecure app
    could allow customer data to be retrieved or
    redirected to a remote attacker.
  • Accordingly, securiumfoxtechnologies' mobile app
    testing includes the following client-side
    activities:
  • Decompilation of the installed app
  • Searching for sensitive information hard-coded
    within the app
  • Verifying the security of locally stored
    credentials
  • Checking that SSL certificates and signatures are
    properly validated
  • Discovering insecure use of cryptography for
    transmitting data or for local storage
  • Source code analysis (if appropriate)
  • Checking that automatic updates do not provide a
    conduit for attackers to install arbitrary code
  • Verifying all sensitive information is removed
    after uninstalling the app
  • Looking for unintended transmission of data, such
    as the user's phonebook when it is not required
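
Added example (not part of the original slides): slides 4 and 5 describe apps that fail to validate SSL certificates, and the checklist above includes decompiling the app and checking that certificates are properly validated. The Python below shows one way a reviewer can flag common Java code shapes that disable validation in decompiled source; the rule names, the `scan` helper and both Java samples are constructed for illustration.

```python
import re
# Java/Android code shapes that switch off certificate or hostname checks.
RULES = {
    "empty-checkServerTrusted": re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}"),
    "hostname-verifier-returns-true": re.compile(
        r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
        r"\s*\{\s*return\s+true\s*;\s*\}"),
    "allow-all-hostname-verifier": re.compile(
        r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier"),
}
_STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.S)

def strip_comments(src):
    """Drop comments but keep string literals and line breaks."""
    def repl(m):
        text = m.group(0)
        return text if text.startswith('"') else "\n" * text.count("\n")
    return _STRING_OR_COMMENT.sub(repl, src)

def scan(src):
    """Return sorted (line_number, rule_name) findings for one source file."""
    code = strip_comments(src)
    return sorted((code.count("\n", 0, m.start()) + 1, name)
                  for name, pattern in RULES.items()
                  for m in pattern.finditer(code))

# Constructed excerpt: a client that accepts any certificate and any hostname.
SAMPLE_VULNERABLE = '''
public class ApiClient {
    static final String BASE = "https://api.example.test/v1";
    X509TrustManager tm = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] c, String a) {
            // TODO: validate before release
        }
    };
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String host, SSLSession s) { return true; }
    };
}
'''
# Constructed excerpt: the platform's default validation is left in place.
SAMPLE_DEFAULT = '''
HttpsURLConnection open(URL u) throws IOException {
    return (HttpsURLConnection) u.openConnection();  // default TrustManager applies
}
'''
if __name__ == "__main__":
    print(scan(SAMPLE_VULNERABLE))
```

A finding marks code for manual review; a clean scan does not prove validation is correct, since pattern matching misses obfuscated or indirect variants.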

7
  • The app testing service also includes testing of
    the web services used by the app. The following
    aspects are examined in detail to ensure that the
    backend servers do not expose customer data to
    other parties:
  • Server configuration errors
  • Loopholes in server code or scripts
  • Advice on data that could have been exposed due
    to past errors
  • Testing for known vulnerabilities
  • Reducing the risk and enticement to attack
  • Advice on fixes and future security plans

8
Typical issues discovered during a mobile app and
server test
  • Vulnerability to man-in-the-middle (MITM) attacks
  • Insecure storage of sensitive data on mobile
    devices
  • Insecure use of cryptography
  • Weak session management
  • Unauthorised access to other users' accounts
  • SQL injection
  • Server misconfigurations
  • Command injection
  • Well-known platform vulnerabilities
  • Back doors and debug options
  • Errors triggering sensitive information leaks
  • Broken ACLs/Weak passwords

9
You can always contact SECURIUM FOX. You can
contact us through our email addresses or by
using the contact form on the side.
  • INFO
  • 3rd Floor,Lohia Towers,
  • Nirmala Convent Rd,
  • Gurunanak Nagar, Patamata, Vijayawada,
  • Andhra Pradesh -520010
  • 9652038194
  • 08666678997
  • info_at_securiumfoxtechnologies.com

10
  • info_at_securiumfoxtechnologies.com
  • Andhra Pradesh Office
  • 91 8666678997,91 91652038194
  • 3rd Floor,Lohia Towers,
  • Nirmala Convent Rd, Gurunanak Nagar, Patamata,
    Vijayawada,
  • info_at_securiumfoxtechnologies.com
  • UK Office
  • 44 2030263164
  • Velevate, Kemp House, 152 - 160,City Road,EC1V
    2NX
  • London
  • info_at_securiumfoxtechnologies.com
  • Tamil Nadu Office
  • 91 9566884661
  • Kailash Nagar, Nagar, Tiruchirappalli, Tamil Nadu
    620019
  • info_at_securiumfoxtechnologies.com
  • Noida Office
  • 91 (120) 4291672, 91 9319918771
  • A-25, Block A,
  • Second Floor,Sector - 3,
  • Noida, India
  • info_at_securiumfoxtechnologies.com
  • USA Office
  • 1 (315)933-3016
  • 33 West,17th Street,
  • New York,
  • NY-10011, USA
  • info_at_securiumfoxtechnologies.com
  • Dubai Office
  • 971 545391952
  • Al Ansari Exchange, Ansar Gallery - Karama
    Branch, Hamsah-A Building - 3 A St - Dubai -
    United Arab Emirates