Mobile Reviewer is a worldwide brand of Security Reviewer offered on demand for MAST (Mobile Binary Analysis). A robust cloud infrastructure is behind this offer.
It provides:
The following languages are supported:
C/C++
GO
Rust
Python
Android JAVA
Kotlin
Android C++ SDK
With support of:
Unity
Corona SDK
Xamarin
Titanium
TheAppBuilder
PhoneGap
NativeScript
Ionic
Sencha Touch
React Native
JQuery Mobile
Sproutcore
Flutter
Cordova
iOS Objective-C and Objective-C++
iOS Swift
With support of:
Appium
Earlgrey
OCMock
Detox
XCTest and XCUITest
Further iOS libraries we support: https://github.com/vsouza/awesome-ios
C#
Mobile Reviewer enables enterprises to get on-demand security assessments of their Mobile Apps. Mobile security assessment software can be expensive to purchase, and it needs constant upgrades to keep up with ever-evolving threats. Today's corporate security groups are not staffed to handle the specialized skills needed to perform code analysis and security testing. For Static Reviewer users, the Mobile Behavior Analysis additional feature is provided as a Mobile Reviewer client.
Mobile Reviewer frees enterprises from having to spend resources on the purchase of software or Mobile device simulators, on hiring software security experts and consultants to operate it, and on constant maintenance to keep it effective. With Mobile Reviewer, enterprises simply submit Apps through an online platform and quickly get back test results.
Mobile Reviewer is easy to use and access, allowing enterprises to roll out Mobile security quickly and efficiently.
Mobile Reviewer now supports Static and Dynamic Analysis of both Android and iOS apps. Reviewing Mobile Apps is time-consuming and difficult to make routine. Adopting an online Mobile scanning service can save time by focusing human involvement on reviewing potential risks and enhancing system stability with more accurate and usable results.
Mobile Reviewer will do it for you. To perform the audit we rely on the expertise of a dedicated staff of 2 to 5 auditors per Mobile App, and we base the analysis on the following test plan:
App enhanced decompiling: We use a combination of technologies for decompiling and extracting configuration files from the App. We also have our own code enrichment methodology, especially useful when code has been obfuscated. This phase provides: seeking for unwanted additional code, variables, objects and parameters; executing static analysis of the decompiled code; comparing against the original source code (when available).
Permission analysis (Android): To make smartphone users aware of the personal information an App might access, the Android operating system requires users to review and grant a set of permissions for the App to function. Android Apps must declare permissions for nearly everything, from controlling vibration, Internet access, and writing to the SD card, to monitoring your location and sending SMS messages. However, research demonstrates that few users are well equipped to evaluate the set of permissions requested by Apps, hence permissions are often ignored even though they might appear irrelevant to the proper function of the app. We studied 500K+ apps, roughly 88% of 20+ Android marketplaces, and we are able to recognize applications which might pose privacy risks; these represent a large number of the available applications (46% of the Apps collected). To distinguish between low/no risk applications and those that have the potential to release sensitive data, we adopted a quantitative metric for characterizing Apps, called Sensitivity Score.
Virus-Malware analysis: validates the use of potentially dangerous code itself; that is, calls to vulnerable functions and procedures. Part of the analysis is done with 50+ antiviruses, and part by recognizing malware patterns inside the code.
Screenshots capture: Capturing screenshots from running Apps is not only a graphical issue; it is also a demonstration of the different running phases that have been exercised by our tests. Using our patented Dynamic Image Interpreter, Mobile Reviewer detects Async Inputs, Application Status Changes, Lost Connections, Unhandled Errors and Ransomware by interpreting the images dynamically.
Information Leakage: Lists all tainted information during Apps execution, like IMEI, personal data, e-mail, external IP and DNS access, file access, hardcoded URLs and URIs, encryption keys, phone calls, SMS/MMS sent, etc.
Structural analysis: detects problems due to incorrect decisions in the organization of code.
Dead Code analysis: seeking for unused and/or uninitialized code, variables, objects and parameters that can be manipulated for hiding dangerous code.
Fingerprint analysis: detects all vulnerable libraries and frameworks used by the application.
Certificates analysis: detects all invalid certificates used by the application.
Encryption analysis: detects all invalid or weak encryption used by the application.
Configuration files analysis: correspondence checks between code and configuration files; seeking for dangerous configuration tags; unsecured cookies, environment variables, library and framework configuration, insecure authorizations and authentication; misconfiguration of application logic and data flows, code injection exposure.
Exception handling and Logging robustness check.
Android Hardcoded Secrets: Rooted phone, hard disk forensics, adb backup, debuggable application allowing run-as (mitigated by Android). Social engineering, bug in application allowing for data exfiltration, bug in application allowing arbitrary command execution (not mitigated by Android).
Apple iOS Key Security Flaws: Limited benefit of encryption for powered-on devices, evidence of past hardware (SEP) compromise, limitations of "end-to-end encrypted" cloud services.
iOS IPA, APPX and APK/XAPK binary analysis: .ipa, .appx, .apk, and .xapk files are just zipped files that include the application executable and a bunch of other stuff. In most cases they are not 100% encrypted and contain images, web pages, db files, configuration files and even zipped source code.
Protocol testing: Find in the code references to security protocols, execute Dynamic Analysis of TLS/SSL Security, SSL Pinning Bypass, LGTM issues, and REST API exposed for TLS/SSL included.
Intent/app extension dumper: Through auxiliary Frida or Needle script.
Correlation: Static and Dynamic analyses will be correlated using a Dynamic Syntax Tree, combining and correlating the results. You are able to identify which vulnerabilities are truly exploitable and should be at the top of your remediation list.
These checks are first performed by automated procedures; then manual intervention will be needed, taking into account the established risk on the application.
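As an added illustration of several of the checks in the test plan above (Permission analysis, Information Leakage, Encryption analysis, Android Hardcoded Secrets and APK binary analysis), the following Python script performs a minimal static triage of an Android package. It is not Mobile Reviewer's code and does not implement the page's Sensitivity Score. It assumes the package is a plain zip archive (which an .apk is), and, as a simplification, that the manifest is stored as plain XML; a real APK carries a binary-XML manifest that has to be decoded first (for example with apktool or androguard). The DANGEROUS_PERMISSIONS table, the detection patterns and the sample package are constructed for the example.

```python
"""Added example, not Mobile Reviewer's own code: static triage of an
Android package.  An .apk is a zip archive, so we enumerate its entries,
read the manifest to list requested permissions, record which entries ship
unencrypted, and scan text entries for hardcoded URLs, key material and
weak-crypto references.  Assumption: the manifest is plain XML (real APKs
need binary-XML decoding first).  The permission table, the ratio score and
the patterns are a constructed illustration, not the page's Sensitivity Score."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed subset of Android permissions with "dangerous" protection level.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",      # exposes IMEI / phone number
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
}

# Entry types that commonly ship as readable plaintext inside a package.
PLAINTEXT_EXT = (".xml", ".json", ".properties", ".db", ".sqlite", ".pem", ".p12", ".html")

# Constructed detection patterns for the string scan.
PATTERNS = {
    "hardcoded_url": re.compile(r"https?://[\w.\-/:%?&=]+"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "weak_cipher": re.compile(r'Cipher\.getInstance\("(?:DES|RC4|AES/ECB)[^"]*"\)'),
    "weak_hash": re.compile(r'MessageDigest\.getInstance\("(?:MD5|SHA-?1)"\)'),
}
# Namespace URLs every manifest contains; not a leak, so suppressed to cut noise.
KNOWN_BENIGN_URLS = {"http://schemas.android.com/apk/res/android"}


def parse_permissions(manifest_xml):
    """Return the sorted list of <uses-permission android:name> values."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission"))


def permission_report(perms):
    """Flag dangerous permissions and a simple dangerous/requested ratio (illustrative)."""
    dangerous = sorted(p for p in perms if p in DANGEROUS_PERMISSIONS)
    ratio = round(len(dangerous) / len(perms), 2) if perms else 0.0
    return {"requested": perms, "dangerous": dangerous, "dangerous_ratio": ratio}


def scan_text(name, data):
    """Run every pattern over a text entry; binary entries are skipped."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return []
    findings = []
    for label, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if label == "hardcoded_url" and m.group(0) in KNOWN_BENIGN_URLS:
                continue
            findings.append((name, label, m.group(0)))
    return findings


def triage_apk(apk_bytes):
    """Walk the archive and collect permissions, plaintext entries and string findings."""
    perms, plaintext, encrypted, findings = [], [], [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:          # zip-level encryption: cannot read without a key
                encrypted.append(info.filename)
                continue
            data = zf.read(info.filename)
            if info.filename == "AndroidManifest.xml":
                perms = parse_permissions(data)
            if info.filename.lower().endswith(PLAINTEXT_EXT):
                plaintext.append(info.filename)
            findings.extend(scan_text(info.filename, data))
    return {"permissions": permission_report(perms), "plaintext_entries": sorted(plaintext),
            "encrypted_entries": sorted(encrypted), "findings": findings}


def build_sample_apk():
    """Constructed sample package: plain-XML manifest, a config file with a
    hardcoded endpoint and key, a leftover source fragment, and a binary blob."""
    manifest = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""
    config = b'{"api": "https://api.example.com/v1", "aws_key": "AKIAIOSFODNN7EXAMPLE"}'
    helper = b'Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");\nMessageDigest.getInstance("MD5");'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("assets/config.json", config)
        zf.writestr("assets/CryptoHelper.java", helper)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(range(256)))  # binary, skipped by scan
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    print(report["permissions"])
    print(report["plaintext_entries"])
    for entry, label, value in report["findings"]:
        print(f"{entry}: {label} -> {value}")
```

On the constructed package the script reports two dangerous permissions out of four requested, two plaintext entries, and four string findings (a hardcoded endpoint, an AWS-style key, an ECB cipher and an MD5 digest). In practice the findings are the starting point for the manual review the test plan describes, since a hardcoded URL or a legacy algorithm name is only a risk once its use in the app is confirmed.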
Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.
For further explanation, please see our Scientific Article.
Identify and mitigate risk posed by all attackers, including malicious advertising, to eliminate potential attacks that could affect the "brand" image of your company in the marketplace.
Decreased overall cost by identifying a larger number of vulnerabilities.
Decreased risk by applying a unique methodology aimed at identifying deeply-rooted, major impact vulnerabilities that go undetected with other approaches.
Improved compliance with regulations and control frameworks, such as the OWASP Top Ten Mobile 2016, Payment Card Industry Data Security Standard PCI-DSS 3.2, ISO 25010, ISO 27001, etc.
Executive and Detailed reports are available in English, Spanish, Russian and Italian. We will translate those reports into your own language.