App enhanced decompiling: We use a combination of technologies for decompiling and extracting configuration files from the App. Further we have our own code enrichment methodology, especially useful when code has been obfuscated. This phase provides: seeking for unwanted additional code-variables-objects-parameters, executing decompiled code static analysis, comparing respect than original source code (when available).
Permission analysis (Android): To make smartphone users aware of the personal information an App might access, the Android operating system requires users to review and grant a set of permissions for the App to function. Android Apps must declare permissions for nearly everything, from controlling vibration, Internet access, and writing to the SD card, to monitoring your location and sending SMS messages. However, research demonstrates that few users are well equipped to evaluate the set of permissions requested by Apps, hence permissions are often ignored even though they might appear irrelevant to the proper function of the app. We studied 500K+ apps, roughly 88% of 20+ Android marketplaces and we are able to recognize applications which might pose privacy risks and that this represents a large number of available applications (46% of the Apps collected). To distinguish between low/no risk applications and those that have the potential to release sensitive data, we adopted a quantitative metric for characterizing Apps, called Sensitivity Score.
Virus-Malware analysis: validates the use of potentially dangerous code itself; that is, calls to vulnerable functions and procedures. Part of the analysis is done with 50+ antiviruses, and part recognizing malware patterns inside the code.
Screenshots capture: Capturing screenshots from running Apps is not only a graphical issue; it is also a demonstration of different running phases that has been solicited from our tests. Using our patented Dynamic Image Interpreter, Mobile Reviewer detects Async Inputs, Application Status Changes, Lost Connections, Unhandled Errors and Ransomware by interpreting the images dynamically.
Information Leakage. Lists all tainted information during Apps execution, like IMEI, personal data, e-mail, external IP and DNS access, File access, Hardcoded URL and URI, Encryption keys, phone calls, SMS/MMS sent, etc.
Structural analysis: detects problems due to incorrect decisions in the organization of code.
Dead Code analysis: seeking for unused and/or unitialized code, variable, object and parameters that can be manipulated for hiding dangerous code.
Fingerprint analysis: detects all vulnerable libraries and frameworks used by the application.
Certificates analysis: detects all invalid certificates used by the application.
Encryption analysis: detects all invalid or weak encryption used by the application.
Configuration files analysis: correspondence checks b/w code and configuration files; seeking for dangerous configuration tags; unsecured cookies, environment variables, library and framework configuration, insecure authorizations and authentication; misconfiguration of application logic and data flows, code injection exposure.
Exception handling and Logging robustness check.
Android Hardcoded Secrets: Rooted phone, Hard disk forensics, adb backup, Debuggable application allowing run-as (mitigated by Android). Social engineering, Bug in application allowing for data exfiltration, Bug in application allowing arbitrary command execution (not mitigated by Android).
Apple iOS Key Security Flaws: Limited benefit of encryption for powered-on devices, Evidence of past hardware (SEP) compromise, Limitations of “end-to-end encrypted” cloud services.
iOS IPA, APPX and APK/XAPK binary analysis: .ipa, .appx, .apk, and .xapk files are just zipped files that include the application executable and a bunch of other stuff. In most cases they are not 100% encrypted and contains images, web pages, db files, configuration files and even zipped source code.
Protocol testing: Find in the code references to security protocols, execute Dynamic Analysis of TLS/SSL Security, SSL Pinning Bypass, LGTM issues, and REST API exposed for TLS/SSL included.
Intent/app extension dumper: Through auxiliary Frida or Needle script.
Correlation: Static and Dynamic analyses will be correlated using Dynamic Syntax Tree, combining, and correlating the results. You are able to identify which vulnerabilities are truly exploitable and should be at the top of your remediation list.
These checks are first performed by automated procedures, then manual intervention will needed, taking into account the established risk on the application.
Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.