I wrote recently about performing source code analysis for mobile apps. I’m seeing some crazy stuff that I didn’t think I’d see in mobile apps (but I’m not really surprised) related to session manipulation, hard-coded cryptographic keys and the like which underscores the importance of the exercise.
But there’s another side to mobile app security assessments – it’s simply manual analysis. That is poking around with the apps and the mobile devices using good tools and proper techniques to find and demonstrate security and forensic-related flaws that aren’t uncovered in traditional user, functional, and QA testing. In recent application assessments, I’ve found things like:
Odds are good that you or someone you know is rolling out a new mobile app. Or perhaps you were an early adopter and need to validate that your existing apps are reasonably secure. The question is: What are you doing to ensure things are in check?
Like I say about a lot of things related to information security…do it yourself, allow me to help, or hire someone else – just do something.