Mobile app security assessments

    28 Feb 2013

    I wrote recently about performing source code analysis for mobile apps. I’m seeing some crazy stuff that I didn’t think I’d see in mobile apps (but I’m not really surprised), related to session manipulation, hard-coded cryptographic keys and the like, which underscores the importance of the exercise.

    But there’s another side to mobile app security assessments – it’s simply manual analysis. That is, poking around with the apps and the mobile devices using good tools and proper techniques to find and demonstrate security and forensics-related flaws that aren’t uncovered in traditional user, functional, and QA testing. In recent application assessments, I’ve found things like:

    • login-related weaknesses
    • information mishandling
    • insecure interactions with external applications/systems
    • exploits in general functionality that put PII at risk

    Odds are good that you or someone you know is rolling out a new mobile app. Or perhaps you were an early adopter and need to validate that your existing apps are reasonably secure. The question is: what are you doing to ensure things are in check?

    Like I say about a lot of things related to information security: do it yourself, allow me to help, or hire someone else – just do something.