We teach the following technical and business logic issues related to mobile applications on the different mobile platforms such as Android, iOS and Windows.
Jailbreak warning checks
Certificate pinning checks
Dangerous enabled settings (debug mode etc.)
Decompile/reversing tests
Hardcoded password checks in the sources
Token and third-party data leakage checks in the sources
Information leakage in the real-time device logs
Application log checks for critical information
Application's stored cache data checks
Password protection of the local databases
Sensitive information stored in the databases
Checks of all critical files (xml, plist etc.)
Run-time tests
Memory analysis at run time
Certificate pinning bypass
Keyboard cache behaviour in the text inputs
Data storage on the shared sdcard
tcpdump analysis while the app is working
Analysis of all backup files, logs and specific files
Sensitive string search with grep in the whole app directory
Mobile app recompile tests
Android APK obfuscation situation
Input manipulation tests
2-factor auth tests
Data transmission security between device and server
Server-side tests
Full port scan of the server IP address
Full vulnerability scan of the server IP address
Mobile web site tests, like a website test
Testing app permissions
Testing for critical information in the clipboard
Application session timeout situation
Username and password policy check
Predictable credentials checks
Login form captcha and anti-CSRF usage situation
Business logic vulnerabilities in the application functions
Code injection tests
Command execution tests
Iframe injection
LFI/RFI tests
LFI via iframe injections on the device
XSS tests (Reflected, DOM, Stored, Blind)
XSS tests with payload injections across platforms (mobile-web)
XXE vulnerability checks
Technical and business logic tests on the registration form
Password reset function tests
Access to the mobile app via a web browser by changing the user agent
Account takeover tests
Deployment and configuration issues
Mobile API and web service tests
SSRF tests (local and remote)
Insecure Direct Object Reference tests
Privilege escalation with different roles
Directory traversal
Advanced authorization and authentication tests
Username enumeration via warning messages or mis-developments
Automated scanning