Mobile Application Security Assessment Services

Denim Group has assessed mobile applications for a variety of industries, including financial services and healthcare, and has conducted numerous assessments of custom applications running on Apple iOS, Android, BlackBerry and Windows Mobile environments. These applications bring a unique challenge to information security in that a single application may consist of web services, embedded browsers and native code components. Applications running on mobile devices also carry risks that differ from those found in web application environments.

Denim Group's mobile security assessment methodology does not focus solely on the application running on the device, but instead looks at the system as a whole. This includes both third-party and enterprise web services used by the application, as well as other connected resources that might affect the security of the system.

Our Assessment Methodology

Denim Group uses an approach combining web application security assessment techniques with assessment techniques specific to mobile computing environments. Denim Group's assessment methodology is based on emerging industry standards, such as those defined by the Open Web Application Security Project (OWASP), which include the OWASP Top 10 and Application Security Verification Standard (ASVS). These capture the major classes of vulnerabilities and weaknesses that might exist in systems incorporating mobile applications.

Additionally, Denim Group examines security risks and usability weaknesses that are common in a mobile computing environment, including, but not limited to:

  • Application permissions model
  • Encryption APIs and hardware-supported encryption capabilities
  • Security of network communications and data transmissions
  • Residual data analysis of local storage and caching (passwords, usernames, PII, and other sensitive data)
  • Native code execution
  • Ability of user to protect the device and lost device scenarios
  • Application licensing
  • Insufficient authorization from mobile client to back-end systems
  • Session hijacking
  • Security of device backup mechanisms

How We Approach Each Project

Threat Modeling
Denim Group identifies the likely threat agents and vulnerable components associated with the specific application. Denim Group works with your team to produce a holistic view of the system and uses this view to create a structured approach to enumerating possible areas of weakness. The result is a dataflow diagram, a list of identified threats, detailed countermeasures for these threats, and any areas where additional security measures should be considered. Major tasks include:

  • Interviews with client subject-matter experts
  • Reviews of specifications, schemas, and design documentation
  • Compilation of data flows and attacker profiles
  • Attack planning

Source Code Security Assessment
Denim Group then conducts a white box security assessment consisting of a combination of both automated source code scanning and manual source code review to analyze the security state of the mobile application as well as associated web services. This assessment identifies and enumerates potential coding security flaws. The assessment also provides code-level remediation recommendations to the client's project team.

Application Assessment and Residual Data Analysis
Based on the results of the code review, Denim Group then performs an assessment of the associated web services as well as the application running on the device. This testing simulates the activities of an attacker who bypasses the mobile application client to attack the web services directly, as well as an attacker who gains access to a user's device and attempts to recover sensitive data stored on it.
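The residual data analysis described above comes down to locating sensitive values left behind in an application's sandbox (preference files, SQLite caches, logs). The following script is an added illustration of that check and is not Denim Group's tooling; it builds a constructed sample sandbox in a temporary directory (an Android-style `shared_prefs` XML file, a SQLite cache and a plain log) and then walks it, flagging sensitively named keys and columns and value patterns such as JWT-like tokens, Luhn-valid card numbers and SSN-shaped strings. The key-name list and value patterns are illustrative assumptions, not a complete catalogue.

```python
import os
import re
import sqlite3
import tempfile

# Assumption: an illustrative list of key/column names that usually hold credentials or PII.
SENSITIVE_KEYS = re.compile(
    r"(password|passwd|pwd|secret|token|api[_-]?key|ssn|credit|card|username|email)", re.I)

# Value-shaped indicators. The card pattern ends on a digit so it never swallows a trailing space.
VALUE_PATTERNS = {
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def luhn_ok(digits):
    """Luhn checksum, used to cut down false positives on 13-16 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text, location):
    """Return (location, kind, value) for every value pattern found in a string."""
    findings = []
    for kind, pat in VALUE_PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(0)
            if kind == "card_number" and not luhn_ok(re.sub(r"\D", "", value)):
                continue
            findings.append((location, kind, value))
    return findings


def scan_keyvalue_xml(text, location):
    """Android SharedPreferences layout: <string name="key">value</string>."""
    findings = []
    for key, val in re.findall(r'<\w+ name="([^"]+)">([^<]*)<', text):
        if SENSITIVE_KEYS.search(key):
            findings.append((location, "sensitive_key", f"{key}={val}"))
        findings.extend(scan_text(val, f"{location}:{key}"))
    return findings


def scan_sqlite(path):
    """Flag sensitively named columns and scan every text cell for value patterns."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                if SENSITIVE_KEYS.search(col):
                    findings.append((f"{path}:{table}.{col}", "sensitive_column", col))
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, val in zip(cols, row):
                    if isinstance(val, str):
                        findings.extend(scan_text(val, f"{path}:{table}.{col}"))
    finally:
        con.close()
    return findings


def scan_sandbox(root):
    """Walk an app data directory, dispatching on file type by magic bytes / extension."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(16)
            if head.startswith(b"SQLite format 3"):
                findings.extend(scan_sqlite(path))
                continue
            with open(path, "r", errors="replace") as f:
                text = f.read()
            if name.endswith(".xml"):
                findings.extend(scan_keyvalue_xml(text, path))
            else:
                findings.extend(scan_text(text, path))
    return findings


def build_sample_sandbox(root):
    """Constructed sample sandbox with deliberately leaked data (not from any real app)."""
    prefs_dir = os.path.join(root, "shared_prefs")
    os.makedirs(prefs_dir)
    with open(os.path.join(prefs_dir, "app_prefs.xml"), "w") as f:
        f.write('<map><string name="username">alice</string>'
                '<string name="password">hunter2</string>'
                '<string name="theme">dark</string></map>')
    con = sqlite3.connect(os.path.join(root, "cache.db"))
    con.execute("CREATE TABLE session (id INTEGER, auth_token TEXT, note TEXT)")
    con.execute("INSERT INTO session VALUES (1, "
                "'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl', 'hello')")
    con.commit()
    con.close()
    with open(os.path.join(root, "log.txt"), "w") as f:
        f.write("2024-01-01 checkout card=4111 1111 1111 1111 ok\n")  # Luhn-valid test number
    return root


def demo():
    """Build the sample sandbox, scan it and return the sorted set of finding kinds."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sandbox(tmp)
        findings = scan_sandbox(tmp)
        for location, kind, value in findings:
            print(f"{kind:17} {value!r:50} {location}")
        return sorted({kind for _, kind, _ in findings})


if __name__ == "__main__":
    demo()
```

Running the script prints one line per finding: the two sensitively named preference keys, the `auth_token` column, the JWT-shaped token stored in it, and the card number in the log. On a real assessment the same walk is run over a backup or a filesystem image pulled from the device, and the Luhn filter matters because 16-digit runs (order numbers, timestamps) are common in caches.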

Contact us to discuss your organization's specific needs

Call (210) 572-4400 or email info@denimgroup.com.