MOBILE APPLICATION AUDIT offer
Synetis offers security analysis of Android mobile applications. The objective is to verify:
- the security of user data;
- the security of the servers to which the application connects.
During these audits, the APK is decompiled in order to perform a static analysis. In addition, a dynamic analysis is performed to verify that the security mechanisms specific to Android are working properly.
The first part of the Synetis methodology is a complete static analysis. Its main goal is to disassemble the application in order to discover security weaknesses in the application's source code, as well as secrets and sensitive information directly accessible in its configuration files.
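As an added illustration of the static-analysis step described above (this is example code written for this page, not Synetis tooling), the script below scans files from a decompiled APK tree for hard-coded secrets and cleartext endpoints. It assumes the layout produced by apktool (`res/values/strings.xml`) and jadx (Java sources); the sample files embedded in `SAMPLE_FILES` are constructed for the demonstration, and the regular expressions are heuristics that a real audit would extend.

```python
"""Scan decompiled Android app files for secrets and cleartext endpoints.

Added example for this page (not Synetis tooling).  Assumes an apktool /
jadx output tree; the SAMPLE_FILES below are constructed test data.
"""
import re
import xml.etree.ElementTree as ET

# Heuristic patterns.  The AWS access-key prefix and the PEM header are
# fixed, well-known formats; the assignment rule is a heuristic keyed on
# common variable names and will need tuning for a given code base.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "cleartext_url": re.compile(r"\bhttp://[^\s\"'<>]+"),
    "suspicious_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)\w*\s*[=:]\s*[\"']([^\"']{8,})[\"']"),
}

# Resource names in strings.xml that suggest a stored credential.
SENSITIVE_NAME = re.compile(r"(?i)(key|secret|password|token|credential)")


def _hit(kind, path, where, match):
    return {"type": kind, "file": path, "where": where, "match": match}


def _pattern_hits(text, path, where_for_line):
    """Run every pattern over each line; report the captured value if the
    pattern has a group, otherwise the whole match."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                hits.append(_hit(kind, path, where_for_line(lineno), value))
    return hits


def scan_text(text, path):
    """Source or config file: line-oriented pattern scan."""
    return _pattern_hits(text, path, lambda n: f"line {n}")


def scan_strings_xml(xml_text, path):
    """strings.xml: a resource whose *name* looks sensitive and whose value
    is non-trivial is reported, and every value is also pattern-scanned."""
    hits = []
    for el in ET.fromstring(xml_text).iter("string"):
        name, value = el.get("name", ""), (el.text or "").strip()
        where = f"string/{name}"
        if SENSITIVE_NAME.search(name) and len(value) >= 8:
            hits.append(_hit("sensitive_resource_name", path, where, value))
        hits.extend(_pattern_hits(value, path, lambda _n, w=where: w))
    return hits


def scan_decompiled(files):
    """files: {relative path: file text}, as read from the decompiled tree."""
    hits = []
    for path, text in files.items():
        if path.endswith("strings.xml"):
            hits.extend(scan_strings_xml(text, path))
        else:
            hits.extend(scan_text(text, path))
    return hits


# Constructed sample of a decompiled tree: one resource file, one jadx source.
SAMPLE_FILES = {
    "res/values/strings.xml": """<resources>
    <string name="app_name">DemoBank</string>
    <string name="api_base_url">http://api.example.invalid/v1</string>
    <string name="backend_api_key">AKIAEXAMPLEKEY0000AB</string>
</resources>""",
    "sources/com/example/demo/Config.java": """package com.example.demo;
public final class Config {
    static final String DB_PASSWORD = "hunter2hunter2";
    static final String LOGIN_URL = "https://secure.example.invalid/login";
}""",
}

if __name__ == "__main__":
    for h in scan_decompiled(SAMPLE_FILES):
        print(f'{h["type"]:24} {h["file"]}:{h["where"]}  {h["match"]}')
```

Run against the constructed sample, the scanner reports the cleartext base URL, the API key resource (both by name and by the AWS key format) and the password literal in the Java source, while the HTTPS login URL is left alone. In a real engagement the same scan is run over the full apktool and jadx output and the hits are triaged by hand.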
The second part of the audit is a dynamic analysis. Its goal is to test how the application behaves when used by an attacker, for example through injection attempts that try to exploit vulnerabilities such as SQL injection, Cross-Site Scripting and many others.
According to the guide published by OWASP (Open Web Application Security Project), mobile application audits in general aim to verify the security of the following points:
- network communications
- authentication
- session management
- cryptography
- code auditing
- reverse engineering
The same OWASP guide also defines the following verification levels:
- L1: Standard security;
- L2: Defense in depth;
- R: Resistance to reverse engineering and modification.
Since level R can be combined with the others, there are actually four levels, which are the combinations of L1 and L2 with and without R (L1, L1+R, L2, L2+R).
In concrete terms, the first level, L1, corresponds to the standard security that any application should have, while the second level, L2, corresponds to applications handling highly sensitive data and requiring a risk analysis to be carried out.