Mobile Application

What Is It?

Mobile applications, often just referred to as apps, are developed for portable devices such as mobile phones and tablets. They are typically developed and published to an application store, such as Apple's App Store or Google Play, for users to download onto their device. Not all mobile applications are publicly accessible, however: in an enterprise deployment, internal applications may be pushed to mobile devices via organisational device management software.

Why Assess It?

There are many reasons to conduct a mobile application security assessment; five of them are given below.

Retain Your Reputation

For mobile applications published to a store, users are able to leave reviews, which will be negative if the security of your application falls below their expectations. Additionally, a number of organisations regularly assess popular mobile applications and publish their results on how those applications handle privacy and user data and how well they adhere to security best practice. When a mobile application is not in a store, it is still associated with your organisation and can either build or undermine users' confidence in your cyber security posture.

Protect Intellectual Property

The mobile application created by your organisation's developers represents their hard work and your organisation's investment of money, time and support. Mobile applications generally run on a device that is not under the direct control of your organisation. Confidence is needed that, even with privileged access to the underlying system, the mobile application's defences impede individuals from reverse engineering it and stealing the work your developers have put in.

Protect Network Links

The application needs to retrieve data from, and send data to, your organisation, so connectivity will be provided to it. It is vital to ensure that this connectivity cannot be abused to bypass protections inside the application or to attack backend services, which would affect your wider organisation.

Meet Compliance

Before applications are accepted into a store, they undergo various checks, which include security reviews. Your organisation can increase the likelihood of your application being accepted by locating any security vulnerabilities prior to submission, and can stay ahead of compliance requirements by building security assurance into your development lifecycle.

Increase Protection

Through a security assessment of your mobile application you can validate your existing security controls and discover the most effective ways of meeting your security requirements, such as how to robustly attest the security of the device the mobile application is executing on in order to defend against some classes of attack.

The Agility Cyber Approach

Like all our engagements, we want you to get the most out of your mobile application security assessment and we do this by:

Static and Dynamic

Evaluating the code line by line is useful; however, we believe this should be paired with dynamic evaluation, not only to demonstrate proof of concept attacks but also to validate security assumptions in practice. We pride ourselves on disclosing accurate vulnerability information to you, rather than listing theoretical issues that may, for example, already be mitigated by modern mobile operating system defences.

Local and Remote

Mobile applications work bidirectionally with your infrastructure. We do too. We check how the application retrieves data but also the backend services it is interacting with.

Data Tracing

Your organisation's data flows through the mobile application, both when a user enters it and as it is handled and passed between modules. We make sure we fully understand and follow the data to give assurance over how it is handled at every stage.

Protective Monitoring

Because of where the applications are deployed, it is not always possible to rely on conventional monitoring systems for security events. We check that what is logged locally on the device does not give a threat actor an advantage, and we ensure your organisation has the right monitoring in the right place to detect malicious activity, with enough information to act on it.
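One concrete form the local-logging check can take is to scan the device log for data an attacker with adb or root access could harvest. The following is an added example, not Agility Cyber's tooling or code from this page: it parses Android logcat output in threadtime format, flags JSON Web Tokens, e-mail addresses, card numbers (only digit runs that pass the Luhn check, to cut false positives from order numbers and similar) and common key=value secrets, and redacts each value before reporting. The log lines are constructed for illustration; the tag format, pattern list and key names are assumptions, not a complete catalogue.

```python
"""Scan Android logcat output for data that would help an attacker with device access.

Added example, not from the original page. The sample log lines below are
constructed for illustration; the regexes are a starting point, not a
complete catalogue of sensitive-data patterns.
"""
import re
from typing import Dict, List

# Constructed logcat excerpt (threadtime format) from a hypothetical app.
SAMPLE_LOGCAT = """\
04-12 10:21:03.114  4421  4421 D LoginActivity: submitting credentials for user=alice@example.com
04-12 10:21:03.201  4421  4457 D OkHttp: --> POST https://api.example.com/v1/session
04-12 10:21:03.202  4421  4457 D OkHttp: Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSJ9.abc123DEF456
04-12 10:21:04.010  4421  4457 I PaymentFlow: stored card 4111111111111111 for one-click checkout
04-12 10:21:04.011  4421  4457 I PaymentFlow: card lookup failed for 4111111111111112
04-12 10:21:05.330  4421  4421 D SessionStore: session_id=sess_9f8e7d6c5b4a
04-12 10:21:06.000  4421  4421 I Analytics: screen_view name=Home
"""

# "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message" -> captures TAG and message.
LOGCAT_LINE = re.compile(r"^\S+ \S+\s+\d+\s+\d+\s+[VDIWEF]\s+([^:]+):\s*(.*)$")

# Ordered from most to least specific. A pattern with a capture group reports
# that group as the sensitive value; otherwise the whole match is reported.
PATTERNS = [
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("pan", re.compile(r"\b\d{13,19}\b")),
    ("secret", re.compile(r"(?i)\b(?:session_id|token|password|passwd|secret|api[_-]?key)=(\S+)")),
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (and IMEIs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep the first and last four characters so a finding can be traced without re-logging the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_logcat(text: str) -> List[Dict[str, object]]:
    """Return one finding per sensitive value, with line number, log tag and redacted value."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOGCAT_LINE.match(line)
        tag, message = (m.group(1), m.group(2)) if m else ("?", line)
        for kind, pattern in PATTERNS:
            for hit in pattern.finditer(message):
                value = hit.group(1) if hit.groups() else hit.group(0)
                if kind == "pan" and not luhn_valid(value):
                    continue    # long digit run that is not a card number (an order id, for example)
                findings.append({"line": line_no, "tag": tag, "kind": kind, "value": redact(value)})
    return findings


def findings_by_tag(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per log tag, which usually maps to the component that needs fixing."""
    counts: Dict[str, int] = {}
    for f in findings:
        tag = str(f["tag"])
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_logcat(SAMPLE_LOGCAT)
    for f in results:
        print(f"line {f['line']:>3}  {f['tag']:<14} {f['kind']:<7} {f['value']}")
    print(findings_by_tag(results))
```

Run it against `adb logcat -d -v threadtime` output captured while exercising the application. Note that on current Android releases a third-party app can read only its own log entries, but anyone with adb access or a rooted device reads the whole buffer, which is the threat model the local-logging check is concerned with.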

Attack Every Input

We map out every possible input into the application: from the user, from environment variables, from referenced libraries, from the manifest and other deployment files, from what is returned by web services, and much more. We do this because it is what genuine threat actors do; they do not just focus on user input.

Benefits of Partnering with Agility Cyber

Mutually Invested

Our experts work with you, not against you. There are no egotistical celebrations when a serious issue is discovered, just rapid, full disclosure with pragmatic suggestions for effective remediation, followed by ongoing support.

Clarity and Simplicity

We always provide clarity, believe in simplicity and value your time. For example, rather than waiting until the engagement starts, we conduct open source intelligence gathering before the scoping meeting to understand your organisation's position and risk posture. This lets us ask better questions, securing you higher value and saving you time.

Full Consultancy

Our team, based in the UK, is technically exceptional, but we pair that with business sense to discover, triage and help you remediate the full range of security issues.

Impartiality

We are impartial: we do not sell you products or the latest buzzword-laden trending solution.

Outstanding Service

We have an industry-leading turnaround; agility is in our name, after all. Proposals are shared with you within 24 hours of the scoping meeting. Accurate and complete daily debriefs are given during every engagement. The report is shared within 5 working days at the latest.
