Smartphone App Assessment

We conduct vulnerability analysis via reverse engineering of iOS and Android apps, as well as assessment of source code and server-side APIs.

Assessment Service Overview

We provide a security assessment service based on the JSSEC security guide and the OWASP Mobile Top 10 to identify any security issues in smartphone apps for iOS and Android, etc.
We can also run behavior analysis on apps via reverse engineering. After the assessment, we submit a security strength assessment and a report on relevant risk countermeasures.
By identifying issues and risks in smartphone apps, it is possible to take appropriate steps to handle incidents promptly when they occur.
Commissioning a security assessment from a firm that specializes in vulnerability assessment also enhances the added value of the app.

Smartphone App Vulnerability Assessment Flow

  • STEP 1

    Preparations for Smartphone App Vulnerability Assessment

    Learning Smartphone App Characteristics and Defining the Scope of Vulnerability Assessment

    We develop a grasp of the characteristics of each app service, and determine which vulnerability assessment item should be prioritized.

    1. Interview your staff to examine the system structure of the Smartphone App

      By reviewing the specifications and interviewing staff, we ascertain the app’s use and implemented features.

    2. Assessment Action Plan Formulation and Estimate

      We determine which elements must be prioritized in accordance with the target app. Thereafter, we provide an estimate.

  • STEP 2

    Smartphone App Vulnerability Assessment Service Delivery

    Fully Manual Smartphone App Security Assessment

    We conduct vulnerability assessment with fully manual procedures. We can handle everything from basic checks to advanced reverse engineering.

    1. Static Analysis

      We investigate vulnerabilities in the reverse-engineered source code. If necessary, we write verification code and test whether hypothetical attack scenarios would succeed.

    2. Dynamic Analysis

      We examine the contents of files and logs generated when the app is run, and the contents of communications it produces.

  • STEP 3

    Submission of Smartphone App Assessment Report and Suggested Improvements

    Analysis/Assessment Results Report

    The report touches on everything from detected vulnerabilities to overall security level, risk, and countermeasures going forward.

    1. Vulnerability Reproduction Procedures

      We individually specify the reproduction procedures for any vulnerabilities discovered. We will also explain countermeasures.

    2. Overall Evaluation

      The overall evaluation covers the app's overall security level, comments on risk, and countermeasures going forward.

Smartphone App Vulnerability Assessment Items

Android App Vulnerability Assessment

Communications

Malicious Communications
We capture app communications and check for the unauthorized transmission of critical information to external servers.
Critical Information Transmission Methods
We check whether critical information such as personal data and passwords, etc., is encrypted when transmitted.
SSL/TLS Certificate Authentication
We check whether the certificates used in SSL/TLS transmissions are properly validated.

On-Board Data

Storage Methods for Critical Information
We check whether data such as critical information is stored in plain text in the on-board data (files, databases, preferences).
Malicious Activity via Data Alteration
We check the feasibility of unauthorized activity (cheating, falsifying balances, falsifying purchase records, etc.) via altering on-board data.
Defective Permissions Settings
We check the permissions for files including critical information.
Output of Critical Information to SD Cards
We check for the presence of critical information saved to SD cards.
Output of Critical Information to Logs
We check for the output of critical information to logs.

Logic and Source Code

Content Provider Access Control Defects
We check whether content providers that hold critical information can be accessed by other apps in unintended ways.
Output of Critical Information via Intent
We check whether critical information is output via intents and ends up recorded in intent logs.
WebView-related Vulnerabilities Check
We check for data leaks via JavaScript linkages or the addJavascriptInterface function.
Tamper Resistance Check
We check the feasibility of decompiling, and the presence of obfuscation, etc.
Check for Critical Information in Source Code
We check whether critical information, such as encryption keys and hidden functions or URLs, is hard-coded in the source code.
Communications Protocol Analysis
If protocols other than HTTP are used, we analyze them and check for the presence of vulnerabilities.
Logic Alterations
We check whether major logic alterations are possible by applying binary patches.
Vulnerability Analysis via Reverse Engineering
We conduct analysis of other vulnerabilities through reverse engineering.
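The Android items above (Communications, On-Board Data, and Logic and Source Code) are all things a static pass over the decompiled tree can surface as leads before manual confirmation. The following script is an added example written for this page, not the firm's own tooling: it runs a few heuristic patterns over constructed decompiled Java text and a constructed AndroidManifest.xml and attributes each hit to the assessment item it supports. The file contents, package names and regexes are assumptions made for the example; every hit is a lead for manual review, not proof of a vulnerability.

```python
"""Static-analysis triage for decompiled Android sources (added example, not the page's tooling)."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


@dataclass(frozen=True)
class Finding:
    check: str      # assessment item the hit relates to
    path: str       # file in the decompiled tree
    line: int       # 1-based line (0 for manifest-level findings)
    evidence: str   # matched text, reused in the report's reproduction steps


# Line-level heuristics keyed by assessment item; a hit is a lead for manual review.
LINE_CHECKS = [
    ("Check for Critical Information in Source Code",
     re.compile(r'(?i)\b(api[_-]?key|secret|password|private[_-]?key)\w*\s*=\s*"[^"]{8,}"')),
    ("Critical Information Transmission Methods", re.compile(r'"http://[^"]+"')),
    ("Output of Critical Information to Logs",
     re.compile(r'(?i)\bLog\.[vdiwe]\(.*\b(password|token|session)\w*')),
    ("WebView-related Vulnerabilities Check", re.compile(r'\baddJavascriptInterface\s*\(')),
    ("Defective Permissions Settings", re.compile(r'\bMODE_WORLD_(READABLE|WRITEABLE)\b')),
]
# May span lines: a checkServerTrusted with an empty body accepts any server certificate.
EMPTY_TRUST_CHECK = ("SSL/TLS Certificate Authentication",
                     re.compile(r'checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}'))


def scan_source(path: str, text: str) -> list[Finding]:
    found = []
    for number, line in enumerate(text.splitlines(), start=1):
        for check, pattern in LINE_CHECKS:
            match = pattern.search(line)
            if match:
                found.append(Finding(check, path, number, match.group(0).strip()))
    for match in EMPTY_TRUST_CHECK[1].finditer(text):
        found.append(Finding(EMPTY_TRUST_CHECK[0], path,
                             text.count("\n", 0, match.start()) + 1,
                             " ".join(match.group(0).split())))
    return found


def scan_manifest(path: str, text: str) -> list[Finding]:
    """Flag exported content providers that no permission attribute protects."""
    found = []
    for provider in ET.fromstring(text).iter("provider"):
        exported = provider.get(ANDROID_NS + "exported") == "true"
        protected = any(provider.get(ANDROID_NS + a)
                        for a in ("permission", "readPermission", "writePermission"))
        if exported and not protected:
            found.append(Finding("Content Provider Access Control Defects", path, 0,
                                 "exported provider " + provider.get(ANDROID_NS + "authorities", "?")))
    return found


def scan_app(files: dict[str, str]) -> list[Finding]:
    found = []
    for path, text in files.items():
        if path.endswith("AndroidManifest.xml"):
            found.extend(scan_manifest(path, text))
        elif path.endswith((".java", ".kt")):
            found.extend(scan_source(path, text))
    return found


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.check] = counts.get(f.check, 0) + 1
    return counts


# Constructed decompiled tree (hypothetical app), seeded with one hit per check.
SAMPLE_FILES = {
    "AndroidManifest.xml": """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <provider android:name=".BalanceProvider" android:authorities="com.example.balance"
              android:exported="true" />
    <provider android:name=".ConfigProvider" android:authorities="com.example.config"
              android:exported="true" android:permission="com.example.READ_CONFIG" />
  </application>
</manifest>""",
    "com/example/ApiClient.java": """public class ApiClient {
    private static final String API_KEY = "sk_live_0123456789abcdef";
    private static final String BASE_URL = "http://api.example.invalid/v1";
    void login(String user, String password) {
        android.util.Log.d("ApiClient", "login " + user + " password=" + password);
        webView.addJavascriptInterface(new Bridge(), "Android");
        openFileOutput("balance.txt", MODE_WORLD_READABLE);
    }
    javax.net.ssl.X509TrustManager trustAll = new javax.net.ssl.X509TrustManager() {
        public void checkServerTrusted(java.security.cert.X509Certificate[] c, String a) {}
    };
}""",
}

if __name__ == "__main__":
    for f in scan_app(SAMPLE_FILES):
        print(f"[{f.check}] {f.path}:{f.line}  {f.evidence}")
```

Against the constructed tree the scan reports one finding per item: the hard-coded key, the cleartext base URL, the password written to logcat, the JavaScript bridge, the world-readable file, the trust manager that accepts any certificate, and the exported BalanceProvider (ConfigProvider is exported but gated by a permission, so it is not reported). In a real engagement each of these leads still goes through dynamic confirmation before it appears in the report with reproduction steps.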

iOS App Vulnerability Assessment

Logic and Source Code

WebView-related Vulnerabilities Check
We check for data leaks via linkages with other apps or the WebView function.
Critical Information Transmission Methods
We check whether critical information such as personal data and passwords, etc., is encrypted when transmitted.
SSL/TLS Certificate Authentication
We check whether the certificates used in SSL/TLS transmissions are properly validated.

On-Board Data

Storage Methods for Critical Information
We check whether data such as critical information is stored in plain text in the on-board data (files, databases, preferences).
Malicious Activity via Data Alteration
We check the feasibility of unauthorized activity (cheating, falsifying balances, falsifying purchase records, etc.) via altering on-board data.

Logic and Source Code

WebView-related Vulnerabilities Check
We check for data leaks via JavaScript linkages or the addJavascriptInterface function.
Tamper Resistance Check
We check the feasibility of decompiling, and the presence of obfuscation, etc.
Check for Critical Information in Source Code
We check whether critical information, such as encryption keys and hidden functions or URLs, is hard-coded in the source code.
Communications Protocol Analysis
If protocols other than HTTP are used, we analyze them and check for the presence of vulnerabilities.
Vulnerability Analysis via Reverse Engineering
We conduct analysis of other vulnerabilities through reverse engineering.

Sample Report

In the report of the assessment results, we present the details, reproduction procedures, risks, and countermeasures for the vulnerabilities that are discovered, so that the client company can correct them quickly.
*Please request a sample report on the inquiry page. A representative will send one within two business days.

CONTACT

Please do not hesitate to contact us.

Want to solve security issues in your web services or apps and maximize profit? Please do not hesitate to contact us; we will be delighted to help you.
Our highly experienced security engineers will test your system.