Mobile Assessment

The use of mobile devices for both everyday and business situations is now commonplace. 'BYOD' (Bring Your Own Device) or organisation supplied devices are readily used to undertake business tasks which used to be reserved for the office PC.

CQrity Limited's mobile assessment service includes an end-to-end review of the mobile application environment, from the local application running on the mobile device to the 'back-end' web services / APIs that provide the applications with their data. Utilising both automated and manual testing techniques, our mobile security assessment enables clients to ensure they are creating secure mobile applications. Further validation of issues against the OWASP Mobile Top 10, allows us to offer a comprehensive assessment against a well known methodology.

We have the skills to evaluate all variants of devices including iOS, Android, Blackberry and Windows Phones, as well as various Mobile Device Management (MDM) platforms.

Along with assessing the actual technical risk, our consultants use root cause analysis techniques to help your organisation mitigate the issues as quickly as possible. This will help reduce the risk posed to users of your applications and reduce the likelihood of reputational damage.

After reporting the issues discovered during the assessment, our consultants are also available for further follow-up calls to clarify certain issues or help your organisation understand the risks posed.

Our service can be fully tailored to the needs of your business, with reporting delivered in your preferred format where possible

Overview

The following high-level areas are included within the assessment:

  • Platform insecurities
  • Device data storage
  • Cryptography and communication mechanisms
  • Authentication and authorisation
  • Session management
  • Remote web services
  • Input and output validation
  • Business logic
  • Mobile Device Management (MDM) Solutions

Assessment Steps

Device / Offline Analysis

The application is evaluated to ensure it meets common security guidelines, such as protection of data at rest, input validation and secure communication where relevant.

Logic & Processes

The assessment commences, utilising manual and automated techniques in order to bypass any authentication in place, elevate privileges, or unlock premium content.

API Assessment

The API service will be reviewed using open source methodologies, looking for weaknesses in areas such as communication, protection of data and general insecurities.

Reporting

The assessment is documented in a simple, easily digestible, format.