softScheck secures your apps
There are about 3 million apps (with an estimated 300 billion downloads) offered on all platforms worldwide – most of them are unchecked in terms Security: Access Unauthorized, unwanted disclosure and unauthorized use of user data such as messages, personal data, address books, location and motion profiles etc.
Then there are the questions about the safety of the interacting Server and the data link between the smart terminal and the server. App developers are therefore under increasing pressure: The security of Apps is completely inadequate.
The ISO 27000 family and the “BSI Grundschutz” propose many security measures – but the eligible suites, tools and guidance are often too general and incomplete, so that the implementation of these security measures is only a drop in the bucket.
The competition in the App Store is large and increases with the number of apps. In order for the Security testing is essential for the quality and the success of any app.
What’s to be done? And above all: What can be done economically?
softScheck provides tailored mobile apps methods in the form of a security testing process to identify known and previously unrecognized particular vulnerabilities in your app.
Mobile App Fuzz Testing
softScheck uses commercial, open source and proprietary fuzzer to identify previously unknown vulnerabilities. These Fuzzers analyze the reaction of your app to unforeseen – not considered in the program code – input data. Unexpected (mis) behavior of your app provide clues to exploitable vulnerabilities. Among our Fuzz Testing services:
- Identification of all available interfaces
- User Input (UI) fuzzing
- Intent / Broadcast fuzzing
- Monitoring and evaluation of monitoring results
Static Code Analysis for Android und iOS
The Static Code Analysis of the source code is mostly automated or semi automated formally investigated in a known fault pattern. Among our Static Code Analysis Services:
- Reverse Engineering the app
- Use of different static source code analysis techniques, such as e.g. Semantic, Data Flow and Tainted Data Analysis
- Identification of i.a. Bad Practices, Privilege Management, Privacy Violations, race conditions, deadlocks, memory pointer and injuries
In a manual audit our security experts identify and examine most critical components of your app. Among others we check:
- the correct implementation of SSL connections,
- the processes for collecting, processing and transmission of all data of the application, particularly as regards personal data
- on Rouge Client Attacks
- on Leaking Content Provider
- on Authentication Bypass
- on Network Traffic Analysis
- on Backdoor Detection
- and work on mitigations
Threat Modeling supports the methodical development of a trusted system design and architecture in the design phase of software development, the troubleshooting costs are still very low in this stage of development. Similarly, already existing system designs and architectures can be check, with the aim of identifying, assessing and correcting security vulnerabilities. Among our Threat Modeling Services:
- Review of the security architecture for vulnerabilities
- Identification of safety-related communication channels and processes
- Identification of threats, Design-related vulnerabilities and the associated safety measures
Your app should never be considered in isolation, but always as a part of the system in which it is operating. Communicates your app with servers, so these need to be examined for security vulnerabilities. softScheck offers penetration tests to identify known vulnerabilities and sets on commercial and freely available tools – depending on need and effectiveness.