Our application security service verifies the reliability of an application's security controls and architecture without requiring access to its source code. The process involves decompilation and code/data flow reconstruction, dynamic testing of the application in tracing and debugging tools, and binary instrumentation to validate bugs or trigger the required functionality (e.g. to test the server-side backend or bypass SSL pinning). We support Windows/Linux/macOS/iOS/Android applications and, if required, can cover any popular operating system/processor architecture.
Project case: Windows/macOS software security audit
The project goal was to ensure the security of a complex application consisting of Windows/macOS frontends and an Azure-based backend. The threat vectors included attacks on the client (e.g. whether the software introduces a weakness into the client OS) and the security of the system back-end. Only the binaries and test accounts were provided; no source code was available.
The following vulnerabilities were identified:
- Remote code execution on the client through an out-of-date library
- Weak filesystem/registry permissions in the client installation
- Hardcoded API keys for some back-end components in the client installation
- Denial of service on the backend infrastructure through XML bombs (entity expansion attacks)
Project case: Mobile application security audit
The project goal was to assess the security level of the customer's iOS/Android mobile applications against established security standards and recommendations. The OWASP Mobile Application Security Verification Standard (MASVS) was used as the basis, together with the OWASP Mobile Testing Guide.
The first part of the audit was an interview with the developers to find issues in the SDLC and in the application code. The second stage included source code analysis and reproduction of the identified vulnerabilities (with the aid of the Frida dynamic instrumentation framework, the jdb/gdb debuggers for Android and the lldb debugger for iOS).
As a result, the customer received a detailed report with a checklist of MASVS requirements and their verification results (OK, Found, N/A), together with detailed recommendations on how to fix the findings and become MASVS compliant. Some of the identified vulnerabilities included:
- Unsafe use of web-view components, which allowed universal XSS
- Logging of sensitive data (including API keys and credentials) to the system logs
- Lack of encryption of stored data
- Broadcast theft in the Android application, which allowed sensitive data to be intercepted
- Unsafe URL handler in iOS, which allowed the application to be crashed