Mobile Application Security
Our consultants have been assessing mobile applications since 2008. We offer both static and dynamic analysis techniques, and can assess native
applications, web-based/service applications, and their APIs. As mobile device and application testing has matured in recent years, we prefer to
get involved within the Software Development Life-Cycle (SDLC): it is not only easier to assess the application and its associated APIs before
the additional layers of security are applied, but it also helps reduce testing cost in the final stages of development. Our last phase of
testing usually covers cryptographic protocols, SSL certificate pinning, and reverse engineering, which are always the hardest and most
time-consuming forms of testing. Early investment in security testing means that this last phase can be reduced, backed by the evidence of security
triage in the previous stages of the development life cycle.
- Android (apk)
- Apple iOS (ipa)
Netscylla follows the traditional OWASP Mobile Security Testing Guide (MSTG), to align with developer security practices.
More details on the MSTG can be found here: OWASP Mobile Testing Guide.
Methodologies
DAST
Dynamic Application Security Testing is a black-box security testing methodology in which an application is tested from the outside in by
examining an application in its running state and trying to attack it just like an attacker would in the real world.
SAST
Static Application Security Testing is a white-box testing methodology which tests the application from the inside out by examining its source
code for conditions that indicate a security vulnerability might be present.
Which one is right for your organisation?
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle
(SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL
injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security
vulnerabilities while web applications are running.