Information Security Assessment

Digital transformation, the integration of digital technology into all areas of a business, looks different in every industry and company. That integration leads to fundamental changes in how the business operates.

Banks running on a digital core can see reduced costs and streamlined processes. This end-to-end integration also helps provide a more seamless, engaging customer experience. Attackers, meanwhile, go after the most vulnerable aspect of the bank: using social engineering, they look for loopholes by posing as an ordinary customer and drawing on the trust the bank places in its customers.

We provide not only VAPT (vulnerability assessment and penetration testing) to banks but also security awareness programmes covering the latest cyber attacks.

Services:

  • Web-Security Assessments
  • Mobile (Android & iOS) Security Assessments
  • Cloud Security Assessments
  • Protocol Security Assessments
  • Product Security Assessments
  • Network Security Assessments
  • Wireless Security Assessments
  • Red Teaming Assessment
  • Forensic Audit (DFIR)

Discovery

We discover information related to the mobile app during the penetration testing process through various processes, including, but not limited to, the following:

  • Open Source Intelligence: It may be possible to find out more information about an application. This includes searching through search engines, identifying the third-party libraries that are used, and finding leaked source code in source code repositories, developer forums, and social media.
  • Understanding the platform: Understanding the platform is a crucial part of application penetration testing. This gives a clear understanding from an external point of view when it comes to creating a threat model for the application.
  • Client side vs server side scenarios: It is crucial to understand the type of application (native, hybrid, or web) and build the test cases accordingly.

Overall, we try to understand your mobile app through multiple interactions in the pre-engagement process and ensure we identify your critical data and core competencies.

Analysis/Assessment

We undertake the following methods to analyse and assess the mobile app:

  • Static analysis: Static analysis is performed, without executing the application, on the provided or decompiled source code and accompanying files.
  • Archive analysis: The application installation packages for the Android platform will be extracted and examined to review configuration files that have not been compiled into the binary.
  • Local file analysis: When the application is installed, it is given its own directory in the file system. During the usage of the application, it will write to and read from this directory. Files accessed by the application will be analyzed to verify the process.
  • Reverse engineering: Reverse engineering will be attempted to convert the compiled applications into human-readable source code. If possible, code review will be performed to understand the internal application functionality and search for vulnerabilities. In the case of Android, the application code may be modified and recompiled to enable access to debug information during dynamic analysis.
  • Dynamic analysis: Dynamic analysis is performed while the application is running on the device. This includes forensic analysis of the local file system, network traffic between the application and server, and assessment of the app's local inter-process communication (IPC) surface(s).
  • Network and web traffic: The device will be configured to route its connection to the server through a test proxy controlled by the security tester. This will enable web traffic to be intercepted, viewed, and modified. It will also reveal the communication endpoints between the application and the server so that they can be tested. Network traffic that does not traverse the web and happens at a lower layer of the TCP/IP protocol stack, such as raw TCP and UDP packets, will also be intercepted and analyzed.
  • Inter-process communication endpoint analysis: Android mobile apps are composed of the following IPC endpoints (which will be analyzed during the mobile app testing):
    • Intents: These are signals used to send messages between components of the Android system
    • Activities: These are screens or pages within the application
    • Content providers: These provide access to databases
    • Services: These run in the background and perform tasks regardless of whether the main application is running
    • Broadcast receivers: These receive and possibly act on intents received from other applications or the Android system
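
As an added example (not code from the original page), the following Python script inventories the IPC endpoints a decoded AndroidManifest.xml declares and flags those that are exported without a permission requirement, which is the surface the endpoint analysis above reviews first. The manifest it parses is constructed for this example; the decoded manifest from source or from a decompilation step can be substituted.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest for this example (not a real application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".OtpReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <provider android:name=".AccountProvider" android:exported="true"
              android:permission="com.example.bank.READ_ACCOUNTS"/>
  </application>
</manifest>"""

def is_exported(component):
    """Platform rule: an explicit android:exported wins; otherwise a
    component that declares an intent-filter is exported by default
    (the pre-API-31 behaviour), and one without is private."""
    explicit = component.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None

def inventory(manifest_xml):
    """One record per activity, service, receiver and content provider."""
    app = ET.fromstring(manifest_xml).find("application")
    return [{
        "type": c.tag,
        "name": c.get(ANDROID_NS + "name"),
        "exported": is_exported(c),
        "permission": c.get(ANDROID_NS + "permission"),
        "actions": [a.get(ANDROID_NS + "name") for a in c.iter("action")],
    } for c in app if c.tag in COMPONENT_TAGS]

def unprotected_endpoints(manifest_xml):
    """Names of endpoints any other app can reach with no permission check."""
    return [e["name"] for e in inventory(manifest_xml)
            if e["exported"] and not e["permission"]]
```

For the sample manifest, the launcher activity, the explicitly exported transfer activity and the SMS receiver come back as unprotected, while the provider is exported but guarded by a permission and the service is private.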

Exploitation

We attempt exploitation to ascertain the impact of the vulnerabilities that have been identified during the course of mobile app assessment.

  • Attempt to exploit the vulnerability: Acting upon the discovered vulnerabilities to gain sensitive information or perform malicious activities.
  • Privilege escalation: Demonstration of an identified vulnerability to gain privileges and attempt to become a superuser.