SecureState’s Black Box Mobile Application Security (MAS) Assessment focuses on the OWASP Mobile Top 10. The test is meant to simulate an attacker downloading your application from an app store and attacking it with no prior knowledge of internal security controls.
SecureState will perform tests against any web services associated with the target application, including but not limited to XML structural testing, XML content-level testing, HTTP GET parameter/REST testing, and Naughty SOAP attachments. Network traffic generated by the mobile application is monitored for sensitive information and for the use of cleartext protocols. Standard web application tests are also conducted, including checks for SQL Injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF).
SecureState will identify weaknesses in the trust model of the application and attempt to enumerate sensitive operations that can be accessed or modified without proper authorization. All points of interaction and input are enumerated, after which SecureState attempts to exploit logic flaws.
Finally, SecureState will attempt to identify sensitive information stored locally in device storage or on external memory cards. SecureState will verify that any such information stored on the device cannot be accessed or modified outside of trusted systems and processes. Areas tested during the assessment include log files, local databases, and web history.