Testing the security of mobile applications has become crucial as organizations increasingly rely on mobile applications for their workforce and customers. These applications can be banking applications, healthcare platforms, e-commerce apps or any other business apps. Identifying and mitigating the security risks of these mobile apps is paramount for protecting the workforce and customers. Mobile Application Penetration Testing provides in-depth testing of mobile apps, including on-device security weaknesses, back-end web services, API services, etc., thereby establishing the production readiness of your mobile applications.
The client is one of the most recognized e-commerce brands in the UAE and connects millions of buyers and sellers across the world. It is one of the most popular online marketplaces for video classified advertisements. With a wide range of advertisement categories, the client delivers an innovative platform for everyday users to sell, buy or look for whatever they need.
The client's requirement was to confirm that all of its security measures were effective enough to protect its assets from unauthorized access, and to identify any security vulnerabilities. The client needed a reliable security partner to provide penetration testing services for its mobile applications (Android and iOS).
As a company with a large number of subscribers and employees, the client held a large database of sensitive customer data, which made it an appealing target for attackers. Understanding the security aspects of the mobile application was also a highly challenging task.
The key focus areas of assessment included customer privacy, client-side attacks, server-side attacks and network attacks. Some of the major threats found during the assessment are as follows:
- There was no rate limiting to prevent brute-force attacks on the OTP field.
- Advertisements posted by customers/users could be altered by modifying request parameters.
- It was possible to log in to the application using blank credentials, because the credentials check did not validate its inputs properly.
- The OTP (One Time Password) generated by the application was disclosed in the server response.
- The application allowed a weak password policy.
With our industry-leading security researchers, we were able to propose the following solutions for remediation of the identified threats:
- ValueMentor suggested implementing rate limiting on the OTP field of the Password Reset Submission Form as a defense against brute-force attacks.
- We suggested implementing proper authorization and access restriction to prevent unauthorized parameter modifications.
- We recommended implementing proper validation of credentials to reject unauthorized login attempts.
- We suggested removing the generated One Time Password (OTP) from the server response to avoid OTP fraud.
- We recommended that the client enforce a strong password policy, which does not permit weak passwords or passwords based on dictionary words, in order to protect business data and customer information.
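The following is an added, self-contained example (not the client's code and not ValueMentor's deliverable) of what the remediations above look like in a back-end service: an OTP issue/verify flow with a per-user attempt budget and a response that never carries the code, a login routine that rejects blank credentials before any lookup, a password policy check against a constructed deny list, and a server-side ownership check before an advertisement can be changed. All limits, the sample advert, the deny list and the `send` delivery callback are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Tunables: assumed values for this example, not the client's real configuration.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_OTP_ATTEMPTS = 5        # wrong guesses allowed per issued OTP
LOCKOUT_SECONDS = 900
MIN_PASSWORD_LENGTH = 12
# Constructed sample of a dictionary/deny list; a real deployment loads a large one.
WEAK_PASSWORDS = {"password", "password1234", "welcome12345", "qwerty123456", "letmein12345"}

_otps = {}       # user_id -> {"digest": str, "expires": float, "attempts": int}
_lockouts = {}   # user_id -> monotonic time at which the lockout ends
_adverts = {"ad-1": {"owner": "alice", "title": "Used bike"}}   # constructed sample data
_users = {}      # username -> {"salt": bytes, "hash": bytes}


def _now(now):
    return time.monotonic() if now is None else now


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def request_otp(user_id: str, send, now=None) -> dict:
    """Issue an OTP, hand it to the out-of-band delivery callback (SMS/e-mail)
    and return an API response that never carries the code itself."""
    code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    _otps[user_id] = {"digest": _digest(code), "expires": _now(now) + OTP_TTL_SECONDS, "attempts": 0}
    send(user_id, code)
    return {"status": "sent"}


def verify_otp(user_id: str, code: str, now=None) -> dict:
    """Verify an OTP with a per-user attempt budget so the field cannot be brute forced."""
    t = _now(now)
    if _lockouts.get(user_id, 0) > t:
        return {"status": "locked"}
    entry = _otps.get(user_id)
    if entry is None or entry["expires"] < t:
        return {"status": "invalid"}
    entry["attempts"] += 1
    if entry["attempts"] > MAX_OTP_ATTEMPTS:
        # Budget exhausted: discard the OTP and lock the user for a cool-down period.
        _lockouts[user_id] = t + LOCKOUT_SECONDS
        del _otps[user_id]
        return {"status": "locked"}
    if hmac.compare_digest(entry["digest"], _digest(code)):
        del _otps[user_id]          # single use
        return {"status": "ok"}
    return {"status": "invalid"}


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def password_is_acceptable(password: str, username: str = "") -> bool:
    """Reject short, dictionary and username-derived passwords."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    lowered = password.lower()
    if lowered in WEAK_PASSWORDS:
        return False
    if username and username.lower() in lowered:
        return False
    return True


def register(username: str, password: str) -> bool:
    if not username.strip() or not password_is_acceptable(password, username):
        return False
    salt = secrets.token_bytes(16)
    _users[username] = {"salt": salt, "hash": _pbkdf2(password, salt)}
    return True


def login(username: str, password: str) -> bool:
    """Blank or missing credentials are rejected before any lookup or comparison."""
    if not username or not username.strip() or not password:
        return False
    user = _users.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["hash"], _pbkdf2(password, user["salt"]))


def update_advert(actor: str, advert_id: str, changes: dict) -> bool:
    """Server-side ownership check: the advert id sent by the client is not trusted on its own."""
    advert = _adverts.get(advert_id)
    if advert is None or advert["owner"] != actor:
        return False
    advert.update({k: v for k, v in changes.items() if k in ("title",)})
    return True
```

The `now` parameter exists only so the time-based behaviour (expiry, lockout) can be exercised deterministically; in production it is left at its default. Note that `request_otp` returns the same `{"status": "sent"}` whether or not delivery succeeds, so the response body cannot leak the code, and `verify_otp` returns `"locked"` even for a correct code once the budget is spent, which is what defeats the brute-force finding.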
ValueMentor is pleased that the Mobile Penetration Testing identified all the vulnerabilities in the client's mobile application. The engagement:
- Identified risks associated with iOS and Android and provided remediation for them
- Identified critical information exposures in the mobile application
- Provided insights into the resilience of the applications against attacks from unauthorized users
- Provided information on the potential for valid users to abuse their privileges and access
With prominent cybercrimes becoming a regular occurrence, it has become imperative for every organization to engage a trusted security partner and assess its security posture regularly. Mobile Application Security Testing reduces the risk of a mobile app breach by detecting weaknesses early and remediating them before an attacker finds them.
ValueMentor is a pure-play information security services and consulting company. We specialize in delivering Security Consulting Services to organizations across the globe and are pioneers in Information Security Audit Services, Information Security Consulting Services and Managed Services.