Archive for the ‘Mobile’ Category

iSecPartners – Auditing high-value applications cheat-sheet

July 22, 2014 Leave a comment

iSecPartners has released on GitHub a “cheat-sheet” for auditing high-value applications. It’s well worth a read.

This list is intended to be a list of additional or more technical things to look for when auditing extremely high value applications. The applications may involve operational security for involved actors (such as law enforcement research), extremely valuable transactions (such as a Stock Trading Application), societal issues that could open users to physical harassment (such as a Gay Dating Application), or technologies designed to be used by journalists operating inside repressive countries.

It is an advanced list – meaning entry level issues such as application logic bypasses, common web vulnerabilities such as XSS and SQLi, or lower level vulnerabilities such as memory corruption are explicitly not covered. It is assumed that the reader is aware of these and similar vulnerabilities and is well trained in their search, exploitation, and remediation.

A good example of the type of analysis to strive for can be shown in Jacob Appelbaum’s analysis of UltraSurf:


Penetration Testing Android Applications

June 29, 2011 Leave a comment

McAfee’s Foundstone division has created a great guide on setting up your system for testing and analyzing Android applications.

Penetration Testing Android Applications [pdf]

This paper focuses specifically on helping security professionals understand the nuances of penetration testing on Android applications. It attempts to cover the key steps the reader would need to understand such as setting up the test environment, installing the emulator, configuring the proxy tool and decompiling applications, etc. It also provides an introduction to security tools available for the Android platform.

Categories: Mobile, Tech