While evaluating mobile app security, there are three major areas that developers check: the server side, the client side, and the protocols by which data moves between them. These tasks can be further divided into the following:
- Analyzing how information is sent over the internet
- Checking the privacy settings
- Checking how data is stored
- Evaluating security through penetration testing
Web Traffic Analysis
There are different ways in which iOS apps exchange and transfer data:
- Unencrypted protocols, for example HTTP: what you need to check here is whether these protocols are used to move confidential data.
- Secure protocols, for example HTTPS: what you need to check is whether SSL certificates are validated, and whether the app accepts any SSL certificate it is presented with.
- Low-level data transfer protocols and non-standard protocols: what we check here is whether the app accesses user data without checking credentials.
During a standard iOS app installation, the system creates a folder with a unique ID in Applications/mobile/var.
Here we should look at the following:
- Plist files: the content and any hidden options
- Keychain: what is stored there and whether the passwords are securely encrypted
- Cache: what is cached?
- Logs: whether the processes are logged and whether any confidential data ends up in the logs
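As an added example (not code from the article), here is a small Python scanner that performs the plist, cache and log checks from the list above on an app's data container: it flags top-level plist keys that look like credentials, and log or cache files that contain a sensitive keyword or a Luhn-valid card number. The container layout, file names and contents are a constructed sample, not a real app; the Keychain is a separate store and is not covered by a file walk.

```python
import os
import plistlib
import re
import tempfile

# Key names and log words that suggest credentials or card data (hypothetical, tune per app).
SENSITIVE_KEY = re.compile(r"pass(word)?|token|secret|pin|card", re.I)
# 13-19 digits with optional space/dash separators, not glued to other digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(candidate: str) -> bool:
    """True when the digits pass the Luhn check, which screens out ids and timestamps."""
    digits = [int(c) for c in candidate if c.isdigit()][::-1]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def scan_container(root: str) -> list[tuple[str, str]]:
    """Walk an app data container and return (relative path, finding) pairs."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(".plist"):
                with open(path, "rb") as fh:
                    for key in plistlib.load(fh):  # top-level keys only
                        if SENSITIVE_KEY.search(key):
                            findings.append((rel, f"cleartext plist key '{key}'"))
            elif name.endswith((".log", ".txt")):
                with open(path, errors="replace") as fh:
                    text = fh.read()
                if SENSITIVE_KEY.search(text):
                    findings.append((rel, "sensitive keyword in log/cache"))
                for m in CARD_CANDIDATE.finditer(text):
                    if luhn_ok(m.group()):
                        findings.append((rel, f"card number ending {m.group()[-4:]}"))
    return findings

def build_sample_container() -> str:
    """Constructed sample container (not a real app) used to exercise the scanner."""
    root = tempfile.mkdtemp()
    for sub in ("Preferences", "Caches"):
        os.makedirs(os.path.join(root, "Library", sub))
    with open(os.path.join(root, "Library", "Preferences", "com.example.app.plist"), "wb") as fh:
        plistlib.dump({"username": "alice", "password": "hunter2", "theme": "dark"}, fh)
    with open(os.path.join(root, "Library", "Caches", "net.log"), "w") as fh:
        fh.write("POST /pay card=4111 1111 1111 1111 amount=12.50\nGET /profile id=20240101\n")
    return root
```

Nested plist dictionaries and binary cache formats would need deeper parsing; the script only shows the shape of the check.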
Penetration testing is a powerful tool that exploits an app's vulnerabilities and assesses the app's ability to defend itself against a malicious attack. We advise regular pen testing if your application handles bank cards and other confidential information. For some kinds of apps, for example mobile payment apps, this test is essential.
Application Traffic Analysis
HTTP: Everything is clean here. Secure data is not transferred over unencrypted protocols.
HTTPS: Everything is clean here as well; all certificates are verified.
Channels through Which Bank Card Numbers Can Be Transferred
Since multitasking is not supported by the device, these channels could not be checked for bank card data transmission. This check would have required logging in without a proxy while concurrently inspecting the sent data through a proxy.
This is clean as well: there is no unauthorized access to the user data.
To sum up: if the app under review is not secure enough, a malicious user can easily access the account data and the password, and the acquired login can allow hackers to change profile parameters. They can get access to crucial information, which can then be used to harm the user.