We teach the following technical and business logic issues affecting mobile applications on the different mobile platforms, such as Android, iOS and Windows.
| Check |
|---|
| Jailbreak/root detection checks |
| Certificate pinning checks |
| Dangerous enabled settings (debug mode, etc.) |
| Decompilation and reversing tests |
| Hardcoded password checks in the sources |
| Token and third-party data leakage checks in the sources |
| Information leakage in real-time device logs |
| Application log checks for critical information |
| Application stored cache data checks |
| Password protection status of the local databases |
| Sensitive information stored in the local databases |
| Checks of all critical files (xml, plist, etc.) |
| Runtime tests |
| Memory analysis at runtime |
| Certificate pinning bypass |
| Keyboard cache status for text inputs |
| Data storage on the shared sdcard |
| Tcpdump analysis while the app is running |
| Analysis of all backup files, logs and specific files |
| Sensitive string search with grep across the whole app directory |
| Mobile app recompile tests |
| Android APK obfuscation status |
| Input manipulation tests |
| Two-factor authentication tests |
| Data transmission security between device and server |
| Server-side tests |
| Full port scan of the server IP address |
| Full vulnerability scan of the server IP address |
| Mobile web site tests, as for a website test |
| Testing app permissions |
| Testing for critical information in the clipboard |
| Application session timeout status |
| Username and password policy check |
| Predictable credentials checks |
| Login form captcha and anti-CSRF usage status |
| Business logic vulnerabilities in the application functions |
| Code injection tests |
| Command execution tests |
| Iframe injection |
| LFI/RFI tests |
| LFI via iframe injections on the device |
| XSS tests (reflected, DOM, stored, blind) |
| XSS tests with payload injection across platforms (mobile-web) |
| XXE vulnerability checks |
| Technical and business logic tests on the registration form |
| Password reset function tests |
| Access to the mobile app via a web browser by changing the user agent |
| Account takeover tests |
| Deployment and configuration issues |
| Mobile API and web services tests |
| SSRF tests (local and remote) |
| Insecure Direct Object Reference tests |
| Privilege escalation with different roles |
| Directory traversal |
| Advanced authorization and authentication tests |
| Username enumeration via warning messages or development mistakes |
| Automated scanning |
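The static checks in the list (dangerous enabled settings in the manifest, hardcoded passwords and tokens in the sources, and the grep sweep over the whole app directory) are usually the first thing run against an unpacked APK. The script below is an added example, not material from the course, showing how that sweep looks in practice. It constructs a small, fake unpacked app tree (an `AndroidManifest.xml`, a `strings.xml` and one smali file) in a temporary directory so it runs offline; the file contents, the package name `com.example.app` and the secret values are made up for the demo. The grep patterns are deliberately broad: the tester triages the hits by hand, and a clean run is not proof that no secret is present (tokens can be split, encoded or built at runtime).

```shell
#!/bin/sh
# Added example: static sweep of an unpacked Android app directory (apktool-style layout)
# for hard-coded secrets and dangerous manifest settings. Everything under make_sample_app
# is constructed sample data so the script runs offline.
set -u

# Build a constructed sample app tree in the directory given as $1.
make_sample_app() {
    dir="$1"
    mkdir -p "$dir/res/values" "$dir/smali/com/example"
    # Manifest with three settings a tester flags: debuggable, allowBackup, usesCleartextTraffic.
    cat > "$dir/AndroidManifest.xml" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:debuggable="true" android:allowBackup="true" android:usesCleartextTraffic="true">
    </application>
</manifest>
EOF
    # Resource file with a fake API key (constructed value, not a real credential).
    cat > "$dir/res/values/strings.xml" <<'EOF'
<resources>
    <string name="api_key">sk_test_constructed_0123</string>
    <string name="app_name">Example</string>
</resources>
EOF
    # Decompiled smali with a hard-coded password string (constructed) and a harmless URL.
    cat > "$dir/smali/com/example/Config.smali" <<'EOF'
const-string v0, "password=SuperSecret123"
const-string v1, "https://api.example.com/v1"
EOF
}

# Recursive, case-insensitive grep for strings that commonly mark credentials or tokens.
# Prints path:line:content for each hit; one line per source line, however many patterns match.
find_secrets() {
    grep -rniE 'password|passwd|secret|api[_-]?key|token|aws_|private[_-]?key' "$1" 2>/dev/null
}

# Flag dangerous manifest settings; -o prints each matching attribute on its own line.
find_dangerous_settings() {
    grep -noE 'android:(debuggable|allowBackup|usesCleartextTraffic)="true"' "$1/AndroidManifest.xml" 2>/dev/null
}

# Counts used for a quick summary (and for the automated check below).
count_secret_hits() { find_secrets "$1" | wc -l | tr -d ' '; }
count_dangerous_settings() { find_dangerous_settings "$1" | wc -l | tr -d ' '; }

main() {
    app="$(mktemp -d)"
    make_sample_app "$app"
    echo "== possible hard-coded secrets ($(count_secret_hits "$app") lines) =="
    find_secrets "$app"
    echo "== dangerous manifest settings ($(count_dangerous_settings "$app") found) =="
    find_dangerous_settings "$app"
    rm -rf "$app"
}
main
```

On a real engagement the same two functions are pointed at the output of `apktool d app.apk` (or an unzipped IPA for iOS, where `plist` and `strings` files take the place of `strings.xml`), and the hit list is reviewed line by line rather than trusted as-is.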
