The objective of this phase is to discover as much information about the mobile application and its associated systems as possible.
Understanding the application and its internals
Debugging the Android / iOS mobile application at runtime (attaching a debugger or instrumentation to observe its actual behaviour)
Reverse-engineering the binary (decompiling the APK / IPA) and reviewing the recovered code and resources to identify any sensitive information, such as hard-coded credentials, keys, certificates and internal endpoints
Understand the functionality of the application and identify the key areas of focus as per the OWASP Mobile Top 10 (2024) methodology:
Improper Credential Usage, Inadequate Supply Chain Security, Insecure Authentication/Authorization, Insufficient Input/Output Validation, Insecure Communication, Inadequate Privacy Controls, Insufficient Binary Protections, Security Misconfiguration, Insecure Data Storage, Insufficient Cryptography.
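As an added example of the reverse-engineering step above (this is not code from the original page or from any vendor's methodology), the following Python script treats an Android APK as what it is, a ZIP archive, pulls printable strings out of every entry in the way strings(1) would (so it works on text assets and on the binary classes.dex alike) and matches them against a few regular expressions for credentials, private keys and cleartext HTTP endpoints. The sample APK is constructed in memory with planted findings so the script runs offline; the pattern names, the planted values and the package name are the example's own assumptions.

```python
"""
Added example: first-pass secret and endpoint triage of an Android APK.
An APK is a ZIP archive, so no Android tooling is needed for this step.
The sample APK built by build_sample_apk() is constructed test data.
"""
import io
import re
import zipfile

# Patterns a reviewer typically greps for. These are the example's own
# assumptions, not an exhaustive or official list.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    # cleartext HTTP endpoints point at Insecure Communication
    "http_url": re.compile(r"\bhttp://[\w.-]+(?::\d+)?(?:/[\w./-]*)?"),
    # key=value style credentials in properties / config files
    "generic_secret": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|passwd)\b\s*[=:]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# Minimum length of a printable run to treat as a string (like `strings -n 8`)
MIN_STRING_LEN = 8
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)


def extract_strings(data: bytes):
    """Yield printable ASCII runs from arbitrary bytes, similar to strings(1).

    This also catches MUTF-8 string constants inside classes.dex, which is
    where hard-coded keys in Java/Kotlin code end up.
    """
    for m in PRINTABLE.finditer(data):
        yield m.group().decode("ascii")


def scan_apk(apk_bytes: bytes):
    """Return findings as (entry_name, pattern_name, matched_text) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info)
            for s in extract_strings(data):
                for name, pat in PATTERNS.items():
                    for m in pat.finditer(s):
                        findings.append((info.filename, name, m.group()))
    return findings


def build_sample_apk() -> bytes:
    """Construct a minimal APK-like ZIP with planted findings (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest package='com.example.app'/>")
        z.writestr(
            "assets/config.properties",
            "api_base=http://api.example.internal:8080/v1\n"
            "api_key=sk_test_0123456789abcdef\n",
        )
        # A real classes.dex is binary; here a planted constant sits between NUL padding
        # ("AKIAEXAMPLE000000001" is a constructed, non-real key id)
        z.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"\x00" * 16 + b"AKIAEXAMPLE000000001" + b"\x00" * 8,
        )
        z.writestr(
            "res/raw/server.pem",
            "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAK...\n-----END RSA PRIVATE KEY-----\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, text in scan_apk(build_sample_apk()):
        print(f"{entry}: {kind}: {text}")
```

To run it against a real build, replace `build_sample_apk()` with the bytes of the APK under test. Treat the output as triage, not as the review itself: compiled resources (resources.arsc) may store strings as UTF-16 and obfuscated or encrypted constants will not match, so confirm and extend the findings with a proper decompile (for example apktool or jadx for Android, or class-dump / a disassembler on the Mach-O inside an IPA) before reporting them.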
Perform manual assessment of in-scope applications
Assess the applications against the key areas of focus per the OWASP (web application) Top 10 methodology; these are web categories and are tested against the back-end web services and APIs that the mobile application consumes:
Injection, Broken Authentication and Session Management, Cross-Site Scripting (“XSS”), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (“CSRF”), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards, and testing of application business logic
Mobile Application Security Assessment Report with details of each observation, its risk, severity, business impact and recommendation