We run in-depth manual and dynamic analyses of Android/iOS devices and apps, guided by OWASP testing methodologies. Our zero-, partial-, or full knowledge assessments use industry-standard and internally developed tools in conjunction with expert-guided testing techniques to locate and validate mobile application security deficiencies.
A Mobile Application Assessment (MAA) provides in-depth manual and dynamic (run-time) analyses of Android/iOS devices and applications, irrespective of source-code availability, following the OWASP Mobile Security Testing Guide (MSTG) and OWASP Mobile Application Verification Standard (MASVS) methodologies. Using the same tools and techniques as real attackers in addition to our own, we'll test your mobile applications for the OWASP Top 10 Mobile Risks.
When conducting an MAA as a Hybrid Application Assessment (HAA), we'll leverage the source code provided to validate and locate vulnerabilities. If source code isn't available, the team will attempt to reverse engineer the application’s binary to partially reconstruct an application’s source code and attempt to identify security vulnerabilities.
Mobile Application Assessment highlights:
Bishop Fox’s Mobile Application Assessment (MAA) methodology identifies application security vulnerabilities by combining automated and manual testing techniques. Download the complete methodology to see what you can expect when you work with us.
Assessment is the first step to securing your mobile application environments. Our team of experienced consultants puts the full spectrum of your application under the microscope, covering runtime patching, network interception, filesystem and device keystore storage, binary reverse engineering, and server-side testing.
We’re your partner in supporting your governance and compliance programs. Many regulatory requirements and internal policies mandate manual testing of your mission-critical apps. With deep expertise in mobile platforms, we’ve got you covered.
By combining binary and file-level analysis, we identify difficult-to-find vulnerabilities. Notably, we test for the OWASP Top 10 Mobile Risks, including Improper Platform Usage, Insecure Data Storage, Insecure Communication, Insecure Authentication, and more.
Our team uses advanced technology to create and use virtual devices when conducting our assessments. This approach is highly efficient: engagement time goes toward testing rather than configuring and managing physical mobile devices.
We go beyond testing communications and a mobile app’s artifacts. We’ll also reverse engineer an application’s binary to find and exploit high severity security issues. Plus, we test the application’s API and dynamically instrument the binary to identify issues in the application’s business logic.
It’s hard to find expertise in mobile security because the technology is always evolving. Our team’s experience comes from a variety of fronts, from mobile developers to security consultants and vulnerability researchers. We see your apps from all sides.
Our high-quality reporting goes above and beyond static risk ratings and generic scoreboards. In addition to being fully customized to your application, your organization, and your desired outcomes, our reports offer actionable security guidance.
Our consultants are actively engaged and contribute to the security industry by speaking at security conferences and sharing their research.
Connecting devices to the internet introduces new areas for innovation, improvement, and also intrusion. Connecting a lock to the internet meant that August Home had the unique challenge of maintaining customer confidence while introducing a new approach to securing their front door using the August Smart Lock.
Sebastian Guerrero
Sebastian Guerrero is a Senior Security Consultant at Bishop Fox, where his areas of expertise are mobile and web application penetration testing (static and dynamic), as well as network penetration testing and product security reviews.
Sebastian has demonstrated critical impact during client engagements. While performing application penetration testing on an acquisition for a major automobile manufacturer, he found numerous SQL injection issues in the company’s main portals, through which an attacker could gain total control over the DBMS, access sensitive information, and obtain remote code execution over the server. Over the course of the engagement, Sebastian also determined that the acquired company had experienced breaches that it was unaware of over the course of two to three years.
He has also presented at conferences such as Black Hat Asia, RSA, and RootedCON and sits on the bug bounty halls of fame for organizations such as Facebook, Google, Microsoft, Instagram, Mozilla, Adobe, Pinterest, and eBay.
Feb 19, 2019
Amtrak Mobile APIs - Multiple Vulnerabilities
By Priyank Nigam
Feb 24, 2015
Rethinking & Repackaging iOS Apps: Part 1
By Carl Livitt
Using Cyber Offensive Methods to Improve Defense
TAG Cyber provides an unbiased assessment of Bishop Fox’s offensive cybersecurity services and Cosmos platform.
We'd love to chat about your offensive security needs. We can help you determine the best solutions for your organization and accelerate your journey to defending forward.