GigaOm Radar for Attack Surface Management: Bishop Fox Named "Leader" and "Fast Mover". Read the report to learn why ›
We run in-depth manual and dynamic analyses of Android/iOS devices and apps, guided by OWASP testing methodologies. Our zero-, partial-, or full knowledge assessments use industry-standard and internally developed tools in conjunction with expert-guided testing techniques to locate and validate mobile application security deficiencies.
A Mobile Application Assessment (MAA) provides in-depth manual and dynamic (run-time) analyses of Android/iOS devices and applications, irrespective of source-code availability, following the OWASP Mobile Security Testing Guide (MSTG) and OWASP Mobile Application Verification Standard (MASVS) methodologies. Using the same tools and techniques as real attackers in addition to our own, we'll test your mobile applications for the OWASP Top 10 Mobile Risks.
When conducting an MAA as a Hybrid Application Assessment (HAA), we'll leverage the source code provided to validate and locate vulnerabilities. If source code isn't available, the team will attempt to reverse engineer the application’s binary to partially reconstruct an application’s source code and attempt to identify security vulnerabilities.
Mobile Application Assessment highlights:
Bishop Fox’s Mobile Application Assessment (MAA) methodology identifies application security vulnerabilities by combining automated and manual testing techniques. Download the complete methodology to see what you can expect when you work with us.
Assessment is the first step to securing your mobile application environments. Our team of experienced consultants put the full spectrum of your application under the microscope, performing runtime patches, network interception, filesystem storage, device keystore storage, binary reverse engineering, and server-side testing.
We’re your partner in supporting your governance and compliance programs. Many regulatory requirements and internal policies mandate manual testing of your mission-critical apps. With deep expertise in mobile platforms, we’ve got you covered.
By combining binary and file-level analysis, we identify difficult-to-find vulnerabilities. Notably, we test for the OWASP Top 10 Mobile Risks including Improper Platform Usage, Insecure Data Storage, Insecure Communication, Insecure Authentication, and more.
Our team uses advanced technology to create and use virtual devices when conducting our assessments. Our approach is highly efficient – maximizing testing time rather than configuring and managing physical mobile devices.
We go beyond testing communications and a mobile app’s artifacts. We’ll also reverse engineer an application’s binary to find and exploit high severity security issues. Plus, we test the application’s API and dynamically instrument the binary to identify issues in the application’s business logic.
It’s hard to find expertise in mobile security because the technology is always evolving. Our team’s experience comes from a variety of fronts, from mobile developers to security consultants and vulnerability researchers. We see your apps from all sides.
Our high-quality reporting goes above and beyond static risk ratings and generic scoreboards. In addition to being fully customized to your application, your organization, and your desired outcomes, our reports offer actionable security guidance.
Our consultants are actively engaged and contribute to the security industry by speaking at security conferences and sharing their research.
Connecting devices to the internet introduces new areas for innovation, improvement, and also intrusion. Connecting a lock to the internet meant that August Home had the unique challenge of maintaining customer confidence while introducing a new approach to securing their front door using the August Smart Lock.
Sebastian Guerrero is a Senior Security Consultant at Bishop Fox, where his areas of expertise are mobile and web application penetration testing (static and dynamic), as well as network penetration testing and product security reviews.
Sebastian has demonstrated critical impact during client engagements. While performing application penetration testing on an acquisition for a major automobile manufacturer, he found numerous SQL injection issues in the company’s main portals, through which an attacker could gain total control over the DBMS, access sensitive information, and obtain remote code execution over the server. Over the course of the engagement, Sebastian also determined that the acquired company had experienced breaches that it was unaware of over the course of two to three years.
He has also presented at conferences such as Black Hat Asia, RSA, and RootedCON and sits on the bug bounty halls of fame for organizations such as Facebook, Google, Microsoft, Instagram, Mozilla, Adobe, Pinterest, and eBay.
We'd love to chat about your offensive security needs. We can help you determine the best solutions for your organization and accelerate your journey to defending forward.