Our customized threat modeling identifies vulnerabilities within your security posture that put your most valuable organizational and client data — the crown jewels — at risk.
Our security audits and vulnerability assessments are based on industry standards and best practices to assess weaknesses in your cloud environment and network, as well as mobile and web-based apps.
Our sophisticated testing services delve into your network, smart devices and other systems to expose critical security deficiencies.
At some point, you decided you needed a mobile application for your organization or product.
Maybe it's needed to allow mobile interaction with your systems, or is necessary to interact with your products. Whether you developed it in-house or through a third party, do you know how securely it was written? Sure, there are many published security best practices, but did your developers understand and follow each one?
A mobile application vulnerability assessment will delve into your mobile app looking for coding weaknesses, hidden secrets, potential privacy issues and other security inadequacies. We look for common development mistakes and then work with your developers so they can fix the issues before a security breach occurs.
Many mobile developers think of application security in terms of how they expect users to interact with the system. But what happens if a hacker reverse engineers the app? Using emulators and jailbroken or rooted mobile devices, they can unearth sensitive data and watch interactions with web APIs that your developers assumed were hidden and protected.
We begin by deploying your application to emulators or rooted Android and jailbroken iOS devices in our mobile interception lab. This allows us to easily extract and decompile your applications — if you haven't already given us the source code for review.
We then perform static code analysis looking for coding weaknesses and hidden secrets, and use your application like traditional end-users would. Every network packet is captured for analysis, databases are scraped, and system memory is inspected. Web requests pass through proxy interception and modification software that allows us to control every aspect of the app's integration with external services. We even attach debuggers to your live running code to bypass any local controls you may have implemented!
Learn how we've helped our valued clients improve their security posture and mitigate risk through mobile app vulnerability assessments.
We found AWS secret access keys embedded in a mobile application that had access to all customer data for an organization. We worked with the development team to re-architect the application before release to keep their data secure.
We discovered hard-coded Active Directory credentials in a publicly available corporate application that could have led to a complete breach of corporate data.
We found a misconfigured keyboard cache in a medical imaging application that would have allowed for the insecure storage of personal health information (PHI).
We fought through multiple layers of SSL/TLS certificate verification and pinning protections to capture and modify sensitive smart device firmware during the over-the-air (OTA) update process.
Our consultants know how to disassemble your mobile applications to find hidden secrets, watch network interactions with web APIs, and even patch the application to do things you never expected! Many companies shy away from mobile assessments because they find them too difficult to set up or they don't know what they're looking for. We've developed a robust testing methodology and created a powerful mobile interception lab that allows us to focus on your application.
Contact us to discuss your mobile app security project today. We'd welcome the opportunity to help you achieve your information security goals.
Check out our blog to get the latest infosec how-to articles, best practices and strategies written by our offensive security experts. Cyber crime isn't going anywhere, so stay informed and on top of it!
Are you wondering how to get started with embedded device security testing and what tools are needed for hardware hacking? Whether you are trying to reverse engineer and hack an embedded system or are looking to make modifications to an IoT device, part one of our Hardware Hacking Lab series will introduce you to some of the physical tools we rely on most to perform our smart device security assessments. Look for additional posts later that will walk through the hardware and software tools needed to get started.
The recent wave of WannaCry ransomware attacks has shed a lot of public light on the Windows SMB remote code execution vulnerability patched by MS17-010 and has fortunately resulted in organizations applying the security update to prevent further infections. While much of the focus has been on patching desktops and servers, it’s easy for many organizations to continue to neglect devices running the Windows Embedded 7 OS.
The level of knowledge sharing that takes place within infosec is amazing! Many security researchers take time to publish their scripts, tips, successes, and failures on Twitter for all to see, so as a security professional, it’s important to learn how to effectively use Twitter to hone your craft.
Red teamers can learn new tactics, techniques, and procedures (TTPs) by following other red teamers. Blue teamers can learn new detections or preventative controls published by other blue teamers.
You might not know how at-risk your security posture is until somebody breaks in . . . and the consequences of a break-in could be big. Don't let small fractures in your security protocols lead to a breach. We'll act like a hacker and confirm where you're most vulnerable. As your adversarial allies, we'll work with you to proactively protect your assets. Schedule a consultation with our Principal Security Consultant to discuss your project goals today.
© 2020 FRACTURE LABS, LLC ALL RIGHTS RESERVED