Cookie Policy This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies.

Continue Learn more

Reality Net System Solutions

Mobile Security

Nowadays mobile devices are the main communication system in all companies. We often use such devices to exchange sensitive or private information. For this reason it is essential for companies to adopt best practices with the aim of making their safe use.
Recent years have ushered in a new era of enterprise mobility: the use of notebook and mobile phone was passed to devices such as smartphones and tablets that allow you to put together different needs.

These tools allow everybody to communicate via voice and text (SMS, chat, email), to have an always-on connection to the Internet and to use enterprise applications. Data produced can then be transferred to normal computers for further and complete processing. IT departments are forced to allow the use of these devices within the corporate network, in many cases without adopting proper policies and procedures and without the determination of appropriate choices to secure these devices. The network access via smartphones and tablets increases employee productivity, but unprotected devices, running potentially malicious applications, can cause malware attacks, loss or theft of confidential and legal problems.

PROCESS

  • Risk Analysis study of the security state of the mobile systems inside a business network, spotting of critical and risk elements, estimate of the probability and costs of possible attacks
  • Policies and Procedures definition of business policies and processing of specific procedures for mobile device introduction, management and disposal
  • Mobile Device Management advice service in the choice and installation of an MDM service for the management of the whole mobile device business asset
  • Penetration Testing survey of the business implemented defense system and testing of the mobile devices in different scenarios (e.g. lost or stolen device, Wi-Fi access, installation and use of apps, possibility of jailbreaking or rooting)
  • Malware Analysis malware analysis on business devices and discovery of private and sensitive data transmission outside
  • App Analysis security analysis of business implemented mobile apps with the most commonly used standards (e.g. OWASP Mobile Security Risks, PCI-DSS)

METODOLOGY

For the Penetration Testing activity our consultants use the most consolidated procedures and methods such as OWASP Mobile Top 10 Risks.

  • Insecure data storage: access to confidential information stored on the device (e.g. usernames, passwords, cookies, application logs, etc.)
  • Weak server side controls: implementation weakness of backend services (e.g. web applications vulnerable to XSS or CSRF)
  • Insufficient trasport layer protection: man-in-the middle attacks, in-transit data tampering, mistake in the validation certificates
  • Client side injection: attacks to web applications (e.g. SQL Injection)
  • Poor authorization and authentication: authentication and authorization based on steady values (e.g. IMEI, IMSI, UUID)
  • Improper session handling: incorrect handling of sessions inside apps (e.g. HTTP Cookies, OAuth tokens)
  • Security decision via untrusted inputs: incorrect use of URLs to access specific functions (e.g.phone reset, Skype calls)
  • Side Channel data leakage: access to sensible information stored without any possible control by the user (e.g. Web caches, keystroke logging, screenshot, geopositioning)
  • Broken cryptography: easily breakable cryptographic implementation and non-use of correct APIs
  • Sensitive Information Disclosure: access to confidential information from application source code (e.g. API Keys)