Mobile Application Security Services
Mobile Application Security Assessment
The rapid growth of mobility and the variety of applications available today create a new computing realm that has its benefits and its challenges. Mobile devices and wireless networks are becoming more and more powerful, and the operating systems and applications that run on them are getting progressively more sophisticated. Companies now rely heavily on mobility in their business processes, and in particular on mobile apps. Decision makers may not realize that mobile applications present the same security challenges as traditional applications, and more. The enhanced connectivity of mobile devices, the personal and corporate data stored on or accessed through them, and their access to device sensors and payment systems create new, previously unexplored attack vectors. Therefore, mobile apps must be an integral part of the organization’s IT risk assessment.
Organizations and mobility users that deploy third-party applications without a prior security assessment are particularly vulnerable. Even legitimate apps often disseminate sensitive information, intentionally or unintentionally, or can be readily exploited. App stores do not sufficiently vet applications for spyware, backdoors, misuse of paid-for resources or vulnerabilities. Verifying the safety of an application before its use is absolutely essential.
Safe Frontier Mobile Application Security Services help mobility users identify the risks associated with mobile applications, and help defend against them.
The security assessment provides better understanding of the application security quality and offers standardized metrics to help organizations and individuals make informed decisions regarding their security and privacy.
Security assessment is not just a vulnerability scan. It involves dynamic, static and forensic analysis with manual and automated processes. Mobile applications may consist of web services, embedded browsers and native code components, which often makes reliable assessment a lengthy and expensive process. Our advanced methodologies and testing platforms allow us to take application security assessment to the next level. Our state-of-the-art evaluation technologies make comprehensive assessments easily accessible and affordable. You don’t have to spend thousands anymore. And whether you are a business, an agency, a developer or an app store, we will help you protect your reputation, your privacy and your valuable assets, and maintain security and compliance.
How does it work?
We made it very simple for you with 3 easy steps:
- Choose the Assessment Plan and register to create an account.
- Upload your application, answer the questionnaire and proceed to checkout.
- We will perform the analysis and provide you with the report. If your application conforms to the certification criteria we will issue a relevant certificate.
Assessment vs. Scan… What is the difference?
We provide a Security Assessment, a much more comprehensive analysis than a Vulnerability Scan.
Security Assessment – identifies security vulnerabilities in the context of the environment under test, with manual verification to confirm exposure. A Security Assessment seeks broad coverage of the systems under test, but not the depth of exposure that a specific vulnerability could lead to.
Vulnerability Scan – looks for known security issues by using automated tools to match conditions with known vulnerabilities. The reported risk level is set automatically by the tool, with no manual verification or interpretation by the test vendor.
The <SAFEBIZAPP I> certification signifies that the software has been independently assessed and it meets or exceeds the <SAFEBIZAPP I> certification criteria. To learn about the certification criteria, please see the Methodology tab.
The <SAFEBIZAPP II> certification is recommended for critical applications. It signifies that the software has been independently assessed and it meets or exceeds the <SAFEBIZAPP II> certification criteria. To learn about the certification criteria, please see the Methodology tab.
The <SAFEGOVAPP I> certification is recommended for agencies and government contractors. It signifies that the software has been independently assessed and it meets or exceeds the <SAFEGOVAPP I> certification criteria. To learn about the certification criteria, please see the Methodology tab.
How to verify authenticity of certificate?
All certificates are digitally signed with Safe Frontier EcoSign™ digital signature and can be verified by clicking on the signature or entering a transaction number on this page. If you cannot verify a certificate or have other questions, please contact us.
Who would benefit?
Safe Frontier performs security assessments of mobile applications for a variety of industries, including financial services and healthcare. Our customers are businesses and agencies looking to improve their compliance and security, as well as application developers, publishers and resellers that want to provide an additional level of safety assurance to their clients.
Businesses & Agencies
Mobile applications can potentially present a serious risk to the organization’s IT. Having the application validated against a stringent set of criteria, as well as evaluated for compliance, helps organizations demonstrate best security practices and protect their customers and employees.
Developers & Publishers
Establishing a relationship of trust with your clients is very important, but it can also be very difficult if you are not a well-known company. Safe Frontier is here to help you through our evaluation and certification program. As the publisher or developer of a certified app, you may be eligible to use our certificate and logo of compliance with your qualified product to gain trust and recognition. See details and guidelines.
Appstores & Resellers
Application resellers can increase customer satisfaction and confidence, as well as differentiate by offering certified applications and certification programs for publishers and developers. The developer community can leverage such alliances to get significant discounts on application certification in order to attract more customers and increase sales. Contact us for more information about the Mobile Application Security Services Alliance Program.
Methodology & Metrics
Safe Frontier conducts security assessment of mobile applications where the application is examined using dynamic, static, and forensic analysis to ensure that the majority of the attack surface is covered. Security assessment is mainly focused on discovering vulnerabilities in the context of the environment under test with manual verification to confirm exposure, but doesn’t include the exploitation of vulnerabilities to gain further access. A security assessment is looking to gain a broad coverage of the systems under test but not the depth of exposure that a specific vulnerability could lead to. There are two main areas of evaluation:
- Vulnerability – examination for potential flaws, weakness, or exposure of an application that could lead to a failure of confidentiality, integrity or availability.
- Malicious Functionality – examination for unwanted and dangerous behavior, such as:
- Deliberate dissemination of sensitive information
- Unauthorized network connectivity
- Unauthorized access to paid-for resources
- User interface impersonation
- System modification
- Logic bomb, etc.
All vulnerabilities assessed are divided into standardized risk categories based on the Open Web Application Security Project (OWASP) Top 10 Mobile Risks list, and each category is further classified under the Common Weakness Enumeration (CWE) system. The OWASP Top 10 Mobile Risks list is compiled by risk severity (a Top-N list) using the OWASP Risk Rating Methodology, which applies the Risk = Likelihood × Impact approach. Attack classification and methodologies are based on the Common Attack Pattern Enumeration and Classification (CAPEC) system.
Safe Frontier uses the Common Vulnerability Scoring System (CVSS) to calculate the CVSS Base Metric Vulnerability Score for each vulnerability found in the assessed software. Organizations can apply these scores in their own temporal or environmental contexts to derive a contextual vulnerability score for better risk understanding and informed management decisions.
Safe Frontier evaluates three types of threats arising from malicious or unwanted functionality. The threat model includes malware, personal spyware and grayware. They are distinguished by delivery method, legality, and notice to the user.
- Malware (Trojans, worms, botnets, and viruses) steals or damages data, illicitly uses paid-for resources, stages or executes attacks on other systems, etc. The attacker may exploit a vulnerability in the device to gain unauthorized remote access or deceive a user into installing the malicious app. Malware is generally illegal and provides no legal notice to the user.
- Personal Spyware collects information related to the user’s identity and activity, such as phone call history, text messages, phonebook, pictures, documents, location, etc. It may also covertly activate and collect information from the device sensors, such as camera, microphone, GPS, etc. Personal spyware is usually physically installed on the device by an attacker without the victim’s knowledge. The attacker, not the application author, normally gets the victim’s information. It is generally legal to sell personal spyware because it does not defraud the buyer: its purpose is disclosed to the buyer. Using personal spyware without the victim’s consent, however, could be illegal.
Most malware today is profit-driven. Malware is identified by its incentive-driven malicious behavior and typical characteristics.
Benchmarks & Scoring
Safe Frontier assesses and scores the vulnerability of an application to determine the risk it can present to its user. Safe Frontier also examines the application and classifies it as malware, personal spyware or grayware if malicious or unwanted functionality is found in it.
Vulnerability is rated as a CVSS Base Metric Vulnerability Score, taking into consideration the probability of the findings (Probability Level). There are three Probability Levels:
- Verified – a vulnerability is identified, positively confirmed and rated.
- Identified – a vulnerability is identified and rated but cannot be positively confirmed. For example, the test results are inconclusive given a reasonable amount of effort, and therefore the vulnerability cannot be positively confirmed.
- Suspected – a finding that is believed to be a vulnerability but it cannot be positively identified without further tests that are beyond the scope of the assessment.
Applications are also classified (Application Class) as malware, personal spyware or grayware based on the malicious functionality discovered in the application and the Probability Level of the application belonging to a certain Application Class:
- Verified – an application is fully consistent with the criteria for its Application Class.
- Identified – an application is not fully consistent with the Application Class criteria but could be classified as such.
- Suspected – an application may exhibit some features of the Application Class but cannot be classified as such without further tests that are beyond the scope of the assessment.
An application can belong to more than one Application Class, with different Probability Levels, if it exhibits the characteristics of more than one Application Class.
Safe Frontier offers a certification program to certify applications that meet or exceed the criteria specified below:
- Malicious Functionality rating is based on the Application Class and the Probability Level.
- The Vulnerability score is calculated for each Probability Level and consists of the two variables:
- Total number of Vulnerabilities per each Probability Level.
- Verified or Identified vulnerabilities present in the application that individually exceed the Base Metric Vulnerability Score Cutoff Value. For example, with a Base Metric Vulnerability Score Cutoff Value of 3, zero Vulnerabilities with a Base Metric Vulnerability Score greater than 3 are allowed: if even a single Vulnerability has a Base Metric Vulnerability Score of more than 3, the application does not meet the certification criteria.
Please contact us for <SAFEGOVAPP I> and other certification eligibility criteria.
The above matrix allows eliminating applications that have dangerous vulnerabilities, as well as those whose total number of vulnerabilities is beyond a tolerable level. As security threats evolve, the certification requirements also change; please refer to the security assessment report for the exact criteria that the application was tested against.
When an application is evaluated for certification eligibility, it can receive one of three statuses:
- Passed - the application passed the criteria and is eligible for certification.
- Preliminary not passed - the application did not pass the criteria but did not exceed the grace period to mend, and therefore may be re-evaluated.
- Not passed - the application did not pass the criteria and exceeded the grace period to mend, and therefore it is not eligible for certification.
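To make the scoring rule above concrete, the following added example (not Safe Frontier’s own tooling) evaluates a list of findings against the criteria described: the cutoff value of 3 is the page’s own, while the per-level count limits, the 30-day grace period and the sample findings are constructed placeholders, since the page does not publish those figures.

```python
from dataclasses import dataclass

# Probability Levels as defined on the page, strongest first.
LEVELS = ("Verified", "Identified", "Suspected")
# Base Metric Vulnerability Score Cutoff Value quoted in the page's example.
CUTOFF = 3.0
# Per-level caps on the total number of findings: CONSTRUCTED for this
# example; the page does not publish its actual limits.
MAX_COUNTS = {"Verified": 2, "Identified": 5, "Suspected": 10}
GRACE_DAYS = 30  # constructed grace period to mend; the page gives no figure


@dataclass(frozen=True)
class Finding:
    cwe: str          # CWE id the finding is classified under
    level: str        # Probability Level, one of LEVELS
    cvss_base: float  # CVSS Base Metric Vulnerability Score (0.0 - 10.0)


def vulnerability_score(findings):
    """Compute the page's two variables per Probability Level: the total
    number of findings, and how many Verified/Identified findings exceed
    the cutoff. Suspected findings are counted but never compared."""
    counts = {lvl: 0 for lvl in LEVELS}
    over_cutoff = {lvl: 0 for lvl in LEVELS}
    for f in findings:
        if f.level not in LEVELS:
            raise ValueError(f"unknown Probability Level: {f.level!r}")
        counts[f.level] += 1
        # "more than 3" fails; a score of exactly 3.0 is still allowed.
        if f.level != "Suspected" and f.cvss_base > CUTOFF:
            over_cutoff[f.level] += 1
    return counts, over_cutoff


def meets_criteria(findings, max_counts=MAX_COUNTS):
    counts, over_cutoff = vulnerability_score(findings)
    if any(over_cutoff.values()):  # zero findings allowed above the cutoff
        return False
    return all(counts[lvl] <= max_counts[lvl] for lvl in LEVELS)


def certification_status(findings, days_since_first_failure=0,
                         grace_days=GRACE_DAYS):
    """Map an evaluation to the page's three statuses; the grace period
    is counted from the first failing evaluation."""
    if meets_criteria(findings):
        return "Passed"
    if days_since_first_failure <= grace_days:
        return "Preliminary not passed"
    return "Not passed"


# Constructed sample findings, not real assessment data.
SAMPLE = [
    Finding("CWE-312", "Verified", 2.9),
    Finding("CWE-319", "Identified", 3.0),  # exactly at the cutoff: allowed
    Finding("CWE-89", "Suspected", 9.1),    # Suspected: counted, not compared
]
SAMPLE_FAILING = SAMPLE + [Finding("CWE-78", "Verified", 7.5)]

if __name__ == "__main__":
    print(certification_status(SAMPLE))              # Passed
    print(certification_status(SAMPLE_FAILING, 45))  # Not passed
```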
If the application code, name, version, or anything else is modified such that the MD5 hash value of the submitted application changes, it is considered a new application and must be reassessed and re-certified.
Mobile Application Security Assessment
Safe Frontier’s application security assessment covers areas of malicious functionality and application vulnerability. Utilizing commercial and proprietary tools, Safe Frontier evaluates applications using a standardized testing methodology.
Applications that meet or exceed the certification criteria receive a certificate of compliance. The analyses we perform for each certification level are progressively more comprehensive, and the compliance criteria more demanding. Safe Frontier uses the Common Vulnerability Scoring System (CVSS), which allows organizations to easily apply the received metrics within their specific context. See the Methodology tab for details.
This security assessment is looking to gain a broad coverage of the systems under test but not the depth of exposure that a specific vulnerability could lead to. There are two main areas of evaluation: Malicious Functionality and Vulnerability.
Malicious Functionality is an examination for unwanted or dangerous behavior, such as:
Deliberate dissemination of sensitive information (breach of privacy, information theft) - sensitive data is covertly transmitted from the device:
- Covert transmission of address book, phone log, messages, email, browsing history, keyboard input, data files, etc.
- Covert transmission of camera data, microphone/audio, location data, etc.
- Exfiltration via sockets, such as HTTP, IMAP, SMS, SIP, Bluetooth, etc.
Unauthorized connectivity and misuse of paid-for resources (SMS, data transfer, payments). Malicious code in the application may allow the attacker to push commands to a compromised application and initiate attacks on third-party systems; for example, a Distributed Denial of Service (DDoS) attack, or mailing spam messages from the compromised device, turning it into a spam bot.
Vulnerability is an examination for potential flaws, weakness, or exposure that could lead to a breach of confidentiality, integrity or availability.
Language-inherent risks are common security flaws in the programming language. Such flaws may present a threat to the confidentiality, integrity and availability of the application, as well as of the data accessed by the application:
- Cryptographic weaknesses
- Leaking confidential information
- Improper credentials management
- Code injection flaws
- Memory management flaws
Platform specific risks are based on the vulnerabilities inherent in the specific mobile platform. For example, a vulnerability found on Android that allows one application to exploit another application installed on the same device.
The <SAFEBIZAPP II> certification is recommended for critical applications. It requires compliance with a more stringent set of criteria than <SAFEBIZAPP I>, and involves additional forensics and manual examination. See the Methodology tab for details.
The <SAFEGOVAPP I> certification is recommended for agencies and government contractors. In addition to the <SAFEBIZAPP II> assessment and a more stringent set of criteria, we examine compliance with common standards and regulations¹:
- Gramm-Leach Bliley Act (GLBA)
- Payment Card Industry (PCI)
- Sarbanes-Oxley (SOX) Act
- Health Insurance Portability & Accountability Act (HIPAA)
Contact us for information on mobile application assessment where security clearance is required.
¹ We only provide expert opinion and do not certify compliance with a particular standard.
Disclaimer: While we take every precaution to assess the application as carefully as possible, under no circumstances do we guarantee that the assessed software is safe or free of vulnerabilities or of malicious or unwanted functionality. Safe Frontier does not warrant or make any representations, and hereby disclaims and negates all warranties, concerning the accuracy, likely results, or reliability of the Mobile Application Security Services, or statements or materials concerning such services herein or elsewhere.
Due to the nature of software security testing, in no event shall Safe Frontier or its subsidiaries, suppliers, partners or affiliates be liable for any errors, omissions or damages (including, without limitation, damages for loss of data or profit, or due to business interruption), arising out of the use or inability to use the Safe Frontier’s Mobile Application Security Services or materials.
We only assess the particular instance of the software that you provide. If there are any changes to the software after the assessment, it has to be reassessed. Reassessment discounts are available. Contact us for more information.
What is a vulnerability?
A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application.
Examples of vulnerabilities:
→ Lack of input validation on user input
→ Lack of sufficient logging mechanism
→ Fail-open error handling
→ Not closing the database connection properly
→ Application Programming Interface (API) Abuse
What is malicious functionality?
→ Activity sniffing and data theft (Trojan)
→ Unauthorized network connectivity
→ Unauthorized access to paid-for resources (dialing, SMS, etc.)
→ User interface impersonation
→ System modification
→ Logic tripwire
What is an attack?
Attacks are the techniques that attackers use to exploit the vulnerabilities in applications.
Examples of attacks:
→ Sniffing Attacks
→ Embedded Malicious Code
→ Exploitation of Authentication
→ Abuse of Functionality
Washington, DC: July 17, 2013 Safe Frontier today announced details of i
Washington, DC: Jun 24, 2013 – Safe Frontier announces today the release