Testing mobile applications for security
The advantages of apps in the corporate environment are their manifold possibilities. However, their use requires a critical view of the app risks in order to be able to effectively counter a hazard through app check and app release mechanisms. IT managers therefore have to ask themselves what risks exist for their company through the use of an app and whether these are acceptable or not.
Overview - What we do
We help you assess the security level of iOS and Android apps and their backend systems. We develop special analysis tools for all relevant app platforms and operate laboratories in which we conduct active attacks on apps and in-depth app security checks. We inform vendors about potential security problems in their apps. Developers receive concrete recommendations for secure app development from us. We advise you whether an app meets your security requirements. And we share critical security features with users.
Our expertise lies in the area of iOS and Android security, with a special focus on aspects of secure app development and the secure use of relevant app frameworks. Our experience from extensive manual app evaluation projects since 2010 and our strong understanding of IT security risks in app development enables us to efficiently conduct app security investigations and evaluations.
Our proprietary self-developed tools enable us to assess security features of native and hybrid iOS and Android apps. Even hardened apps with protection measures such as debugger/emulator protection, jailbreak/rooting detection, code obfuscation, resource verification, app integrity checking and hooking detection can be analyzed. This is done through static and dynamic analysis, symbolic execution, and similarity detection based on the binary files or source code of the iOS and Android apps.
For the project types listed below, various approaches can be used in consultation with you, including conceptual review, black box penetration testing, reverse engineering and source code audit.
Requirement specification of the App security functions
If you have your own app implemented externally, you should define platform-specific measures for the implementation partner exactly for the app development. This includes which iOS and Android specific measures and configurations should be used to implement the App security concept and corresponding mechanisms. We help you with the appropriate specification of the necessary measures specifically for the iOS and Android App platform.
Review of the App Security Concept
A central component of an analysis of a security architecture are the product- or service-specific App security requirements. These form the expectation horizon for the investigations and the final evaluation. In addition, the attack surface of the App and its components is identified. Defects in the general concept, the security requirements and in the detailed specification of specific measures are pointed out and recommendations made in the context of the analysis of the security architecture in order to be able to adequately counter these aspects.
App Security Assessment
This type of project is focused on your internal development and management and considers the implementation of the App and, if desired, the backend systems involved: The evaluation reports of this project type provide you with everything you need to make informed decisions: documented requirements and assumptions, detailed descriptions of tests and results for your developers, and meaningful summary assessments for your management. Project results are limited to your internal purposes.
Statements on specific App Security Claims
In highly competitive markets, a high App security can be the advantage that makes you the market leader. We can perform evaluations that verify the specific security claims of your app as part of a targeted evaluation and help you to respond to your customers' security needs and questions. The project report focuses on the desired security claims and can be passed on to your customers/partners as part of an NDA.
Public Statements on App Security
Test certificates and test reports show your customers and the public that you care about the security of your app. Published by an independent laboratory under the renowned Fraunhofer brand, they convey confidence and strengthen your sales potential. Apps can receive a Fraunhofer SIT certificate if they meet all security requirements. The certificate itself can be used for marketing purposes as a differentiator from your competitors.
Training of App Developers
We spend a lot of time attacking app vulnerabilities by, for example, leveraging encryption, finding implementation flaws, and searching for sensitive, insecurely stored app data. We are happy to share our knowledge with our customers and partners in app developer training courses about what should not be done when developing apps and which well-known, secure building blocks for security relevant app functions should be used instead.
Fraunhofer SIT seeks scientific staff, partly also for management positions
You will be responsible for planning, leading, executing and representing applied R&D projects, jointly with clients and partners from industry, government agencies and academia.