POSITIVE HACK DAYS



ORGANIZER

Smartphone and Tablet Applications – Approved by Positive Technologies

  • July 26, 2012

    Positive Technologies starts up a service related to critical mobile applications security analysis. Development of the new area is mainly aimed at effective and comprehensive security evaluation of different systems, the client part of which is more and more frequently used in handheld devices.

    Beside security analysis of remote banking systems, Internet payments, mobile communication services management, ERP systems, and information infrastructures, Positive Technologies will provide services related to evaluation of security level and search for vulnerabilities in mobile applications for Apple iOS, Google Android, Windows Phone, and other operating systems, depending on customer's requirements.

    The company experts have succeeded in detecting and fixing critical errors in different mobile applications (browsers, antiviruses, mail and Internet bank clients).

    Comprehensive analysis of all mobile applications

    Mobile application security analysis, offered by Positive Technologies, is a comprehensive research of information security, carried out both on the client and server parts of an application. Such analysis consists of a search for program vulnerabilities in an application and study of its behavior, which allows detecting complicated problems, such as unauthorized transaction possibility.

    Each mobile platform is assigned with a specific set of operations with consideration of the platform's architecture and release mode.

    In the course of server analysis, Positive Technologies uses self-developed methods and tools, including MaxPatrol Vulnerability and Compliance Management System. It employs methodologies of acknowledged international organizations (Web Application Security Consortium (WASC), Open Web Application Security Project (OWASP)) and best practices in application security area.

    To analyze mobile application security, the company experts can use both gray box testing (as an attacker, who possesses a user access to the application) and white box testing (application source code and architecture analysis).

    As a result, a client receives objective and independent evaluation of the application security level, which may be used as a basis for development of measures to increase the application information security level and decrease the corresponding risks. Moreover, in case of white box testing, specialized fixes of detected mistakes, namely patches, can be issued.

    Relevance

    Rapid growth of the mobile market for the last few years has resulted in new services in various business areas. Client-server applications, developed for mobile platforms (iOS, Android, etc.) to perform financial operations, are more and more often released. These applications contain vulnerabilities, exploitation of which by malware users may result in considerable financial and reputational damage of the company owning the system.

    According to experts, an average annual loss of large companies, caused by incidents with mobile applications, exceeded USD 400,000 in 2011.

    Experts' comments

    Boris Simis, Business Development Director at Positive Technologies:

    "Nowadays we use smartphones and tablets for absolutely different purposes, starting with movies watching to bank payments and important corporate data accessing. In fact a mobile device is an office in your pocket and it should be protected not worse than office systems and applications. However, our experience shows that those practices, which have been accumulated in the sphere of security of traditional applications and web systems, are hardly implemented in mobile platforms. Incredible as it may seem, a mobile program may contain mistakes that have already been eliminated in versions meant for desk computers."

    Dmitry Evteev, the Head of Security Assessment Department at Positive Technologies:

    "We analyze security of various remote banking systems regularly. Today this process is impossible without thorough security study of applications of the most popular mobile devices. This is also applicable to telecommunication, industry and many other areas, in which mobile devices serve as terminals for access to important business information more and more frequently."

    Detailed description of the service related to mobile applications security analysis

Back to the list