Overview:
Client is a leading technology services provider that offers scalable IT and computing solutions. Client operates with a mission of providing world-class IT infrastructure and powerful networking solutions, delivering superior customer experiences and innovative solutions.
Client Requirement:
Client needed someone to analyze the security emails they were receiving about vulnerabilities in one of their mobile applications. The Android application they had developed had not been updated since it was built. Client wanted experts to take a thorough look at the code, test it for vulnerabilities and perform penetration testing, so as to ensure that the application could be secured and used without any potential threat. Client was looking for a VAPT service provider in India to examine the Android application and offer expert advice and solutions.
How did ECS provide a solution?
- It was necessary to analyze the application and identify the vulnerabilities and risks involved.
- A code vulnerability assessment was performed; after thoroughly understanding the loopholes and errors, ECS was able to draw up a plan to minimize the flaws that could lead to major cyberattacks.
- The current security settings were not sufficient, and additional safeguards needed to be put in place.
- A detailed remediation plan, based on the existing flaws and any malicious code detected, was prepared.
ECS performed two types of analysis:
1. Static Analysis:
We decompiled the entire codebase and reviewed the code manually. We also used tools such as MobSF and jadx-gui to detect flaws in the code.
2. Dynamic Analysis:
- We used tools such as Burp Suite to find vulnerabilities.
- ECS created a custom checklist based on the OWASP Top 10 vulnerabilities and followed it throughout the testing.
- We were able to cover all the security loopholes.
- Documentation and daily reporting enabled the client to patch all vulnerabilities and monitor how the VAPT (Vulnerability Assessment and Penetration Testing) was carried out.
Results:
After a thorough analysis, ECS performed VAPT (Vulnerability Assessment and Penetration Testing) for the customer's Android mobile application. Penetration testing allowed the identification of several vulnerabilities.
- We discovered very critical security weaknesses in the mobile application.
- ECS helped tighten the mobile app's protection level.
- Our team also prepared a customized plan for regular testing and updates of the app.
Following are the vulnerabilities found by ECS after dynamic analysis:
- OTP bypass
- IDOR (Insecure Direct Object Reference)
- Hard-coded Google API keys
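Hard-coded Google API keys are the one finding above that static analysis of a decompiled APK can catch mechanically. The scanner below is an added illustration, not ECS's tooling or the client's code: it walks a decompiled source tree (the `sources/` and `res/` layout assumed here is the one jadx produces) and reports every string of the shape Google API keys take, so the keys can be removed from the app, rotated, and re-issued with application restrictions. The key in the sample tree is constructed to have the right shape and is not a real credential.

```python
import re
import tempfile
from pathlib import Path

# Google API keys are 39 characters long: the literal prefix "AIza" followed by
# 35 characters from [0-9A-Za-z_-]. The lookarounds stop a longer identifier that
# happens to contain "AIza" from producing a partial match.
GOOGLE_API_KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_\-])AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])"
)

# File types that typically hold string constants after decompilation.
SCAN_SUFFIXES = {".java", ".kt", ".smali", ".xml", ".json", ".properties"}


def redact(key):
    """Keep enough of the key to identify it in a report without reprinting it whole."""
    return key[:8] + "..." + key[-4:]


def scan_text(text, path="<memory>"):
    """Return one finding per key occurrence in `text`, with file path and line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            findings.append({"path": str(path), "line": lineno, "key": redact(match.group(0))})
    return findings


def scan_tree(root):
    """Walk a decompiled source tree and scan every file whose suffix is in SCAN_SUFFIXES."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in SCAN_SUFFIXES:
            text = p.read_text(encoding="utf-8", errors="ignore")
            findings.extend(scan_text(text, p.relative_to(root).as_posix()))
    return findings


# Constructed sample (assumed jadx-style layout): a fake key of the right shape,
# not a real credential, embedded the way hard-coded keys usually show up.
FAKE_KEY = "AIzaSyEXAMPLE_NOT_A_REAL_KEY_0123456789"

SAMPLE_FILES = {
    "res/values/strings.xml": (
        "<resources>\n"
        f'    <string name="maps_key">{FAKE_KEY}</string>\n'
        "</resources>\n"
    ),
    "sources/com/example/app/Config.java": (
        "package com.example.app;\n"
        "public final class Config {\n"
        f'    static final String PLACES_KEY = "{FAKE_KEY}";\n'
        '    static final String NOT_A_KEY = "AIzaShort";  // wrong length, must not match\n'
        "}\n"
    ),
    "assets/logo.png": "binary-ish content, not scanned\n",
}


def demo():
    """Write the constructed tree to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}:{f['line']}: hard-coded Google API key {f['key']}")
```

Run it against the output directory of `jadx -d <outdir> app.apk` by calling `scan_tree("<outdir>")`. A hit is only the first step: a key shipped inside an APK has to be treated as public, so the remediation is to rotate it, restrict the replacement to the app's package name and signing-certificate fingerprint in the Google Cloud console, and move any privileged API calls behind the client's own backend.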
The customer was satisfied with the approach ECS took to securing the application and expressed their intention to continue collaborating with ECS as a trusted provider of vulnerability assessment and penetration testing (VAPT) services. ECS is one of the leading firms offering VAPT in India.
Conclusion:
ECS not only helped secure the mobile application, but also helped the customer by preparing a detailed security plan that includes regular audits to be conducted. The retest phase included patching the app with the appropriate updates and then rechecking its functionality. Day-to-day reports and a final report with all the findings and the implemented solutions were submitted. Client was able to use the Android application without fear of a vulnerability that could put their entire data at risk. We successfully made sure that the code was threat-free.