SERVICES

Secure Your Web Apps from Hackers

Web applications are the heart of many organizations' online presence and a prime target for attackers going after your business. Lock down these exposed web apps with a thorough penetration test in which our experts help you identify and resolve security flaws.

Discover bad security practices in your web app

Probe and exploit application vulnerabilities

Analyze flaws in your web app design

Remediate the weaknesses to stay protected

Internal and External Vulnerability Assessments

Also known as security assessment scanning, this type of testing identifies systems and network configurations that could expose the customer to a breach of the network and its critical systems. Systems are scanned for improper configurations; missing security patches; unnecessary services and protocols; and vulnerabilities related to clear-text protocols, coding and/or applications. Recommendations for securing the environment are then provided.

Internal and External Application Testing

This testing determines whether unauthorized access to application data and/or the network can be achieved. The scope of the project can vary greatly, depending on the desired level of assurance. Web applications are probed, and testing identifies vulnerabilities such as coding flaws, buffer overflows, cross-site scripting, SQL injection, broken access control and authentication, improper error handling, insecure storage and insecure configuration management. Recommendations for securing the environment are provided.
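As an added illustration of the SQL injection and broken authentication flaws named above (example code written for this page, not the service's own tooling), here is a login check built by string concatenation beside the parameterised version. It runs against an in-memory SQLite table with two constructed users; the column names, user records and payloads are all assumptions for the demo, and passwords are stored in the clear only to keep the query logic visible.

```python
"""Added example: SQL injection in a login query, vulnerable and fixed forms."""
import sqlite3

# Constructed sample data for the demo (not real credentials). A real
# application stores password hashes; the query structure is the point here.
_USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]


def _db():
    """Build a throwaway in-memory database holding the constructed users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", _USERS)
    return con


def login_vulnerable(con, name, password):
    """Builds the statement by concatenation, so quotes in the input become SQL.

    Returns the matched user name, or None when no row matches."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, name, password):
    """Parameterised statement: values travel separately from the SQL text,
    so nothing in the input can change the statement's structure."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = con.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run legitimate and malicious inputs through both variants."""
    con = _db()
    # Tautology payload: ... AND password = '' OR '1'='1' matches every row.
    tautology = "' OR '1'='1"
    # Comment payload: the trailing -- discards the password clause entirely,
    # so the attacker picks which account to log in as.
    takeover = "bob'--"
    return {
        "legit_vuln": login_vulnerable(con, "alice", "correct-horse"),
        "legit_safe": login_safe(con, "alice", "correct-horse"),
        "tautology_vuln": login_vulnerable(con, "x", tautology),
        "tautology_safe": login_safe(con, "x", tautology),
        "takeover_vuln": login_vulnerable(con, takeover, ""),
        "takeover_safe": login_safe(con, takeover, ""),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Both functions accept the genuine credentials; only the concatenated version also accepts the tautology (returning the first row, alice) and the comment payload (returning bob with no password at all). A tester who sees the first behaviour reports SQL injection; the second is the authentication bypass that usually follows from it.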

Internal and External Mobile Testing

Whether your organisation develops mobile apps or relies on mobile applications and devices to perform critical functions across the workplace, The Cyber Batman can help you identify and address vulnerabilities that could lead to assets and data being compromised.

Inside the Mobile App Attack Surface

  • GPS Spoofing
  • URL Schemes
  • Buffer Overflow
  • GPS Leaking
  • allowBackup Flag
  • allowDebug Flag
  • Integrity/Tampering/Repacking
  • Side Channel Attacks
  • Code Obfuscation
  • JSON-RPC
  • Escalated Privileges
  • Configuration Manipulation
  • Automatic Reference Counting
  • App Signing Key Unprotected
  • Android Rooting/iOS Jailbreak
  • Insecure 3rd Party Libraries
  • Unintended Permissions
  • Clipboard Data
  • User-initiated Code
  • World Writable Files
  • UI Overlay/PIN Stealing
  • World Readable Files
  • Confused Deputy Attack
  • World Writable Executables
  • Escalated Privileges
  • Intent Hijacking
  • Media/File Format Parsers
  • Dynamic Runtime Injection
  • Zip Directory Traversal
  • Data Caching
  • Data Cached in RAM
  • No/Weak Encryption
  • SQLite Database
  • Data Stored in Application Directory
  • Data Stored in SD Card
  • TEE/Secure Enclave Processor
  • Emulator Variance
  • Decryption of Keychain
  • OS Data Caching
  • Side Channel Leak
  • Configuration Manipulation
  • Data Stored in Log Files
  • Passwords & Data Accessible
  • Wi-Fi (No/Weak Encryption)
  • Session Hijacking
  • Improper TLS Validation
  • Cookie “http only” Flag
  • Rogue Access Point
  • DNS Poisoning
  • VPNs
  • Cookie “Secure” Flag
  • Packet Sniffing
  • TLS Downgrade
  • HTTP Proxies
  • Configuration Manipulation
  • Man-in-the-middle
  • Fake TLS Certificate
  • Weak/No Local Authentication
  • Zip Files in Transit
  • App Transport Security
  • Transmitted to Insecure Server
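Several of the Android items above (the allowBackup and allowDebug flags, intent hijacking of exported components, unintended permissions, clear-text transport) can be checked statically from the app manifest before any dynamic testing starts. The following is an added example for this page, not the service's own tooling: it parses a constructed AndroidManifest.xml (package name, component names and authorities are all made up) with the standard library and reports the weak settings. The "exported by default when an intent-filter is present" rule reflects behaviour before Android 12, where the attribute became mandatory.

```python
"""Added example: static audit of an Android manifest for common weak settings."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"


def _a(name):
    """Expand an android: attribute name to ElementTree's namespaced key."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest (assumed package and component names), shaped
# like what apktool produces when decoding a release APK.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.victim">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:allowBackup="true"
               android:debuggable="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="victim"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver" android:exported="true"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.victim.data"
              android:exported="true"
              android:grantUriPermissions="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.victim.SYNC"/>
  </application>
</manifest>
"""

APP_FLAGS = (
    ("allowBackup", "allowBackup=true: app data extractable with adb backup"),
    ("debuggable", "debuggable=true: debugger and run-as usable on this build"),
    ("usesCleartextTraffic", "usesCleartextTraffic=true: plain HTTP permitted"),
)


def audit_manifest(xml_text):
    """Return a sorted list of finding strings for the given manifest XML."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["no <application> element found"]
    findings = []
    for attr, message in APP_FLAGS:
        if app.get(_a(attr)) == "true":
            findings.append(message)
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name = comp.get(_a("name"))
        exported = comp.get(_a("exported"))
        has_filter = comp.find("intent-filter") is not None
        is_launcher = any(cat.get(_a("name")) == LAUNCHER
                          for cat in comp.iter("category"))
        # Implicitly exported: an intent-filter with no explicit exported="false".
        if exported == "true" or (exported is None and has_filter):
            # The launcher activity must be exported; everything else reachable
            # by any app on the device needs a permission guarding it.
            if not is_launcher and comp.get(_a("permission")) is None:
                findings.append("%s %s exported without a permission"
                                % (comp.tag, name))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

On the sample manifest the audit reports the three application-level flags plus the implicitly exported deep-link activity, the exported receiver and the exported content provider; the service is left alone because it is guarded by a permission, and the launcher activity is skipped as expected behaviour. Each exported, unguarded component is then a candidate for the intent-hijacking and confused-deputy checks in the list above.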


OWASP Mobile Top 10 – Areas of Common Failure

M1 – Improper Platform Usage: misuse of platform features such as Touch ID, permissions and the keychain. 4% fail
M2 – Insecure Data Storage: data leakage, client-side injection, weak server-side controls. 50% fail
M3 – Insecure Communication: poor handshake, SSL/TLS and certificate issues, transfer in clear text. 48% fail
M4 – Insecure Authentication: improper identity management, weak session management. 5% fail
M5 – Insufficient Cryptography: lack of crypto, improper crypto use. 8% fail
M6 – Insecure Authorization: improper local authentication, forced browsing. 2% fail
M7 – Client Code Quality: code mistakes such as buffer overflows and format string vulnerabilities. 32% fail
M8 – Code Tampering: binary patching, method hooking/swizzling, memory modification. 11% fail
M9 – Reverse Engineering: exposure to attacker reversing tools. 32% fail
M10 – Extraneous Functionality: dev/QA inadvertently disabling security, hidden backdoors. 47% fail