Mobile App Security

Apps give the impression that they are much more sealed off and thus less vulnerable to attack than browser-based applications. However, this impression is deceptive, as an attacker can use his tools to reveal not just the internal structures and workings of the app but also the communication and points of entry into the server-side application.

The need for vulnerability-free programming is therefore just as urgent as with traditional web applications, yet generally much harder to achieve owing to their greater complexity.


We analyse apps in their entirety. 
We either use individual measures or all the measures listed below, depending on the type of app and protection needs:

Server-side web application
Comprehensive web application security black-box penetration tests are conducted on the server application, as described in this document.
Communication
The communication is decrypted and comprehensively analysed using appropriate tools.
Architecture
If more stringent security requirements are placed on the app, owing to its functionality, sensitivity of data or security requirements, then a platform-specific analysis of the architecture is carried out. The detailed technical specifications (or similar descriptions) are tested to ascertain whether the web application incorporates the producer’s security guidelines, that is to say that the platform’s security features, commensurate with the protection needs, are applied to data and functions.
Selective or comprehensive code analysis

Code analysis is performed if more stringent security requirements are placed on the app and the results of the penetration test or architecture analysis also suggest this. All the points and processes in the code that affect sensitive data and functions are examined, with particular attention being paid to the secure storage of sensitive data on the device.

Comprehensive code analysis is performed in special cases with specific protection needs.

Misuse scenarios and user errors
Typical threats to smartphone applications are examined and the risk to which the respective app is exposed is assessed – either by deliberate actions (e.g. theft) or user errors (e.g. loss).