Recent enhancements to the Frida open-source dynamic instrumentation toolkit greatly ease the process of conducting jailed testing. You no longer have to manually package the Frida Gadget in your target app. As long as the app is debuggable, Frida does that for you. This post will walk you through the process of using Frida on a jailed device.
Many people have heard about mobile man-in-the-middle (MiTM) attacks but aren’t sure exactly what they are or how they happen. Learn more, including the development and security issues that can leave apps vulnerable to MiTM attacks, tips for testing, and the layers of network defense that can help you avoid these issues.
To improve the guest experience and keep pace with competition, hotels worldwide are deploying digital key technology that allows guests to skip the front desk and use their mobile apps to remotely check in and go directly into their rooms without needing key cards. However, hotel mobile apps have vulnerabilities that can be exploited, as researchers demonstrated at the Black Hat USA 2019 conference.
Both static and dynamic security testing are essential components of the mobile app software development life cycle (SDLC). While Static Application Security Testing (SAST) tests snippets of source code, Dynamic Application Security Testing (DAST) fully exercises the compiled mobile binary as a user would. Read more about the misconceptions of DAST for mobile.
Managers can find guidance for mobile app security verification and testing requirements from the OWASP Mobile Security Verification Standard (MASVS). We recommend using MASVS as a starting point for developing a plan of attack and standardizing testing using the Mobile AppSec Model. Learn more about it here.
Mobile app security professionals who connect and engage with the broader mobile appsec community can amplify their efforts and learn from each other. Combined, the NowSecure services team members have pen tested thousands of mobile apps. They share three key best practices for mobile app pen testing that practitioners can adopt to meet their organizations’ needs.