Intrepidus Group
Assessment Services

Mobile Application Penetration Testing

Many companies are realizing the need for mobile device-based applications. These are frequently built to replicate the functionality of existing web applications. However, the attack vectors and risks are different. Intrepidus Group has gained a deep understanding of mobile architectures and application development, having assessed numerous mobile applications, assisted organizations with the secure architecture and development of the same, and reviewed device-level security controls while working with OEMs and telecommunications providers. Intrepidus Group has expertise and experience with the following popular smartphone platforms:

  • Apple's iOS (iPhone/iPad)
  • Google's Android
  • Palm's webOS
  • RIM BlackBerry
  • Windows Mobile
  • BREW
  • Java (J2ME/Java ME)

Mobile Application Source Code Review

Intrepidus Group employs its encompassing knowledge of mobile platforms to perform a manual code review of even the most sensitive functionality in an application. From low-level static analysis, to high-level policy and best practice comparisons, and everything in between, Intrepidus Group is able to provide a deep, thorough evaluation of your mobile application's security posture. Intrepidus Group has extensive experience reviewing code for the iOS platform (Objective-C and C) and the Android OS (Dalvik).

Mobile Application Threat Modeling

Threat modeling is an important part of a secure Software Development Life Cycle (SDLC). Threat modeling allows us to take a holistic view of a mobile application and its security risks. Intrepidus Group draws on its deep experience and knowledge of mobile platforms and how developers write applications for mobile platforms to model applications as an attacker will see them. The threat modeling process involves several key steps, the first of which is gaining an extensive understanding of the application. After gaining a firm understanding of the application and exploring its attack surface, Intrepidus Group will identify flaws and potential bugs in the key areas where an attacker could inflict the most damage. After the threat modeling process, Intrepidus Group creates a detailed report, which the development team can integrate into the SDLC and update throughout the application's lifetime.

Smartphone Device Testing

In today's market, carriers must maintain a handset release schedule that is much more aggressive than ever before. Subscribers want new devices and they want them yesterday. These aggressive timelines can breed bugs. It is not uncommon for high-risk vulnerabilities to be introduced during the development of new handsets. Because of this, Intrepidus has designed quick-turnaround mobile device assessments. This service focuses on the following:

  • Designed to be sensitive to aggressive go-to-market timelines (quick turnaround)
  • Uncover high-risk vulnerabilities
  • Identify previously reported vulnerabilities reintroduced into the new handsets

Telecommunications Product Review

The back-end components that enable your customers to send SMS and browse the Internet over your 3G and 4G networks are complex and expose large attack surfaces. Multiple network interfaces, closed-source services exposed to public networks, and a fast-paced business climate are forcing vendors to get products shipped and plugged into your network quickly. This creates a risk management nightmare.

Intrepidus Group can help you address these risks by performing comprehensive security assessments of the systems and infrastructure powering your back-end networks. A threat modeling exercise, followed by configuration reviews and dynamic testing of all network and application interfaces, will allow your organization to understand the various attack vectors and the products' resilience to each of them. Such an assessment also entails protocol analysis, fuzz testing, and back-door identification that will uncover "undocumented features" and bugs that equipment manufacturers don't want you to know about.

Network & Application Penetration Testing

Intrepidus Group can help you understand the risks faced by your networks and applications by performing hands-on penetration tests or vulnerability assessments. Our consultants identify practical, exploitable vulnerabilities, demonstrate their business impact, classify them based on risk, and provide detailed and understandable technology-specific remediation advice.

Over the years, our proven methodology has consistently evolved to encompass the latest threats and includes:

  • Network Range Discovery
  • Host and Service Discovery
  • Vulnerability Identification
  • Manual Testing and Verification
  • Unauthenticated Web Vulnerability Testing
  • Authenticated Web Application Testing

The purpose of this testing is to identify vulnerabilities in an organization's network and systems, demonstrate their impact on business, classify them based on business impact, provide detailed technology-specific remediation advice, and test the effectiveness of incident detection mechanisms.

Social Engineering

Attackers are increasingly using social engineering ploys to "break in" to organizations and gain unauthorized access to proprietary information. Intrepidus Group can help you mitigate the risk due to this threat by conducting social engineering exercises that emulate the real threat. Additionally, we provide you with a summary of the susceptibility of your employee base as well as a detailed account of the exercise, all of which helps strengthen your user awareness programs. Such engagements entail:

  • Email-based phishing exercises
  • Attempts to gain unauthorized physical access
  • Telephonic impersonation to glean sensitive information

Intrepidus Group’s consultants begin by designing attack scenarios applicable to your organization. After a scenario is approved, we emulate the attack while assessing the ability of your employees to identify and avoid potential lapses in security through unintentional communication of sensitive data. In doing so, we effectively uncover the likelihood of inadvertent disclosure of confidential information and help avoid system access from an external attacker in the future.

Source Code Review

A security review of source code is aimed at identifying both design flaws and implementation bugs that may render your application susceptible to compromise.

Our consultants are capable of reviewing the security of applications written in C, C++, Java, .NET, Ruby, and PHP.
