
Mobile Security

Do not let the vulnerabilities of your apps threaten the security of your users: rely on us to protect them.

Mobile Security Service
private void invokePlugins() {
  // Walk every installed package and treat matching ones as plugins
  for (PackageInfo info : getPackageManager()
                          .getInstalledPackages(0)) {
    String packageName = info.packageName;
    Bundle meta = info.applicationInfo.metaData;
    if (packageName.startsWith("example.plugin.") &&
        meta.getInt("version", -1) >= 10) {
      try {
        // Flags 3 == CONTEXT_INCLUDE_CODE | CONTEXT_IGNORE_SECURITY
        createPackageContext(packageName, 3)
          .getClassLoader()
          .loadClass("example.plugin.Loader")
          .getMethod("loadMetadata", Context.class)
          .invoke(null, this);
      } catch (Exception e) {
        throw new RuntimeException(e);
      }
      // ...
    }
  }
}

We detect and report the vulnerabilities in your app

Our Mobile Security service helps identify the vulnerabilities in your mobile application (Android and iOS). We replicate different attack scenarios to locate the weaknesses in your app and, if applicable, in the queried APIs.

We bypass your protections
We identify and bypass any security mechanisms in your application (e.g. SSL pinning, anti-rooting, anti-tampering, anti-debugging).
Static analysis
We trace back to the source code of your application to analyze it comprehensively and find as many vulnerabilities as possible.
Dynamic analysis
We analyze the interactions between your application and any external services to detect any issues related to data usage.
Data protection
We check how your application handles the data it processes to help you secure it against malicious apps.

We follow the main industry standards

The Mobile Security service is delivered by our team of cybersecurity experts, strictly in compliance with the main industry standards and guidelines, including:

OSSTMM (Open Source Security Testing Methodology Manual)
NIST Cybersecurity Framework
OWASP MASVS (Mobile Application Security Verification Standard)
OWASP MASTG (Mobile Application Security Testing Guide)
OWASP Mobile Top 10
OWASP MASVS and MASTG standards for Mobile Security
Data protection
We pay close attention to data security in terms of confidentiality, integrity and availability.
Calculation of the impacts
The impact of each uncovered vulnerability is calculated based on the CVSSv3.1 standard.
Collaborative testing platform

We perform our tests in a collaborative way

All the ethical hackers involved in a project share their results in real time on our exclusive, controlled-access online platform. An easy solution that grants many benefits.

Maximum coverage
The cooperation among our ethical hackers maximizes the test coverage to prevent spending time on what has already been tested.
Quality, always
Project leaders can check at any time that the testing process meets the quality standards set by Unlock Security.
99% testing, 1% reporting
Automating report generation allows our testers to make full use of the time at their disposal for testing.

What we secure

Android apps
Native applications built with Java or Kotlin
iOS apps
Native applications built with Objective-C or Swift
Hybrid apps
Apps built with frameworks such as React Native or Flutter
HTML apps
Mobile apps built with web technologies

Our offer

Here is everything we offer with the Mobile Security service.

Qualified and certified ethical hackers for vulnerability research

Professional Penetration Tester
A certification in ethical hacking and penetration testing covering attack techniques against networks, operating systems and applications.
Mobile Application Penetration Tester
A certification awarded to cybersecurity experts who demonstrate advanced knowledge of mobile application security.
Web Application Penetration Tester
A certification that assesses the skills of IT security professionals in web application penetration testing.
Continuous training
Unlock Security continuously invests in staff training to keep its people up to date on the main cybersecurity topics.

We pay extreme attention to detail for a complete and effective report

Executive report
A summary of the results that gives high-level details of the vulnerabilities, with the aim of providing an overview of the target's security posture.
Patching suggestions
Suggestions for developers on the remedies that can be applied to resolve the reported issue.
Technical detail
Details of the vulnerabilities identified and their impact on the target system. It allows developers to understand the issue and its impact.
Multilingual report
The entire report can be produced in both Italian and English.

We support developers through the different phases of vulnerability patching

1. Presentation
We arrange a meeting to present the security report and go through every part of it in detail.
2. Validation
We assess and validate the plan proposed by the developers to avoid errors in the patching phase and optimize resolution times.
3. Implementation
The developers implement the strategy agreed during validation and apply the patches.
4. Verification
We replicate the attacks to verify that the patching plan has been implemented correctly.

We offer you a security service that respects the needs of your business

Source code analysis
The standard security analyses can be complemented with a more in-depth analysis based on the source code.
Real-time access to results
We have designed an ad hoc solution to provide real-time access to the results obtained during the security tests.
Continuous activities
We offer the option of running security tests on a continuous basis, ensuring security that lasts over time.
Special requests?
We are fully available to consider any new proposals for tailoring the service to meet your needs.

FAQ

In this section, we answer some of the most frequently asked questions.

The main risks that we can identify are related to mobile app vulnerabilities. These vulnerabilities can be exploited by cybercriminals and malicious apps to cause damage, such as:

  • Stealing sensitive information such as users' passwords and personal data.
  • Analyzing the app source code to leak any confidential information.
  • Infecting the app with malware to steal data or compromise the security of its users.

Our Mobile Security service helps you protect your mobile apps from these risks by detecting and fixing the vulnerabilities before they can be exploited by cybercriminals. This way, you prevent your app from being attacked and avoid any security risks for your users.

For your app to undergo our Mobile Security service, you should make sure that:

  • You can provide us with the APK file (for Android) or IPA file (for iOS) to install the app on our devices.
  • If the app uses any APIs, they must be accessible via the Internet or through a private network.
  • You can provide credentials to analyze the functionalities that require login, if applicable.

In terms of mobile application security, our service offers several advantages compared to automated scanning. In particular, our Mobile Security service simulates a cyberattack to identify any weaknesses and vulnerabilities.

Besides, our service provides a more accurate security assessment compared to any automated scan, since it is based on the simulation of real cyberattacks, similar to those that would be carried out by real hackers. Moreover, our service offers an evaluation of the consequences and the impacts of cyberattacks on your business, helping you define your priorities and the security measures that you should adopt.

Finally, our Mobile Security service can be customized based on the specific needs of your business, providing a more accurate and precise assessment of its security situation.

The OWASP Mobile Application Security Verification Standard (MASVS) is a standard for the assessment of mobile app security developed by the Open Web Application Security Project (OWASP) and used by Unlock Security as a guideline. The MASVS provides a set of security requirements for mobile applications and defines the criteria that the apps should meet in order to be considered secure.

The MASVS was created to help mobile app developers guarantee the security of their applications and protect the sensitive data of their users. The MASVS is based on the OWASP Mobile Security Testing Guide (MSTG), which provides detailed guidance on security testing for mobile applications.

The MASVS is divided into 2 levels: level 1, defining generic security requirements for mobile applications, and level 2, which defines advanced security requirements for the mobile applications that handle sensitive data, or are exposed to a higher level of risk.

The MASVS is also a very useful tool for mobile app developers who want to ensure the security of their applications and protect the sensitive data of their users. However, it is important to bear in mind that the security of mobile apps also depends on the way in which they are used, and on the security measures adopted by their final users.

The OWASP Mobile Application Security Testing Guide (MASTG) is a detailed guide to mobile app security testing developed by the Open Web Application Security Project (OWASP). The MASTG provides a set of techniques and methodologies for mobile app security testing along with a list of common vulnerabilities and instructions on how to detect and fix them.

Referring to the OWASP MASTG for mobile security testing is important because:

  1. It provides a comprehensive set of techniques and methodologies for mobile app security testing. The MASTG offers detailed guidance on mobile app security testing, including all the necessary techniques and methodologies to verify the app security.

  2. It defines the security standards for mobile applications. The MASTG also includes a list of common vulnerabilities and defines the security standards that mobile applications should meet to be considered secure.

  3. It helps identify and fix the vulnerabilities. The MASTG provides a detailed description of how to detect and fix the vulnerabilities present in mobile applications, which helps developers guarantee the security of their applications.

In summary, referring to the OWASP MASTG for mobile security testing is important because it provides a comprehensive set of techniques and methodologies for mobile app security testing, it defines the security standards for mobile applications and helps identify and fix the vulnerabilities present in the applications.

If you need support to fix any security vulnerabilities, you can fully rely on Unlock Security for several reasons:

  1. Expertise and competence. Unlock Security is a company with solid experience in the cybersecurity field and its team is made of highly-qualified experts that are able to give all the necessary support to fix security vulnerabilities.

  2. Advanced methodologies and tools. Unlock Security relies on advanced methodologies and tools to detect and fix security vulnerabilities, ensuring the maximum efficiency and accuracy in the analysis and remediation of any issues.

  3. Custom solutions. Unlock Security provides custom solutions to meet the needs of each client effectively and ensure the best possible protection.

  4. Ongoing support. Unlock Security offers ongoing support to its clients, ensuring prompt feedback and effective assistance in case of issues or questions.

The OWASP Mobile Top 10 is a list of common vulnerabilities that can be found in the applications for mobile devices. Checking this list during a mobile penetration test can help ensure that the apps were tested for the most common and threatening vulnerabilities, which results in protecting the apps and their users' data.

Furthermore, the OWASP Mobile Top 10 is broadly acknowledged as a reference standard for the security of the applications for mobile devices. So, following it ensures that the apps are secure for their users and that they comply with the industry security requirements.