Red Team Mobile Application Example Draft


 │ 1-877-973-3336  │ proservices@BlackBerry.

com
 │https://www.BlackBerry.com/us/en/services/BlackBerry-cybersecurity-consulting#top

Proprietary and Confidential 0 | Page


Table of Contents
Contacts
Executive Summary
  Introduction
  Results
  Recommendations
Risk Summary
  OWASP Top 10 Categories
Application Details
Attack Narrative
Detailed Findings
Mobile Vulnerability Assessment
  High-Risk Findings
    MOB-1 WebView Debugging Enabled
    MOB-2 Application Uses GPL Code
    MOB-3 Application Allows Insecure Communication
    MOB-4 Insecure Android Configuration
    MOB-5 Sensitive Information in Server Response
    MOB-6 Application Logout Does Not Invalidate Session Token
  Medium-Risk Findings
    MOB-7 Lack of Hardening
    MOB-8 Outdated JavaScript Libraries
  Low-Risk Findings
    MOB-9 Application Source Code Includes Sensitive Information
    MOB-10 Application Lacks Software Update
  Informational Findings
    MOB-11 Application Is Outdated
Appendix A: Web Application Testing Methodology
Appendix B: OWASP References



Contacts
If you have further questions about how to remediate these vulnerabilities, please set up a
meeting with the Engagement Manager and Sales Director for this assessment, indicated
below. BlackBerry Consulting will be able to answer any of your technical questions. If
there are any general questions about the project, please contact your business's security
leaders.
BlackBerry Contacts
Name           | Project Role         | Phone        | Email
Sue James      | Engagement Manager   | 555.555.1234 | [email protected]
Joe Smith      | Technical Consultant | 555.555.5678 | [email protected]
Daniel Lambert | Practice Director    | 555.555.9012 | [email protected]

Client Company Contacts
Name            | Project Role | Phone     | Email
Client Customer | CIO          | WorkPhone | [email protected]

Confidentiality
BlackBerry treats the contents of a security assessment as confidential company material
and will not disclose the contents of this document to anyone without written permission.

Copyright © 2020 by BlackBerry, Ltd.



Executive Summary
Introduction
Client Company Bank (“Client Company”) retained BlackBerry Consulting to perform a
web and mobile penetration test of its IBank mobile application. IBank is a hybrid mobile
application used by Client Company customers to access account-related features such as
bill payments and statements. BlackBerry Consulting performed all testing against a
non-production version of the IBank server. All testing activity took place from February
10, 2020, to February 21, 2020. BlackBerry Consulting designed the engagement to
provide Client Company with an unbiased assessment of the security posture of IBank
Mobile.
This report details the vulnerabilities identified during the security assessment and
includes industry best practices and recommendations for remediating them. The results
are intended to help Client Company mitigate the potential security risk posed by the
issues described herein. The recommendations provided represent BlackBerry Consulting's
understanding of the security posture of the application.
Ultimately, remediation is Client Company's responsibility. Any final decisions on how to
handle these security issues should be verified and approved by Client Company's
information security team. This report contains confidential information. Access to this
information by unauthorized personnel may allow them to compromise Client Company or
users of IBank Mobile.

Results
BlackBerry Consulting utilized a hybrid methodology that combines an objective-based and
a systematic approach based on leading industry standards. This test approach is designed
to identify the real-world risk posed to Client Company and to users of the IBank
application.

Figure 1: Network Test Process

BlackBerry identified six high-severity vulnerabilities in the IBank mobile application. These
vulnerabilities may present risk to users of the application. Specifically, the lack of secure
communication configuration, the debugging-related settings, and the lack of application
hardening could allow attackers to intercept, modify, and access any information
exchanged by a user of the IBank application.

Recommendations
Client Company can reduce the current risk profile and attack surface of IBank Mobile.
The following outline lists the immediate tactical recommendations that should be
completed to improve the security posture of IBank Mobile:

• Disable WebView debugging for the Android application.

• Implement strong TLS-related controls such as App Transport Security (iOS), a network
security configuration (Android), and certificate pinning (Android).

• Implement hardening controls such as jailbreak and root detection, anti-debug checks, and
tamper protection.



Risk Summary
Severity is a metric for classifying the level of risk which a security vulnerability poses. The
severity level of each vulnerability is assigned based on the security risk posed to an
organization should the vulnerability be exploited, as well as the degree of difficulty
involved in exploiting it.

CRITICAL: Issues that pose an immediate risk of compromise and material impact on
business operations or data.
HIGH: Issues that have been proven to be exploitable and have a significant impact on
business operations or data.
MODERATE: Issues that are likely exploitable in some regard but do not pose a significant
risk to business functions or data in isolation.
LOW: Issues that expose unnecessary operational detail that could aid an attacker but have
little to negligible direct impact on their own.

Figure 2: Risk Rating Definitions

Each finding, whether strategic or tactical, is evaluated on an individual basis and accounts
for all perceived conditions such as defenses, ease of remediation, ease of access,
reproducibility, and more. The reasons for each rating are described in each finding block.
BlackBerry Consulting also evaluates each rating during the peer review process prior to
releasing the report to ensure accurate reporting and to reduce individual bias.

The summary of the number of issues identified by risk category is provided here.

Risk Summary
Critical: 0 | High: 6 | Moderate: 2 | Low: 2 | Informational: 1

Figure 3: Risk Summary



#      | Finding Name                                              | Risk Rating | Status
MOB-1  | WebView Debugging Enabled                                 | High        | Open
MOB-2  | Application Uses GPL Code                                 | High        | Open
MOB-3  | Application Allows Insecure Communication                 | High        | Open
MOB-4  | Insecure Android Configuration                            | High        | Open
MOB-5  | Sensitive Information in Server Response                  | High        | Open
MOB-6  | Application Logout Does Not Invalidate Session Token      | High        | Open
MOB-7  | Lack of Hardening                                         | Moderate    | Open
MOB-8  | Outdated JavaScript Libraries                             | Moderate    | Open
MOB-9  | Application Source Code Includes Sensitive Information    | Low         | Open
MOB-10 | Application Lacks Software Update                         | Low         | Open
MOB-11 | Application Is Outdated                                   | Info        | Open
Table 1: Table of Findings



OWASP Top 10 Categories
The OWASP Mobile Top 10 represents a broad consensus regarding the most critical mobile
application security risks. The following table maps the observed issues to each OWASP
Mobile Top 10 (2016) category.

#        | OWASP Mobile Risk         | Result | Findings
M1:2016  | Improper Platform Usage   | Fail   | MOB-1, MOB-4, MOB-7
M2:2016  | Insecure Data Storage     | Pass   |
M3:2016  | Insecure Communications   | Fail   | MOB-1, MOB-3
M4:2016  | Insecure Authentication   | Pass   |
M5:2016  | Insufficient Cryptography | Pass   |
M6:2016  | Insecure Authorization    | Pass   |
M7:2016  | Client Code Quality       | Fail   | MOB-8, MOB-9, MOB-10, MOB-11
M8:2016  | Code Tampering            | Fail   | MOB-5
M9:2016  | Reverse Engineering       | Fail   | MOB-5
M10:2016 | Extraneous Functionality  | Fail   | MOB-1, MOB-9, MOB-10
Table 2: Findings Mapped to OWASP Mobile Top 10 (2016)



Application Details
Client Company provided the following assets for the scope of the assessment.

Tested Applications
Application Name | Description                                         | SHA-256 Hash
Test.apk         | Android application configured for test environment | 7CFD8A30D78FB2FF73180D35331E1D024D7518E72D5D82D894FBBF715425B8A0
IPAtest.ipa      | iOS application configured for test environment     | B583E654CDC6804944E5F4AED9EB7CB681FE9D93F3329CF84C00B53A2C90473B
Table 3: Table of Tested Applications

BlackBerry also validated that the findings presented in this document were present in the
versions of the application available in the Apple and Android application stores,
respectively.

Description
IBank Mobile is a mobile iOS and Android application which is publicly available. It is a
commercial product customized for Client Company. It presents the same functionality that
is present via the IBank HTML5 web interface. The application contains bundled JavaScript
code that utilizes the ReactJS and AngularJS libraries to implement its functionality.

Scope
Client Company defined the scope for application assessment. The following URLs were
considered in-scope for the assessment:

URL             | Description                   | Notes
http://10.0.1.1/* | Mobile IBank Test Environment | Access through VPN only
Table 4: Application Scope

The following accounts were used during the assessment.

# | Test Account | Description
1 | test01       | Application User
2 | test02       | Application User
Table 5: Table of Accounts

Testing Limitations
Static analysis was performed on the publicly released builds; all dynamic testing was
limited to the test environment. No tests were performed against the production version
of the IBank server.



Attack Narrative
BlackBerry began the engagement by obtaining the Client Company IBank applications
from the Android and Apple App Stores. BlackBerry used the open-source tool
frida-ios-dump [1] to extract the decrypted iOS application binary. BlackBerry obtained the
Android application binaries using APKPure [2].

BlackBerry noted that both packages contained two files, 'index.html' and 'main.js', which
implemented the main functionality of the applications.

Figure 4: HTML and JavaScript in iOS bundle

Figure 5: HTML and JavaScript Bundles, Android

Based on this analysis, BlackBerry determined that both applications were implemented
using an HTML5 framework. BlackBerry performed static analysis of both applications
using the Mobile Security Framework (MobSF) [3] and identified several potential security
issues, including WebView debugging (see MOB-1 WebView Debugging Enabled) as well as
insecure Android and iOS configuration settings.
BlackBerry then obtained specialized versions of both applications from Client Company,
which were configured to access a non-production API endpoint. These versions were
used for all dynamic testing during the test window.
BlackBerry connected to a VPN provided by Client Company to allow the applications to
access the internal host, 10.0.1.1.
BlackBerry configured the test devices to access the remote service through an intercepting
proxy, Burp Suite Pro [4]. This tool allowed BlackBerry to observe the communications
between the application and the remote endpoint.

[1] https://github.com/AloneMonkey/frida-ios-dump
[2] https://apkpure.com/
[3] https://github.com/MobSF/Mobile-Security-Framework-MobSF
[4] https://www.portswigger.io



Figure 6: Monitoring traffic with Burp

At this point, BlackBerry noted that the Android application was unable to communicate
with the test server. After several attempts to determine the cause, BlackBerry found that
the Android version on the test device (Android 9 and later block cleartext traffic by
default) did not allow the application to use cleartext HTTP without an explicit network
security configuration. BlackBerry repackaged the application with a modified network
security configuration and was able to resume testing.

BlackBerry continued the engagement by reviewing the static and dynamic analysis results
from MobSF, manually reviewing the JavaScript source code bundled in the application
and observing the HTTP and HTTPS traffic between the application and the remote server.
All findings in this document were initially observed when using the test environment
configurations but were verified to be present in the released versions unless otherwise
noted.



Detailed Findings
The following section of this report explains, in detail, the weaknesses and the techniques
that BlackBerry Consulting used to identify, validate, and, where possible, exploit the
vulnerabilities. Studying the weaknesses provides Client Company with a better
understanding of the underlying security fundamentals and principles that require
improvement. These fundamentals and principles can be applied to areas of weakness
throughout the organization to improve security posture.



Mobile Vulnerability Assessment

High-Risk Findings

MOB-1 WebView Debugging Enabled


Risk Category HIGH

Vulnerability Summary
The IBank Android application consists of a customized WebView that loads local
JavaScript and HTML files. This WebView provides the core functionality of the IBank
application.
WebView debugging is a setting that exposes the WebView's Chrome DevTools interface so
that a connected host can inspect and script the application's web content. An attacker
able to reach that interface (typically through USB debugging access to the device, or from
code already running on the device) can read the DOM, local storage, and JavaScript state
of the banking session and drive the application as the user.

Issue Details
# Status Affected Endpoint Issue Detail
1.1 Open Android Application WebView Debugging was enabled.

Recreation Steps
This finding was identified using the Mobile Security Framework (MobSF) [5] testing suite.
Upon observing the report, BlackBerry connected a test device over adb and used Chrome's
chrome://inspect page to attach to the application's WebView and inspect its internal state.
Figure 7: WebView Debug Enabled

[5] https://github.com/MobSF/Mobile-Security-Framework-MobSF



Figure 8: WebView Debugging with Google Chrome

Recommendation
Call WebView.setWebContentsDebuggingEnabled(false), or omit the call entirely, in
production builds. If debugging is needed during development, guard the call with
BuildConfig.DEBUG so that release builds can never enable it.
BlackBerry noted that the debug setting was enabled for both production builds and test
environment builds.



MOB-2 Application Uses GPL Code
Risk Category HIGH

Vulnerability Summary
The GNU General Public License (GPL) is an open-source license used by many
developers of free software. The license requires that any application which links with
GPL-licensed components must also be distributed under the terms of the GPL.
Proprietary applications such as IBank cannot incorporate GPL software unless the
proprietary application is itself licensed under the GPL.

Issue Details
# Status Affected Endpoint Issue Detail
2.1 | Open | Android Application | The Android application uses the GPL-licensed 'Mixare' [6] engine.
2.2 | Open | iOS Application     | The iOS application uses the GPL-licensed 'Mixare' engine.

Recreation Steps
The GPL license was identified by reviewing the strings in the Android and iOS application
binaries. The full text of the GNU General Public License was present in the application
binaries.
The license notice for the Mixare component is shown below:

Figure 9: Mixare GPL License

Recommendation
Remove the Mixare component, or replace it with one whose license permits proprietary
distribution, to mitigate the legal liability arising from the violation of Mixare's GPL license.

[6] http://www.mixare.org/



MOB-3 Application allows Insecure Communication
Risk Category HIGH

Vulnerability Summary
Mobile applications should use encrypted communications protocols such as HTTPS for all
outgoing connections to remote services.

BlackBerry observed that the application was allowed to communicate with any outside
service over HTTP and HTTPS. BlackBerry did not observe any additional controls which
protect the application from traffic interception based attacks.

Issue Details
# Status Affected Endpoint Issue Detail
3.1 | Open | iOS Application     | Missing App Transport Security (ATS) configuration.
3.2 | Open | Android Application | Missing network security configuration.

Recreation Steps
For Android applications:
1. Unpack the application using 'apktool d Application.apk'.
2. Review AndroidManifest.xml for an android:networkSecurityConfig attribute and, if one is
   referenced, the res/xml/network_security_config.xml file.
3. Observe that no configuration prevents cleartext (HTTP) communications.

Figure 10: No Network Security Configuration - Android

For iOS applications:


1. Unpack the application by extracting the '.ipa' file using an unzip utility.
2. Review the 'Info.plist' file.
3. Note the weak ATS configuration, including the insecure "NSAllowsArbitraryLoads" flag.

Figure 11: NSAllowsArbitraryLoads Enabled

Note: BlackBerry validated that this finding was present in both the production and test
versions of the iOS and Android applications. These settings may be disabled for test
builds that are not distributed to the public.



Recommendation
Mobile banking applications require a high level of security and should not be allowed to
use insecure communication protocols.

Android
Android applications should ship a network security configuration file and use certificate
pinning. The configuration is referenced from the manifest:

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application
        android:networkSecurityConfig="@xml/network_security_config"
        ... >
        ...
    </application>
</manifest>
Figure 12: Manifest reference to a network security configuration

The network_security_config.xml should restrict connections to the hosts the application is
required to reach and disable all cleartext traffic, as described in the Android Network
Security Configuration guide. Android 9 (API level 28) and later disable cleartext traffic by
default, but the application supports older versions (see MOB-11), so the restriction must be
made explicit. Certificate pinning for the IBank API hosts further reduces the exposure of
the Android application to interception.

iOS Applications
iOS applications should rely on Apple's App Transport Security (ATS) to block insecure
communications. BlackBerry recommends removing the NSAllowsArbitraryLoads exception,
enabling the NSRequiresCertificateTransparency setting for the IBank API domains, and
restricting the domains to which the application is allowed to communicate via
NSExceptionDomains.
Apple requires a justification during App Store review for applications that enable
NSAllowsArbitraryLoads, so this change should be made before Client Company releases a
new version of the IBank application on iOS.


MOB-4 Insecure Android Configuration
Risk Category HIGH

Vulnerability Summary
Android applications contain several settings that relate to the security posture of the
application. BlackBerry identified four weak or missing security-related Android
configuration settings in the AndroidManifest.xml file that pose potential risk to users of the
IBank application.

Issue Details
# Status Affected Endpoint Issue Detail
4.1 | Open | Android launchMode      | The 'launchMode' setting, singleTask, could expose the internal application state to other Android applications.
4.2 | Open | External Storage Access | The application uses functions that write to external storage.
4.3 | Open | Application Data Backup | The application allows its data to be backed up.
4.4 | Open | Unprotected Intent      | The 'InlineBrowser' activity is exported to all applications and unprotected.

Recreation Steps
This finding can be validated by reviewing the AndroidManifest.xml file after unpacking the
application.

Recommendation
• Set 'launchMode' to 'standard' for the affected activity in AndroidManifest.xml.
• Remove '<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>'
  from AndroidManifest.xml and keep application data in internal storage.
• Set 'android:allowBackup="false"' on the <application> element (the attribute defaults to
  true when it is absent).
• Add 'android:exported="false"' to the 'uy.com.infocorp.framework.androidUI.InlineBrowser'
  activity. If other components must be able to launch it, protect it with a custom
  permission instead of leaving it exported to all applications.

References
• https://developer.android.com/guide/topics/manifest/activity-element#exported
• https://developer.android.com/guide/topics/manifest/activity-element#lmode
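The following manifest audit is added here as an example and is not code from the report or from the IBank application. It checks an apktool-decoded AndroidManifest.xml for the four settings in this finding. The two manifests embedded in it are constructed samples of the weak and the corrected configuration; the package name and MainActivity are placeholders, and only the InlineBrowser activity name is taken from the report.

```python
"""Audit an apktool-decoded AndroidManifest.xml for the MOB-4 settings.

Added example; not code from the report or the IBank application. The two
manifests are constructed samples of the weak and the corrected
configuration; the package name and MainActivity are placeholders, the
InlineBrowser activity name is the one the report cites.
"""
import xml.etree.ElementTree as ET
from typing import List

A = "{http://schemas.android.com/apk/res/android}"   # android: namespace prefix

WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.ibank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:allowBackup="true">
        <activity android:name=".MainActivity" android:launchMode="singleTask">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name="uy.com.infocorp.framework.androidUI.InlineBrowser">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>
    </application>
</manifest>"""

HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.ibank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:allowBackup="false"
                 android:networkSecurityConfig="@xml/network_security_config">
        <activity android:name=".MainActivity" android:launchMode="standard"
                  android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name="uy.com.infocorp.framework.androidUI.InlineBrowser"
                  android:exported="false"/>
    </application>
</manifest>"""

COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")


def audit_manifest(xml_text: str) -> List[str]:
    """Return MOB-4 style findings for a decoded manifest (empty list = clean)."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []

    perms = {p.get(A + "name") for p in root.findall("uses-permission")}
    if "android.permission.WRITE_EXTERNAL_STORAGE" in perms:
        findings.append("WRITE_EXTERNAL_STORAGE requested: data may be written to shared storage")
    # allowBackup defaults to true when the attribute is absent.
    if app.get(A + "allowBackup", "true") != "false":
        findings.append("allowBackup not disabled: app data can be pulled with adb backup")
    if app.get(A + "networkSecurityConfig") is None:
        findings.append("no networkSecurityConfig: platform cleartext defaults apply")

    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(A + "name")
        mode = comp.get(A + "launchMode")
        if comp.tag == "activity" and mode in ("singleTask", "singleInstance"):
            findings.append(f"{name}: launchMode={mode} exposes the task to other apps")
        exported = comp.get(A + "exported")
        has_filter = comp.find("intent-filter") is not None
        is_launcher = any(c.get(A + "name") == "android.intent.category.LAUNCHER"
                          for c in comp.iter("category"))
        # Before Android 12 a component with an intent-filter is exported unless
        # exported="false" is set; the launcher activity is expected to be exported.
        if (exported == "true" or (exported is None and has_filter)) \
                and comp.get(A + "permission") is None and not is_launcher:
            findings.append(f"{name}: exported to all apps without a permission")
    return findings
```

The exported-component rule mirrors the platform's implicit-export behaviour, which is why the InlineBrowser activity is flagged even though the weak manifest never says exported="true". Point audit_manifest() at the AndroidManifest.xml produced by 'apktool d' to reproduce the finding on a real build.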



MOB-5 Sensitive Information in Server Response
Risk Category HIGH

Vulnerability Summary
BlackBerry noted that the application server's sign-in response included sensitive personal
information, including the logged-in user's passport number and home address. This
information was not requested or used by the application and should never be transmitted
unless it is necessary for the application to function.

Any sensitive information should be masked or removed from all server responses.

Issue Details
# Status Affected Endpoint Issue Detail
5.1 | Open | http://10.0.1.1/ClientCompany.IBank.WebApi/api/administration/general/signIn | 'passNumber' included in server response.
5.2 | Open | http://10.0.1.1/ClientCompany.IBank.WebApi/api/administration/general/signIn | 'home' included in server response.
5.3 | Open | http://10.0.1.1/ClientCompany.IBank.WebApi/api/administration/general/signIn | 'city' included in server response.

Recreation Steps
This finding was identified by logging the HTTPS requests and responses while using the
application.

Figure 13: Passport Number in Server Response

Recommendation
• Do not send any sensitive information which is not required for the application to function.
• If the information being sent is required, it should be obscured or encrypted.

References
• https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure



MOB-6 Application Logout Does Not Invalidate Session
Token
Risk Category HIGH

Vulnerability Summary
Mobile applications use a variety of authentication schemes. Tokens obtained by the
application can be used to access all features of a user's account. When a user logs out of
the application, the associated token should be revoked.

Issue Details
# Status Affected Endpoint Issue Detail
6.1 | Open | http://10.0.0.1:8888/ClientCompany.IBank.WebApi/api/administration/general/signOut | Application sign-out did not invalidate the session token.

Recreation Steps
1. Configure the application to use an intercepting proxy server.
2. Sign in to a valid account and perform a variety of actions.
3. Use the 'log out' function of the application.
4. Using a tool such as Burp's Repeater module, replay a previous request.
5. Note that the request succeeds even though the user requested to terminate the session.

Recommendation
• When the user logs out of the application, all session tokens should be revoked. Any
attempts to reuse them should result in an error.

References
• https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
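The replay described in the recreation steps, scripted as an added example that is not code from the report or from the IBank application: a constructed stand-in for the signIn/signOut API runs locally with a switch between the behaviour observed here (the token stays valid after sign-out) and the corrected behaviour (the token is revoked server-side), and the check signs in, uses the token, signs out, and replays the token exactly as a tester would with Burp Repeater. The endpoint paths are taken from the finding; the /api/accounts endpoint and the response bodies are placeholders.

```python
"""Replay a session token after sign-out to confirm it was revoked (MOB-6).

Added example; not code from the report or the IBank application. The
handler below is a constructed stand-in for the IBank signIn/signOut API
with a switch between the behaviour the report observed (the token stays
valid) and the corrected behaviour (the token is revoked server-side). The
check is the same replay a tester performs with Burp Repeater, driven from
Python against a local server so it runs offline.
"""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SIGN_IN = "/api/administration/general/signIn"
SIGN_OUT = "/api/administration/general/signOut"
ACCOUNTS = "/api/accounts"          # placeholder for an authenticated endpoint


class BankApi(BaseHTTPRequestHandler):
    revoke_on_signout = True        # False reproduces the vulnerable behaviour
    sessions = {}                   # token -> username, the server-side session store

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _token(self):
        auth = self.headers.get("Authorization", "")
        return auth[7:] if auth.startswith("Bearer ") else None

    def do_POST(self):
        if self.path == SIGN_IN:
            token = secrets.token_urlsafe(32)
            self.sessions[token] = "test01"          # test account from the report
            self._reply(200, {"token": token})
        elif self.path == SIGN_OUT:
            if self.revoke_on_signout:
                self.sessions.pop(self._token(), None)   # the fix: revoke server-side
            self._reply(200, {"signedOut": True})
        else:
            self._reply(404, {})

    def do_GET(self):
        if self.path == ACCOUNTS and self._token() in self.sessions:
            self._reply(200, {"accounts": ["0001"]})
        else:
            self._reply(401, {"error": "unauthorized"})

    def log_message(self, *args):   # silence request logging
        pass


_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env


def _call(base, method, path, token=None):
    req = urllib.request.Request(base + path, method=method,
                                 data=b"" if method == "POST" else None)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with _opener.open(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def logout_invalidates_session(revoke: bool) -> bool:
    """Sign in, use the token, sign out, replay the token; True if the replay is rejected."""
    class Api(BankApi):
        revoke_on_signout = revoke
        sessions = {}

    server = ThreadingHTTPServer(("127.0.0.1", 0), Api)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        _, body = _call(base, "POST", SIGN_IN)
        token = body["token"]
        if _call(base, "GET", ACCOUNTS, token)[0] != 200:
            raise RuntimeError("token should work before sign-out")
        _call(base, "POST", SIGN_OUT, token)
        status, _ = _call(base, "GET", ACCOUNTS, token)   # Repeater-style replay
        return status == 401
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable:", logout_invalidates_session(False))   # False
    print("fixed:     ", logout_invalidates_session(True))    # True
```

The fix lives entirely on the server: the sign-out handler removes the token from the session store, so a replayed request fails with 401 regardless of what the client does. Deleting the token on the device alone, which is all a client-side "log out" can do, leaves the behaviour in this finding unchanged.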



Medium-Risk Findings

MOB-7 Lack of Hardening


Risk Category MODERATE

Vulnerability Summary
The IBank mobile applications present a high level of risk if they are tampered with or
modified. A mobile banking application running on a rooted or jailbroken device could be
modified to redirect traffic to attacker-controlled servers or perform other malicious
functions. Applications that process or access sensitive data should be equipped with a
variety of hardening and tamper-resistance controls.

Issue Details
# Status Affected Endpoint Issue Detail
7.1 | Open | Android     | Lack of root detection
7.2 | Open | iOS/Android | Lack of HTML/JS tamper detection
7.3 | Open | iOS/Android | Lack of debug protection
7.4 | Open | iOS/Android | Lack of binary obfuscation
7.5 | Open | iOS         | Lack of jailbreak detection
7.6 | Open | iOS/Android | Lack of repackaging detection

Recreation Steps
This finding was identified by running the application on rooted and jailbroken test devices
and, for the tamper and repackaging items, on the repackaged build described in the Attack
Narrative, and verifying that the application took no action in response.

Recommendation
Implement strong controls that protect the application from tampering by a malicious user.
All HTML and JavaScript files should be covered by robust integrity checks. The application
should detect and respond to attempts to run it on a compromised device. The application
binaries and JavaScript files should be obfuscated to make it more difficult for an attacker
to reverse engineer the application. These controls raise the cost of tampering but cannot
prevent it on a device the attacker controls, so server-side validation must never depend on
them.

References
• https://mobile-security.gitbook.io/masvs/security-requirements/0x15-v8-resiliency_against_reverse_engineering_requirements



MOB-8 Outdated JavaScript Libraries
Risk Category MODERATE

Vulnerability Summary
The IBank application consisted of an HTML5 web application that utilized several third-
party JavaScript libraries. BlackBerry observed that one library, AngularJS, was outdated
and contained several known vulnerabilities. Although BlackBerry did not exploit these
vulnerabilities during the testing window, outdated libraries still pose a risk to the
application.

Issue Details
# Status Affected Endpoint Issue Detail
8.1 | Open | iOS/Android AngularJS | The application contains AngularJS 1.5.0 RC1, which contains known vulnerabilities.

Recreation Steps
This finding was identified by reviewing the JavaScript files bundled within the application.
The AngularJS version, 1.5.0 RC1, is affected by published vulnerabilities, including
CVE-2019-10768.

Figure 14: AngularJS Version

Recommendation
Update the application to use the latest AngularJS 1.x release, and re-check the bundled
version whenever the application is rebuilt. Note that AngularJS 1.x has since reached end of
life, so planning a migration to a maintained framework is the durable fix.



Low-Risk Findings

MOB-9 Application Source Code Includes Sensitive


Information
Risk Category LOW

Vulnerability Summary
Hybrid mobile applications, which are mobile applications built using JavaScript
frameworks such as ReactJS, often contain code that is unused in production builds. This
code can sometimes include sensitive information, such as internal IP addresses or
hostnames used during development, which can provide value to an attacker.

Issue Details
# Status Affected Endpoint Issue Detail
9.1 | Open | main.js | /integration URLs
9.2 | Open | main.js | /demo URLs

Recreation Steps
Unpack the application and inspect the 'main.js' file. Note that the file contains
unnecessary information which should not be present in production builds.

Recommendation
All JavaScript code should be sanitized when building the application. No debug code or
additional information should be included unless it is necessary for the application to
function. Internal URLs, test environment URLs, and comments should be removed or
sanitized.
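The two bundle reviews above (the AngularJS version check in MOB-8 and the leftover-URL review in MOB-9) share one scan of main.js, added here as an example that is not code from the report or from the IBank bundle. MAIN_JS is a constructed fragment containing the license banner that the AngularJS build emits and the kind of integration and demo URLs the report describes; the hosts are placeholders. The fixed version for CVE-2019-10768 is taken as 1.7.9, per the public advisory, and is passed in as a parameter so it can be adjusted.

```python
"""Scan a hybrid app's bundled main.js for an outdated AngularJS build
(MOB-8) and for leftover internal or non-production URLs (MOB-9).

Added example; not code from the report or the IBank bundle. MAIN_JS is a
constructed fragment with the banner the AngularJS build emits and the
kind of integration/demo URLs the report describes; hosts are
placeholders. The fixed version for CVE-2019-10768 is taken here as 1.7.9,
per the public advisory.
"""
import re
from typing import List, Optional, Tuple

MAIN_JS = r"""
/**
 * @license AngularJS v1.5.0-rc.1
 * (c) 2010-2015 Google, Inc. http://angularjs.org
 * License: MIT
 */
!function(){var apiBase="https://api.example-bank.test/ClientCompany.IBank.WebApi";
var env={prod:apiBase,
integration:"http://10.0.1.1/ClientCompany.IBank.WebApi/integration",
demo:"https://demo.example-bank.test/demo/api"};
// TODO remove before release: var debugHost="http://192.168.56.20:8888/";
}();
"""

VERSION_RE = re.compile(
    r"@license AngularJS v(\d+)\.(\d+)\.(\d+)(?:-?(rc|beta)\.?(\d+))?", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
PRIVATE_HOST_RE = re.compile(
    r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|localhost$)")
NON_PROD_SEGMENTS = {"integration", "demo", "test", "dev", "staging", "uat"}


def angular_version(js: str) -> Optional[Tuple[int, ...]]:
    """Parse the AngularJS banner into a sortable tuple; pre-releases sort first."""
    m = VERSION_RE.search(js)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = (0, int(m.group(5))) if m.group(4) else (1, 0)
    return (major, minor, patch) + pre


def is_outdated(js: str, fixed: Tuple[int, int, int] = (1, 7, 9)) -> bool:
    """True when the bundled AngularJS predates the release that fixed the CVE."""
    version = angular_version(js)
    return version is not None and version < fixed + (1, 0)


def leftover_urls(js: str) -> List[str]:
    """URLs pointing at private hosts or non-production paths (MOB-9)."""
    hits = []
    for url in URL_RE.findall(js):
        rest = url.split("//", 1)[1]
        host = rest.split("/", 1)[0].split(":")[0].lower()
        path_segments = {s.lower() for s in rest.split("/")[1:]}
        if PRIVATE_HOST_RE.match(host) or (path_segments & NON_PROD_SEGMENTS):
            hits.append(url)
    return hits
```

The version parser treats a release candidate as older than the final release of the same number, which is what makes 1.5.0 RC1 compare correctly against 1.7.9. The URL heuristics are deliberately coarse (RFC 1918 hosts plus a short list of environment names); a real review of main.js should still read the surrounding code for each hit.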



MOB-10 Application Lacks Software Update
Risk Category LOW

Vulnerability Summary
Hybrid mobile applications such as IBank consist of bundled HTML and JavaScript files
that are difficult to update after the application has been released. If a security
vulnerability is found, Client Company will be forced to disable the application until a new
version can be approved by the Apple App Store and Google Play and distributed. During
this time, Client Company users will be unable to use the application.
Apple and Google allow distributors of hybrid applications to use third-party services such
as Microsoft CodePush [7] to update the embedded HTML and JavaScript code after the
application has been released, provided that the updates are minor and do not change the
core functionality of the application. Any such update channel must itself verify the
integrity and origin of the bundles it downloads (CodePush supports code signing for this
purpose); otherwise it becomes a remote code-injection path into the application.

Issue Details
# Status Affected Endpoint Issue Detail
10.1 | Open | Android/iOS | The application cannot be updated without resubmitting to the Apple App Store and Google Play.

Recreation Steps
This finding was identified by a manual review of the native iOS and Android code, in
addition to noting that the application did not perform any updates during the testing
window.

Recommendation
Choose a solution that allows Client Company to update the bundled web content in the
event that a security update is required, and ensure that updates are signed and verified on
the device before they are applied.

[7] https://appcenter.ms/?utm_source=CodePush&utm_medium=Azure



Informational Findings

MOB-11 Application is Outdated


Risk Category INFO

Vulnerability Summary
Mobile applications that are outdated pose a risk to Client Company and its users. These
applications lack important security updates and may execute on devices running OS
versions with known vulnerabilities that could compromise the application's functionality
remotely.

Issue Details
# Status Affected Endpoint Issue Detail
11.1 | Open | Android Application | Minimum Android version is too low.
11.2 | Open | iOS Application     | Application built with Xcode 7.3.1 and runs on iOS 9.x.

Recreation Steps
Review minSdkVersion (Android, in the <uses-sdk> element of AndroidManifest.xml or in the
module's build.gradle) and MinimumOSVersion (iOS, in Info.plist).

Recommendation
The application should be rebuilt with current versions of Android Studio and Xcode.
Additionally, the application should refuse to run on unsupported OS versions (such as
Android versions before API level 26 and iOS versions before 10.3.3) by raising
minSdkVersion and MinimumOSVersion accordingly.



Appendix A: Web Application Testing Methodology
BlackBerry Consulting used both commercial and proprietary tools during the assessment.
BlackBerry uses a combination of automated and manual tools to perform the analysis.
Additionally, we use a hybrid methodology consisting of both manual testing techniques
and, where appropriate, automated testing to provide accurate results. All vulnerabilities
identified were verified unless otherwise noted. BlackBerry Consulting's methodology
includes coverage of the OWASP Top 10 Application Security Risks and OWASP Mobile
Top 10 Risks.
The objective of an application penetration test is to ascertain the current security posture
of the application through the identification of vulnerabilities and weaknesses. The mobile
application testing methodology is generally organized into the following categories:

Figure 15: Assessment Methodology (categories: Discovery; Configuration & Deployment;
Authentication; Authorization; Identity & Session Management; Input & Data Validation;
Error Handling & Information Leakage; Cryptography; Client Side; Business Logic; Reverse
Engineering)

Discovery: Reconnaissance and information gathering to obtain a thorough understanding
of the application and the environment it operates within, so that testing resources can be
targeted appropriately and effectively. Reconnaissance includes the discovery of services,
API endpoints, and user interfaces, and the enumeration of any associated components.
Security Misconfiguration: Assess the security configuration of the application and web
server. Servers and applications are often feature rich and contain many configuration
options, which also means that they can be misconfigured.
Authentication: Assess the authentication mechanism and the data upon which
authentication is based. Ensure that authentication accurately identifies users before
allowing access to information, systems, or processes.
Access Control: Attempt to defeat or circumvent authorization checks to verify that only
legitimate, authorized users can access functionality and resources.
User and Session Management: Evaluate the strength and security of user and session
management in the application. The web is inherently stateless, so session management is
necessary. Also, the majority of applications have to support and identify individual users.



Data Validation: Ensure that the application is resilient to all forms of data input. Verify
integrity checks, maximum and minimum length, data types, ranges, values, names,
existence, and business rules. Failure to properly validate input from all sources is the
most common application security weakness.

Information Leakage and Error Handling: Identify any information leakage through error
messages or other sources that could be useful to an attacker. The methods used for
handling errors can reveal critical system and application information. This may include a
review of log management practices.
Logging and Auditing: Evaluate the logging and auditing of the application to determine
what type of data is stored and transmitted, and how. Logging and auditing play important
roles in supporting the application and environment, depending upon application
functionality.

Data Transport and Storage Protection: Identify sensitive information that may reside on
the client or server. Ensure that sensitive data is properly protected with strong
cryptographic practices and ciphers, both in transit and at rest.
Client-side Logic: Client-side testing is concerned with the execution of code on the
client, information disclosure, or data tampering, typically natively from a web browser or
browser plugin/extension.
Business Logic: Testing for business logic flaws in a multi-functional dynamic application
requires thinking in unconventional ways. Testing for business logic flaws is similar to
functional testing that focuses on logical or finite-state behaviour.
Reverse Engineering (if applicable to the client application): This may include attempts to
reverse engineer the application to circumvent security controls and discover
vulnerabilities, including the extraction of data and code. Data and code extraction varies
based on application type, components, the scope chosen by the client, and the time
allotted for the engagement.



Appendix B: OWASP References
Prevention
OWASP Projects: A list of useful software security projects. It is a rich resource of coding
guides and knowledge, security software, reference material, documentation, and a
community all working to secure the world's software.
OWASP Testing and OWASP Code Review Guides: These guides are openly available
documents that teach developers how to test for vulnerabilities. They contain great content,
including descriptions, testing examples, technology-specific code snippets, screenshots,
and references to other documents and tools.
OWASP Application Security Verification Standard (ASVS) Project provides a basis for
testing web application technical security controls and also provides developers with a list
of recommended security requirements for secure development.
CIS Benchmarks: CIS Benchmarks help you safeguard systems, software, and networks
against today's evolving cyber threats, including 100+ security best practice configuration
guidelines for various technology groups.

OWASP Software Assurance Maturity Model (SAMM): Provides an effective and measurable
way for all types of organizations to analyze and improve their software security posture.

Remediation
OWASP Cheat Sheet Series provides a concise collection of high-value information on
specific web application security topics.
