Security assessment for Enterprise Java and Android applications
Protect your application. Protect your business.
Hi! My name is Andrew Rukin.
I have created and now support this site and I specialize in information security.
Most of the time I work with huge corporations. However, recent awareness of corporate vulnerability has brought many start-ups and small companies to me as new clients.
My testing includes the following client-side activities:
Decompilation of the installed app
Searching for sensitive information hard-coded within the app
Verifying the security of locally stored credentials
Checking that SSL certificates and signatures are properly validated
Discovering insecure use of cryptography for transmitting data or for local storage
Source code analysis (if appropriate)
Checking that automatic updates do not provide a conduit for attackers to install arbitrary code
Verifying all sensitive information is removed after uninstalling the app
Looking for unintended transmission of data, such as the user’s phonebook when it is not required
The app testing service also includes testing of the web services used by the app. The following aspects are examined in detail to ensure that the backend servers do not expose customer data to other parties:
Server configuration errors
Loopholes in server code or scripts
Advice on data that could have been exposed due to past errors
Testing for known vulnerabilities
Reducing the risk and enticement to attack
Advice on fixes and future security plans
Within my scope of work, I will:
Identify the issues,
Give advice on how to fix them,
And control how they are fixed.
Typical issues discovered during a mobile app and server test:
Vulnerability to man-in-the-middle (MITM) attacks
Insecure storage of sensitive data on mobile devices
Insecure use of cryptography
Weak session management
Unauthorised access to other users’ accounts
Well-known platform vulnerabilities
Back doors and debug options
Errors triggering sensitive information leaks
Broken ACLs/Weak passwords
See the example Security Audit Report to get a feel for what you would receive.
Please contact me: firstname.lastname@example.org