> Side Channel Analysis
Ready-to-use side channel tools to assess cryptography algorithms.
> Fault Injection: Laser, EM & Glitching
Make sure your chip withstands different techniques of physical fault injections.
> Firmware Security Analysis
Qualify embedded code binaries without physical devices and benches.
> Security Failure Analysis
Photoemission analysis to explore internal information in a chip.
> Vulnerability Research
Dynamic analyses at a system level for investigating potential vulnerabilities.
> esDynamic for EDU SCA and FI
A learning center for academics to teach and perform side-channel analysis and fault injection
> Data Science Platform
esDynamic is a complete data focused platform to leverage the know-how of your team for complex analyses.
> esFirmware Engine
Assess the security of the firmware of IoT devices against logical and physical attacks.
> esReven Engine
Record and replay vulnerability researches within reverse engineering processes and tools.
> Cybersecurity Training
Grow your expertise with training modules driven by a coach.
> Hardware Evaluation Lab
High-end laboratory capabilities specialized in hardware security evaluations.
> Mobile App Security
Onboard your Team into your Security Challenges.
Integrate the security protections verification in your CI/CD pipeline.
> PCI MPoC
Prepare your product to meet this new mobile payment standard.
> Mobile App Security Testing (MAST)
esChecker SaaS: automating the security testing of your mobile app binary.
> Mobile App Penetration Testing
Testing the resiliency of your Mobile App, SDK or RASP tool.
> Backend Penetration Testing
Testing the resiliency of your Web App, API or Backend Systems.
> Coaching for Mobile App Developers
Providing insights into the mobile app threats and how attackers work by a learning-by-doing approach.
Go to our German website
In July 2022, Gartner© released its yearly Hype Cycles™ which “provide a graphic representation of the maturity and adoption of technologies and applications, and how they are potentially relevant to solving real business problems and exploiting new opportunities” (Gartner Hype Cycle)
In its report "Hype Cycle for Application Security, 2022", Gartner© lists Mobile Application Security Testing solutions (MAST) and mentions eShard’s MAST esChecker.
Mobile application security testing solutions can be subdivided into two technologies:
The mobile application shielding providers are maintained in the “trough of disillusionment” category. Perceived as costly, they may not be considered for hardening a mobile application yet. This could push some stakeholders to manage their own code protections. However, it is likely that maturity will grow in that space, since it requires expertise resources to keep pace with the attack techniques and the mobile platforms for a consistent protection.
And what about mobile application security testing? Inherited from the Application Security Testing space, MAST starts to create its own space. Mobile application security testing is considered as a moderate priority by Gartner®, since back-end verifications have a higher stake. MAST shall be implemented in the next 2 to 5 years, which means that you need to start working on it now!
Digital transformation is ongoing for many services to the point where the most successful businesses nowadays are either built almost exclusively around their mobile application, or were required to create their own to keep up with the times.
In 2022, 91% of the global population own a mobile device, making more than 50% of the entire web traffic coming from mobile. (according to Google's latest statistics). And 72% of the fraud involves the mobile channel. This is not a surprise when looking at the customer's shift from web browser to mobile app.
The popular adoption of mobile applications comes with the trust that cyber risks have already been taken into account. But, being in the cybersecurity business for as long as I have, it's not rare to hear (sometimes from developers themselves) that protecting mobile applications is not necessary. Or it is delayed for later. And this, in spite of the fact that mobile applications are part of the digital system, the company should feel accountable for the risks. It is a bit like avoiding going to the doctor while feeling that something is wrong.
They look like normal human reactions showing resistance. Certainly because security is perceived as expensive. But also due to a lack of knowledge in the mobile hacking ecosystem.
Here are some discussions we've had in the past few months:
Mobile application is part of the system and therefore requires cyber assurance. Even though it is not the most critical component to secure, it deserves attention. More specifically, one has to assume that mobile applications may be executed on untrusted and unsafe devices. The exposition to reverse engineering or hacking must be considered as high.
Mobile devices represent a specific ecosystem, by both the environment execution and the attack techniques. An exploit may come out of the blue and have a sudden impact for many years. Here is a recent example on Google Pixel 6. A second example concerned Apple iPhones, when Checkra1n exploit was made public and resulted in accessible jailbreak of many phones without physical tampering.
In short, a corporate organization shall work on the assumption that:
Following that line of conduct, it’s necessary to:
It could be summarized in the following equation of trust:
Develop code with the aim to remove vulnerabilities. For this, a first layer can be managed by following good practices, like for instance those defined in OWASP MASVS. The second layer of attention would look at the so-called assets, either data value, intellectual property or transactional operations. It requires relying on the right mobile device resources or software technologies.
Application shielding to harden the code layers and make attack techniques more difficult. Commercial solutions implement a full range of technologies, including code obfuscation (java and or native), a RASP (Runtime Application Security Protection) or even whitebox cryptography layers. Some are available by embedding a dedicated SDK or library. Code hardening is being integrated into the compilation chain or by depackaging or repackaging techniques.
Quality means continuous testing. It may look obvious, but it is necessary to verify the job was properly done. When it comes to security protections, verifications can prove tricky. For instance, in order to trigger a root detection, the developer has to be in the position of testing with rooted devices. As for any other modern development process, the test must come together with the feature, without hindering the development cycle. As such, the process must be built for quick and numerous updates — test automation is a must. While DevOps has become a norm for efficient development, the Security part must be integrated for a DevSecOps chain: all security tests must be run in the CI/CD pipeline.
What is so special in the equation of trust? The ‘X” operator. If either the development, the app shielding or the quality is missing, the value is 0, resulting in a trust yielding 0. Who can afford having a 0 trust in the binary pushed on the store ?
Security verifications can be performed at the code or at the binary level. There are 10 commercial solutions identified as Mobile Application Security Testing (MAST). Indeed, testing solutions for mobile applications is specific from a technological perspective.
Here are some tips on how to choose the best MAST tool for your mobile application.
eShard is proud to share that esChecker has been listed by Gartner© to be a leading edge MAST solution. One of the few taking the mobile application binary as input. This is the final check before the application goes live.