MAST practices:

Mobix implements Mobile Application Security Testing (MAST) practices that combine static and dynamic analysis:
BCA, DAST, SAST, IAST and API ST.

This comprehensive approach enables Mobix to precisely detect software vulnerabilities and ensure high quality of mobile application security testing.

[BCA] Byte Code Analysis

Mobix performs a static analysis of the decompiled source code. It checks whether the application is misconfigured or has incorrect parameters or attributes in some of its elements. Mobix also searches the decompiled source code and application resources for the values of sensitive information it discovered during dynamic and interactive analysis, such as passwords, tokens, encryption keys and other secrets.
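The correlation step described above, as an added example that is not Mobix code: runtime-observed secrets (for instance a bearer token seen in an HTTP header during a dynamic run) are searched for in a constructed in-memory corpus of decompiled files, in plain, base64 and hex form, so that a hardcoded copy is flagged even when it is lightly encoded. The corpus, the secret values and the file paths are all constructed for the example.

```python
"""Correlate runtime-observed secrets with decompiled app artifacts.

Added example, not Mobix code. The corpus and the secret values below
are constructed; a real BCA pass would walk the decompiled APK tree.
"""
import base64

# Constructed sample: path -> contents of a decompiled/resource file.
DECOMPILED_CORPUS = {
    "smali/com/example/app/ApiClient.smali":
        'const-string v0, "Authorization"\n'
        'const-string v1, "Bearer sk_live_EXAMPLE1234"\n',
    "res/values/strings.xml":
        '<string name="api_key">c2tfbGl2ZV9FWEFNUExFMTIzNA==</string>\n',
    "assets/config.json":
        '{"endpoint": "https://api.example.test", "debug": false}\n',
}

# Constructed sample: values the dynamic/IAST layer saw the app use at runtime.
RUNTIME_SECRETS = {
    "api_token": "sk_live_EXAMPLE1234",
    "db_password": "hunter2-not-present",   # never hardcoded in the corpus
}


def encodings_of(secret: str) -> dict:
    """Representations of a secret a static pass should look for."""
    raw = secret.encode()
    return {
        "plain": secret,
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
    }


def mask(value: str) -> str:
    """Never put the full secret in a report; keep a recognisable prefix."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def find_hardcoded_secrets(corpus: dict, secrets: dict) -> list:
    """Return one finding per (file, line) where a runtime secret is embedded.

    Each finding records which secret, in which encoding, at which location,
    with the value masked.
    """
    findings = []
    for name, value in secrets.items():
        for encoding, needle in encodings_of(value).items():
            for path, content in corpus.items():
                for lineno, line in enumerate(content.splitlines(), start=1):
                    if needle in line:
                        findings.append({
                            "secret": name,
                            "encoding": encoding,
                            "path": path,
                            "line": lineno,
                            "value": mask(value),
                        })
    return sorted(findings, key=lambda f: (f["path"], f["line"]))


if __name__ == "__main__":
    for f in find_hardcoded_secrets(DECOMPILED_CORPUS, RUNTIME_SECRETS):
        print(f"{f['path']}:{f['line']}: {f['secret']} ({f['encoding']}) {f['value']}")
```

Only values actually observed at runtime are searched for, which is what keeps this check precise: a generic "looks like a key" regex would also have to decide whether a string is a secret at all, whereas here the dynamic layer has already answered that question.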

[DAST] Dynamic Application Security Testing

DAST treats the application as a black box. Mobix performs a set of different dynamic checks: it injects data and looks for fuzzing entry points in the application. To improve the efficiency of DAST, Mobix collects information about which interfaces the application exposes, how those interfaces are used, and which parameters each interface receives.

[IAST] Interactive Application Security Testing

IAST identifies vulnerabilities based on data collected while the application is running. Mobix detects sensitive and confidential data processed by the application and verifies its secure use and storage. Mobix implements effective IAST using data collected during autotests or manual testing of the application.

[SAST] Static Application Security Testing

Mobix implements an array of security checks from "classic" SAST on the decompiled code: data flow analysis, taint analysis, pattern-based analysis, and so on.
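Taint analysis on decompiled code, as an added example that is not Mobix code: a small forward taint propagation over a constructed three-address intermediate representation of one method. The source, sink and sanitizer tables and the Android-style method names in them are illustrative assumptions, as is the sample method; the point the example makes is that a sanitizer only neutralises the sinks it was written for, so escaping a value for SQL does not make it safe to pass to a process-execution call.

```python
"""Toy intraprocedural taint analysis over a three-address IR.

Added example, not Mobix code. The IR shape (dst, op, args), the
source/sink/sanitizer tables and the sample method are constructed.
"""
from dataclasses import dataclass

# Producers of untrusted input (names are illustrative).
SOURCES = {"Intent.getStringExtra", "EditText.getText"}

# Dangerous consumers, mapped to the weakness class they expose.
SINKS = {
    "SQLiteDatabase.rawQuery": "SQL injection",
    "Runtime.exec": "command injection",
}

# Sanitizers and the sinks whose risk they neutralise (and only those).
SANITIZERS = {
    "DatabaseUtils.sqlEscapeString": frozenset({"SQLiteDatabase.rawQuery"}),
}


@dataclass(frozen=True)
class Taint:
    source: str                          # which source the value came from
    sanitized_for: frozenset = frozenset()  # sinks this value is now safe for


def analyze_method(stmts: list) -> list:
    """Forward taint propagation over a list of (dst, op, args) statements.

    Returns findings as (weakness, source, sink) tuples, in program order.
    """
    taint = {}        # variable name -> list[Taint]
    findings = []
    for dst, op, args in stmts:
        # Taint flowing into this statement from any of its operands.
        incoming = [t for a in args for t in taint.get(a, [])]
        if op in SOURCES:
            result = [Taint(source=op)]
        elif op in SANITIZERS:
            # Keep the origin, but mark the value safe for the covered sinks.
            result = [Taint(t.source, t.sanitized_for | SANITIZERS[op])
                      for t in incoming]
        elif op in SINKS:
            for t in incoming:
                if op not in t.sanitized_for:
                    findings.append((SINKS[op], t.source, op))
            result = incoming
        else:
            # concat, assign, ordinary calls: taint flows through unchanged.
            result = incoming
        if dst is not None and result:
            taint[dst] = result
    return findings


# Constructed sample method: one unsafe query, one escaped query, and the
# escaped value reused in a shell call where SQL escaping is irrelevant.
SAMPLE_METHOD = [
    ("v1", "Intent.getStringExtra", ["intent", '"id"']),
    ("v2", "concat", ['"SELECT * FROM users WHERE id=\'"', "v1", '"\'"']),
    ("v3", "DatabaseUtils.sqlEscapeString", ["v1"]),
    ("v4", "concat", ['"SELECT * FROM users WHERE id="', "v3"]),
    (None, "SQLiteDatabase.rawQuery", ["db", "v2"]),  # unsanitized: finding
    (None, "SQLiteDatabase.rawQuery", ["db", "v4"]),  # sanitized: no finding
    (None, "Runtime.exec", ["rt", "v3"]),             # wrong sanitizer: finding
]


if __name__ == "__main__":
    for weakness, source, sink in analyze_method(SAMPLE_METHOD):
        print(f"{weakness}: {source} -> {sink}")
```

The analysis is deliberately flow-insensitive within a method and ignores branches and calls into other methods; a production SAST engine adds interprocedural summaries and path conditions on top of the same propagate-to-sink idea, but the sink-specific sanitizer table is what separates a useful taint rule from one that drowns in false negatives.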

[API ST] Application Programming Interface Security Testing

API ST is used to test the backend (i.e. the API) of a mobile application. It relies on the message exchange between the application frontend and the backend. Mobix implements an intelligent API ST based on the requests and responses collected during autotests or manual testing. This allows you to treat the application as more than a "black box" and to create additional API ST test cases that simulate different kinds of attack attempts against the backend.