The awarding of the Plynt Certificate establishes that a web application has adequate measures to guard against remote adversaries and protect against a wide range of threats.
This document defines the Plynt Certification Standard for Mobile Applications. It details the criteria that a Mobile application must meet in order to be awarded the Certificate.
(Plynt)… Provided cost-effective security testing service and exceeded Medmarc’s technical expectations. Their professionalism is evidenced by their high quality work.
– Richard Wilkins, Medmarc Insurance
The application must demonstrate its defence against threats specified in a Threat Profile that has been developed specifically for the mobile application.
A recompiled package that has been self-signed with a key other than the publisher's breaks the trust users place in the application, because its contents have been modified. An attacker can upload such a replica to an app store under a similar name, and users who install the counterfeit build expose their details to the attacker.
The application must validate untrusted input before it is used by any device resource, and it must not abuse device resources.
The mobile operating system exposes platform-specific features to applications. Where the application uses these features, it must do so securely, without introducing vulnerabilities.
The application must demonstrate adequate measures to protect sensitive data if the device is lost or stolen. It must not store sensitive data in local storage, in the installation package or in property files.
The application must not leak data through channels such as the application cache, logs or temporary directories, where data is often retained indefinitely.
The application must demonstrate, through testing, that it is not vulnerable to common server-side attacks.
The application must take adequate measures to protect sensitive data from being stolen over the network. Data in transit must be protected with strong transport encryption, such as a correctly configured TLS connection.
Mobile applications connect to backend services to send and receive data. These services must be protected against vulnerabilities that are directly exploitable through the application.
The backend server must be patched and protected against known vulnerabilities. The web service on the server that hosts the application's backend must not be affected by publicly known, exploitable vulnerabilities.
The application must not contain hardcoded secrets such as passwords and encryption keys.
Disassembling the application package must not leak sensitive data from the application's source code.
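The criteria on hardcoded secrets, leakage through logs, and information recoverable by disassembling the package are normally checked by unpacking the package (with a decompiler such as apktool or jadx) and searching the result. The script below is an added example and is not part of the Plynt standard or its tooling: it walks an unpacked source tree and reports secret-looking string assignments, embedded private keys, credential lines in property files, and logging calls whose arguments mention sensitive data. The rule set, the file suffixes and the sample files it scans are constructed for this example; a real assessment extends the rules with the application's own identifiers and treats every hit as a lead to confirm, not a verdict.

```python
import re
import tempfile
from pathlib import Path
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    excerpt: str


# Hypothetical rule set for this example. One finding per line: the first rule that hits wins.
SECRET_WORDS = r"(?:password|passwd|pwd|secret|api[_-]?key|private[_-]?key|token)"
RULES = [
    ("embedded-private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # quoted literal assigned to a secret-looking name, e.g.  API_KEY = "..."
    ("hardcoded-credential", re.compile(SECRET_WORDS + r"""\s*[:=]\s*["'][^"']{6,}["']""", re.I)),
    # whole-line key=value entry in a property/config file, e.g.  db.password=...
    ("property-credential", re.compile(r"^\s*[\w.\-]*" + SECRET_WORDS + r"\s*[:=]\s*\S{6,}\s*$", re.I)),
    # logging call whose arguments mention sensitive data (Android Log, NSLog, print...)
    ("sensitive-logging", re.compile(
        r"\b(?:Log\.[vdiwe]|NSLog|System\.out\.print(?:ln)?|print(?:ln)?)\s*\(.*\b(?:password|pin|token|cvv|card)\b",
        re.I)),
]
SOURCE_SUFFIXES = {".java", ".kt", ".smali", ".swift", ".m", ".xml", ".properties", ".json", ".plist", ".pem"}


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Apply the rules line by line; returns one Finding per matching line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule, line.strip()[:120]))
                break
    return findings


def scan_tree(root) -> List[Finding]:
    """Scan every file with a source-like suffix under an unpacked package directory."""
    root = Path(root)
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, path.relative_to(root).as_posix()))
    return findings


# Constructed sample files standing in for a decompiled package (not from any real app).
SAMPLE_JAVA = (
    'private static final String API_KEY = "sk_live_0123456789abcdef";\n'
    'String password = intent.getStringExtra("password");\n'
    'Log.d("Auth", "login with password=" + password);\n'
    'Log.i("Net", "request sent");\n'
)
SAMPLE_PROPERTIES = (
    "server.url=https://api.example.test\n"
    "db.password=hunter2secret\n"
)
SAMPLE_FILES = {
    "sources/com/example/app/Api.java": SAMPLE_JAVA,
    "assets/config.properties": SAMPLE_PROPERTIES,
    "assets/client.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedSampleNotARealKey\n-----END RSA PRIVATE KEY-----\n",
}


def demo() -> List[Finding]:
    """Write the constructed samples to a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line_no}: [{f.rule}] {f.excerpt}")
```

Note what the rules deliberately do not flag: `String password = intent.getStringExtra("password")` is a variable that holds a secret, not a hardcoded one, and `Log.i("Net", "request sent")` logs nothing sensitive. The test evidence for the certification criteria is the list of hits that survive manual confirmation, so keeping false positives low matters as much as coverage.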
The application must re-authenticate the user before allowing an operation involving sensitive data. Examples of such operations are Change Password, Payments and Transaction Approval.
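One way to implement this requirement on the backend, as an added example rather than the standard's own code: a sensitive operation is executed only when the request carries a grant that was issued by a fresh password check, is bound to that single operation, expires quickly and is consumed on first use. The operation names, the grant lifetime, PBKDF2 as the password hash and the session object are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical operation names; the standard's examples are Change Password,
# Payments and Transaction Approval.
SENSITIVE_OPERATIONS = {"change_password", "payment", "transaction_approval"}
STEP_UP_TTL_SECONDS = 120.0  # assumed lifetime of a re-authentication grant


class ReauthRequired(Exception):
    """A sensitive operation was requested without a valid, fresh re-authentication."""


class AuthFailed(Exception):
    """The password presented for re-authentication did not match."""


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever password hash the backend uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes

    @classmethod
    def create(cls, name: str, password: str) -> "User":
        salt = os.urandom(16)
        return cls(name, salt, _derive(password, salt))

    def verify(self, password: str) -> bool:
        # Constant-time comparison of the derived hash.
        return hmac.compare_digest(self.pw_hash, _derive(password, self.salt))


@dataclass
class Session:
    """An already logged-in session; `now` is passed in so the logic is testable."""
    user: User
    # sha256(token) -> (operation the grant is bound to, expiry time)
    grants: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def reauthenticate(self, password: str, operation: str, now: float) -> str:
        """Re-check the password and issue a single-use grant bound to one operation."""
        if not self.user.verify(password):
            raise AuthFailed(self.user.name)
        token = secrets.token_urlsafe(32)
        # Keep only a digest server-side: a leaked session store yields no usable grant.
        self.grants[_digest(token)] = (operation, now + STEP_UP_TTL_SECONDS)
        return token

    def perform(self, operation: str, now: float, grant_token: Optional[str] = None) -> str:
        """Run an operation; sensitive ones require a grant from reauthenticate()."""
        if operation not in SENSITIVE_OPERATIONS:
            return f"{operation}: done"
        if grant_token is None:
            raise ReauthRequired(operation)
        # pop(): the grant is consumed on first presentation, whether or not it is
        # accepted, so a replayed or mis-bound token can never be retried.
        grant = self.grants.pop(_digest(grant_token), None)
        if grant is None or grant[0] != operation or now > grant[1]:
            raise ReauthRequired(operation)
        return f"{operation}: done"


if __name__ == "__main__":
    alice = User.create("alice", "correct horse battery")
    session = Session(alice)
    print(session.perform("view_balance", 0.0))
    token = session.reauthenticate("correct horse battery", "payment", 10.0)
    print(session.perform("payment", 20.0, token))
```

In use, the mobile client prompts for the password when it is about to submit a sensitive operation, calls the re-authentication endpoint with the password and the operation name, then sends the operation together with the returned token. Binding the grant to one operation means a token obtained for a password change cannot be redirected to approve a payment, and consuming it on first use means an intercepted token is worthless once the legitimate request has gone through.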
Our quote contains the best price, the time estimate, and our methodology; we’ll mail you the quote within 24 hours.