Plynt Certification Criteria for Mobile Applications
The awarding of the Plynt Certificate establishes that a web application has adequate measures to guard against remote adversaries and protect against a wide range of threats.
This document defines the Plynt Certification Standard for Mobile Applications. It details the criteria that a Mobile application must meet in order to be awarded the Certificate.
(Plynt)… Provided cost effective security testing service and exceeded Medmarc’s technical expectations. Their professionalism is evidenced by their high quality work.
– Richard Wilkins, Medmarc Insurance
The Certification Standard Is Composed of 10 Criteria
Defends against Business Logic Threats
The application must demonstrate its defence against threats specified in a Threat Profile that has been developed specifically for the mobile application.
Defends against code tampering
Self-signing the recompiled APP build can breach the trust of users, as it contains modified data. An attacker can upload the replica of the APP to the store with a relevant name, wherein the details of legitimate users get exposed.
Defends against the unauthorized usage of device resources
The application must ensure that untrusted input is validated before it is used by any device resource. The application must not abuse the device resources.
Operating Systems implement functionalities that use mobile OS-related features. The application must implement these features securely, without introducing vulnerabilities.
Protects against data leakage
The application must demonstrate adequate measures to protect sensitive data from being accessed whenever the device is lost or stolen. The application must not store sensitive data in the local storage, APP installation and property files.
The application must not leak data through channels such as the application cache, logs, temporary directories, etc. wherein the data is usually retained indefinitely.
Protects against popular server-side attacks
The application must demonstrate, through testing, that it is not vulnerable to popular server-side attacks.
Protects sensitive data in transmission
The application must take adequate measures to protect sensitive data from being stolen over the network. It must protect the data in transmission by implementing strong encryption.
Backend services and servers protected against known vulnerabilities
Mobile applications connect to backend services in order to send and receive data. These services must be protected against vulnerabilities that are directly exploitable throughout the application.
The backend server must be updated and protected against known vulnerabilities. The web service running on the server that houses the application must not be vulnerable to publicly known exploitable vulnerabilities.
No sensitive data in the APP build
The application must not retain hardcoded data like passwords and encryption keys.
Strong code obfuscation and cryptography techniques
The application’s source code must be protected against data leakage, while disassembling the application package.
Sensitive activities are re-authenticated
The application must re-authenticate the user before allowing the user to perform an operation involving sensitive data. Examples of operations involving sensitive data are Change Password, Payments and Transaction Approval.
Resources
Sample Penetration Test Report
Request a Proposal
Our quote contains the best price, the time estimate, and our
methodology; and we’ll mail you the quote in 24 hours
