Penetration testing and vulnerability assessment of an iOS app were outsourced to Optymize professionals, who were asked to perform black-box security testing of a healthcare app. The app is intended to help physicians check in for their visits and shifts and to update information about their patients’ condition and treatment. Both non-jailbroken and jailbroken smartphones were used to test the app.
The app was designed to handle sensitive information and to provide access to the sensitive information it stores. Fiddler, an application developed by Google, was used to test data in motion. The researchers focused on extracting user passwords and other sensitive data from the device keychain and cache databases in order to examine how attackers might obtain them.
The client team was able to launch the app on a jailbroken smartphone, which allowed them to bypass SSL pinning. The updated version of the app was then handed to Optymize specialists for a second round of testing. It worked flawlessly on non-jailbroken devices, although third-party tools had to be installed before it could be run.
Device-server connectivity was also improved: users’ passwords are no longer exchanged in plain text but via a complex, unique access key.
“The project was a success, and it contributed to increased customer trust in the system’s security. Optymize performed efficiently and gave good outcomes for a reasonable rate. They communicated effectively, ensuring that their partners felt on the same page throughout the engagement.”