Gray Box Pentesting of Web, iOS, and Android Apps for Interprefy

Industry
Software products

Summary

As part of its long-term cooperation with Interprefy, ScienceSoft performed gray box pentesting of Interprefy's web, iOS, and Android apps. The testing confirmed the effectiveness of Interprefy's security management program and provided insights for further security enhancements.

About Our Customer

Interprefy is the world's leading provider of multilingual live translation solutions. Powered by cloud technology and AI, Interprefy’s solutions enable remote simultaneous interpretation in multiple spoken and signed languages, as well as real-time text-to-speech conversion. As of September 2023, Interprefy has facilitated over 50,000 live and virtual events, including political and academic conferences, global sports events, and business functions for Fortune 500 companies.

Regular Pentesting as Part of Robust Information Security Management

Information security is paramount at Interprefy, as its solutions handle sensitive data, including personal information, intellectual property, and business secrets. To protect its customers' data, Interprefy implemented a robust information security system and achieved ISO 27001 certification. In line with its risk management strategy, Interprefy regularly undergoes security testing.

Interprefy first engaged ScienceSoft in 2019 for pentesting of its web and mobile applications. The collaboration was successful, and Interprefy involved our security experts in several subsequent checkups. Each time, Interprefy was satisfied with the quality of the deliverables, ScienceSoft's mature approach to testing, and smooth communication. In turn, ScienceSoft's team appreciated Interprefy's dedication to security, well-defined requirements, and responsiveness.

Gray Box Pentesting of the Web App Prompted Security Improvements

In the most recent project, ScienceSoft's team planned gray box penetration testing of Interprefy's web application based on the PTES, OWASP Web Security Testing Guide, OWASP Mobile Security Testing Guide, and NIST 800-115 methodologies.

Interprefy provided ScienceSoft's team with credentials for four user roles: Speaker, Audience, Interpreter, and Moderator. Through automated and manual checks, the testers revealed several security issues and classified them according to the OWASP Top 10. The detected flaws did not pose critical risks to data protection. Nevertheless, ScienceSoft's experts outlined the remediation measures that should be applied promptly to close any potential security loopholes.

Broken access control

The web application allowed user names to be enumerated, which could facilitate brute-force attacks or account takeover attempts. To mitigate these threats, ScienceSoft's security engineers recommended configuring access control for each user role and processing every request according to the caller's role. They also advised generating unique, hard-to-guess IDs for each user and limiting the number of requests of the same type a client may make.

Security misconfigurations

The server's cross-origin resource sharing (CORS) policy could be manipulated by changing the Origin request header. As a result, a potential attacker could make the server treat malicious cross-origin requests as legitimate. ScienceSoft's experts recommended validating the Origin header against an allowlist of the specific domains or subdomains that are permitted to make cross-origin requests to the server.

In addition, important security headers were missing, including Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, and X-Frame-Options. Implementing these headers was necessary to improve protection against MIME sniffing, cross-site scripting, and other web security threats.

Vulnerable and outdated components

Analysis of the web application's content revealed an outdated version of Angular. Although exploitation of its known vulnerabilities was unlikely, ScienceSoft's team recommended upgrading Angular to the latest version.

Pentesting Confirmed High Security of iOS and Android Apps

To detect security flaws in the iOS and Android apps, ScienceSoft applied reverse engineering together with static and dynamic analysis. The testers attempted to exploit the weaknesses they found in order to evaluate their potential impact on the applications. Having analyzed the findings, they were pleased to report that both apps were highly secure.

The iOS app had just one low-severity vulnerability: its binary called the malloc function, which under some rare circumstances could be exploited to cause a denial of service. ScienceSoft suggested using calloc for dynamic memory allocation instead, since it zero-initializes the allocated memory and is the option preferred by cybersecurity best practices.

ScienceSoft's team also suggested a few measures to enhance the cyber resilience of the Android app, such as:

  • Employing a cryptographically secure pseudo-random number generator, so that generated values remain unpredictable over time and cryptographic operations are better protected.
  • Transmitting data only over securely encrypted communication channels, to protect it from interception and unauthorized alteration.

Markus Aregger, Head of Marketing at Interprefy, says:

In over three years of cooperation, ScienceSoft has always provided excellent service, guaranteeing the safety of our web, iOS, and Android applications. Seeing the exhaustive test coverage and the detailed documentation they provide, we can confidently say our clients’ sensitive data is safe with us. Plus, like Interprefy, ScienceSoft has an ISO 27001 certification, so we felt secure giving their team access to our environment for gray box testing.

Key Outcomes for Interprefy

  • Practical evidence of Interprefy’s web and mobile apps’ resilience to potential security threats.
  • Enhanced security of the applications as a result of regular penetration tests and implementation of cybersecurity best practices.
  • Transparent reports that prove Interprefy’s adherence to ISO 27001 requirements, showcasing its proactive and responsible approach to data security management.

Technologies and Tools

Metasploit, Wireshark, Nessus, Burp Suite, Acunetix, cURL, MobSF, jadx, Apktool, Frida, Objection, Android Studio.