Mobile Device Pentesting for a Healthcare Technology and Research Company
The Customer is a multinational company providing technology solutions, research and consulting services for the healthcare industry. It operates in more than 90 countries and has about 80,000 employees on board.
To conduct commercial clinical trials, the Customer stored, processed and transferred personal health information. To ensure PHI protection and comply with HIPAA regulations, the Customer resorted to security testing after any significant changes in corporate software and IT infrastructure. At this stage, the Customer needed to check Android and iOS mobile devices used by the employees for working purposes for security vulnerabilities that could endanger PHI.
ScienceSoft’s ethical hackers explored the Customer’s corporate Android and iOS mobile devices at the hardware, middleware and software levels. They performed black box and gray box penetration testing, including:
- Assessment of wireless transmission of data.
- Assessment of encryption protocols.
- Assessment of mobile Bluetooth settings.
- Exploration of OS security permissions.
- Analysis of commonly known vulnerabilities of the specific versions of mobile devices and mobile applications under test.
- Attempted SMS-based attacks (DoS, malware dissemination).
- Input data manipulation (SQL injections, buffer overflow, network protocol violations).
ScienceSoft’s pentesters revealed several critical vulnerabilities that had been missed out during previous checks by another vendor. The vulnerabilities included outdated user applications and mobile OS versions, unrestricted access to certain user applications, poorly secured Wi-Fi.
ScienceSoft’s security experts documented all found security gaps and provided recommendations on preventing their exploitation. They advised to implement a reliable network authentication protocol, monitor Wi-Fi access points on the mobile devices, update security patches and mobile OS versions, delete unnecessary user applications, restrict user access to the Suggested Apps feature and emergency apps, etc.
Also, ScienceSoft delivered consultations for the Customer’s IT team to better understand the existing security gaps and best ways to address them.
The Customer received detailed reports on detected vulnerabilities with the classification according to their severity and likelihood and an actionable guidance on vulnerability remediation. Satisfied with ScienceSoft’s professional approach, the Customer decided to rely on ScienceSoft’s security experts for another penetration testing project.
Technologies and Tools
Nmap, Wireshark, Metasploit, custom scripts (Python, C and Perl scripts for the exploitation of vulnerabilities).