
iHeartLocal – New Way To Discover Local

HIGHLIGHTS
Ranked #1 App in the 2016 Mobile App Showdown.
Rated as one of the top trustworthy referral networks in the US and European countries.
A responsive web version for merchants to set up sale and promotion campaigns & manage customers.

iHeartLocal- Loaded with Features to Keep Customers Engaged

With the belief that all businesses can succeed, iHeartLocal asked Savvycom to help launch a sharing-economy solution as a mobile platform: to design and develop an app that enables users to discover deals while promoting local businesses.
Refining their mobile solution, however, required in-depth knowledge of mobile strategy, design, and creative direction.
iHeartLocal required a number of functions: a locations hub that provides trusted references and ratings through a mobile application, a way for users to connect with businesses and service providers, and a business ecosystem that helps merchants reach potential consumers while building strong customer relationships. We started from these initial objectives and requirements.
“The most impressive thing was Savvycom satisfied requirements we expected our outsource company to be: culture, communication, skill sets and the desired partnership. It’s collaboration. I really don’t look at it as I’m dealing with a vendor but a partner.”
David Cheng – Founder, iHeartLocal

Simple Set-up
Signing up for iHeartLocal is quick and easy – sign up with Facebook or E-mail to start sharing today.
Follow Friends
A multiple-merchant function was added to help businesses manage their places.
Trusted Rating
Others ask you to accept anonymous reviews with questionable motivation. iHeartLocal is different.
Goodies
Unlike mass group-coupon services, iHeartLocal only delivers deals and specials from places you have chosen to add.
To be a complete sharing-economy solution, iHeartLocal integrated a real-time system. The challenge is that all data has to show up instantly and be broadcast across the network. To deal with that, Savvycom's engineering team applied real-time data streaming to optimise the speed of data transfer between client and server.
For a large user base (iHeartLocal is predicted to serve at least 1 million users within the first year), the question is how to handle an enormous and expanding number of requests in the shortest time. For this, iHeartLocal was designed and implemented with scalability from the very start. The system scales up to handle massive growth in user traffic while maintaining continuous, stable performance.
With multi-platform compatibility, iHeartLocal proved to work across a variety of platforms and operating systems.
A stack of SQLite, Java, Objective-C, C++, HTML, HTML5, AngularJS and Gulp was brought in to build a robust application with the widest compatibility.

iHeartLocal was rated number 1 in the 2016 Mobile App Showdown, held within the framework of CES 2016, the best place to showcase the innovation and ingenuity of today's app builders.


8 Best Practices for Penetration Testing Mobile Apps

Mobile applications have become part of our lives; however, the security of a mobile application is still unclear to its users, because we do not know how the application was developed or whether it was ever subjected to penetration testing.

Downloading and using mobile applications can carry risks for both you and your organization, since untested mobile apps may contain security bugs that expose your data. According to Axar's note, most mobile and healthcare applications contain several security vulnerabilities.


To reduce the risk of security vulnerabilities, the essential measure is penetration testing of the mobile app. Penetration testing a mobile application gives a certain level of confidence, but it needs different approaches and setups than testing a web application.

Here are 8 best practices to help you fight back against mobile hacks with penetration testing:

1. Preparing the security testing plan

The first challenge in penetration testing mobile apps is having a correct methodology. The OWASP iOS attack-surface map gives an overview of the attack vectors.


The map shows each important attack surface and the specific areas that are used for assessment. For each attack stage there is a corresponding technique:

⦁ Application mapping ⇒ Information gathering
⦁ Client attacks ⇒ Runtime, binary, and file system analysis
⦁ Network and server attacks ⇒ Network analysis and insecure data storage

Each section needs a specific set of tools and skills. To understand the OS being attacked, look closely at the type of mobile application, because each type has different attack vectors. A native iOS app, for instance, is written in Objective-C or Swift, whereas browser-based or hybrid apps use traditional web application technologies and run in the device's web browser (or an embedded web view).

The main difference between analyzing mobile applications and web applications is binary and file system analysis. This stage requires reverse-engineering skills and the use of debugging techniques.

2. Preparing the testing environment

Preparing the testing environment is the next stage of penetration testing a mobile application. Mobile apps differ from web applications in that they do not run on every platform and browser, so they need a specifically configured, device-driven testing environment.


For iOS devices, a tester should jailbreak the device (the original text names evasi0n7, which only applies to iOS 7) to gain root access to the OS beyond the restrictions Apple imposes, so that the file system and running processes can be inspected. For Android, a tool such as One Click Root is used to root the device. Which jailbreak or rooting tool applies depends on the exact OS version, so check the device before choosing one.

3. Building the attack arsenal

Once the device is ready, the attack arsenal has to be built for analysis and information-gathering purposes. Cydia, the app store for jailbroken iOS, provides essential tools. Debuggers, decrypters and similar tools help you understand the mechanics of the application.

Android Apktool and the Android Reverse Engineering virtual machine are recommended for binary analysis. Burp Proxy, Android Proxy, OWASP ZAP, Wireshark, and tcpdump are just a few of the tools available for network analysis.

4. Preparing the test cases: Application Mapping

In penetration testing it is necessary to observe the application at the functional level and analyze its behavior. Breaking down the whole framework and taking notes on the following areas produces an accurate model, applying the same principles for building a test suite as the OWASP testing guide:

  • Identity, authentication, and access control => keychains, brute-force attacks, parameter tampering
  • Input validation and encoding => Malicious input, fuzzing
  • Encryption => SQLite database password fields, configuration file encryption
  • User and session management => Session IDs, time lockouts
  • Error and exception handling
  • Auditing and logging => Logs, access control to logs.

5. Attacking the client: Binary and file analysis

In penetration testing, a tester applies binary and file analysis to discover insecure API calls and files with inadequate access controls. Tools such as IDA Pro or the Hopper App debug and analyze the code. Buffer overflows should not be overlooked at this stage.


A tester also fuzzes the application or applies malicious input to find vulnerabilities such as SQL injection. Most techniques for finding vulnerabilities in native applications are similar to penetration testing a web app; however, instead of using a proxy to understand the inner workings of the app, a tester should use debugging software.

Some of these techniques involve testing approaches like those in the OWASP testing guide. Where web pen testing uses an attack proxy to inject malicious input, penetration testing mobile apps needs a tool like iOKit to support it.

To evaluate data-storage risks on iOS and Android, a tester browses the app's databases with an SQLite database browser to determine how the database is protected. If it is encrypted, verify the type of encryption used on the sensitive data fields. The tester also checks where API keys and keychain items are stored and what access controls protect them, as part of client attack testing.
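The storage checks described above can be partly automated once the app's data directory has been pulled from a rooted or jailbroken device. The following is an added example (not code from the original article or from any tool it names): it walks a data directory for files whose permission bits let other users read them, and opens every SQLite database it is given to look for sensitive-looking columns holding plaintext values. The directory layout, table and column names, and the sample rows are constructed for the example; the plaintext heuristic is deliberately simple and should be tuned per application.

```python
"""Added example: checks a pulled app data directory for world-readable files
and for SQLite columns that store secrets in plaintext.
Everything under build_sample_app_dir() is constructed sample data, not real
app data; on a device you would pull the real directory first (for example
`adb pull /data/data/<package>/` on a rooted Android device)."""
import os
import re
import sqlite3
import stat
import tempfile

# Column names that usually hold secrets. Extend per application under test.
SENSITIVE_COLUMNS = re.compile(r"pass(word)?|pwd|secret|token|api_?key", re.I)


def world_readable_files(root):
    """Return paths under root whose mode grants read access to 'other'.
    On Android each app runs as its own uid, so such files are readable by
    any other app on the device."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IROTH:
                found.append(path)
    return sorted(found)


def looks_plaintext(value):
    """Heuristic: long hex or base64 blobs are treated as hashes/ciphertext,
    anything else printable is treated as plaintext. Non-strings are BLOBs."""
    if not isinstance(value, str):
        return False
    if re.fullmatch(r"[A-Fa-f0-9]{32,}", value):
        return False
    if re.fullmatch(r"[A-Za-z0-9+/]{24,}={0,2}", value):
        return False
    return value.isprintable()


def plaintext_secrets(db_path):
    """Return (table, column, rowid) for every sensitive-looking column that
    holds a plaintext value in the given SQLite database."""
    findings = []
    conn = sqlite3.connect(db_path)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for col in columns:
                if not SENSITIVE_COLUMNS.search(col):
                    continue
                for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                    if value is not None and looks_plaintext(value):
                        findings.append((table, col, rowid))
    finally:
        conn.close()
    return findings


def build_sample_app_dir():
    """Constructed stand-in for a pulled app data directory (assumed layout).
    Returns (root_dir, path_to_database)."""
    root = tempfile.mkdtemp(prefix="appdata_")
    db_path = os.path.join(root, "accounts.db")
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
                 "password TEXT, api_key TEXT)")
    # Row 1: plaintext password, hex-looking API key (treated as a hash).
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2', "
                 "'5f4dcc3b5aa765d61d8327deb882cf99a1b2c3d4e5f60718')")
    # Row 2: base64-looking password blob (treated as ciphertext), no key.
    conn.execute("INSERT INTO users VALUES (2, 'bob@example.com', "
                 "'c29tZS1jaXBoZXJ0ZXh0LWJsb2ItaGVyZQ==', NULL)")
    conn.commit()
    conn.close()
    os.chmod(db_path, 0o644)  # world-readable: the insecure case
    prefs = os.path.join(root, "prefs.xml")
    with open(prefs, "w") as fh:
        fh.write("<map/>")
    os.chmod(prefs, 0o600)    # private to the app's own uid: the secure case
    return root, db_path


if __name__ == "__main__":
    sample_root, sample_db = build_sample_app_dir()
    print("world-readable:", world_readable_files(sample_root))
    print("plaintext secrets:", plaintext_secrets(sample_db))
```

Two findings come out of the constructed data: accounts.db is readable by other uids, and users.password holds a plaintext value in row 1. A base64-looking value passing the heuristic does not prove the field is encrypted; it only tells you which fields to inspect by hand for the encryption type, as the section says.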

6. Network attacks: Install traffic, run traffic

For a mobile application with a client-server architecture, testers should pay attention to network attacks. The essential way to investigate them is to capture network traffic and examine its transport-layer protection with the help of an attack proxy such as ZAP. The process should involve further tests, such as:


  • Authentication:

Authentication vulnerabilities are often found by observing the requests and responses between client and server. If the application uses HTTP Basic authentication, the credentials travel base64-encoded rather than encrypted; this is a risk unless the connection is protected by TLS (SSL).

  • Authorization:

Parameter tampering exercises the roles and the access controls between them. File analysis (native apps) or spidering the application (web-based apps) checks whether the API key is stored in a folder that other apps and users cannot access.

  • Session management:

Session ID tokens sent through GET requests, placed in the URL, are visible while proxying the application or sniffing the network, and end up in server and proxy logs.

  • Weak encryption and protocols:

Mobile applications are more vulnerable in these areas. A tester should therefore include a category for wireless vulnerabilities that revolves around the encryption protocols used by the device.
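The three traffic checks just listed (Basic authentication, session tokens in the URL, and cleartext transport) can be run over a proxy's raw request export. The following is an added example, not code from the original article or from ZAP or Burp: it parses raw HTTP/1.1 requests, decodes any Basic credentials to show what an eavesdropper would see, and flags session-style parameters in the query string. The host name, paths, parameter names and the requests themselves are constructed; the `scheme` argument stands in for whether the proxy saw the connection over TLS.

```python
"""Added example: triage of captured client-server requests for HTTP Basic
credentials, session identifiers in the URL, and cleartext transport.
SAMPLE_REQUESTS is constructed to resemble a proxy's raw request export;
api.example.invalid and the parameter names are invented for the example."""
import base64
from urllib.parse import parse_qsl, urlsplit

# Query parameter names that usually carry a session or bearer token.
SESSION_PARAMS = {"sessionid", "session_id", "sid", "jsessionid",
                  "phpsessid", "token", "auth_token"}


def parse_request(raw):
    """Split one raw HTTP/1.1 request into (method, target, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def triage_request(raw, scheme):
    """Return a list of finding strings for one captured request.
    scheme is 'http' or 'https', as the proxy saw the connection."""
    findings = []
    method, target, headers = parse_request(raw)
    host = headers.get("host", "?")

    # 1. Transport: anything not over TLS is readable on the wire.
    if scheme != "https":
        findings.append(f"cleartext transport to {host}")

    # 2. HTTP Basic: base64 is encoding, not encryption; recover the user name.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth.split(" ", 1)[1]).decode()
            user = decoded.split(":", 1)[0]
        except (ValueError, UnicodeDecodeError):
            user = "<undecodable>"
        findings.append(f"HTTP Basic credentials for user '{user}'")

    # 3. Session token in the URL: visible to proxies, logs and shoulder-surfers.
    split = urlsplit(target)
    for name, _value in parse_qsl(split.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            findings.append(f"session token '{name}' in URL of {method} {split.path}")
    return findings


# Constructed capture: (scheme, raw request). Not real traffic.
SAMPLE_REQUESTS = [
    ("http",
     "GET /api/v1/deals?city=hanoi&sessionid=8f3a2c1d HTTP/1.1\r\n"
     "Host: api.example.invalid\r\n"
     "User-Agent: ExampleApp/1.0 (iOS)\r\n\r\n"),
    ("https",
     "POST /api/v1/login HTTP/1.1\r\n"
     "Host: api.example.invalid\r\n"
     "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
     "Content-Type: application/json\r\n\r\n"
     '{"device":"ios"}'),
    ("https",
     "GET /api/v1/profile HTTP/1.1\r\n"
     "Host: api.example.invalid\r\n"
     "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.x\r\n\r\n"),
]


def triage_capture(requests=SAMPLE_REQUESTS):
    """Run triage_request over a list of (scheme, raw_request) pairs."""
    return [triage_request(raw, scheme) for scheme, raw in requests]


if __name__ == "__main__":
    for (scheme, raw), findings in zip(SAMPLE_REQUESTS, triage_capture()):
        print(raw.split("\r\n", 1)[0], "->", findings or "no findings")
```

The third request is the shape you want to see: TLS, a bearer token in a header rather than the URL, and no Basic credentials. Note that a Basic header over TLS is still a finding worth reporting, because the credentials are replayable by anything that can read the request on the client side, which is exactly what the file and runtime analysis in the previous section gives a tester.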

7. Staging server attacks

In this part the tester uses Nmap and other infrastructure penetration testing tools against the server hosting the mobile backend or web app, to map it and find potential vulnerabilities and threats. The testing should also cover arbitrary file upload, cross-origin resource sharing (CORS) misconfiguration and open redirects, to keep the remaining exposure as low as possible.

Another concern is attacks that try to bypass the authentication mechanism between client and server. A tester should look for these particularly when testing hybrid or web-based mobile applications, since their server side is reachable with ordinary web tooling.

The Apple case from 2013 is a good example of a server-side attack: it was possible to take over an Apple ID (and its iCloud account) by resetting the password, because the reset flow required only the owner's e-mail address and date of birth. This weak control over authentication and account recovery was the root cause of the problem.
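Two of the server-side checks named above, permissive CORS and open redirects, can be judged from the response headers alone, so they are easy to script once the responses have been captured. The following is an added example (not from the original article or any tool it names) that evaluates constructed responses offline: it reports a CORS policy that reflects an attacker's origin with credentials enabled, and a redirect whose Location points off the application's host. `APP_HOST`, the attacker origin and the sample responses are assumptions made for the example.

```python
"""Added example: offline evaluation of captured server responses for
permissive CORS and open redirects. APP_HOST, ATTACKER_ORIGIN and
SAMPLE_RESPONSES are constructed for the example, not real endpoints."""
from urllib.parse import urlsplit

APP_HOST = "api.example.invalid"            # assumed backend host of the app
ATTACKER_ORIGIN = "https://evil.invalid"    # origin the tester sent in the request


def _lower(headers):
    """Case-insensitive view of a header dict."""
    return {k.lower(): v for k, v in headers.items()}


def cors_finding(headers, attacker_origin=ATTACKER_ORIGIN):
    """Return a finding if the response lets attacker_origin read it from a
    browser (or embedded web view). Reflecting the caller's Origin together
    with Allow-Credentials: true is the dangerous combination; a bare '*'
    never allows credentials, so it is reported at lower severity."""
    h = _lower(headers)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == attacker_origin and creds:
        return f"CORS reflects {attacker_origin} with credentials"
    if acao == "*":
        return "CORS allows any origin (no credentials)"
    return None


def open_redirect_finding(status, headers, app_host=APP_HOST):
    """Return a finding if a redirect response sends the client to a host
    other than the application's own. Scheme-relative targets such as
    //evil.invalid/ are caught because urlsplit gives them a netloc."""
    if status not in (301, 302, 303, 307, 308):
        return None
    location = _lower(headers).get("location", "")
    target = urlsplit(location)
    if target.netloc and target.netloc.lower() != app_host:
        return f"open redirect to {target.netloc}"
    return None


# Constructed responses: name -> (status, headers). Not captured traffic.
SAMPLE_RESPONSES = {
    "cors_reflected": (200, {"Access-Control-Allow-Origin": "https://evil.invalid",
                             "Access-Control-Allow-Credentials": "true"}),
    "cors_wildcard": (200, {"Access-Control-Allow-Origin": "*"}),
    "redirect_external": (302, {"Location": "https://evil.invalid/phish"}),
    "redirect_schemeless": (302, {"Location": "//evil.invalid/phish"}),
    "redirect_internal": (302, {"Location": "/login"}),
    "plain": (200, {"Content-Type": "application/json"}),
}


def run_checks(responses=SAMPLE_RESPONSES):
    """Apply both checks to every response; returns name -> list of findings."""
    report = {}
    for name, (status, headers) in responses.items():
        findings = [f for f in (cors_finding(headers),
                                open_redirect_finding(status, headers)) if f]
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(f"{name}: {findings or 'no findings'}")
```

The checks are deliberately header-only so they can run on a saved capture; for a live target you would send the attacker Origin and a tampered redirect parameter yourself through the proxy and feed the responses in.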

8. Getting to know more about mobile vulnerabilities

Nothing is perfect without practice. Testers should keep in mind that the way to learn more about the security vulnerabilities that occur in mobile applications is to work on applications that were built to be vulnerable for exactly this purpose. Some recommended vulnerable applications a tester should know:

⦁ Damn Vulnerable iOS Application (DVIA)
⦁ MobiSec
⦁ Androick

The Damn Vulnerable iOS App ships with a full set of documentation, including articles on setting up a testing environment, runtime analysis, and network traffic, among many other detailed examples.

Loc Tran, Savvycom Blog

Why Is Testing So Important?

Hiring professional developers always helps a business run efficiently. But should a business also invest in testing, especially when QA takes a large share of the budget?

It is a big question for most managers trying to optimize the budget. In this blog post my answer is "Of course, yes, it is very important", and here is my explanation for that answer.


It's very important

As a user, I remember using an app that crashed constantly. That is when I understood how it feels to meet a bad-quality app. Software should be a tool that helps people do their jobs more efficiently than they could without it, not a tool that makes people angry because it keeps crashing.

It is not freeware

When customers pay for an app, they have the right to a well-working one, in which they do not have to log in again and again just because the app does not work properly.

Proud of product

Anyone who starts a career in IT takes pride in the applications they create. They will never want to present an app in which bugs keep occurring.

Problem is not only finding a bug

Quality assurance isn't just about finding what doesn't work.

It also has to make sure that a feature or a product does what it should do and follows the logic of its users. This is as important as bug finding, and it involves looking at the product through the customer's eyes.

Nobody is perfect

We can have a great developer team, but that does not mean they will never make mistakes. To ensure the final product is as good as it can be, QA is the person who helps us be sure of its quality.

So, those are my thoughts. How about you? Please leave your comments below!
