Thursday, 26 February 2015

Difference between data leakage analysis and vulnerability analysis?



What is the difference between data leakage analysis and vulnerability analysis? And how much and what kind of vulnerability testing is required for data leakage analysis?


I have to give a data leakage analysis report for some mobile applications. According to what I know, data leakage happens when an app itself sends important data to the outside environment, e.g. to a remote server or a log file (which is accessible to other apps on the mobile OS), or keeps it in some unsafe and vulnerable place.


According to my understanding, I only have to check how the app is communicating and saving important data.


As for vulnerabilities and exploitation, it is possible that some malicious party can use sophisticated and clever ways to hack an app and steal its data, i.e. they hacked neither the victim's data communication method nor the possible storage locations (e.g. the log), but some other component of the application, e.g. calling a function with a different remote server to send data to...


I understand that some vulnerability analysis will be required, e.g. data posted to the server should not be unencrypted... but how deep a vulnerability analysis is usually required? E.g. for the scenario that I mentioned in the paragraph above, is such testing required?




