esChecker - Mobile Application Security Testing Tool

Suphi Cankurt
Founder @ AppSec Santa
Summary

esChecker is a dynamic security scanning tool for Android and iOS mobile applications to test the apps' self-protection and identify vulnerabilities and misconfigurations with no false positives.


You will learn
  • The basics of DAST scanning in mobile applications
  • Differences between SAST and DAST in mobile app scanning
  • The pricing details of esChecker

What is esChecker?

esChecker is a Mobile Application Security Testing (MAST) tool that runs both static (SAST) and dynamic (DAST) tests directly against the application binary, with no access to source code (black-box testing).


It executes your applications on real mobile devices and launches attacks to detect failures in self-protection on .apk or .ipa files.


Because it operates its own device farm, it can exercise attack techniques such as reverse engineering and code tampering against the running app, which emulator-based tools cannot do reliably.

Let's run an example scan:


1- First, upload your application file (.apk/.ipa).

esChecker upload your app

2- Optionally, record a test sequence that guides the scanner through the most critical screens of your app so that the dynamic tests reach as much of the code as possible.

3- Choose a scanning campaign that matches the type of your application: banking, gaming, healthcare or other.

These preset campaigns follow the OWASP recommendations.

esChecker scan campaigns

4- The scan results are available in 20-30 minutes.

esChecker Report Dashboard

What makes esChecker unique?

esChecker is the only solution that executes your apps on a real device and runs attacks.


Most other mobile application security testing solutions run the app inside an emulator and execute their attacks against that emulated instance.


However, this approach limits code coverage. Moreover, if the app contains anti-emulator protection, it will detect the emulator and change its behaviour (or refuse to run), so the resulting report is biased.


With esChecker, your app runs on a real device; you record your user journey and design your attack scenarios around it.


You can fine-tune your scans to recognise pop-ups or error-handling messages, so the scan results reflect real vulnerabilities rather than noise (no false positives).

How does esChecker pricing work?

It is an annual subscription purchased for a fixed number of applications, at approximately $10k per application.

There is no limit on users or how many times you can scan your applications during the year.

What is esCoaching?

esCoaching is a learning platform for mobile application security where you interact with security experts in real time.

Some of the topics:

Mobile App Essentials: Android Reverse Engineering

- Static Analysis of an Android application
- Android basics from the reverse engineer's point of view
- Android: Crack-me Challenge
- Dynamic Analysis of an Android application

Mobile App Essentials: iOS Reverse Engineering

- Static Analysis of an iOS application, Part 1
- Static Analysis of an iOS application, Part 2
- Dynamic Analysis of an iOS application
- iOS: Crack-me Challenge
- iOS basics from the reverse engineer's point of view

Mobile App Advanced

- Introduction to P-Code and GHIDRA SLEIGH
- Code instrumentation with FRIDA
- Deep dive into the Linux/Android loader and Dynamic Linker
- Panda-RE
- Symbolic Execution
- Code Review of ARM Assembly Code
- Identifying C constructs in ARM using GHIDRA
- Practical Introduction to GHIDRA
- Static Analysis of a virtual machine using GHIDRA
- Reverse engineering a Virtual Machine using Unicorn

Mobile App: White-Box Cryptography Analysis

- Breaking a White-Box implementation embedded in an Android Application
- Side Channel Marvels Tools & Double Fault Injection Attack
- Breaking a White-Box implementation embedded in an Android Application (Intermediate Level)
- WBC Binary Instrumentation
