Cloud Mobile Upload

Introduction to WhiteHat Mobile Application Security Testing

WhiteHat Sentinel Mobile Application Security Testing combines dynamic and static automated scanning as well as optional manual mobile application-layer penetration testing by the expert security engineers at our Threat Research Center (TRC).

The Sentinel Mobile Standard Edition (SE) analyses developer-signed binaries and assesses mobile web view applications. It includes the following features:

  • Platform and language agnostic

  • Supports iOS and Android

  • Fast results, whether the scanned binary is ready to go to market or is code still in development

  • No source code required; scanning can also be automated into the CI/CD environment

The Sentinel Mobile Business Logic Assessment (BLA) provides hands-on mobile application penetration testing, including data flow analysis and dynamic testing between the client and server:

  • Deeper cryptography-related checks

  • Analysis of client and server interaction

  • Review of application business logic and workflows

  • Deeper application-layer penetration testing of information storage and data leakage

  • Inter-process communication checks

All cloud upload scan results are deleted after 15 days, regardless of success or failure, and the Asset Management page displays the last five scan results.

Uploading Files During Application Onboarding

To upload files during application onboarding, perform the following steps:

  1. In the WhiteHat Portal, select Assets.

    mobile upload 1
  2. Click Add Asset.

  3. Click Add Mobile Application.

  4. Select a Service Level from:

    • Standard Edition (SE)

    • Express Edition (EE)

      The service level choices depend on the Licenses Available displayed on the right hand side of the page.
      mobile upload 2
  5. Type an Asset Name in the text field.

  6. Select an Industry that best describes the asset.

  7. Click Next.

    mobile upload 3
    Steps 8-10 are only applicable to users running a scan with credentials.
  8. Type the credential Username in the text field.

  9. Type the credential Password in the text field.

  10. Type the credential Password in the text field again to confirm.

  11. Click Next.

    mobile upload 4
  12. Type your Full name in the text field.

  13. Type your Last name in the text field.

  14. Type your Email address in the text field.

  15. Type your Telephone number in the text field.

  16. Optionally, click Add Custom Field to add custom fields.

  17. Optionally, type a Term in the text field.

  18. Optionally, type a Value in the text field.

  19. To delete a custom field, click the bin/trash can icon.

  20. Click Next.

    mobile upload 5
  21. To upload the binary file you want to scan, drag and drop the file into the displayed box, or click Browse to browse to the location of your files and select a file to upload.

    Make sure the file meets the binary requirements displayed above the upload box.
  22. Click Create to finish creating the mobile asset.
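A binary that is not signed cannot be analysed as a "developer-signed binary", so a pipeline that automates this upload benefits from a pre-flight check that fails the job before the upload instead of waiting for the scan to fail. The following is an added example, not WhiteHat code, and it does not know the portal's own binary requirements: it only detects whether an APK carries a v1 (JAR) signature or an APK Signing Block (v2/v3 signatures, marked by the "APK Sig Block 42" magic directly in front of the ZIP central directory), and whether an IPA carries a `_CodeSignature/CodeResources` entry. The archives produced by `build_fixture` are constructed stand-ins for real apps so the check can be exercised offline.

```python
"""Pre-flight signing check for a mobile binary before it is uploaded to a
scanner.  Hypothetical helper, not WhiteHat code: it checks only that a
signature is present, not that it is valid or matches a release key."""
import io
import struct
import sys
import zipfile
from dataclasses import dataclass, field

# Magic that closes the APK Signing Block (v2/v3), placed by the signer
# immediately before the ZIP central directory.
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"
APK_SIG_V2_BLOCK_ID = 0x7109871A


@dataclass
class SignatureReport:
    platform: str                       # "android", "ios" or "unknown"
    signed: bool
    schemes: list = field(default_factory=list)


def _central_directory_offset(data: bytes) -> int:
    """Central-directory offset from the End Of Central Directory record, or -1."""
    eocd = data.rfind(EOCD_SIGNATURE)
    if eocd < 0 or eocd + 22 > len(data):
        return -1
    return struct.unpack_from("<I", data, eocd + 16)[0]


def _has_apk_signing_block(data: bytes) -> bool:
    cd = _central_directory_offset(data)
    return cd >= len(APK_SIG_BLOCK_MAGIC) and data[cd - 16:cd] == APK_SIG_BLOCK_MAGIC


def _has_v1_signature(names) -> bool:
    # v1 (JAR) signing leaves a signature file and a signature block in META-INF.
    meta = [n for n in names if n.startswith("META-INF/")]
    return (any(n.upper().endswith(".SF") for n in meta)
            and any(n.upper().endswith((".RSA", ".DSA", ".EC")) for n in meta))


def inspect_binary(data: bytes) -> SignatureReport:
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return SignatureReport("unknown", False)
    if "AndroidManifest.xml" in names:
        schemes = []
        if _has_v1_signature(names):
            schemes.append("v1")
        if _has_apk_signing_block(data):
            schemes.append("v2/v3")
        return SignatureReport("android", bool(schemes), schemes)
    if any(n.startswith("Payload/") and ".app/" in n for n in names):
        signed = any(n.endswith(".app/_CodeSignature/CodeResources") for n in names)
        return SignatureReport("ios", signed, ["codesign"] if signed else [])
    return SignatureReport("unknown", False)


def preflight(path: str) -> int:
    """CI gate: return non-zero when the binary about to be uploaded is unsigned."""
    with open(path, "rb") as fh:
        report = inspect_binary(fh.read())
    print(f"{path}: platform={report.platform} signed={report.signed} schemes={report.schemes}")
    return 0 if report.signed else 1


def _insert_apk_signing_block(data: bytes, fake_sig: bytes) -> bytes:
    """Splice a minimal APK Signing Block (one v2 ID-value pair) in front of the
    central directory and fix up the EOCD offset, as a v2 signer would."""
    cd = _central_directory_offset(data)
    eocd = data.rfind(EOCD_SIGNATURE)
    pair = struct.pack("<QI", 4 + len(fake_sig), APK_SIG_V2_BLOCK_ID) + fake_sig
    size = len(pair) + 8 + len(APK_SIG_BLOCK_MAGIC)   # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    return (data[:cd] + block + data[cd:eocd + 16]
            + struct.pack("<I", cd + len(block)) + data[eocd + 20:])


def build_fixture(kind: str) -> bytes:
    """Constructed sample archives (not real apps): apk-unsigned, apk-v1,
    apk-v2, ipa-unsigned, ipa-signed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if kind.startswith("apk"):
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035")
            if kind == "apk-v1":
                zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
                zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
                zf.writestr("META-INF/CERT.RSA", b"\x30\x82")          # placeholder PKCS#7
        elif kind.startswith("ipa"):
            zf.writestr("Payload/Demo.app/Info.plist", b"<plist/>")
            zf.writestr("Payload/Demo.app/Demo", b"\xcf\xfa\xed\xfe")  # Mach-O 64-bit magic
            if kind == "ipa-signed":
                zf.writestr("Payload/Demo.app/_CodeSignature/CodeResources", b"<plist/>")
    data = buf.getvalue()
    if kind == "apk-v2":
        data = _insert_apk_signing_block(data, b"\x00" * 32)
    return data


if __name__ == "__main__":
    sys.exit(preflight(sys.argv[1]))
```

Run it as `python preflight.py app.apk` in the job that precedes the upload; a non-zero exit stops the pipeline. Presence of a signature is the only thing checked here; verifying that the signature is valid and made with the expected key is a job for `apksigner verify` or `codesign --verify`.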

Rescanning Files

To rescan a mobile file that you have already uploaded:

  1. In the WhiteHat Portal, click Assets.

    mobile upload 6
  2. On the Asset Management page, click the name of the cloud upload asset you want to rescan.

  3. Click the Scan tab.

  4. Click the Request Scan button.

    The previous scans are listed under Scan Log.

Filtering Mobile Upload Assets

To filter results by mobile application:

  1. Click the Filter button on the Asset Management page.

    mobile upload 7
  2. From the Filter pane, select Mobile Application from the Asset Type dropdown.

  3. Select any other parameters by which you want to filter and click the Filter button.

If you do not reset the filter, the filtered results will display the next time you open the Asset Management tab. The filter persists even after you log out of the WhiteHat Portal and log back in again. When you have finished with the filter, click the Reset button.

Reporting Mobile Upload Asset Results

The WhiteHat Portal includes a Vulnerability Detail Report for Mobile Applications. To access this report:

  1. Click Reports.

    mobile upload 8
  2. Select Mobile Applications or Groups from the Vulnerability Detail Reports section.

  3. Select the report Frequency from:

    • One Time

    • Daily

    • Weekly

    • Monthly

For all reports other than the One Time report, a template name must be entered here.
    mobile upload 9
  4. To locate specific assets, use the Search bar at the top of the Available or Selected columns.

  5. From the Available table, select the assets that you want to include in the report. You can also click Select All to select all available assets.

  6. Click the right-facing arrow to move the selected Assets from the Available table to the Selected table.

  7. Select the Vulnerability Status of the Assets to be included in the report.

  8. Click Generate Report to generate the report for the selected Assets.

If you have selected a one-time report, report generation will begin and you will be notified when it is complete. If you have selected a repeating report, the template you have created will be saved in the Templates tab and it will be run at the next scheduled time.

Understanding Scan Statuses for Mobile Uploads

During the scanning process for mobile uploads, the Scan Status column on the Asset Management page moves through the following statuses:

  • Pending WhiteHat Review

  • Scan Running

  • Initial Scan Complete - Configuration In Progress

  • Complete