Mobile Application Penetration Testing

Mobile applications are a convenient way for your users to access information, but they can also be a way for attackers to access theirs. Our mobile application penetration testing service finds any vulnerabilities that attackers could exploit to bypass security measures, putting your users’ information and privacy at risk.


Powered by Informer

Our scalable SaaS solution reforms traditional mobile application penetration testing, harnessing the power of both automated scanning and integrated expert penetration testing to provide business-critical security insights and efficient attack surface management in a single platform.


REAL-TIME RESULTS

View your mobile application penetration testing results instantly from day one instead of waiting weeks for your report


REMEDIATE FASTER

Add team members, set up alerts, and integrate Informer into your remediation workflow through its integrations


AUTOMATED RE-TESTING

One-click retesting allows you to validate identified vulnerabilities that you have fixed for added assurance

Our approach to mobile application penetration testing

Our specialist penetration testers use a combination of automated and manual testing to assess iOS and Android applications. The OWASP Mobile Security Guide and eWPT methodologies are used together with our own proprietary methodology and checks.

Our testing approach has two main objectives: to assess the security of the installed mobile app, and to assess the APIs that handle the information sent to and from the app.

How we security test mobile apps

Every mobile application security test covers a wide range of checks that assess the security of the installed app and of the app's service APIs.

  • Sensitive information on the device – the mobile device is assessed to establish whether suitable security measures protect sensitive information if a device running the application is stolen or otherwise falls into the wrong hands.
  • API security – we identify whether the APIs the app uses allow unauthorized access to data, and whether suitable protection has been applied to secure communications between the device and the service.
  • Sensitive information in app diagnostics log data – crash reporting and app diagnostics services are analysed to identify personal and sensitive data included in diagnostics output, which could violate GDPR and other data protection regulations.
  • App permissions – the device components the app uses, such as the camera, microphone, and clipboard, are examined to determine whether access to them is appropriate.

The following areas are included in mobile security testing:

  • OWASP Mobile Top Ten checks
  • Authentication and session implementation
  • Static analysis of the application binary
  • Jailbreak detection
  • Broken access control
  • SSL pinning countermeasures
  • Testing the APIs for injection

Each testing phase builds on the previous one, resulting in a map of the application's full attack surface and giving you the information you need to act on and reduce your security risk:

  • API and app mapping and analysis
  • Attack vector discovery
  • Vulnerability identification and exploitation

Successful application security testing is dependent upon mapping the entire app’s functionality and touchpoints from an unauthenticated perspective and from an end user’s perspective.

Identified vulnerabilities are confirmed by exploiting them. We go beyond the OWASP checks and advise on defence-in-depth approaches so that the application remains resilient if a vulnerability is introduced later.

In-depth dynamic security testing with multiple user levels gives us greater application visibility and coverage. This approach gives us access to wide-ranging functionality that could contain a variety of vulnerabilities that lead to sensitive information exposure.

Instant online reporting

The penetration testing service is delivered through our Informer platform. You can start to remediate vulnerabilities as soon as our testers find them, and you can connect Informer to Jira so that tickets are created automatically for your developers, who can then work on fixes without needing to access Informer.

Each test comes with a summary that gives you a non-technical overview of its results.

For each vulnerability discovered, Informer provides a:

  • Description of the finding
  • Evidence detailing the location and parameters affected
  • Screenshots
  • Remedial action and recommendations
  • References to more information if you need to dig deeper

If you would like a downloadable penetration testing report, you can export one in PDF and a number of other formats at any time during or after the test.

Technical support

We go beyond providing reports by offering a comprehensive debrief session so our penetration testing team can discuss the findings. This is a great opportunity for you and your security, IT, and development teams to ask any questions or seek additional advice.

We're CREST Penetration Testing Accredited

Informer is a CREST Penetration Testing accredited company. We invest in our team to ensure our pen testing methodologies, knowledge, skills, and experience are at the forefront of mobile application penetration testing.

  • Jailbreak detection – does the app detect that the device has been jailbroken or rooted?
  • User privacy – assesses the permissions granted to the device’s components
  • Data remnants and artifacts – identifies sensitive data left on the device
  • User separation – the app’s enforcement of user authorization
  • Binary analysis – potential manipulation of the app to subvert its protections
  • Authentication methods – assesses whether authentication is suitable, e.g. the 2FA implementation

Frequently asked questions

If you have any further questions, get in touch with our friendly team.

Do you test iOS and Android mobile applications?

Yes. Our penetration testing labs are set up for Apple (iOS) and Android environments, so we can test applications on both platforms.

Do you test the user sign up process?

We test the self-registration process and the account verification process, to give you and your customers confidence in your security.

Is the application reverse engineered?

We reverse engineer the application to look for evidence of how it has been developed and for hardcoded sensitive information, such as API keys and credentials.
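As an added illustration of the hardcoded-secret check described above (this is example code written for this page, not Informer's own tooling), the following Python script extracts printable strings from a binary blob, the same idea as the `strings` utility applied to an unpacked app package, and flags strings that look like embedded credentials. The detection patterns (an AWS-style access key ID, a PEM private key header, a `key = "..."`-style assignment, and credentials embedded in a URL) are illustrative, and the sample "binary" is constructed inline; the AWS key ID used is the placeholder from AWS's own documentation, not a real credential.

```python
import re
from dataclasses import dataclass


def extract_strings(data: bytes, min_len: int = 8):
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Illustrative patterns for secrets that should never ship inside an app binary.
SECRET_PATTERNS = {
    # AWS access key IDs start with AKIA followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM-encoded private key material embedded as a string.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    # key/secret/token/password assigned a long literal value.
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|passw(?:or)?d)\b\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{12,})"
    ),
    # user:password@host embedded in a URL.
    "basic_auth_url": re.compile(r"https?://[^\s/:@]+:[^\s/@]+@[^\s/]+"),
}


@dataclass(frozen=True)
class Finding:
    kind: str      # which pattern matched
    evidence: str  # the offending string, for the report


def find_hardcoded_secrets(strings):
    """Match every extracted string against each secret pattern."""
    findings = []
    for s in strings:
        for kind, pat in SECRET_PATTERNS.items():
            if pat.search(s):
                findings.append(Finding(kind, s))
    return findings


def scan_blob(data: bytes):
    """Convenience wrapper: extract strings from a binary, then scan them."""
    return find_hardcoded_secrets(extract_strings(data))


# Constructed sample "binary": a few non-printable bytes around NUL-separated strings.
SAMPLE_BINARY = b"\x7fELF\x01\x01\x00" + b"\x00".join([
    b"https://api.example.com/v1/users",                  # benign endpoint
    b"Content-Type: application/json",                    # benign header
    b'api_key = "sk_test_0123456789abcdef"',              # constructed hardcoded key
    b"accessKeyId: AKIAIOSFODNN7EXAMPLE",                 # AWS documentation placeholder
    b"-----BEGIN RSA PRIVATE KEY-----",                   # embedded private key header
    b"https://deploy:hunter2pass@git.example.com/repo",   # credentials inside a URL
]) + b"\x00\x00"


if __name__ == "__main__":
    for f in scan_blob(SAMPLE_BINARY):
        print(f"[{f.kind}] {f.evidence}")
```

Running the script reports the four planted secrets and ignores the two benign strings. In practice the same scan is most useful as a pre-release check in the build pipeline, run over the unpacked APK or IPA, so that a finding blocks the release before a tester has to report it.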

What is Mobile Application Penetration Testing?

Mobile application penetration testing is the process of assessing and identifying a mobile app’s vulnerabilities and security issues to improve both safety and security.