Mobile Application Penetration Testing

Our approach to mobile application penetration testing

Our specialist penetration testers use a combination of automated and manual testing to assess iOS and Android applications. The OWASP Mobile Security Guide and eWPT methodologies are used together with our own proprietary methodology and checks.

Our testing approach has two main objectives; to security assess the installed mobile app, and the APIs that manage the information that is sent to and from the app.

How we security test mobile apps

All mobile application security tests cover a wide range of tests that assess the security robustness of the installed app and the app service APIs.

• Find sensitive information mobile devices – the mobile device is assessed to ascertain whether suitable security measures have been taken to protect sensitive information in the event that devices with the application have been stolen/entered the wrong hands.
• API security – We will identify any unauthorized access to data using APIs that the mobile device uses and whether suitable protection has been applied for secure communications between the device and the service.
• Sensitive information in-app diagnostics log data- crash reporting and app diagnostics services will be analyzed to identify personal and sensitive data that could have been included in diagnostics data, which could violate GDPR and other data protection regulations.
• App permissions- device components that the app is using will be examined to determine the suitability to access these, such as camera, microphone, and clipboard.

The following areas are included in mobile security testing:

• OWASP Mobile Top Ten checked
• Authentication and session implementation
• Static analysis of the application binary
• Jailbreak detection
• Broken access control
• SSL pinning countermeasure
• Testing the APIs for injection

Each testing phase builds upon the other that results in the full attack surface of the web application and gives you the information that you need to action and reduce your security risk:

• API and app mapping and analysis
• Attack vector discovery
• Vulnerability identification and exploitation

Successful application security testing is dependent upon mapping the entire app’s functionality and touchpoints from an unauthenticated perspective and from an end user’s perspective.

Vulnerabilities are identified by exploiting them. We go beyond the OWASP and advise on defence-in-depth security approaches so that you can strengthen the application if a vulnerability was introduced.

In-depth dynamic security testing with multiple user levels gives us greater application visibility and coverage. This approach gives us access to wide-ranging functionality that could contain a variety of vulnerabilities that lead to sensitive information exposure.

Instant online reporting

The web app penetration testing service is delivered through our Informer platform. You can start to remediate vulnerabilities as soon as our testers find them and connect Informer to Jira for automatic ticket creation for your developers to get to work on fixing issues without the need to access Informer.

A summary of the test is provided for each test and gives you a non-technical overview of the results of the test.

For each vulnerability discovered, Informer provides a:

• Description of the finding
• Evidence detailing the location and parameters affected
• Screenshots
• Remedial action and recommendations
• References to more information if you need to dig deeper

If you would like a PDF penetration testing report, you can download that in a number of report formats at any time during or after the test.

Technical support

We go beyond providing reports by offering a comprehensive debrief session so our penetration testing team can discuss the findings. This is a great opportunity for you and your security, IT, and development teams to ask any questions or seek additional advice.