Mobile Application Testing
The Mobile Applications we use daily have significantly advanced in recent years. This advancement and reliance upon such services have exposed users to a variety of new security risks. Protecting these applications from new threats is a constant challenge, especially for developers who may not be security-aware and typically work toward a performance deadline.
Pentest People have a wealth of knowledge in the area of Mobile Application Security Testing, and their professional Mobile Application Security Testing service can be used to identify vulnerabilities that exist in your mobile applications.
Listen to one of our Mobile Application Testing experts break down this Pentest People service.
Overview of Mobile Application Testing Methodology
Mobile Applications can use a variety of technologies and development frameworks, so Pentest People’s exact technical approach to each application may be very different. However, there are certain fundamental areas that are examined, which are as follows:
What are the Risks?
Mobile applications are becoming increasingly complex, and as they do their threat landscape grows, with more personally identifiable and business-critical data being stored on the device.
Insecure applications may result in sensitive data being exposed to other applications on the device, or in application components being triggered to perform malicious actions, amongst other attack vectors. Mobile applications typically make use of an API to send and retrieve data from the server; this is also a focal point of the assessment, and our full API methodology is applied to it.
How Can Our Mobile Application Testing Help?
Pentest People can help alleviate the risks associated with mobile applications by identifying vulnerabilities that exist within the app on both iOS and Android operating systems.
Pentest People’s Mobile Application Testing service looks at mobile applications at a storage level by reverse engineering the application package and viewing the database and configuration files. We use specialised technology to simulate a malicious application stored on the phone alongside your application to check for vulnerabilities that require a malicious application to exploit.
We also examine the API backend using our full API methodology, which covers all of the OWASP Top 10 vulnerabilities, common misconfigurations and in-depth business logic testing.
Our Mobile Application Security service would be delivered as part of the Pentest People Penetration Testing as a Service (PTaaS) and full access to the SecurePortal and other complementary tools would be provided.
The Mobile Application Assessment Allows Access to SecurePortal
Until now, the traditional deliverable from a Penetration Test engagement has been a lengthy 100+ page PDF report.
Pentest People have developed a solution to this: you interact with your vulnerabilities directly within the SecurePortal.
Vulnerability information is constantly updated to keep pace with the emerging threat landscape.
Receive overview and trend data of all of the current security issues you face in your organisation. All viewable on an interactive dashboard.
Rest assured that your assessments are performed by qualified Security Consultants.
Our specialised team of security consultants hold industry qualifications such as CHECK Team Member & Team Leader, CCIE, CISSP and CEH.
Mobile Application Testing Overview Transcript
Our team of highly skilled mobile application penetration testers can assess either your iOS or Android application for vulnerabilities. This is done by assessing both the client and the API that will be tested.
Our methodology includes but is not limited to: reverse engineering the application; exploiting services, broadcast receivers and other components; file checks, so looking at the database and looking at encryption; and attempting to communicate with the application from other apps on the device. The API will also be tested. We can also potentially bypass root or jailbreak detection, or SSL pinning, as part of our testing. We will also look at the local runtime storage and look for any sensitive data that’s being leaked in the memory or in your logs.
Understand the security risks associated with Mobile Applications through a thorough assessment.
- The application will be reverse engineered to check for misconfigurations or missing core security defences such as root detection, SSL pinning and code obfuscation.
- The source code of the application will be analysed to look for misconfigurations, hardcoded credentials or keys. There is no need to supply us with the source code; it can be recovered by reverse engineering the application.
- The application level will be analysed for weaknesses such as weak password policies, insecure change-password functionality and extraction of data from the application. The logs will also be viewed whilst performing actions to find any sensitive data being logged.
- Services, broadcast receivers and activities will be tested in an attempt to trigger them outside of the normal business logic of the application. This often reveals authentication bypasses and the ability to interact with the application and its data in a malicious way.