Mobile Application Testing
The mobile applications we use daily have advanced significantly in recent years. This advancement, and our reliance upon such services, has exposed users to a variety of new security risks. Protecting these applications from new threats is a constant challenge, especially for developers who may not be security aware and who are typically working toward a delivery deadline.
Pentest People have a wealth of knowledge in the area of application security testing, and the professional Mobile Application Security Testing Service can be used to identify vulnerabilities that exist on your Mobile applications.
Overview of Methodology
Mobile Applications can use a variety of technologies and development frameworks, so Pentest People’s exact technical approach to each application may be very different. However, there are certain fundamental areas that are examined, which are as follows:
The application is mapped and key files analysed to gain an understanding of the mobile application’s logic, data and potential entry points and architectural vulnerabilities.
The mobile application is assessed from both an automated and a manual perspective, attempting to discover any logical flaws. Intents, receivers and any other inter-application communication channels will also be analysed.
The application will be examined to find any security misconfigurations. These include (but are not limited to) insecure backup settings, lack of SSL pinning, missing jailbreak/root detection and use of insecure random number generators.
Many mobile application vulnerabilities are the result of poor (or non-existent) input validation, sanitisation, and output encoding. All user-controllable input is closely tested to identify any instances of malicious code injection weaknesses. Common vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injection fall within this category.
What are the Risks?
As mobile applications become increasingly complex, their threat landscapes grow larger, with more personally identifiable and business-critical data being stored.
Insecure applications may result in sensitive data being exposed to other applications on the device, or in application components being triggered to perform malicious actions, amongst other attack vectors. Mobile applications typically make use of an API to send data to and retrieve data from the server; this is also a focal point of the assessment, with our full API methodology being applied.
How Can We Help?
Pentest People can help alleviate the risks associated with mobile applications by identifying vulnerabilities that exist within the app on both the iOS and Android operating systems.
Pentest People’s Mobile Application Assessment looks at mobile applications at a storage level by reverse engineering the application package and viewing the database and configuration files. We use specialised technology to simulate a malicious application stored on the phone alongside your application to check for vulnerabilities that require a malicious application to exploit.
We also examine the API backend using our full API methodology, which covers all of the OWASP Top 10 vulnerabilities, common misconfigurations and in-depth business logic testing.
The service would be delivered as part of the Pentest People Penetration Testing as a Service (PTaaS) and full access to the SecurePortal and other complementary tools would be provided.
The Mobile Application Assessment
Allows Access to SecurePortal
Until now, the traditional deliverable from a Penetration Test engagement has been a lengthy 100+ page PDF report.
Pentest People have developed a solution to this issue where you interact with your vulnerabilities within the SecurePortal.
Constantly updating Vulnerability Information to stay in touch with the emerging threat landscape.
Receive overview and trend data of all of the current security issues you face in your organisation. All viewable on an interactive dashboard.
Rest assured that your assessments are performed by qualified Security Consultants.
Our specialised team of security consultants hold industry qualifications such as CHECK Team Member & Team Leader, CCIE, CISSP and CEH.
Understand the security risks associated with Mobile Applications through a thorough assessment.
- The application will be reverse engineered to check for misconfigurations or missing core security defences such as root detection, SSL pinning and code obfuscation.
- The source code of the application will be analysed to look for misconfigurations, hardcoded credentials or keys. There is no need to supply us with the source code, as it will be recovered by reverse engineering the application.
- The application itself will be analysed for weaknesses such as weak password policies, insecure change-password functionality and extraction of data from the application. The logs will also be viewed whilst performing actions to find any sensitive data being logged.
- Services, broadcast receivers and activities will be tested in an attempt to trigger them outside of the normal business logic of the application. This often finds authentication bypasses and the ability to interact with the application and its data in a malicious way.
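As an added illustration of the manifest-level checks described above (insecure backup settings, and exported services, receivers and activities), the following Python script reviews an AndroidManifest.xml for those misconfigurations. It is example code written for this page, not Pentest People's tooling; the manifest it parses is a constructed sample, and the package name and component names in it are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from any real app) showing the kinds of
# settings a review flags: backup enabled, debuggable build, and components
# exported with no permission guarding them.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true"/>
    <service android:name=".AdminService" android:exported="true"
        android:permission="com.example.demo.ADMIN"/>
    <activity android:name=".SettingsActivity">
      <intent-filter><action android:name="com.example.demo.SETTINGS"/></intent-filter>
    </activity>
  </application>
</manifest>"""

def attr(elem, name):
    # Attributes in the android: namespace are keyed as {namespace}name by ElementTree.
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(elem):
    # An explicit android:exported wins; otherwise the presence of an intent-filter
    # made the component exported by default before Android 12, which is why a
    # review must not rely on the attribute alone.
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None

def review_manifest(xml_text):
    """Return a list of (severity, finding) tuples for manifest-level misconfigurations."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if attr(app, "allowBackup") == "true":
        findings.append(("medium", "allowBackup=true: app data can be extracted via adb backup"))
    if attr(app, "debuggable") == "true":
        findings.append(("high", "debuggable=true: a debugger can be attached to the build"))
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider") or not is_exported(comp):
            continue
        if attr(comp, "permission") is None:
            # The launcher activity is expected to be exported; anything else is a finding.
            if "android.intent.action.MAIN" in [attr(a, "name") for a in comp.iter("action")]:
                continue
            findings.append(("medium", "%s %s exported without a permission" % (comp.tag, attr(comp, "name"))))
    return findings
```

Running `review_manifest(SAMPLE_MANIFEST)` reports the backup and debuggable flags, the unguarded receiver, and the implicitly exported SettingsActivity, while the permission-protected service and the launcher activity are not flagged.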