Mobile application penetration test
Mobile application penetration test, similarly to the web application penetration test represents the activities of malicious hacker, trying to cause damage to an organization. In other words the purpose of the security test is to identify and verify the discovered issues. Mobile application penetration test uses a different approach. In comparison the traditional application test considers the primary threat as originating from Internet. Therefore Mobile application penetration test focuses more on client-side, hardware, file system and network security testing. In comparison with other applications, mobile application allows the end user to control the application. The following are part of the testing:
- Architecture, Design and Threat Modelling
- Data Storage and Privacy
- Cryptography Verification
- Authentication and Session Management
- Network Communication
- Environmental Interaction
- Code Quality and Build Settings
- Resiliency Against Reverse Engineering
White box vs Black box testing
- Black Box Testing – It requires no knowledge of internal paths, structures, or implementation of the tested software.
- Gray Box Testing – In Gray Box testing a tester attempts to find security bugs with incomplete information of the software product’s inner code structure.
- White Box Testing – White Box testing provides the tester with knowledge of the application structure and functionality. In other words the purpose of the white box testing is to test the application from developer’s point of view.
Penetration testing report covers the activities, performed during the penetration testing. Therefore the report represents the discovered vulnerabilities in two parts:
It is intended for the management of the structure and contains:
- A general description of the security of the systems.
- The impact that the discovered vulnerabilities might have on the information security.
- Required security measures to address the problems.
After that it provides an overview for the technical department of the structure and contains:
- Definition and classification of risk levels, used to classify the detected vulnerabilities.
- Description of the information gathering phase for identifying information systems.
- Results of scanning and exploitation of detected vulnerabilities, description, impact, criticality, affected asset, proof of concept, vulnerability replication method, and remediation steps.