Mobile Applications Penetration Testing
Mobile application penetration test, similarly to the web application penetration test represents the activities of malicious hacker, trying to cause damage to an organization. In other words the purpose of the security test is to identify and verify the discovered issues. Mobile application penetration test uses a different approach. In comparison the traditional application test considers the primary threat as originating from Internet. Therefore Mobile application penetration test focuses more on client-side, hardware, file system and network security testing. In comparison with other applications, mobile application allows the end user to control the application. The following are part of the testing:
Methodology
-
- Architecture, Design and Threat Modelling
- Data Storage and Privacy
- Cryptography Verification
- Authentication and Session Management
- Network Communication
- Environmental Interaction
- Code Quality and Build Settings
- Resiliency Against Reverse Engineering
White box vs Black box testing
Black Box Testing
It requires no knowledge of internal paths, structures, or implementation of the tested software.
Gray Box Testing
In Gray Box testing a tester attempts to find security bugs with incomplete information of the software product’s inner code structure.
White Box Testing
White Box testing provides the tester with knowledge of the application structure and functionality. In other words the purpose of the white box testing is to test the application from developer’s point of view.
Reporting
Penetration testing report covers the activities, performed during the penetration testing. Therefore the report represents the discovered vulnerabilities in two parts:
Management part
- A general description of the security of the systems.
- The impact that the discovered vulnerabilities might have on the information security.
- Required security measures to address the problems.
Technical part
- Definition and classification of risk levels, used to classify the detected vulnerabilities.
- Description of the information gathering phase for identifying information systems.
- Results of scanning and exploitation of detected vulnerabilities, description, impact, criticality, affected asset, proof of concept, vulnerability replication method, and remediation steps.
Details
- Your developers might be good in the development of functional, fast and scalable applications, but security is another topic. Pentest is recommended for those without Internal pentesting team.
- Penetration tests are often required by mandates like PCIDSS, HIPAA/HITECH and FINRA.
- Web application penetration testing is especially valuable if your business is dependent on your application, it holds your clients private data or it as options for onlie payments and orders.
- Penetration testing can help you comply with the technical requirements of GDPR.
5 to 30 days for a single Web Application, depending on the complexity.
Our experts hold various certificates in the area, like CEH, OSCP, CCSA and more.
We can engage our partners to fix your vulnerabilities if you lack expertise. We avoid fixing them on our own due to conflict of interests.
Our process
Scoping
- Define time frame
- Set the scope
Reconnaissance
- Passive data gathering
- Active data gathering
Scanning
- Automated scan
- Results review
- False positives validation
- Manual findings verification
Exploitation
- Manual testing
- Exploitation of vulnerabilities
Reporting
- Summarization of the information
- Management reporting
- Technical report