Mobile Penetration Testing

What is Mobile Application Penetration Testing?

Most mobile applications process, store and interact with sensitive information, and they can introduce additional vulnerabilities into your organization. By thoroughly testing your mobile application and its backend web services, you can identify and remediate the risks posed to your organization and to customer data. The Offensive Logic follows a well-defined methodology that covers all aspects of mobile application vulnerability identification and allows you to make sound decisions on the proper approach to remediation.

Our Mobile Application Penetration Test is performed from a remote location and covers the OWASP-recommended tests, including, but not limited to, identifying whether the application is susceptible to the OWASP Top 10 vulnerabilities.

Testing is initially conducted from an unauthenticated perspective, then repeated authenticated with the credentials that you provide to the tester. Testing is conducted on both the iOS and Android mobile operating systems and across the currently supported OS versions.

Supported Platforms


Think about it. Quick facts about smartphone and mobile usage statistics

  • 62% of users accessed the internet using their mobile phones. Statista
  • By 2020, the number of smartphone users is projected to reach 2.87 billion. Statista
  • In November 2018, Statista measured that mobile devices accounted for 48.2% of website traffic worldwide (excluding tablets). Statista
  • By the start of 2018, consumers had downloaded 178.1 billion mobile apps to their smart devices. Statista
  • Consumers spend $930 Billion USD using mobile payment applications. Upwork

Think about it. What does your mobile device know about you?

  • Passwords stored in the file system and in web browser autofill
  • Information in deleted files; deleted files can be recovered until the flash storage is overwritten
  • Downloaded bank statements
  • Address book and Windows contacts
  • Credit card numbers from statements and browser autofill
  • Downloaded tax documents
  • Text message logs stored on the phone
  • Call records stored on the phone
  • Browser history and web cookies
  • Photos and navigation information

Benefits and Value of Mobile Penetration Testing for you

Mobile application security testing provides a considerable risk reduction for your organization, in addition to an increase in confidence in the use of your application.

  1. Perform real-world attacks on mobile devices and mobile applications
  2. Explore the most common OWASP Mobile Top Ten and Web Top Ten vulnerabilities
  3. Expert testing in a reasonable time frame, and at a reasonable price
  4. Top-skilled, experienced ethical hackers perform manual security testing of your application
  5. Mature, highly disciplined, well-documented processes and precise results
  6. A tester “playbook” containing the latest attack methods and techniques
  7. Meet PCI DSS or HIPAA compliance and certification requirements

Ready to start building up your cyber resilience?

Contact us today and find out how our experts can help provide the information security assurances you need.

What are the other benefits of trying to hack a mobile application?

Benefits of conducting a penetration test of a mobile application include:

Insights

  • Validate internal security measures and processes against industry best practices
  • Proactively harden your applications against malicious attacks
  • Identify coding flaws and provide remediation guidance for them

Proactivity

  • Educate developers on secure coding best practices

Efficiency

  • Reduce the costs associated with security bug fixes by producing secure code at an early stage of the software development cycle
  • Conduct security assessments of critical applications and third-party software

Compliance

  • Satisfy compliance requirements such as PCI DSS and ISO 27001

What is our Mobile Penetration Testing Methodology?

Testing mobile applications requires an interactive process in which all testing is conducted on both iOS and Android devices and across all supported operating system versions.

We follow the Open Web Application Security Project (OWASP) methodologies for testing web applications and websites to ensure comprehensive coverage, whether the testing is authenticated or unauthenticated.

We manually test security in the following areas: memory, file system, and network communication. Our Mobile Application Penetration Test consists of the following stages:

Kickoff meeting & discovery

Identify objectives and threat modelling. We want to learn about your application’s use cases. For us it is critical to understand the types of bugs that are possible in the code we’re reviewing.

Discovery requires security engineers to collect the information that is essential to understanding the events that lead to the successful exploitation of mobile applications.

Hands-on assessment

Assessment, or analysis, involves the penetration tester going through the mobile application source code and identifying the potential entry points and weaknesses that can be exploited.

Exploitation

Exploitation involves the penetration tester leveraging the discovered vulnerabilities to take advantage of the mobile application in a manner the developers did not intend.

Reporting, with a detailed analysis and threat report

Reporting is the final stage of the methodology, and it involves recording and presenting the discovered issues in a manner that makes sense to management. This is also the stage that differentiates a penetration test from an attack. A more detailed discussion of the four stages follows.

FAQs

Frequently Asked Questions.
Here are some common questions about iOS and Android penetration testing.

How do you security-test a mobile application?

The most vulnerable aspects of a mobile application, its back-end services, are often ignored by developers and security teams.

These back-end services are generally RESTful APIs using JSON, XML or AMF. At a high level these services are similar to web applications and are vulnerable to common web application vulnerabilities such as injection, RCE and XXE.

It is not possible to crawl a mobile application automatically as with a web application. For security testing, it is essential to exercise the application and capture its traffic manually, save it in a consumable format and provide it to a scanner such as Burp Suite Scanner.

Why use Manual Mobile Penetration Testing?

Penetration testing can be expensive and can take a long time in comparison to automated scans. However, automation alone is not enough to ensure that an application has been thoroughly tested from a security perspective. For example, business logic vulnerabilities require a human in the loop to exploit and verify the vulnerability. Only a manual mobile penetration test can provide identification and manual validation of these vulnerabilities.

Automated tools can also be used for information gathering, which can be very useful before starting the discovery phase. In such cases, we can use an automated tool to find the right target, after which we use a manual assessment to exploit and verify the vulnerability.

How do you build a secure mobile application?

Take into account the OWASP Mobile Security Testing Guide, which defines the industry standard for mobile application security. The OWASP Mobile Application Security Verification Standard (MASVS) is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as by security testers to ensure the completeness and consistency of test results.

Native or hybrid: which is more secure?

Hybrid apps are more vulnerable to attacks than native apps. Native apps are compiled to native binary code, whereas the JavaScript and HTML that hybrid apps are built from typically require less skill to reverse engineer and tamper with.

If you are developing an application for banking or e-commerce, which has the strictest security requirements, then a native app is the best option for you.

What is the right Skill Set to do mobile penetration testing?

As mobile security is a relatively new subject and not many resources are available on the Internet, finding a person with excellent mobile security skills is a little tricky.

Specifically, in the case of mobile apps, running an automated tool is relatively easy compared to doing a manual penetration test. A manual penetration test obviously requires an expert or a team of experts.

Android vs. iOS application: Which is more secure?

Apple’s iOS operating system has long been considered the more secure of the two operating systems. Android is more often targeted by hackers because this operating system powers so many mobile devices today.

What do we really do during a Mobile Application Security Assessment?

Mobile penetration testing requires knowledge of both web application vulnerabilities and mobile-specific vulnerabilities, tools, and techniques. It requires the penetration testing engineer to check the application both before and after installation. The mobile application security assessment techniques used within the Mobile Application Penetration Testing Methodology include:

Local File System Analysis: The pentester checks the local files written to the file system by the application to ensure that there are no violations, such as sensitive data stored unprotected.

Archive Analysis — The penetration tester extracts the application installation packages for the Android and iOS platforms. A review is then done to ensure that there are no modifications done to the configurations of the compiled binary.

Reverse Engineering — This involves converting the compiled applications into a human-readable source code.

Static Analysis — During static analysis, the penetration tester does not execute the application. The analysis is done on the provided files or a decompiled source code.

Dynamic Analysis — The pentester reviews the mobile application as it runs on the device. The reviews performed include a forensic analysis of the file system, an assessment of the network traffic between the application and the server, and an assessment of the application’s inter-process communication (IPC).

A number of tools are available to the pentester for automated and manual source code analysis. These include:

  • Android: Androwarn, Andrubis, and ApkAnalyser
  • iOS: Flawfinder and Clang Static Analyzer

Inter-Process Communication Endpoint Analysis: The pentester reviews the mobile application’s IPC endpoints. On Android, the assessment is performed on:

  • Content Providers—These manage and expose access to the application’s data, such as its databases.
  • Intents—These are the messages used to request actions from and send data between the components of the Android system.
  • Broadcast Receivers—These receive and act on intents received from other applications on the Android system.
  • Activities—These make up the screens or pages within the application.
  • Services—These run in the background and perform tasks regardless of whether the main application is running.
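The first question the IPC endpoint analysis above asks of each component is whether other applications can reach it at all, which the Android manifest decides. The following checker is an added example, not part of the original page or of Offensive Logic's tooling; the manifest it parses is constructed for illustration, and the rule it applies is that a component is exported when android:exported="true", or when it declares an <intent-filter> without an explicit android:exported attribute (the default before Android 12).

```python
"""Flag exported Android IPC endpoints that declare no protecting permission.

Added example. An exported activity, service, receiver or provider that has
no android:permission is reachable by any app on the device and is reported
for manual review; whether that is a real finding depends on what it does."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest, not taken from a real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="com.example.bank.permission.INTERNAL"/>
    <provider android:name=".StatementProvider"
              android:authorities="com.example.bank.statements"
              android:exported="false"/>
  </application>
</manifest>
"""

def attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def is_exported(elem):
    """Explicit android:exported wins; otherwise an intent-filter implies exported."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None

def find_unprotected_endpoints(manifest_xml):
    """Return (kind, name) for each exported component without android:permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for kind in COMPONENTS:
        for elem in root.iter(kind):
            if is_exported(elem) and attr(elem, "permission") is None:
                findings.append((kind, attr(elem, "name")))
    return findings
```

Running find_unprotected_endpoints(SAMPLE_MANIFEST) reports the launcher activity (implicitly exported through its intent-filter) and the service that is explicitly exported without a permission, while the permission-guarded receiver and the non-exported provider are not reported.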

What mobile application security vulnerabilities are checked?

Application testing includes checks for the presence of the most critical vulnerabilities, including the most common OWASP Mobile Top Ten and Web Top Ten vulnerabilities, such as:

  • Weak Server-Side Control
  • Insecure Data Storage
  • Insufficient Transport Layer Protection
  • Unintended Data Leakage
  • Poor Authorization and Authentication
  • Broken Cryptography
  • Client-Side Injection
  • Security Decisions via Untrusted Input
  • Improper Session Handling
  • Lack of Binary Protections

The assessment also covers the following areas:

  • Binary Analysis
  • Local File System Analysis
  • Runtime Analysis
  • Application Vulnerabilities and Exposures
  • Web Service Vulnerability and Exposures
  • Client Side Attacks
  • Protocol Insecurities
  • Improper Session Handling
  • Privilege Escalation (Horizontal / Vertical)
  • Proper Cache Handling
  • Authentication
  • Authorization
  • Data Storage and Encryption

What are the Mobile Penetration Testing deliverables?

This engagement culminates in the production of a deliverable report as follows:

  • Non-technical executive summary
  • Methodology and approach
  • Details of findings and penetration achieved per OS and OS version
  • Description and severity of the vulnerabilities identified
  • Definition of potential impact

Contact