Mobile Application Penetration Testing
Mobile applications are ubiquitous and are often used to access sensitive information and functionality. Unless developers build mobile applications with security in mind, these applications can present serious security exposures, including insecure storage and transmission of sensitive information and/or sensitive client-side business logic, and mobile platform-specific vulnerabilities.
Performing security assessments of mobile applications poses some unique challenges due to the variety of mobile devices and operating systems. Testing techniques vary based on device type and the nature of the application; AppSec Consulting’s general approach is detailed below. We use dedicated physical devices as well as device emulators during the testing process. A code review is recommended to supplement runtime testing and enables us to perform the most thorough assessment possible in the time allotted.
The AppSec Consulting Difference
- You're guaranteed to receive a high-quality, thorough test due to our proprietary testing methodology, which involves a large amount of manual testing and includes specific checks for each mobile platform (including iOS, Android, Windows Mobile, etc.) to validate proper security features.
- Our security professionals have significant mobile application security experience, which means that they understand how the applications are designed and coded. We have consultants on our security testing team that have developed mobile applications, have presented on mobile security at conferences like Defcon and Black Hat, and have tested the security of numerous mobile applications. They use this knowledge to effectively identify security weaknesses and provide practical remediation advice.
- Our reporting differentiates us from the competition – clients receive a custom-written report containing expert and actionable remediation advice tailored to your business, not just automated scan results.
- We're with you every step of the way throughout the remediation phase beginning with a thorough debriefing of all findings.
- Preparation – AppSec Consulting arranges a conference call to walk through your application, obtain any necessary testing information such as URLs, credentials, application builds, and source code, provide an overview of our testing process, and discuss any special testing requirements.
- Application Footprint Analysis – The application is installed on the mobile device, with a before and after snapshot taken of the file system and (if applicable) registry. All files related to the application are analyzed to determine whether they contain sensitive information, such as passwords, credit card numbers, etc. The file system is examined again after performing significant transactions, such as money transfers, to determine which files are being changed and whether or not they can be manipulated to exploit the application.
- Reverse Engineering – If source code was not provided, the application is decompiled in order to uncover the underlying programming logic. This code is examined to determine whether or not it is possible to exploit the application by modifying or removing key pieces of programming logic. Our consultants attempt to uncover design flaws with the application and hidden secrets such as passwords and encryption keys in the code. Modified versions of the application are built if necessary to explore potential vulnerabilities.
- Code Review – If source code was provided, AppSec Consulting examines the code for traditional vulnerabilities such as SQL Injection as well as mobile application and platform specific vulnerabilities.
- Traffic Interception and Analysis – Most mobile applications interact with a server through HTTP/HTTPS or other means. Our consultant will configure the mobile device to route traffic through a proxy such as Burp Suite in order to examine the server communication. This communication will be analyzed to look for authorization issues, injection flaws, etc.
- Report Preparation – AppSec Consulting takes the results of all testing and code review and compiles a consolidated report, detailing all vulnerabilities uncovered during the testing process along with severity levels and recommendations for how to remediate each vulnerability that was identified.
- Debriefing – AppSec Consulting presents all findings to executives and key stakeholders, answers all questions, and provides remediation advice.
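The Application Footprint Analysis step above (snapshot the file system before and after a transaction, then examine what changed for sensitive data) can be illustrated with a small script. The following is an added example written for this page; it is not AppSec Consulting's tooling and not part of the original text. It hashes every file under a directory, diffs a before and after snapshot, and scans only the added or changed files for card numbers (filtered with a Luhn check so random digit runs are not reported) and plaintext credentials in key=value form. The directory layout, file names and contents in `demo()` are constructed for the demonstration; the credential keyword list and the regular expressions are this example's own assumptions, not a published standard.

```python
"""Added example: minimal application footprint analysis (not AppSec Consulting's code)."""
import hashlib
import os
import re
import shutil
import tempfile

# Assumed patterns for this example: 13-19 digits with optional space/dash separators,
# and common credential keys followed by '=' or ':'.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SECRET_RE = re.compile(r"(?i)\b(password|passwd|pwd|api[_-]?key|secret|token)\s*[=:]\s*(\S+)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used to drop digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def snapshot(root: str) -> dict:
    """Map relative path -> SHA-256 of contents for every file under root."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                snap[rel] = hashlib.sha256(f.read()).hexdigest()
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Report which files a transaction added, removed or rewrote."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def scan_file(path: str) -> list:
    """Return (kind, evidence) findings for one file; card numbers are masked in the output."""
    findings = []
    with open(path, "rb") as f:
        text = f.read().decode("utf-8", errors="ignore")  # lenient: also covers binary-ish files
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            findings.append(("card_number", masked))
    for m in SECRET_RE.finditer(text):
        findings.append(("plaintext_credential", m.group(1).lower()))
    return findings


def footprint_analysis(root: str, before: dict, after: dict) -> dict:
    """Scan every file the transaction added or changed; returns path -> findings."""
    delta = diff_snapshots(before, after)
    report = {}
    for rel in delta["added"] + delta["changed"]:
        hits = scan_file(os.path.join(root, rel))
        if hits:
            report[rel] = hits
    return report


def demo() -> dict:
    """Constructed scenario: install, snapshot, simulate a money transfer, snapshot again."""
    root = tempfile.mkdtemp(prefix="appfootprint_")

    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(data)

    try:
        write("app/prefs.xml", "theme=dark\n")                      # clean install state
        write("app/cache/session.json", '{"user":"alice"}')
        before = snapshot(root)
        # Simulated transaction: the app caches a card number and stores the password.
        write("app/prefs.xml", "theme=dark\npassword=hunter2\n")
        write("app/cache/last_transfer.log",
              "transfer 25.00 from 4111 1111 1111 1111 ref 1234567890123\n")
        os.remove(os.path.join(root, "app/cache/session.json"))
        after = snapshot(root)
        return {"delta": diff_snapshots(before, after),
                "findings": footprint_analysis(root, before, after)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, hits in demo()["findings"].items():
        print(path, hits)
```

The reference number `1234567890123` in the constructed log is a 13-digit run that fails the Luhn check, so it is not reported, while the test card number is reported masked; in a real assessment the same diff-then-scan loop is repeated after each significant transaction, and a file that keeps changing and can be edited to alter application behaviour is the candidate for the manipulation testing the step describes.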
What You Get
- An actionable, custom-written Mobile Application Security Assessment Report, which describes the application's security posture and lists all vulnerabilities identified. For each vulnerability, we provide a custom risk rating and remediation advice that is tailored to your specific business and technical situation.
- Expert consultation throughout the remediation phase.
- Two rounds of remediation testing within 6 months of the initial security assessment to ensure that all issues are effectively remediated.