MOBILE APPLICATION SECURITY TESTING
What is Mobile App Penetration Testing?
Mobile app penetration testing reveals vulnerabilities in the cyber security posture of a mobile application. Most commonly, it is the safety and security of iOS and Android applications that requires assessment. It is important for both developers and consumers of mobile applications that appropriate levels of security exist.
This is especially the case for applications that handle sensitive data and functionality. Mobile application security testing gives assurance that the expected security protections exist and are effective.
What Are The Benefits?
Increasingly, mobile applications are the default way that users interact with mobile devices. Applications bring rich and native functionality to a mobile device in a way that exceeds what is generally possible with a web application. The increased prevalence of mobile applications has resulted in increased levels of personal data and sensitive functionality being handled by them.
Mobile app penetration testing involves expert mobile security specialists following a rigorous methodology to determine the overall security posture of a given application. Put simply, these experts replicate the threat posed by an array of threat actors of all sophistication levels. They will be able to determine the resilience level of your mobile application to these different threat actors. Where gaps in security are identified, you’ll be told in easy to understand terms what the impact is and – more importantly – how to remediate the problem. Where positive security controls are identified, an in-depth mobile application penetration test will tell you about that, too, so that you can keep on doing those things, safe in the knowledge that you’re doing things the right way.
There are many groups that benefit from a mobile application penetration test:
- Developers gain assurance that their product is safe and secure for their customers.
- Organisations gain assurance that a given mobile application is safe to introduce to their enterprise environment.
- Users feel safer with the knowledge that a mobile security test has taken place, which in turn allows them to confidently use the application.
Put simply, a high-quality mobile application penetration test tells you what a mobile application is doing right and what it’s doing wrong in terms of its cyber security posture.
Are your mobile apps secure?
Mobile applications are a regular part of today’s world. User behavior and preferences are moving increasingly towards a world of mobile computing. The differences between workstations, laptops, tablets and phones are ever diminishing.
Where does cyber security fit into this picture? Did you know:
- Over 5 billion people worldwide are estimated to own at least one mobile device.
- In 2008, the iOS App Store launched with 500 applications. Today, that figure is around 2 million applications.
- Likewise, Android users can now choose from over 2.5 million applications.
Many of those applications store and process sensitive data and functionality. How, then, do we know they’re safe to use? A large part of that question can be answered with a mobile application penetration test.
About The Service
There are many ways in which a mobile application can succeed or fail when it comes to ensuring the confidentiality, integrity and availability of a system and its data. Mobile app penetration testing will uncover the good and the bad when it comes to this cybersecurity posture.
Experts who know what attackers know will use those same techniques against the mobile application. The well-known OWASP Foundation lists ten commonly found areas of weakness in mobile applications. These, and more, are all examined during a mobile application penetration test:
- Improper Platform Usage. This occurs when an application violates published platform guidelines or conventions, or unintentionally misuses a platform feature. For example, an application that requests permissions beyond its functional requirements increases risk.
- Insecure Data Storage. Imagine a scenario where sensitive data is inadvertently cloud synced to a location that is openly accessible to the public. This would represent a high risk to the confidentiality of that data.
- Insecure Communication. Most applications transmit sensitive data, and failure to ensure robust encryption in transit puts that data at risk of unauthorized access.
- Insecure Authentication. Some applications fail to implement any kind of authentication mechanism, or more commonly, implement a flawed authentication mechanism. A mobile banking application without strong authentication could allow an attacker to access and interact with an account they do not own.
- Insufficient Cryptography. This is where some encryption attempt is made, but a flaw in its implementation means that the data is not fully protected. Thus, an attacker may be able to access or manipulate data that is supposed to be unreadable to them.
- Insecure Authorization. Assuming authentication to the mobile application has occurred, flaws in authorization could result in one user being able to access another user’s data or functionality.
- Poor Client Code Quality. This occurs when poor coding practices in the device-side code of a mobile application have a security impact, and the code that runs on the device needs to be rewritten to fix it.
- Code Tampering. The degree to which an application must protect the integrity of its own code varies by application purpose. Some applications require high levels of assurance around the integrity of device-side code but perform no checks, or insufficient checks, to prevent code modification or tampering.
- Reverse Engineering. An attacker may attempt to reverse engineer the mobile application’s underlying source code in order to identify and exploit vulnerabilities or compromise intellectual property. There are various levels of defense that can be employed to hinder attackers from employing these techniques.
- Extraneous Functionality. It is not uncommon for applications to include hidden or undocumented functionality that was never intended to make its way into a production environment. Such functionality typically reduces the overall security posture of the mobile application.
This is not an exhaustive list, but it does give you an idea of the types of vulnerability that can be identified in a mobile application during a penetration test.
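To make the Insecure Authorization item above concrete, here is an added example (written for this page; it is not code from OWASP or Nettitude). Authorization checks for a mobile app belong on the back end, so this is a server-side record lookup: the vulnerable handler trusts the record id sent by an authenticated client, while the hardened handler also checks that the record belongs to the caller. The record store, the user names and the `Session` type are constructed for the example.

```python
"""
Insecure Authorization (OWASP Mobile Top 10 category) illustrated server-side.
A mobile client is authenticated (it has a Session) and asks for a record by id.
The vulnerable handler returns any record that exists; the hardened handler
refuses records the caller does not own. All data here is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed back-end data store: record id -> (owner user id, content)
RECORDS = {
    101: ("alice", "alice's account statement"),
    102: ("bob", "bob's account statement"),
}


@dataclass(frozen=True)
class Session:
    """An authenticated mobile session (constructed stand-in for a real session)."""
    user_id: str


class Forbidden(Exception):
    """Raised when an authenticated caller asks for a record they may not read."""


def get_record_vulnerable(session: Session, record_id: int) -> Optional[str]:
    """Authentication has happened (a Session exists) but authorization has not:
    any record id the client sends is served, whoever owns it."""
    entry = RECORDS.get(record_id)
    return entry[1] if entry else None


def get_record_hardened(session: Session, record_id: int) -> str:
    """Same lookup with an ownership check, so guessing another user's record id
    gains nothing. Missing and foreign records both raise Forbidden, so the
    response does not reveal whether a given id exists."""
    entry = RECORDS.get(record_id)
    if entry is None or entry[0] != session.user_id:
        raise Forbidden(f"user {session.user_id!r} may not read record {record_id}")
    return entry[1]


def demo() -> dict:
    """Run both handlers as 'bob' requesting alice's record (101) and his own (102)."""
    bob = Session(user_id="bob")
    results = {"vulnerable": get_record_vulnerable(bob, 101)}
    try:
        get_record_hardened(bob, 101)
        results["hardened"] = "allowed"
    except Forbidden:
        results["hardened"] = "forbidden"
    results["hardened_own"] = get_record_hardened(bob, 102)
    return results


if __name__ == "__main__":
    # Vulnerable handler hands bob alice's data; hardened handler refuses it
    # while still serving bob his own record.
    print(demo())
```

The point a tester looks for is the gap between the two functions: the vulnerable version proves the caller is someone, but never asks whether that someone should see this particular object. Returning the same refusal for unknown and foreign ids is a deliberate choice so that enumeration of ids is not rewarded with an existence oracle.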
At Nettitude, we understand the need for mobile application assurance. We also understand that not all assurance activities are created equally. We strive to always be a top tier provider of mobile application penetration tests.
- We have penetration testers that specialize in different disciplines. You will always get one or more testers that specialize in mobile application security specifically. You won’t find us putting web application penetration testers on your mobile application test if they don’t also specialize in mobile applications.
- We have the credentials to back it up. While we don’t think certification is the only important factor, we do understand its importance. Our team of penetration testers has a very wide array of highly sought-after practical certificates, including CREST and Offensive Security.
- We don’t use a cookie cutter approach. We take the time to understand your organisation, your objectives and your primary security concerns. We conduct your mobile application penetration test with those aims at the forefront of our mind.
- We provide a penetration test, not a vulnerability scan. The core value of a mobile application penetration test from Nettitude comes from one or more expert penetration testers thinking like an attacker and manually assessing your mobile application. We are big on exploitation: we will establish rules of engagement and then, within those rules, demonstrate the impact of a vulnerability by fully exploiting it.
- We have a team of enthusiastic security experts. We are passionate about cyber security and we understand the importance of a happy team that stays at the cutting edge. All employees have access to our research and innovation team, receive regular training and often go to conferences. This translates into the highest possible quality mobile application penetration test for you.
- We provide a highly consultative service. We are not a black box where a scope enters, and a report exits. The entire process is communicative and consultative. We pride ourselves on keeping our clients in the loop throughout the entire process.
- We report in a flexible and easy to comprehend manner. By default, you’ll receive a management report which speaks in terms of business risk, and a technical report which goes into more detail – including clear impact statements, a description of exploitation, clear reproduction instructions, and customized remediation advice. If you need output that’s a little bit different, then tell us: we pride ourselves on our flexibility.
- We offer executive and technical debriefs for every single mobile application penetration test we conduct, regardless of whether the test lasted for one day or one hundred days. Our penetration testers are trained to be able to speak in both technical and business terms.
- We aim to forge lengthy relationships. We want to be your cyber security partner, and that includes making our entire team available for you well after your mobile application penetration test ends, included as part of the service.
We are CREST accredited as an organization, and each one of our employees is highly certified. The certifications we believe are most relevant to mobile application penetration testing are shown below. All of these require a rigorous practical demonstration of skill to obtain.
- CREST CRT. Most of our penetration testers hold the CRT, and we consider it to be one of the ways to demonstrate competency for penetration testing in general, when it comes to certification.
- CREST CCT. We have many testers with the Infrastructure and the Application variant of this certificate; some even hold both. It is a more specialized and advanced certificate compared to the CRT. For your mobile application penetration test, the Application variant is more relevant.
- Offensive Security OSCP. Obtaining the OSCP requires the successful completion of a 24-hour practical exam that assesses a broad range of penetration testing skills. Testers with this can really think like an attacker.
- Offensive Security OSCE. Obtaining the OSCE requires the successful completion of a 48-hour practical exam that assesses a more specialized set of skills, including binary exploitation. Many of the concepts demonstrated in the exam are relevant for mobile application penetration testers. This is not an exhaustive list of our certifications – that would take up a lot more space!
We are often asked similar questions about mobile application penetration testing. We have collated those questions and answered them here.
- What is your lead time for a mobile application penetration test?
We have a team of expert mobile application penetration testers and they are always in demand. We match internal training and recruitment with external demand as efficiently as possible. Our aim is to be able to commence mobile application penetration tests within two weeks. Where there’s urgency, we can usually do what it takes to meet your deadlines.
- How long does a mobile application penetration test take?
The length of a mobile test very much depends on the complexity of your requirement and the level of assurance you require. Most mobile tests are at least three days per application. We are providing a manual penetration testing service rather than an automated scan. Speak to one of our experts in order to get a bespoke proposal for your mobile application test.
- What is your mobile application penetration testing methodology?
Our mobile testing methodology follows the key phases of reconnaissance, enumeration, discovery, exploitation and post exploitation. We do use automated tools in places in order to achieve breadth of coverage, but most of the value comes from manual penetration testing. Here, we provide depth of coverage and it’s what we spend most of our time doing. We are happy to provide more detailed information on request.
- How will you tell me what the findings of my mobile application penetration test are?
We are communicative and consultative. During the engagement, we’ll periodically update you with the findings so far – both positive and negative. Where we identify critical severity flaws, we will let you know via telephone immediately, and follow up in writing. At the end of the engagement, you’ll receive a summary of all findings. By the time you receive your in-depth reports a few days later, you’ll have no surprises: we communicate as we go. After delivery of the reports, we’re more than happy to give you technical and executive level debriefs. Finally, you have full access to our team of mobile application penetration testers after the engagement has completed. We’re here to answer any security questions you may have into the future.
- Will you help me to remediate vulnerabilities identified during the penetration test?
Our team of mobile application testers understand how to build applications, as well as how to break them. We will give you custom remediation guidance for every vulnerability that we identify during the test. If you have constraints, we’ll work with you to understand those and propose an appropriate solution to any given vulnerability.