Mobile applications and the devices upon which they run have quickly become a core part of everyday technology. With such a surge in mobile application development, attack surfaces have increased remarkably, and so there is a need for mobile application penetration testing.

Mobile device testing and mobile app penetration testing

Nettitude has a team of mobile application and mobile device security experts who are able to provide assurance around a multitude of technologies. So, whether it’s iOS, Android or something else entirely, Nettitude are well equipped to provide mobile penetration testing and device testing services. This allows you to:

  • Ensure your mobile applications or mobile devices are not presenting an easy point of entry for attackers.
  • Ensure organization-owned mobile devices are safe for employees to use.
  • Integrate secure development practices into the mobile application software development lifecycle.

What Kind of Mobile Applications Should Be Tested?

No matter how basic, any mobile application forms part of an organization’s attack surface and should therefore be included within the scope of regular penetration testing. Mobile applications which exhibit the following traits should be a particular priority for penetration testing:

  • Access sensitive data
  • Perform critical functionality
  • Interact with assets housed in an organization’s estate

When is Mobile Device Penetration Testing Applicable?

Nettitude routinely deliver mobile device penetration tests, which focus on the configuration of an entire mobile device, rather than the applications which sit upon the device. Where applicable, Nettitude will also review the Mobile Device Management (MDM) policy associated with the device.

Situations in which a mobile device penetration test may be particularly important include:

  • Devices aimed at a vulnerable demographic, for example children
  • Devices configured for remote workers to access organization data and infrastructure
  • Devices designed to handle critical data and functionality
  • Devices that have been restricted to run only a limited number of allowed applications

How Do We Perform Mobile Penetration Tests?

The exact methodology employed will vary based on the specific requirements of the mobile penetration test, which are gathered early on in the process. Areas inspected include, but are not limited to:

  • Architecture and design
  • Data handling
  • Cryptography
  • Authentication
  • Authorization
  • Session management
  • Network communication
  • Environmental interaction

Nettitude can replicate threat actors of varying sophistication and prior knowledge. Depending on the requirements of the engagement, the exact approach will vary across a spectrum from ‘black box’ to ‘white box’. The former replicates an attacker with no prior knowledge of the target, whereas the latter tends more towards full access to developers, source code, credentials, documentation, etc.

What Is The Output From A Mobile Penetration Test?

Whether it’s a mobile application penetration test or a mobile device penetration test, the output remains the same. Nettitude produce one management report and one technical report per engagement. The former is designed for a non-technical audience and describes the outcome of the engagement in terms of risk. The latter describes the findings in depth and is designed for a technical audience. All Nettitude reports are subject to a rigorous quality assurance process prior to delivery.

Remedial advice is of key importance, and to that end Nettitude provide clear, relevant and actionable next steps, which can be followed to improve the mobile application’s or device’s security posture. Finally, Nettitude strongly encourages a debrief (or ‘readout’) at the end of the mobile penetration test. The debrief is conducted by the lead security consultant from the engagement and provides an open, real-time forum to ensure maximum understanding and value are obtained from the engagement.