Mobile application penetration testing is a consultant-led manual security assessment conducted against a mobile application. Testing is typically dynamic (conducted while the application is running); however, the client has the option to make the source code available for testing. Providing developer-supplied source code optimises testing time by allowing faster discovery and validation of security issues and removing the need to reverse engineer binaries. This type of assessment is also commonly referred to as Mobile Application Security Testing; more information on this service is available below.
Aptive’s Mobile Application Pen Testing methodology is based on the OWASP Mobile Security Project, covers all aspects of the OWASP Mobile Top 10 for 2016 (detailed below) and incorporates experience and testing techniques drawn from other areas of security testing. An overview of our Mobile Security Testing Methodology is documented below; you can request our full methodology here.
Mobile application penetration testing provides a complete assessment of your mobile application, helping to identify the security risks within it. Clear remediation instructions are provided, together with consultant-assisted remediation guidance, helping you understand and secure your mobile applications.
Identify mobile app security issues that can endanger your users, expose sensitive information and damage company integrity.
Aptive provide mobile app pen testing for the following mobile platforms:
The first stage of the engagement involves taking time to learn the target application’s purpose and assess its functionality. This information is then used to correctly scope the engagement and estimate the level of effort and time required to assess the mobile application.
The test environment used to conduct the mobile application security test is built based on the scoping specifics and the data collected during the information gathering stage.
Static Analysis or SAST (Static Application Security Testing) assesses the source code, binaries and other app data shipped with the application while the application is in a non-running state. If the source code is not available for static analysis (source code access is the preferred option), the compiled binaries are reverse engineered, decrypted and decompiled (where possible).
Inspection of the source code is required even on engagements that do not have a source code audit in scope. Analysis of the source code saves time mapping the application and understanding its functionality, revealing information such as the backend databases, server-side components, the authentication system, APIs, and the programming languages and frameworks the application uses.
Dynamic Analysis or DAST (Dynamic Application Security Testing) takes place while the mobile application is running, simulating a real-world attack. Information from the Static Analysis stage of the assessment (depending on client scoping requirements) can be used to assist with and confirm findings during dynamic testing.
You can request our full Mobile Application Security Testing Methodology.
All findings are documented in a report ordered by severity, with clear and concise remediation instructions.
All our mobile application penetration testing services come with free retesting of reported findings, helping reduce the security risk of your mobile application.