Mobile application security testing is a form of penetration testing that focuses specifically on a mobile application. The assessment is typically dynamic (conducted while the application is running); however, in some cases the source code can be made available for testing. Providing source code optimises testing time by allowing faster discovery and validation of security issues. This type of assessment is also commonly referred to as a Mobile Application Penetration Test.
Performing mobile application security testing helps identify security issues present within mobile applications.
Aptive’s mobile application testing methodology is based on the OWASP Mobile Security Project, covers all aspects of the OWASP Mobile Top 10 for 2016 (detailed below) and incorporates experience and testing techniques used in other areas of security testing. An overview of our mobile security testing methodology is documented below; you can request our full methodology here.
A mobile application assessment provides a complete assessment of your mobile application, helping identify security risks within it. Clear remediation instructions are provided along with consultant-assisted remediation guidance, helping you understand and secure your mobile applications.
Identify mobile app security issues that can endanger your users, expose sensitive information and damage company integrity.
Aptive provides mobile app security testing for the following mobile platforms:
The first stage of the engagement involves taking time to learn the target application’s purpose and assess its functionality. This information is then used to correctly scope the engagement and estimate the level of effort and time required to assess the mobile application.
The test environment for the mobile application security test is then built, based on the scoping specifics and the data collected at the information gathering stage.
Static Analysis or SAST (Static Application Security Testing) assesses the source code, binaries and other app data included with the application while the application is in a non-running state. Access to the source code is preferred; if it is not available for static analysis, the compiled binaries will be reverse engineered, decrypted and decompiled (where possible).
Inspection of the source code is required even on engagements that do not have a source code audit in scope. Analysis of the source code saves time mapping the application and understanding its functionality, revealing information such as the backend databases, server-side information, the authentication system, APIs, and the programming languages and frameworks the application uses.
Dynamic Analysis or DAST (Dynamic Application Security Testing) takes place while the mobile application is running, simulating a real-world attack. Information from the Static Analysis stage of the assessment (depending on client scoping requirements) can be used to assist and confirm findings during dynamic testing.
You can request our full Mobile Application Security Testing Methodology.
All findings are documented in a severity-ordered report with clear and concise remediation instructions.
Our mobile application security testing service comes with free retesting of reported findings, helping reduce the security risk of your mobile application.