Mobile Application Penetration Testing

OWASP-based manual Mobile Application Security Testing, performed by our CREST-accredited team.

Mobile App Penetration Testing

Mobile application penetration testing is a consultant-led manual security assessment conducted against a mobile application. Testing is typically dynamic (conducted while the application is running); however, the client has the option to make the source code available for testing. Providing developer-supplied source code optimises testing time by allowing faster discovery and validation of security issues and removes the need to reverse engineer binaries. This type of assessment is also commonly referred to as Mobile Application Security Testing; more information on this service is available below.

What is Assessed during a mobile app security test?

Aptive’s Mobile Application Penetration Testing methodology is based on the OWASP Mobile Security Project, covers all aspects of the OWASP Mobile Top 10 for 2016 (detailed below) and incorporates experience and testing techniques used in other areas of security testing. An overview of our Mobile Security Testing Methodology is documented below; you can request our full methodology here.


OWASP Mobile Top 10 – 2016

  • M1 – Improper Platform Usage
  • M2 – Insecure Data Storage
  • M3 – Insecure Communication
  • M4 – Insecure Authentication
  • M5 – Insufficient Cryptography
  • M6 – Insecure Authorisation
  • M7 – Client Code Quality
  • M8 – Code Tampering
  • M9 – Reverse Engineering
  • M10 – Extraneous Functionality

Why perform Mobile Application Security Testing?

Help Identify and Secure Against Security Risks

Mobile application penetration testing provides a complete assessment of your mobile application, helping identify security risks within it. Clear remediation instructions are provided with consultant-assisted remediation guidance, helping you understand and secure your mobile applications.

Identify Security Issues that endanger your Users

Identify Mobile App Security issues that can endanger your users, expose sensitive information and damage company integrity.

Supported Platforms

Aptive provide mobile app penetration testing for the following mobile platforms:

  • iOS app penetration testing
  • Android app penetration testing
  • Windows mobile app penetration testing

Mobile Application Penetration Testing Methodology

Information Gathering

The first stage of the engagement involves taking time to learn the target application’s purpose and assess its functionality. This information is then used to correctly scope the work and assess the level of effort and time required to assess the mobile application.

  • Application type – mobile web, native or cross-platform
  • Application mapping – manually exercising the application to understand its functionality and how it should behave
  • Identifying the network interfaces the application uses
  • Determining what network protocols are in use
  • Determining whether the application performs payment processing / commerce transactions and how these are stored
  • Determining what hardware is in use – GPS, Bluetooth, TouchID, camera, microphone, etc.
  • Identifying any third-party libraries, software or frameworks in use
  • Determining whether the application interacts with any other applications
  • Assessing server-side information to determine what hosting platforms (AWS, Azure, Rackspace, Heroku, etc.) and technologies (development language, Single Sign On, 2FA, APIs) are in use

Build the Test Environment

The test environment used to conduct the mobile application security test is built based on the scoping specifics and the data collected during the information-gathering stage.

Static Analysis – SAST (Static Application Security Testing) – SCR (Secure Code Review) – SCA (Static Code Analysis)

Static Analysis or SAST (Static Application Security Testing) assesses the source code, binaries and other app data bundled with the application while the application is in a non-running state. Source code is preferred for static analysis; if it is not available, the compiled binaries are reverse engineered, decrypted and decompiled (where possible).

Inspection of the source code is required even on engagements that do not have a source code audit scoped. Analysis of the source code saves time mapping the application and understanding its functionality, revealing information such as the backend databases, server-side information, authentication system, APIs and the programming languages and frameworks used.

  • Authentication
  • Authorisation
  • Session Management
  • Data Storage
  • Information Disclosure
  • Web Application Security Issues – XSS, CSRF, SQL Injection, Command Injection, XML Injection, cross-domain policy checks, cookies, etc.
  • Networking – weak / insecure protocol usage
  • Transport Layer Protection – SSL – encryption in transit

Dynamic Analysis – DAST (Dynamic Application Security Testing)

Dynamic Analysis or DAST (Dynamic Application Security Testing) takes place while the mobile application is running, simulating a real-world attack. Information from the Static Analysis section of the assessment (depending on client scoping requirements) can be used to assist and confirm findings during dynamic testing.

  • Application Types – Native, Web Services App (SOAP/REST), Mobile Browser-based App, Mobile Hybrid App (Native + Web App)
  • Application Mapping – Establishing a baseline for the application before and after install – file system usage
  • Debugging – Examining the application with a debugger attached
  • Local Testing – Checking for exposed IPC interfaces – fuzzing, sniffing, authentication bypass testing
  • Cryptography Testing – Checking for weaknesses in cryptography, brute-force key attacks, hard-coded keys / secrets and other disclosed information
  • Web Application Security Issues – XSS, CSRF, SQL Injection, Command Injection, XML Injection, cross-domain policy checks, cookies, etc.
  • Authentication – Testing for broken authentication
  • Authorisation – Testing for broken authorisation
  • File System Analysis – Weak local filesystem runtime permissions – external configuration manipulation
  • Memory Analysis
  • Remote Application / Server Testing – Testing discovered backend services, hosting and APIs: authentication, authorisation, session management, transport layer testing, server-side attacks
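To illustrate the platform-configuration checks made under Local Testing (exposed IPC interfaces) and the M1 / M2 categories above, here is an added example, not Aptive’s own tooling, that reviews a constructed AndroidManifest.xml for exported components lacking a protecting permission and for application-level flags that weaken the platform (the sample manifest and component names are invented):

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not taken from any real application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <provider android:name=".DataProvider" android:exported="true"
              android:authorities="com.example.demo.data"
              android:readPermission="com.example.demo.READ"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def review_manifest(xml_text):
    """Return (component, issue) pairs for unprotected IPC endpoints and weak app flags."""
    app = ET.fromstring(xml_text.strip()).find("application")
    findings = []
    if app.get(A + "debuggable") == "true":
        findings.append(("application", "debuggable: a debugger can attach to the release build"))
    if app.get(A + "allowBackup", "true") == "true":  # Android defaults allowBackup to true
        findings.append(("application", "allowBackup: app data can be copied off the device"))
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        actions = {a.get(A + "name") for a in comp.iter("action")}
        if "android.intent.action.MAIN" in actions:
            continue  # the launcher activity is expected to be exported
        exported = comp.get(A + "exported")
        # Before API 31 a component with an intent-filter is exported by default.
        if exported == "true" or (exported is None and comp.find("intent-filter") is not None):
            guarded = any(comp.get(A + p) for p in ("permission", "readPermission", "writePermission"))
            if not guarded:
                findings.append((comp.get(A + "name"), comp.tag + " is exported without a permission"))
    return findings
```

Running `review_manifest(SAMPLE_MANIFEST)` on the sample reports the debuggable and backup flags, the exported SyncService and the implicitly exported BootReceiver, while the permission-guarded DataProvider and the launcher activity pass.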

You can request our full Mobile Application Security Testing Methodology.

Reporting

All findings are documented in a severity ordered report with clear and concise recommendation instructions.

Retesting

All our mobile application penetration testing services come with free retesting of reported findings, helping reduce the security risk of your mobile application.

Why use Aptive for Mobile Security Testing

CREST Accredited Team

Penetration testing performed by CREST registered penetration testers.

OWASP Members

All our testers are members of OWASP.

OWASP Testing Methodology

Aptive performs penetration testing based on the OWASP testing methodology.

Easy to Understand Reports

Discovered security issues in severity order with remediation instructions.

Fixed Price Proposals

Transparent costs and fixed price proposals, giving you peace of mind.

Free Retesting

Free retesting of mobile security issues documented in the report.