Penetration Testing

What is Mobile Application Penetration Testing?

Mobile Application Penetration Testing (a.k.a. Mobile Pentest, Mobile VAPT, Mobile Pen Testing) reveals vulnerabilities in the cyber security posture of a mobile application. Applications running on iOS and Android commonly require this assessment.

The main attack surface for a mobile security test spans multiple tiers of components: app, communication, and back-end server.

is a CREST accredited Penetration Testing provider.

App

Insecure data storage, poor resiliency against reverse engineering etc.

Communication

Use of insecure or unencrypted communication channels, missing SSL certificate pinning, etc.

Back-end Servers

Flawed authentication and session management, vulnerable server-side functions etc.

Objective of this assessment

Identify gaps in the security of the mobile application and its API, web platform, or web service
Ensure the expected security protections exist and are effective
Compliance with regulations

Approach & Methodology

Application Walkthrough and Binary Analysis

Vulnerability Identification

Vulnerability Exploitation

Reporting

The Mobile Application Penetration Testing methodology is based on the industry-standard Open Web Application Security Project (OWASP Mobile) and our internal manual checklist developed by our research lab. It covers vulnerabilities including, but not limited to:

Weak server-side controls, e.g.
(a) Injection flaws; (b) Access controls; (c) Improper session handling; (d) Untrusted inputs; (e) Poor authorization and authentication; (f) Application logic flaws. Test and review business logic exposures and verify results from automated tools.
Insecure data storage. Review the contents of the mobile device to identify stored sensitive information, e.g.
(a) Credentials on file system; (b) Credentials in memory; and (c) Data stored on file system
Insecure transport layer protection;
Unintended data leakage, e.g.
(a) Clear text data; (b) Backdoor data; and (c) Clear text credentials
Broken cryptography;
Client-side injection including code tampering;
Lack of binary protection;
Decompiling, analysing and modifying the installation package;
Improper platform security (e.g. jailbreak, phone, user)

The vulnerabilities are evaluated using the Common Vulnerability Scoring System (CVSS) to assess the risk.