Mobile Application Penetration Testing

Comprehensive client, data in transit, and server-side testing of applications developed for iOS, Android, and Windows 8.

Our Methodology

Our mobile application penetration testing methodology is based on the OWASP mobile testing approach and covers around 100 different tests across the client-side device, data in transit, and the server-side API.

We will perform rigorous testing covering the OWASP Mobile Top Ten risks (the 2014 list, reproduced below), which industry consensus considers to be the most critical and prevalent mobile application security flaws:

OWASP M1: Weak server side controls (Tests the handling of untrusted input by back-end web services, APIs, and traditional websites.)

OWASP M2: Insecure data storage (Tests how securely sensitive data is encrypted and stored on the mobile device, to see whether it could be recovered if the device were lost or stolen.)

OWASP M3: Insufficient transport layer protection (Tests whether, and how, data is encrypted in transit to and from the mobile application.)

OWASP M4: Unintended data leakage (Tests whether any data is inadvertently written to an insecure location on the device that other applications can read.)

OWASP M5: Poor authorization and authentication (Tests the authentication and authorisation schemes in place to assess the risk of unauthorised function execution within the mobile app or back end.)

OWASP M6: Broken cryptography (Tests whether an adversary could return encrypted data stored by the app to its original form.)

OWASP M7: Client side injection (Tests whether malicious input can be executed as code via the mobile app.)

OWASP M8: Security decisions via untrusted inputs (Tests whether an attacker could use hidden functionality in the app to execute functions with elevated permissions.)

OWASP M9: Improper session handling (Tests whether an attacker could hijack a user session because a session token is shared or exposed unintentionally.)

OWASP M10: Lack of binary protections (Tests whether an attacker could easily analyse, reverse engineer, or modify the application.)
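To make the M2 and M4 checks concrete, the following is an added example (written for this page, not the firm's own tooling) of the kind of check a tester runs against an app's data directory once it has been pulled from a rooted device or emulator (e.g. `adb pull /data/data/<package>`). It parses Android SharedPreferences XML files and SQLite databases and flags values stored in plaintext whose key name or value shape suggests a credential or session token. The package name `com.example.app`, the key-name patterns and the sample data are all constructed for the example; a real engagement would tune the patterns to the target.

```python
"""Scan an extracted Android app data directory for plaintext secrets.

Added example for the OWASP M2/M4 checks above: after pulling the app's
/data/data/<package> directory, look through SharedPreferences XML files and
SQLite databases for credentials or tokens stored unencrypted. The sample
app directory is constructed inline so the script runs offline.
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key names that commonly hold sensitive values (hypothetical starter list;
# extend per engagement).
SENSITIVE_KEY_RE = re.compile(
    r"(pass(word|wd)?|secret|token|session|auth|api[_-]?key|pin)", re.I
)
# Value shapes that look like secrets even when the key name is innocuous.
SENSITIVE_VALUE_RE = re.compile(
    r"^(eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"  # JWT
    r"|[A-Fa-f0-9]{32,}"                                    # long hex token
    r"|[A-Za-z0-9+/]{32,}={0,2})$"                          # long base64 blob
)


def _flag(key, value):
    """True if either the key name or the value shape looks sensitive."""
    return bool(SENSITIVE_KEY_RE.search(key) or SENSITIVE_VALUE_RE.match(value))


def scan_shared_prefs(path):
    """Return (file, key, value) for suspicious entries in a SharedPreferences XML file."""
    findings = []
    root = ET.parse(path).getroot()  # <map> with <string name=...>, <boolean name=... value=.../> etc.
    for elem in root:
        key = elem.get("name", "")
        value = elem.get("value") if elem.get("value") is not None else (elem.text or "")
        if value and _flag(key, value):
            findings.append((path, key, value))
    return findings


def scan_sqlite(path):
    """Return (file, table.column, value) for suspicious text cells in a SQLite database."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, cell in zip(cols, row):
                    if isinstance(cell, str) and _flag(col, cell):
                        findings.append((path, f"{table}.{col}", cell))
    finally:
        con.close()
    return findings


def scan_app_dir(app_dir):
    """Walk an app's data directory and dispatch on file type."""
    findings = []
    for dirpath, _, files in os.walk(app_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".xml"):
                findings.extend(scan_shared_prefs(full))
            elif name.endswith(".db"):
                findings.extend(scan_sqlite(full))
    return findings


def build_sample_app_dir():
    """Constructed fixture imitating /data/data/com.example.app (not real app data)."""
    base = tempfile.mkdtemp(prefix="com.example.app_")
    prefs = os.path.join(base, "shared_prefs")
    dbs = os.path.join(base, "databases")
    os.makedirs(prefs)
    os.makedirs(dbs)
    with open(os.path.join(prefs, "com.example.app_preferences.xml"), "w") as f:
        f.write("""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="theme">dark</string>
    <boolean name="first_run" value="false" />
</map>""")
    con = sqlite3.connect(os.path.join(dbs, "app.db"))
    con.execute("CREATE TABLE session (id INTEGER, auth_token TEXT, note TEXT)")
    con.execute("INSERT INTO session VALUES (1, 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln', 'ok')")
    con.commit()
    con.close()
    return base


if __name__ == "__main__":
    for path, key, value in scan_app_dir(build_sample_app_dir()):
        print(f"PLAINTEXT SECRET  {os.path.relpath(path)}  {key} = {value}")
```

The flagged password in SharedPreferences and the bearer token in the SQLite session table are the sort of M2 findings that turn a lost device into an account takeover; the same walk, pointed at world-readable locations such as external storage, serves the M4 check.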

What You Get

  1. Expert security consulting throughout the engagement, from end to end.
  2. A comprehensive report with an executive summary and vulnerabilities mapped to their OWASP category, each with a risk rating tailored to your organisation.
  3. A manual re-test of the vulnerabilities after remediation work is complete, to verify they are closed off.

The following flow chart illustrates our quality controlled penetration testing process from the start until the end of the engagement: