As smartphone and tablet use increases, as does our use of mobile applications. With over 25% of apps containing at least one high-risk vulnerability, security testing is more important than ever. 

Flaws within mobile apps can cause issues not only for the individuals using them but also for application owners or developers too. Data exfiltration is a key concern, which could have a knock-on effect on your organisation’s finances and reputation.  

Reference: https://cybersecurity.asee.co/blog/mobile-app-statistics-to-keep-an-eye-on/ 

We categorise mobile applications into two areas:

• Web services/API based applications, which are responsive to compatible interfaces.
• Native applications which are developed for a specific platform i.e. iOS and Android.

Our assessment includes both the client and server elements used by the mobile app, in accordance with the OWASP mobile assessment framework. 

For web service / API assessment, we perform a web application penetration test, in line with the OWASP application testing standard.

We identify the web service endpoints and assess privilege escalation opportunities, error handling problems, injection flaws, broken access controls, and other web application threats.

The application is further analysed to determine what information is stored locally on the device and could be recovered from a stolen device or malicious third-party applications. 

The subsequent review of cached information checks for sensitive data in clear text, as insecure local storage is a concern if the device is lost or stolen.

Reverse engineering the application helps identify any sensitive information such as encryption keys, hard-coded database credentials, server IP addresses, or default credentials left behind by the developers within the binary.

The final deliverable contains detailed recommendations to help developers remediate the issues identified during the assessment. Where a problem cannot be quickly remediated, mitigation strategies will be presented, depending on the environment where the application is implemented.

Testing typically covers: