What is Mobile Application Testing?
Android & iOS
More than half of the world's web traffic now comes from mobile devices.
Make sure your mobile application is protected through penetration testing.
Mobile devices are an attractive platform for developing applications in every sector of industry. Because they are easy to use and routinely handle sensitive user information, a mobile application assessment is an essential exercise, designed to keep threat actors out.
Cognisys discovers new attack vectors and threats against mobile devices, and the apps designed to run on them, every single day.
Mobile applications are a daily part of life, and it is our job to find the security gaps before anybody else does.
Our Approach to Mobile Application Pen Testing
We categorise mobile applications into two areas:
• Web service / API-based applications, where a responsive client interface relies on back-end web services, and
• Native applications developed for one specific device platform.
Our experience covers testing on the following platforms:
• iOS (Apple iPhone, iPad)
• Android
What Mobile App Penetration Testing Involves
Our assessment covers both the client and the server elements used by the mobile app, and our methodology follows the OWASP Mobile Application Security Testing Guide (MASTG).
For the web service / API assessment we apply our web application penetration testing methodology, which follows the OWASP Web Security Testing Guide.
Our testing team also analyses the network communication protocols to confirm they follow best practice for the confidentiality and integrity of data in transit (for example, that sensitive traffic is sent over properly validated TLS rather than in the clear).
We identify the web service endpoints and assess their parameters for privilege escalation opportunities, error handling problems, injection flaws, broken access controls, and other web application threats.
The application is then evaluated with a manual walkthrough designed to map its functionality and identify the key areas to focus on.
The application is further analysed to determine what information is stored locally on the device and could be recovered from a stolen device or by a malicious third-party application. The review of this locally stored and cached data confirms that no sensitive data is held in clear text, since insecure local storage is a real concern if the device is lost or stolen.
Reverse engineering the application helps to identify sensitive information left behind by the developers within the binary, such as encryption keys, hard-coded database credentials, server IP addresses, or default credentials. The final deliverable contains detailed recommendations to help developers remediate the issues identified during the assessment. Where an issue cannot be quickly remediated, mitigation strategies are presented, depending on the environment in which the application is deployed.
The assessment combines manual and automated techniques and covers the following high-level areas:
• Static analysis
• Network traffic analysis
• Authentication and authorisation review
• Tampering and reverse engineering
• Local storage mechanisms
• Web service / API analysis
The assessment is documented in a simple, easily digestible format.