Mobile application security testing

More than half of the world’s web traffic now comes from mobile devices. Ensure your mobile applications are secure.

As smartphone and tablet use increases, so does our use of mobile applications. With over 25% of apps containing at least one high-risk vulnerability, mobile application security testing is more important than ever.

Flaws within mobile apps cause problems not only for the individuals using them but also for the application's owners and developers. Data exfiltration is a key concern, with a knock-on effect on your organisation's finances and reputation.

Methodology

We categorise mobile applications into two areas:

  • Web service/API-based applications, where the mobile client is a front end to back-end web services that any compatible client can call.
  • Native applications developed for a specific platform, e.g. iOS or Android.

Our assessment includes both the client and server elements used by the mobile app, in accordance with the OWASP Mobile Application Security framework (MASVS/MASTG).

For web service / API assessment, we perform a web application penetration test, in line with the OWASP Web Security Testing Guide.

We identify the web service endpoints and assess them for privilege escalation opportunities, error-handling problems, injection flaws, broken access controls and other web application threats, exercising each endpoint with the credentials of every user role the app supports.

The application is further analysed to determine what information is stored locally on the device and could be recovered from a stolen device or by a malicious third-party application.

The subsequent review of cached information (shared preferences, SQLite databases, application logs, screenshots and keychain or keystore usage) checks for sensitive data held in clear text, as insecure local storage is a concern if the device is lost or stolen.

Reverse engineering the application helps identify sensitive information left behind by the developers within the binary, such as hard-coded encryption keys, database credentials, server IP addresses or default credentials.
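The local-storage review and the reverse-engineering step above can be started with a scripted first pass before manual triage. The following is an added example written for this page, not Cognisys's own tooling: it walks an unpacked bundle looking for hard-coded secrets (AWS key IDs, private-key blocks, JDBC URLs carrying a password, JWTs, raw IP addresses) and inspects pulled device storage for sensitive values written in clear text. The directory layout it assumes is an assumption, not something the page specifies: apktool output (smali/ and res/) alongside shared_prefs/ and databases/ pulled from /data/data/<pkg>; the sample bundle it builds is constructed for the demonstration and not taken from a real app.

```python
"""Added example, not the page's own tooling: scan an unpacked app and pulled storage for secrets."""
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Secrets that commonly survive in smali, resources and config files.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jdbc_url_with_password": re.compile(r"jdbc:[a-z0-9]+://\S*?password=[^\s\"'&]+", re.I),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+"),
    "ipv4_literal": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),  # noisy: triage by hand
}
# Key and column names that should never hold a cleartext value on the device.
SENSITIVE_NAME = re.compile(r"token|password|passwd|secret|api_?key|session|auth", re.I)


def scan_text(text, source):
    """Run every secret pattern over a text blob; return a list of finding dicts."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for value in (m.group(0) for m in pattern.finditer(text)):
            if kind == "ipv4_literal" and any(int(o) > 255 for o in value.split(".")):
                continue  # a version string such as 1.2.3.400, not an address
            findings.append({"kind": kind, "value": value, "source": str(source)})
    return findings


def scan_xml_strings(path):
    """strings.xml and SharedPreferences share the <string name=...>value</string> shape
    (assumes apktool-decoded text XML): flag sensitive names stored in clear text."""
    findings = []
    for el in ET.parse(path).getroot().iter("string"):
        name, value = el.get("name", ""), (el.text or "").strip()
        if value and SENSITIVE_NAME.search(name):
            findings.append({"kind": "cleartext_sensitive_value",
                             "value": f"{name}={value}", "source": str(path)})
        findings.extend(scan_text(value, path))
    return findings


def scan_sqlite(path):
    """Open a pulled SQLite DB read-only; flag sensitive-looking columns holding data."""
    findings = []
    con = sqlite3.connect(f"{Path(path).resolve().as_uri()}?mode=ro", uri=True)
    try:
        for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for col in (c for c in cols if SENSITIVE_NAME.search(c)):
                row = con.execute(f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL '
                                  f'AND "{col}" != \'\' LIMIT 1').fetchone()
                if row:
                    findings.append({"kind": "cleartext_sensitive_column",
                                     "value": f"{table}.{col}={row[0]}", "source": str(path)})
    finally:
        con.close()
    return findings


def scan_bundle(root):
    """Walk the unpacked bundle and dispatch each file to the right scanner."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        scanner = {".db": scan_sqlite, ".xml": scan_xml_strings}.get(path.suffix)
        if scanner:
            findings.extend(scanner(path))
        else:  # smali, dex strings, config files: decode leniently and pattern-scan
            findings.extend(scan_text(path.read_bytes().decode("utf-8", "ignore"), path))
    return findings


def build_sample_bundle(root):
    """Constructed sample bundle (not taken from a real app) so the scan runs offline."""
    root = Path(root)
    for d in ("smali/com/example", "res/values", "shared_prefs", "databases"): (root / d).mkdir(parents=True)
    (root / "smali/com/example/Config.smali").write_text(
        'const-string v0, "AKIAIOSFODNN7EXAMPLE"\n'  # the AWS documentation example key id
        'const-string v1, "https://10.0.0.25/api/v1"\n'
        'const-string v2, "jdbc:mysql://db.internal:3306/app?user=app&password=s3cretPass"\n')
    (root / "res/values/strings.xml").write_text(
        '<resources><string name="app_name">Demo</string>'
        '<string name="api_key">abc123-def456</string></resources>')
    (root / "shared_prefs/auth.xml").write_text(
        '<map><string name="session_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.'
        'sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c</string></map>')
    con = sqlite3.connect(str(root / "databases/app.db"))
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'Winter2024!')")
    con.commit()
    con.close()


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bundle(tmp)
        return scan_bundle(tmp)
```

Run `demo()` to scan the constructed bundle; on a real engagement call `scan_bundle()` on the apktool output directory with the pulled shared_prefs and databases copied alongside it. The database is opened with `mode=ro` so evidence pulled from the device is never modified, and the IPv4 pattern is deliberately left broad because version strings and resource dimensions also look like dotted quads; every hit still needs manual confirmation before it goes into the report.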

The final deliverable contains detailed recommendations to help developers remediate the issues identified during the assessment. Where a problem cannot be quickly remediated, mitigation strategies will be presented, depending on the environment where the application is implemented.

Mobile application testing service overview

Testing typically covers:

  • Static analysis
  • Network traffic analysis
  • Authentication and authorisation review
  • Tampering and reverse engineering
  • Local storage mechanisms
  • Web service/API analysis

Contact: info@cognisys.co.uk

Leeds office: 5 Park Place, Leeds, LS1 2RU

Manchester office: The Sharp Project, Thorpe Road, Manchester, M40 5BJ