Mobile Application Penetration Test
During a mobile application penetration test we look for vulnerabilities in how the application stores data on the device, in client-server communication, and on the server itself. We have experience with both the Android and iOS platforms.
Benefits
Although mobile applications often resemble their web counterparts, they introduce risks of their own. Developers may wrongly assume that a mobile client is more trustworthy than a web browser and neglect server-side input validation; in reality an attacker controls the client just as fully and can send arbitrary requests to the API.
Mobile apps are commonly installed on phones with weak PINs or OS versions that no longer receive security updates, which puts data stored on the device at risk. Application packages are also easy to decompile, which lets an attacker extract undocumented API endpoints, encryption keys, or API keys embedded in the code.
Lastly, server APIs created specifically for mobile applications are a risk in themselves: they are usually outside the scope of a web application test and therefore remain untested.
We recommend performing a penetration test on all types of mobile applications: those intended for end customers (e-commerce, customer portals), those working with critical data (banking), and even those for internal systems.
Where the mobile application merely wraps a web application in a WebView, a Web Application Penetration Test may be sufficient, although the WebView configuration itself (for example, JavaScript bridges exposed to the loaded content) still deserves a review.
Testing Process
We offer tests for Android and iOS; both platforms can be tested at the same time.
The tests begin by installing the application on our devices, either from the official stores (Google Play, App Store), from beta distribution portals, or directly from packages (APK, IPA). To improve the quality of the results, we recommend providing the application's source code. Tests of application logic and access control require login credentials, ideally for several user roles so that authorization between roles can be checked.
Testing follows the OWASP MASVS standard and the accompanying OWASP MASTG testing guide, with a focus on the OWASP Mobile Top 10. We primarily check the following areas:
- Data storage on the device
- Cryptographic failures
- Authentication and authorization
- Network communication
- Platform interaction
- Code quality (if the source code was provided)
We perform both static and dynamic analysis of the applications. If needed, we develop custom scripts and tools.
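As an illustration of the static-analysis step and of the decompilation risk described under Benefits, the following script is an added example (not the company's tooling and not from the original page). An APK is a ZIP archive, so the script walks every entry of the package and searches the raw bytes for URLs and for secrets with a recognizable format. The package it scans is constructed in memory with fake contents; the pattern names and file names are assumptions chosen for the example.

```python
import io
import re
import zipfile

# Signatures for material commonly left behind in app packages. The AWS and
# Google prefixes are publicly documented key formats; the generic pattern
# catches key=value / "key": "value" style configuration entries.
PATTERNS = {
    "url": re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~%/\-]*)?"),
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_\-]{35}"),
    "generic_secret": re.compile(
        rb"(?i)(?:api[_-]?key|secret|token)[\"']?\s*[=:]\s*[\"']?([A-Za-z0-9_\-]{16,})"
    ),
}


def scan_package(apk_bytes: bytes) -> dict:
    """Walk every entry of an APK (a ZIP archive) and collect string matches.

    Returns {entry_name: {pattern_name: [match, ...]}} for entries with hits.
    A raw byte search finds ASCII strings in classes.dex, assets and resource
    tables, but not strings the app builds at runtime or stores encrypted;
    those require decompilation or dynamic analysis.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            hits = {}
            for name, pattern in PATTERNS.items():
                # Report the captured value when the pattern has a group,
                # otherwise the whole match; dedupe and sort for stable output.
                matches = sorted(
                    {m.group(m.lastindex or 0).decode("ascii", "replace")
                     for m in pattern.finditer(data)}
                )
                if matches:
                    hits[name] = matches
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: same ZIP layout, fake contents.

    The AWS key is Amazon's documented example key, not a live credential;
    the Google key is a made-up string of the right shape.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
        zf.writestr("res/layout/main.xml", b"<LinearLayout/>")
        zf.writestr(
            "assets/config.json",
            b'{"baseUrl": "https://api.example.com/v2/", '
            b'"apiKey": "AIzaSyA1234567890abcdefghijklmnopqrstuv"}',
        )
        zf.writestr("assets/aws.properties", b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n")
        # A dex file keeps its string table as (mostly ASCII) bytes, so an
        # undocumented endpoint hard-coded in Java/Kotlin shows up verbatim.
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"\x00" * 16
            + b"http://staging-api.example.com/admin" + b"\x00",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_package(build_sample_apk()).items():
        for kind, values in hits.items():
            print(f"{entry}: {kind}: {', '.join(values)}")
```

On a real package, run `scan_package(open("app.apk", "rb").read())`; every hit is a lead to verify, not a confirmed vulnerability, and each endpoint found this way should be added to the scope of the server-side test.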
Additionally, we also assess the security of the server with which the mobile application communicates, following the OWASP WSTG methodology.
Other Types of Tests
Mobile applications often exist as part of a larger system. Therefore, it may be beneficial to simultaneously test related web applications, desktop applications, and APIs.
We also offer a wide range of other penetration testing services, see Penetration Testing – Overview.
Final Report
The results of the penetration test are documented in a final report, which contains details of the testing process, a description and classification of all the vulnerabilities found, and recommendations for mitigating the risks. We deliver the report securely in MS Word and PDF formats. The results can also be presented in a management presentation or a technical workshop.

Sample report
Example output showcasing the quality of our work.
Any questions?
If you are interested in more details please contact us.