Is it really necessary to perform pentest for my mobile app?

Absolutely yes. If you are releasing a mobile application to the market, it's certainly advisable to get a penetration test to ensure it is secure. If it contains numerous vulnerabilities when it goes live on the marketplace, then the reputational impact could be quite severe. If the app involves collecting user data within the EU, then under GDPR you will have to ensure that you have taken adequate steps to maintain security. A mobile application test can provide this assurance.

At a high level we perform attacks on data at rest and data in transit. In more detail, once the pentesting environment and the pentester are prepared, the pentester conducts the first wave of client-side attacks. These attacks are staged according to the types of files that the pentester has pre-identified as the primary goal. Our pentesters use specific methods to obtain access to the mobile app's server side of the client-server tier architecture.

The primary purpose of these initial attacks is to examine network traffic and transport-layer protection by analysing the code and debugging the source. Once that task is complete, the pentesters determine the specific follow-up attacks that will help them find insecure files with less than adequate access controls.

Using methods such as SQL injection, application fuzzing, and parameter tampering, the pentester can identify vulnerabilities that may reveal API keys that were believed to be secured in an inaccessible folder. Once the pentester has penetrated the network architecture without any privileged rights, the main goal is to gain administrator-level access and maintain access to the network, which essentially gives the pentester the keys to the kingdom.

All we need is your consent to proceed with the testing, and the application binaries. This is sufficient to proceed with the mobile app VAPT.

We take pride in the fact that most of our testing is manual. Real-life attackers rarely rely on off-the-shelf tools alone; they largely use their own scripts and methods. We do use tools to automate part of the task, but the rest is very much manual, so that we cover the maximum number of vulnerabilities and achieve the highest level of accuracy.

We can proceed as soon as the basic paperwork of signing the non-disclosure agreement and the work contract is completed.

We are innovative and continue to innovate. With deep experience in both iOS and Android penetration testing, we understand the unique security challenges and vulnerabilities of each mobile architecture. This expertise allows us to customize assessments to specific concerns, such as reverse engineering of an iOS app or malware threats to an Android app.

Each mobile security assessment simulates multiple attack vectors and risks, including insecure storage, the stolen-device scenario, mobile malware attacks, and both authenticated and unauthenticated app users. Apps residing on in-house mobile devices? We provide custom scenarios that map enterprise conditions as well.

Our mobile security assessments take multiple attack vectors and threats into account, including jailbroken iOS and rooted Android devices. By comparing the vulnerabilities exposed in both cases, we can demonstrate the security risk from multiple user types, including dedicated attackers and everyday users.

  • Name of the cookie
  • Value of the cookie
  • Expiry of the cookie
  • Path
  • Domain
  • Need for a secure connection to use the cookie
  • Whether or not the cookie can be accessed through means other than HTTP (e.g., JavaScript)
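As an added example (not the page's or Valency Networks' own code), a small Python checker that parses Set-Cookie header values into the attributes listed above and flags the weak settings a report would call out; the sample headers are constructed.

```python
# Added example, not the company's tooling; sample headers below are constructed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cookie:
    name: str
    value: str
    expires: Optional[str] = None   # Expires or Max-Age, kept as raw text
    path: Optional[str] = None
    domain: Optional[str] = None
    secure: bool = False            # only sent over HTTPS
    httponly: bool = False          # not readable by JavaScript

def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into name=value plus its attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key in ("expires", "max-age"):
            cookie.expires = val
        elif key == "path":
            cookie.path = val
        elif key == "domain":
            cookie.domain = val.lstrip(".")  # leading dot is ignored (RFC 6265)
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie

def audit_cookie(cookie: Cookie) -> List[str]:
    """Findings a pentest report would raise for a session or token cookie."""
    findings = []
    if not cookie.secure:
        findings.append("missing Secure: cookie can be sent over plain HTTP")
    if not cookie.httponly:
        findings.append("missing HttpOnly: cookie readable via JavaScript")
    if cookie.expires is not None:
        findings.append("persistent cookie: survives app restart; verify expiry")
    return findings

# Constructed sample headers: one hardened cookie and one weak cookie.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Domain=.example.com; Secure; HttpOnly",
    "token=xyz789; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]
```

Running `audit_cookie(parse_set_cookie(h))` over each header yields no findings for the first cookie and three for the second.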

Documentation and reporting are an important part of what we deliver. The report includes both an executive summary and technical details to meet the needs of both leadership and app developers. Specifically, the detailed penetration testing report is broken down as follows:

  • Summary Risk and App Strengths/Weaknesses
  • Risk-Prioritized Vulnerabilities and Description
  • Vulnerable Code Sections (when Source Code Review is integrated)
  • Attack Walkthrough (including screenshots)
  • Remediation and Defensive Recommendations

Our Culture

Valency Networks has a very agile, friendly and fun-loving atmosphere, and yet we maintain a cutting-edge, technically vibrant work environment.