Mobile app security testing process

  1. Home
  2. Risk Assessment
  3. Mobile App Security Testing

Features

Process

Benefit

FAQ

Related Links

Process

Valency Networks follows a technical and systematic approach to perform security testing of your mobile app. The process starts with decompiling and goes through detailed analysis for data at rest and data in transit vulnerabilities.

Following steps are performed.

  • Binary decompilation
  • Static code analysis for data at rest vulnerability mapping
  • Dynamic analysis for data in transit vulnerability mapping
  • Above for OWASP Mobile Top 10 standard
  • Local storage specific checks
  • Cryptography specific checks
  • User input validation checks
  • App's own security layer bypass checks
  • Unintended data leakage checks
  • Malicious inputs susceptibility checks

The results are compiled and converted into a technical report.


Mobile App Security Penetration Testing Process

Before Testing Starts

  • Sign NDA

  • Freeze on scope

  • Study Mobile App Architecture

  • Study Mobile App Functionality

  • Decide attack vectors and prioritize

  • Allocate single point of contact

During Testing

  • Black box testing (Without device rooting, jailbreaking)

  • Gray box testing (With device rooting, jailbreaking)

  • Automatic and Manual Testing

  • Testing using OWASP-Mobile-Top-10 Standard

  • Scanning

  • Configuration Check

  • Manifest/Binary Config check

  • Gathering Logs

Testing Details

After Testing

  • Analyse logs

  • Confirm results

  • Apply Knowledge

  • Apply Experience

  • Repeat Test if required

Testing Outcome

  • Detailed technical report

  • Executive summary

  • High level fixation solutions

  • Certificate of testing completion (optional)

Testing of Android and iOS vulnerabilities

Below are few quick questions which come to mind, pertaining to the mobile app's security and testing process.

IT Network Penetration Testing Scanning Services Provider Vendor , Types of network vapt

Q. How the analysis of data in transit between app and caller web services is performed?

A - By capturing the traffic originating from the mobile app, towards the backend cloud or web hosted services. We look for possible injections into that traffic at various parameters. SQL Injection, cookie injection are few examples of it.

Q. How the capturing and analysis of data at rest on the mobile device is performed?

A - Each application stores data on the mobile device in some form or other. The locations can also be different, ranging from the device memory to the external storage. We detect this and see if/how that data can result into potential critical information leakage. Encryption is one of the things that we test, but there are many complex security scenarios (especially in android), that we test the vulnerabilities for.

Q. What Android and iOS specific checks and log capture are performed?

A - Android apps are fragile if care is not taken properly. The same goes with iOS because its taken for granted to be secure by nature. Our years of experience in android and iOS operating system bases and the API's helps us device the platform specific checks which range into hundreds of vulnerability possibilities each. All operating systems give out logs, which we capture too, to figure out data leakage possibilities.

Q. How do you map security scenario attack vectors to ensure accuracy?

A - Its not only about default vulnerabilities , or typical security problems as per OWASP Top 10. We go way beyond that, by understanding business logic, map the application in various business scenarios, and create customized vectors for testing. This method helps us go deep into the security of overall apps functionality, besides the common ones, and thus helps our customer gain accurate results which they need to fix.

IT Network Penetration Testing Scanning Services Provider Vendor , Types of network vapt
IT Network Penetration Testing Scanning Services Provider Vendor , Types of network vapt

Q.How do you perform analysis on app code modules?

A - An important steps in mobile app pentesting (VAPT) is to decompile the app. This helps us get under the skin of the app to expose the code. We deep dive into the code modules to find whether or not the coding is done to achieve the security, especially against data privacy thefts. This makes us a unique and best mobile app vapt company, providing VAPT services to customers from all industry sectors.

Q. How do you perform manifest/Binary Config check?

A - For android apps, the manifest exhibits some security issues, which there are multiple binary files under iOS which does the same. We use these details to map into mobile app's security threat modelling and use that information for further penetration testing.

Mobile App Pentesting Checklist

IT Network Penetration Testing Scanning Services Provider Vendor , Network Security VAPT

While android and iOS app pentesting is a very detailed process and results into an elaborate checklist, below details can provide a glimpse of the all the tasks at a high level. All mobile app security testing companies who are best vendors for this task, follow OWASP Top 10 Mobile model and its summarized below. There are multiple mobile app security tools involved in this process, although we take pride in performing the testing manually to achieve best results.

Mobile app security testing is of four stages:

  • Discovery requires the pentester to collect information that is essential in understanding events that lead to the successful exploitation of mobile applications.

  • Assessment or analysis involves the penetration tester going through the mobile application source code and identifying potential entry points and weaknesses that can be exploited.

  • Exploitation involves the penetration tester leveraging the discovered vulnerabilities to take advantage of the mobile application in a manner not intended by the programmer initially did not intend.

  • Reporting is the final stage of the methodology and it involves recording and presenting the discovered issues in a manner that makes sense to management. This is also the stage that differentiates a penetration test from an attack. A more detailed discussion of the four stages follows.

Discovery

Intelligence gathering is the most important stage in a penetration test. The ability to discover hidden cues that might shed light on the existence of a vulnerability might be the difference between a successful and unsuccessful pentest.The discovery process involves:

Open Source Intelligence (OSINT) -The pentester searches the Internet for information about the application. This might be found on search engines and social networking sites, leaked source code through source code repositories, developer forums, or even on the dark web.

Understanding the Platform -It is important for the penetration tester to understand the mobile application platform, even from an external point of view, to aid in developing a threat model for the application. The pentester takes into account the company behind the app, their business case, and related stakeholders. The internal structures and processes are also taken to account.

IT Network Penetration Testing Scanning Services Provider Vendor , Types of network vapt
IT Network Penetration Testing Scanning Services Provider Vendor , Types of network vapt

Client-Side vs Server-Side Scenarios - The penetration tester needs to be able to understand the type of application (native, hybrid, or web) and to work on the test cases. The application's network interfaces, user data, communication with other resources, session management, jailbreaking/rooting behavior are all taken into account here. Security considerations are also made; for example, does the app interact with firewalls? Databases or any servers? How secure is this?
Collected information may include:

  • The user session remains active until a manual log off is performed.
  • No financial transactions are performed.
  • The application is built not to run on jailbroken devices.
  • The actions that are performed on the server include database additions, deletions, and pulls.

Assessment / Analysis

The process of assessing mobile applications is unique because it requires the penetration tester to check the applications before and after installation. The different assessment techniques that are encountered within the MAPTM include:

Local File Analysis -The pentester checks the local files written on the file system by the application to ensure that there are no violations.

Archive Analysis - The penetration tester extracts the application installation packages for the Android and iOS platforms. A review is then done to ensure that there are no modifications done to the configurations of the compiled binary.

Reverse Engineering - This involves converting the compiled applications into human-readable source code. The penetration tester reviews the readable code in order to understand the internal application functionality and search for vulnerabilities. Android application source code may be modified once reversed and recompiled. The following tools can be used while conducting reverse engineering:

  • Android-dex2jar, JD-GUI
  • iOS-otool, class-dump-z

Mobile App Security Testing Company, Exploit Categories
Mobile App Security Testing Company, Exploit Categories

Static Analysis - During static analysis, the penetration tester does not execute the application. The analysis is done on the provided files or decompiled source code.

Dynamic Analysis - The pentester reviews the mobile application as it runs on the device. Reviews done include forensic analysis of the file system, assessment of the network traffic between the application and server and an assessment of the application's inter-process communication (IPC). There are a couple of tools that are available to the pentester for automated and manual source code analysis. These include:

  • Android: Androwarn, Andrubis, and ApkAnalyser
  • iOS: Flawfinder and Clang Static Analyzer

Reverse Engineering - This involves converting the compiled applications into human-readable source code. The penetration tester reviews the readable code in order to understand the internal application functionality and search for vulnerabilities. Android application source code may be modified once reversed and recompiled. The following tools can be used while conducting reverse engineering:

  • Android-dex2jar, JD-GUI
  • iOS-otool, class-dump-z

Inter-Process Communication Endpoint Analysis: The pentester reviews the different mobile application IPC endpoints. Assessment is performed on:

  • Content Providers - These ensure that access to databases is achieved.
  • Intents - These are signals used to send messages between components of the android system.
  • Broadcast Receivers - These receive and act on intents received from other applications on the android system.
  • Activities - These make up the screens or pages within the application
  • Services - These run from the background and perform tasks regardless of whether the main application is running.

Information obtained from the assessment may be used to create a threat model. For example, we can consider the following:

  • Discovered Vector - The app communicates with a database on a remote server.
  • Possible Threat - Unauthorised reading of data traffic while communicating with the server.
  • Relating Countermeasure - Implementing a secure transport layer protection (SSL, TLS).
  • Possible Test Case - Attempt to sniff traffic between the app and server backend.
Mobile App Security Testing Company, Exploit Categories

Exploitation

IT Network Penetration Testing Scanning Services Provider Vendor , Types of network vapt

The pentester acts upon the information discovered from the information-gathering process to attack the mobile application. Thoroughly performed intelligence gathering guarantees a high chance of successful exploitation hence a successful project.

The pentester attempts to exploit the vulnerability in order to gain sensitive information or perform malicious activities, then finally performs privilege escalation to elevate to the most privileged user (root) so as to not face any restrictions on any activities being performed. The pentester then persists within the compromised device.

This simply means that he/she executes modules that allow for backdooring the device with the motive of showing the ability to perform future access.

Reporting

IT Network Penetration Testing Scanning Services Provider Vendor , Types of network vapt


A good report communicates to management in simple language, clearly indicating the discovered vulnerabilities, consequences to the business and possible remediation or recommendations.

The vulnerabilities must be risk rated and proper technical communication done for the technical personnel, with a proof of concept included to support the findings uncovered.

List of Android App VAPT Tools

  1. ImmuniWeb MobileSuite

  2. Zed Attack Proxy

  3. Kiuwan

  4. QARK

  5. Micro Focus

  6. Android Debug Bridge

  7. CodifiedSecurity

  8. Drozer

  9. WhiteHat Security

  10. Synopsys

  11. Veracode

  12. Mobile Security Framework (MobSF)

  13. AndroBugs

Does OWASP apply to mobile app security?

Yes. OWASP has created separate guidelines and attack vectors for mobile applications. Since the mobile apps contain a static code analysis along with the dynamic one, it is imperative to cover these angles via a carefully created vulnerability assessment checklist. TOP10 Mobile security issues have been listed below:

  • M1: Improper Platform Usage

  • M2: Insecure Data Storage

  • M3: Insecure Communication

  • M4: Insecure Authentication

  • M5: Insufficient Cryptography

  • M6: Insecure Authorization

  • M7: Client Code Quality

  • M8: Code Tampering

  • M9: Reverse Engineering

  • M10: Extraneous Functionality

How do you security test a mobile app?

We follow a systematic and yet agile approach to test mobile App security. This helps our customers gain extremely accurate and elaborate results. We follow OWASP Top 10 standard to find and report vulnerabilities. While we do use automated tools, we focus more on manual testing to mimic the real life hackers.

IOS specific checks:

How to test iOS app security

Android specific checks:

How to test android app security

How do I make my mobile apps secure?

Yes. OWASP has created separate guidelines and attack vectors for mobile applications. Since the mobile apps contain a static code analysis along with the dynamic one, it is imperative to cover these angles via a carefully created vulnerability assessment checklist. TOP10 Mobile security issues have been listed below:

  1. Enforce Strong Authentication:

    2. Use authentication mechanism to restrict login to only the authorized user. Using Multi-Factor authentication provides extra layer of protection. If the application deals with sensitive data or stores critical information enforcing a strong authentication mechanism is a must to protect against authentication Bypass attacks.

  2. Encrypt Communication & Data:

    • Ensure your application data is transmitted using the HTTPS protocol.
    • Any sensitive data like password that is being transmitted need to be encrypted.
    • Enforce encryption of the cache/temporary data that the application stores in the users device.

  3. Protect app data:

    4. Implement data security policies and guidelines in the application to ensure users don't fall prey in the trap set by hackers.

  4. Use minimal application permissions:

    5. Giving too many permissions in the application may end up being used by hackers for their entry point. So, limit the applications permissions to its functionality areas.

  5. Certificate pinning:

    6. Implement certificate pinning to guard the application's Data in transit from Man In the Middle attacks.

  6. Perform VAPT :

    7. Get Vulnerability Assessment and Penetration Testing done for the application to find and fix the security vulnerabilities/ loopholes.


Read more on common loopholes found in Mobile applications:

Benefits

What are the steps involved in a mobile app pen test?

  • Data Collection

    1. Collect the apk from customer or download the app apk from playstore
    2. Collect credentials for the application from customers

  • Vulnerability Assessment

    • Find security loopholes in the app by analyzing the apk files and running scanning tools.

  • Vulnerability Exploitation

    • Perform the different attacks using various manual techniques to find exploits in the application.

  • Evidence Collection & Report Creation

    • Collect evidences for the vulnerabilities found and generate the report.

Read more:

Mobile app security testing process

IT Network Penetration Testing Scanning Services Provider Vendor , Network Security VAPT

Can a mobile app pentest be performed remotely?

Yes. If the application is not hosted, the mobile application apk or ipa can be shared. Pentesting the mobile application using the apk or ipa file won't be a challenge.

How often should a mobile app security testing be carried out?

Mobile app security testing is to be carried out before deployment of the application and every time a new functionality or feature is added. Other than that quarterly or half yearly VAPT/security testing need to be done on the mobile application to ensure the application is secure against the daily emerging new attacks and techniques.

Our Culture

Valency Networks is a very agile, friendly and fun loving atmosphere and yet we maintain a cutting edge technical vibrant work environment.

Android iOS Application Security Testing (VAPT) Consultancy vendor company

Working at Valency Networks helps me gain great knowledge everyday.

Team-mate
for 3+ yrs
Android iOS Application Security Testing (VAPT) Consultancy vendor company

Hardly goes a day when I have not learnt anything new in cyber security space and IT technologies.

Team-mate
for 6+ yrs
Android iOS Application Security Testing (VAPT) Consultancy vendor company

Working at Valency Networks helps me gain great knowledge everyday.

Team-mate,
for 3+ yrs