How do we perform Mobile App VAPT?


What we need from you is just the mobile app binaries. At Valency Networks, we believe in mimicking real-life attackers: they have access only to your app's binaries, and ideally that is all we need from you. Once we are formally engaged to perform pentesting of your mobile app, we do ask a few questions such as the ones below:

  • Is your mobile app developed using a cross-platform framework, or does it use native code?
  • Does your mobile app make calls to social media networks?
  • Does your mobile app support in-app purchases, cryptocurrency payments, etc.?
  • Does your mobile app embed a payment gateway within the app?

There are a few more questions besides the above, which relate to your application's business functionality. We map all of this into a threat model of your application and use it to decide how the vulnerability assessment and penetration testing will be performed.

Once the app is mapped, we employ a methodical, technical and systematic approach to penetration testing. While we use the detailed OWASP Mobile Top 10 model as the checklist, the testing is broadly categorized into static analysis (the binary and the data it keeps at rest) and dynamic analysis (runtime behaviour and data in transit). Please check this page to know how it is done.

What to expect from a Mobile App Pentest?

Mobile app penetration testing typically includes "data at rest" and "data in transit" security testing in the context of the mobile application. This is true irrespective of whether it is an Android app, an iOS app or a Windows Phone app. Penetration testing tools are used as part of a penetration test to automate certain tasks, improve testing efficiency and discover issues that would be difficult to find with manual analysis alone.

Two common penetration testing tool types are static analysis tools and dynamic analysis tools. Customers typically expect the app to be security tested end to end, which covers the mobile app binary as well as the backend web services. Manual penetration testing layers human expertise on top of professional tooling, such as automated binary static analysis and automated dynamic analysis, when assessing high-assurance applications.

A manual penetration test takes a wider and deeper approach and delivers a far greater degree of accuracy, which is essential for hardening a mobile app against real attacks. While the vulnerability assessment finds security problems, the penetration test proves that those findings actually exist and shows how they can be exploited. The penetration test therefore attempts to exploit the security weaknesses of the app throughout its environment, at the network level as well as in the key applications.


Mobile App Security Testing Features

With the increased use of mobile phones and tablets, many applications are now hosted on Google Play and the Apple App Store for user convenience. Users store far more than photos and messages on their smartphones, which makes mobile app security critical. Applications that deal with users' critical data, such as finance, health and investments, must ensure the mobile application is secure in order to avoid privacy issues and data breach incidents, which can have serious consequences.

Valency Networks employs a technical and systematic approach to mobile app security testing. The process begins with decompiling the binary and a detailed analysis of data at rest, followed by identifying data-in-transit vulnerabilities.

Exploit Categories

  • On device code exploitation

  • Off device code injection

  • Called Web Service Exploits

  • Authentication problems

  • Configuration problems

  • SQLite Database related problems

Vulnerabilities Detected

  • Weak Server Side Controls

  • Insecure Data Storage

  • Insufficient Transport Layer Protection

  • Unintended Data Leakage

  • Poor Authorization and Authentication

  • Client Side Injection

  • Security Decisions Via Untrusted Inputs

  • Improper Session Handling

  • Lack of Binary Protections

Standards Followed

  • OWASP Mobile Top 10 - 2016

Test Approaches

  • Rooting Android Device

  • Jailbreaking iOS Device

  • Without Rooting/Jailbreaking

  • Data-At-Rest (DAR)

  • Data-In-Transit (DIT)

Testing Approach

  • In the context of the mobile application, mobile app penetration testing typically includes "Data At Rest" and "Data In Transit" security testing. This is true whether the app is an Android app, an iOS app or a Windows Phone app. Our customers typically expect the app to be thoroughly tested for security, which includes both the mobile app binary and the backend web/API services.

  • Both manual methods and penetration testing tools are used. We automate certain tasks to free up time for manual testing, which improves efficiency and helps surface issues that would otherwise be hard to detect.

  • Static analysis tools and dynamic analysis tools are the two most common types of penetration testing tools. When assessing high-assurance applications, our manual penetration testing layers human expertise on top of professional software and tools such as automated binary static analysis and automated dynamic analysis.

  • Our experience in manual penetration testing allows a broader and deeper approach with high accuracy, which is critical for protecting mobile apps from real attacks. While a vulnerability assessment identifies security flaws, penetration testing confirms that those flaws exist and demonstrates how they can be exploited. In penetration testing we therefore try to exploit the app's flaws throughout its environment, attempting to breach both the network and the key applications.

Steps involved in a mobile app pentesting

  • Data Collection:
    Collect the APK/IPA from the customer, or download the published APK from the Play Store. Collect the application's test credentials from the customer.

  • Vulnerability Assessment:
    Decompile and analyze the binary and run scanning tools to find security flaws in the app and its backend.

  • Vulnerability Exploitation:
    Conduct attacks using manual techniques to confirm that the flaws found are actually exploitable.

  • Evidence Collection & Report Creation:
    Gather evidence for each finding and generate a report for the vulnerabilities discovered.

Services for Mobile Application Penetration Testing


  • Testing for popular Platforms and Devices
  • Testing for data at rest problems
  • Testing for data in transit problems
  • Testing for backend web services vulnerabilities
  • Testing for business logic specific problems
  • Testing for framework related inherent vulnerabilities
  • Testing for in-app purchases vulnerabilities
  • Testing for in-app social media usage vulnerabilities
  • Testing for in-app payment gateway calls vulnerabilities

The OWASP Mobile Top 10 model is used in our mobile application penetration testing methodology to ensure that all angles of security threat vectors are tested. Valency Networks is known as one of the top VAPT services companies because it uses an integrated approach to identify security risks before they are exploited, combining the strengths of manual penetration testing, rooting/jailbreaking techniques and mobile platform specific tools.

OWASP TOP 10 for Mobile App Security

For mobile applications, OWASP has developed separate guidelines and attack vectors. Alongside these we also have our own test cases and checklists pertaining to the application's business logic. Because mobile app testing involves both static and dynamic code analysis, it is critical to cover both angles with a carefully crafted vulnerability assessment checklist. The OWASP Top 10 Mobile security issues (2016 list) are listed below:

  • M1: Improper Platform Usage

    This issue covers misuse of a platform feature or failure to use the platform's security controls. It may involve Android intents, permissions, TouchID/Keychain misuse, or any other security feature of the mobile OS.

  • M2: Insecure Data Storage

    Development teams assume that users or malware won't have access to the device's filesystem and consequently store sensitive data in the device's data stores, leading to insecure data storage problems. This can result in the loss of one user's data or, in the worst case, of many users' data.

  • M3: Insecure Communication

    Mobile applications frequently fail to safeguard network traffic. SSL/TLS may be used during authentication but not elsewhere. This inconsistency raises the likelihood of data and session IDs being disclosed.

  • M4: Insecure Authentication

    Poor authentication is the root cause of many security risks. Typical findings include authentication bypass, information disclosure through debug messages, and sessions that are never invalidated.

  • M5: Insufficient Cryptography

    This covers weak or home-grown algorithms, hard-coded or predictable keys, and misuse of otherwise sound primitives. Cryptography is hard to implement correctly and is often done badly, and attackers take full advantage of it.

  • M6: Insecure Authorization

    Many mobile applications perform insufficient authorization checks, allowing a low-privilege user to access information belonging to a higher-privilege user (for example by changing an identifier in a request). This introduces a variety of business-level problems.

  • M7: Client Code Quality

    Code quality is critical when developing mobile applications. Code-level bugs such as buffer overflows, format-string issues and, in WebView-based apps, cross-site scripting are the result of poor code quality and unsafe design.

  • M8: Code Tampering

    Code tampering is a technique in which attackers modify the app's code or resources and redistribute the modified version, typically through third-party app stores accessible over the internet.

  • M9: Reverse Engineering

    Reverse engineering is the process of decompiling a mobile application in order to understand its logic. Code obfuscation is used to make it harder for attackers to read the application code and understand the logic.

  • M10: Extraneous Functionality

    Hidden backdoors and leftover debug or test functionality (for example a flag that enables an admin mode, or verbose logging) that attackers find by inspecting the app and its backend. Attackers look for such extra functionality in order to understand and abuse the backend's underlying functions.

We also follow our experts' checklist for mobile application security during manual testing. Manual testing helps in digging deep into the application and its functionality to find security vulnerabilities. Find more about this:

How to test android app security

Mobile App Testing

VAPT for Mobile App Frameworks

We support following frameworks while pentesting a mobile app:

  • Flutter

  • React Native

  • Ionic

  • Xamarin

  • Swiftic

  • Apache Cordova

  • jQuery Mobile

  • Corona

  • PhoneGap

  • Intel XDK

  • Mobile Angular UI

  • Appcelerator Titanium

  • Framework7

  • Onsen UI

  • NativeScript

  • Sencha

  • Monaca


Top 10 Mobile Risks (OWASP Mobile Top 10, 2014 list)

  1. Weak Server-Side Controls

    Most mobile apps, and hybrid and HTML5 apps in particular, are thin clients in front of an application server. That server is the foundation of the application and must be secured in its own right.

    Flaws such as injection, insecure direct object references and insecure communication can lead to a complete compromise of the application server. Once attackers control the server, they can push malicious content to all users of the application and compromise their devices in turn.

  2. Insecure Data Storage

    As the name implies, Insecure Data Storage is concerned with the security of data in storage. Mobile applications are used for a wide range of tasks, including gaming, fitness tracking, online banking, stock trading and so on, and much of the data used by these applications is stored on the device itself in SQLite files, XML data stores, log files and so on, or sent to cloud storage.

    These applications may store sensitive data ranging from location information to bank account details. The code that handles storage of such data must encrypt it, with keys held outside the data store (for example in the platform keystore), so that a malicious user with direct access to these data stores through theft or malware cannot read the sensitive information stored in them.

  3. Insufficient Transport Layer Protection

    All hybrid and HTML5 apps use a client-server architecture, so the emphasis is on data in motion: the data travels through various channels and is vulnerable to eavesdropping and tampering. The SSL/TLS controls that enforce confidentiality and integrity must be verified for proper deployment on the channel between the mobile app and its server.

  4. Unintended Data Leakage

    Certain mobile application modules may store sensitive user data in areas where it can be accessed by other applications or even malware. These features may be present to improve usability or user experience, but they may have negative long-term consequences.

    Malicious actors can use OS data caching, keystroke logging, copy/paste buffer caching, and web beacons or analytics cookies implemented for advertisement delivery to obtain information about victims.

  5. Poor Authorization and Authentication

    Because mobile devices are the most personal devices, developers take advantage of this by storing critical data such as credentials locally on the device and developing specific mechanisms to authenticate and authorize users locally for the services that the user is requesting via the application.

    If these mechanisms are not well developed, hackers may be capable of bypassing these controls and perform unauthorized actions. Because the code is available, they can perform binary attacks and recompile it to directly access authorized content.

  6. Broken Cryptography

    This relates to ineffective data protection controls. Using weak or broken algorithms, such as RC2 or DES for encryption or MD5 for hashing, means the protection can be broken.

    Poor encryption key management, such as storing the key in locations accessible to other apps, or the use of a guessable key generation process, will also cause the cryptographic approaches to fail.
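To make M5 (Insufficient Cryptography) and risk 6 (Broken Cryptography) concrete, here is an added example, written for this page and not code from Valency Networks, that puts the weak pattern beside the adequate one using only Python's standard library: an unsalted MD5 password hash that a small wordlist cracks in a handful of guesses, and a storage key derived from the device's ANDROID_ID that any app on the device can recompute, versus salted PBKDF2-HMAC-SHA256 with a constant-time check and a random 256-bit key. The device ID and the wordlist are made up for the example; in a real app the random key would be held in the Android Keystore or the iOS Keychain, not in app storage.

```python
"""Weak versus adequate credential protection as found in mobile apps:
unsalted MD5 and device-ID-derived keys versus salted PBKDF2 and random
keys (added example)."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000


def weak_hash(password):
    """What a 'broken cryptography' finding looks like: fast, unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(digest, wordlist):
    """Offline dictionary attack: one MD5 per candidate, and because there is
    no salt the same precomputed table works against every user."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def strong_hash(password, salt=None):
    """Salted, deliberately slow PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_strong(password, salt, digest):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(strong_hash(password, salt)[1], digest)


def weak_key_from_device_id(android_id):
    """Guessable key derivation: anyone who can read the device ID (any app
    on the device can) recomputes the key and decrypts the stored data."""
    return hashlib.md5(android_id.encode()).digest()


def strong_key():
    """256 random bits; a real app keeps this in the platform keystore/keychain."""
    return secrets.token_bytes(32)


def demo():
    """Run both schemes side by side and return the observations."""
    wordlist = ["password", "123456", "letmein", "hunter2", "qwerty"]  # constructed
    cracked = crack_weak(weak_hash("hunter2"), wordlist)
    salt, digest = strong_hash("hunter2")
    device_id = "9774d56d682e549c"  # constructed ANDROID_ID value for the example
    return {
        "md5_cracked_as": cracked,
        "pbkdf2_verifies": verify_strong("hunter2", salt, digest),
        "pbkdf2_rejects_wrong": verify_strong("hunter3", salt, digest),
        "same_password_different_pbkdf2": strong_hash("hunter2")[1] != digest,
        "weak_key_recomputable": weak_key_from_device_id(device_id) == weak_key_from_device_id(device_id),
        "strong_key_bits": len(strong_key()) * 8,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two observations a tester writes up are the first and the fifth: the MD5 digest falls to a wordlist without any per-user work, and the device-derived key offers no secrecy at all because its only input is readable by every app on the phone. Salting makes each PBKDF2 digest unique even for the same password, which is why the precomputation attack stops working.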

  7. Client-Side Injection

    Injection vulnerabilities are caused by faulty inputs, which result in unwanted events such as database query changes, command execution, and so on. Malformed inputs in mobile applications can pose a major hazard both at the local application level and on the server side.

    Injections at the local application level, which primarily target data stores, may result in problems such as access to premium material that is restricted to trial users or file inclusions, which may lead to the abuse of functionalities such as Messaging.

  8. Security Decisions via Untrusted Inputs

    Some functionalities, such as the use of hidden variables to check authorization status, can be bypassed by interfering with them during transit via web service calls or inter-process communication calls. This may result in privilege escalation and undesired mobile application behavior.

  9. Improper Session Handling

    On successful authentication with the mobile application, the application server returns the session token. These session tokens are utilized by mobile applications to make service requests.

    If these session tokens remain valid for an extended period of time and attackers can obtain them through malware or device theft, the user's account can be compromised.
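Risks 8 and 9 above (and M6, Insecure Authorization) are easiest to see in backend code, so here is an added example, not from the page or from Valency Networks, of a constructed API: one handler decides whether to serve a premium report from an is_premium flag the app sends with the request and accepts a session token indefinitely; the hardened handler takes the entitlement from the server-side user record, ignores the client flag and expires tokens after a TTL. The user accounts, the 15-minute TTL and the injectable clock are all constructed for the example.

```python
"""A backend that makes a security decision from a client-supplied flag and
never expires sessions, beside the hardened version (added example)."""
import secrets
import time


class Backend:
    """Stand-in for the app's API; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time, token_ttl=900):
        self.users = {"alice": {"premium": False}, "bob": {"premium": True}}  # constructed accounts
        self.sessions = {}  # token -> (user, issued_at)
        self.now = now
        self.ttl = token_ttl

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.now())
        return token

    def logout(self, token):
        self.sessions.pop(token, None)

    # --- vulnerable handler -------------------------------------------------
    def premium_report_vulnerable(self, request):
        """Trusts `is_premium` from the app (the request can be rewritten in a
        proxy or the app patched) and accepts a session token forever."""
        if request.get("token") not in self.sessions:
            return 401, "login required"
        if request.get("is_premium") == "true":
            return 200, "premium report"
        return 403, "upgrade required"

    # --- hardened handler ---------------------------------------------------
    def _authenticate(self, token):
        record = self.sessions.get(token)
        if record is None:
            return None
        user, issued_at = record
        if self.now() - issued_at > self.ttl:
            del self.sessions[token]  # expired: force a fresh login
            return None
        return user

    def premium_report_hardened(self, request):
        """Entitlement comes from the server-side record; the client flag is ignored."""
        user = self._authenticate(request.get("token"))
        if user is None:
            return 401, "login required"
        if not self.users[user]["premium"]:
            return 403, "upgrade required"
        return 200, "premium report"


def demo():
    """Walk both handlers through the same requests with a controllable clock."""
    clock = [1_700_000_000.0]
    api = Backend(now=lambda: clock[0], token_ttl=900)
    alice = api.login("alice")  # free-tier user
    tampered = {"token": alice, "is_premium": "true"}  # flag flipped in a proxy
    results = {
        "vulnerable_trusts_flag": api.premium_report_vulnerable(tampered)[0],
        "hardened_ignores_flag": api.premium_report_hardened(tampered)[0],
    }
    clock[0] += 3600  # an hour later, well past the 15-minute TTL
    honest = {"token": alice, "is_premium": "false"}
    # 403 (not 401) from the vulnerable handler shows the stale token was still accepted.
    results["vulnerable_stale_token"] = api.premium_report_vulnerable(honest)[0]
    results["hardened_stale_token"] = api.premium_report_hardened(honest)[0]
    bob = api.login("bob")  # paying user with a fresh session
    results["hardened_real_premium"] = api.premium_report_hardened({"token": bob})[0]
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

When testing a real app the equivalent steps are: intercept the request in a proxy, flip or add the flag the app sends, and replay a captured token long after the app itself would have logged the user out; a backend that behaves like the vulnerable handler gets written up under both categories.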

  10. Lack of Binary Protections

    The application binary is in every user's hands. An attacker can reverse engineer it, insert malicious code and recompile it into a repackaged app.

    If a user installs this altered app, they are exposed to data theft and other unwanted activity. Most apps do not have features such as integrity (checksum) checks that would let them detect that they have been tampered with.

Strategies to Secure Mobile Apps

  1. General Considerations

    • Take a security-first approach and provide proper protection for sensitive data.
    • Educate users about what information the app will access or upload and why.
    • If personal information will be gathered, provide a personal information collection statement.
    • Use the "least privilege" principle to run the app with the fewest system privileges and access rights possible.
    • Create and deploy the app in line with best practices.
    • Configure the app to accept security patch updates.
    • If the app holds critical or sensitive data, refuse to run or warn the user when jailbreaking or rooting is detected.
    • Validate all client-supplied data before processing it, against a whitelist of expected data types, ranges and lengths.
  2. Authentication and Session Management

    • To identify the device, do not rely exclusively on device-provided identifiers (such as UID or MAC address), but rather use identifiers unique to the app as well as the device.
    • Employ a suitable authentication system, such as two-factor authentication, based on the mobile app's risk assessment.
    • Avoid keeping passwords; instead, wipe/clear memory regions that contain passwords immediately after their hashes have been determined.
    • To secure user credentials, always use the most recent security method supplied by the mobile platform.
    • Check to determine if the user is logged in at the beginning of any action. If not, redirect to login.
    • After an app's session expires or the user logs out, discard and delete all memory connected with the user data, as well as any master keys used to decrypt the data.
  3. Data Storage and Protection

    • Only acquire and transmit data that is essential for the app's business usage.
    • Determine the sensitivity of data storage and apply measures accordingly. Data should be processed, stored, and used in accordance with its classification.
    • Application data should not be saved in external storage unless adequate security mechanisms are implemented (e.g., robust encryption).
    • For data safety, employ encryption with an appropriate algorithm and key length when storing or caching sensitive information to non-volatile memory, and preserve only the minimal amount of data required for mobile app operation.
    • Validate input and check related places where the app can receive data to prevent client-side code injection or screen hijacking.
    • When no longer required, discard and delete all sensitive data from memory.
    • Use the platform's sandboxing mechanisms to isolate the app's data and processes from other applications.
  4. Communication Security

    • Any sensitive data, such as personal information or card details, must be transmitted over an encrypted channel (TLS); note that TLS protects the data in transit only, not once it has reached the server.
    • Check that every request uses HTTPS.
    • When implementing TLS, the app must enforce certificate validation and never accept self-signed or untrusted certificates.
    • Activate per-app VPN to protect access to corporate network resources from any mobile device and from any location.
  5. Server Controls

    • Examine mobile app backend services for vulnerabilities and ensure that the backend system operates in a hardened configuration with the most recent security updates deployed.
    • Ensure that sufficient logs or information are kept on the backend servers to detect, respond, and investigate events.
    • Examine the app's code to avoid unintended data transfer between the mobile app and the backend servers.
  6. Use of Third-Party / Open-Source Libraries

    • Utilize trustworthy and/or updated versions of software development tools (e.g., software development kits, software libraries) to prevent unintentionally adding Trojan Horses or backdoors.
    • Monitor third-party frameworks/APIs utilized in the mobile app for security updates and upgrades.
    • Verify any data obtained from and sent to untrustworthy third-party apps (e.g., ad networks) before putting it into the mobile app.

What Android and iOS specific checks and log capture are performed?

Android apps are fragile if proper care is not taken, and the same goes for iOS, which is too often assumed to be secure by nature. Our years of experience with the Android and iOS operating systems and their APIs help us devise platform-specific checks, which run into hundreds of vulnerability possibilities for each platform. All operating systems produce logs, which we capture as well to find data leakage possibilities.

How do you perform analysis on app code modules?

An important step in mobile app pentesting (VAPT) is to decompile the app. This lets us get under the skin of the app and expose its code. We dig into the code modules to find whether or not the coding achieves the intended security, especially against theft of private data. This is what makes us a unique mobile app VAPT company, providing VAPT services to customers from all industry sectors.
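As an added illustration of the decompile-and-review step (example code written for this page, not Valency Networks' tooling), the script below runs two of the checks a tester performs over the directory that `apktool d app.apk` produces: it parses AndroidManifest.xml for flags that weaken the binary (debuggable, allowBackup, usesCleartextTraffic, exported components with no permission) and sweeps the decoded smali sources for credential-looking strings. The manifest and the smali file it scans are constructed inline so it runs offline; the package name com.example.bank and the key values are made up, and the AKIA value is a placeholder in the AWS access-key-ID format.

```python
"""Static review of an apktool-decoded APK: risky manifest flags plus a
hard-coded-secret sweep over the decoded sources (added example)."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Patterns that commonly indicate a credential compiled into the binary.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(r'(?i)(api[_-]?key|secret)[^\n"]{0,40}"([A-Za-z0-9_\-]{16,})"'),
}

# Constructed sample of what `apktool d` leaves behind; not a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <application android:debuggable="true" android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.bank.SYNC"/>
  </application>
</manifest>
"""
SAMPLE_SMALI = """.class public final Lcom/example/bank/Config;
.super Ljava/lang/Object;
.field public static final API_KEY:Ljava/lang/String; = "sk_live_0123456789abcdef"
.method static constructor <clinit>()V
    const-string v0, "AKIAIOSFODNN7EXAMPLE"
    sput-object v0, Lcom/example/bank/Config;->AWS_KEY:Ljava/lang/String;
    return-void
.end method
"""


def _is_launcher(component):
    """True for the MAIN activity, which is expected to be exported."""
    for filt in component.findall("intent-filter"):
        for action in filt.findall("action"):
            if action.get(ANDROID_NS + "name") == "android.intent.action.MAIN":
                return True
    return False


def check_manifest(manifest_path):
    """Return (severity, message) findings for risky <application> and component flags."""
    app = ET.parse(manifest_path).getroot().find("application")
    if app is None:
        return [("info", "no <application> element found")]

    def attr(el, name):
        return el.get(ANDROID_NS + name)

    findings = []
    if attr(app, "debuggable") == "true":
        findings.append(("high", "android:debuggable=true: anyone with adb can attach a debugger"))
    if attr(app, "allowBackup") != "false":
        findings.append(("medium", "allowBackup not disabled: app data can be pulled with adb backup"))
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append(("high", "usesCleartextTraffic=true: plain HTTP is allowed"))
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            # exported="true", or an intent-filter with no explicit value (implicitly exported on older targets)
            exported = attr(comp, "exported") == "true" or (
                attr(comp, "exported") is None and comp.find("intent-filter") is not None)
            if exported and attr(comp, "permission") is None and not _is_launcher(comp):
                findings.append(("medium", f"exported {tag} {attr(comp, 'name')} is reachable by any app and has no permission"))
    return findings


def scan_secrets(root):
    """Grep every decoded file for credential-looking strings."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for label, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    hits.append((os.path.relpath(path, root), label, m.group(0)[:60]))
    return hits


def build_sample_apk_dir():
    """Write the constructed sample into a temp dir laid out like apktool output."""
    root = tempfile.mkdtemp(prefix="decoded_")
    with open(os.path.join(root, "AndroidManifest.xml"), "w") as fh:
        fh.write(SAMPLE_MANIFEST)
    src = os.path.join(root, "smali", "com", "example", "bank")
    os.makedirs(src)
    with open(os.path.join(src, "Config.smali"), "w") as fh:
        fh.write(SAMPLE_SMALI)
    return root


def audit(root):
    """Run both checks over a decoded APK directory (pass the apktool output dir)."""
    return {"manifest": check_manifest(os.path.join(root, "AndroidManifest.xml")),
            "secrets": scan_secrets(root)}
```

Point audit() at the apktool output directory of a real build. The manifest findings are leads to confirm on a device (attach a debugger, try adb backup, check whether the exported activity can be launched from another app); the secret hits are confirmed by trying the credential against the service it belongs to, with the customer's permission. Note that a permission-protected exported service, like SyncService in the sample, is deliberately not flagged.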

How the analysis of data in transit between app and caller web services is performed?

We capture the traffic originating from the mobile app towards the backend cloud or web-hosted services and look for possible injections into that traffic at various parameters. SQL injection, cookie injection and script injection are a few examples.
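The following is an added example (not the page's own tooling) of the data-in-transit analysis described above. It takes capture records in the shape a proxy export gives you (method, URL, response headers), flags cleartext endpoints, secrets in query strings and cookies without Secure/HttpOnly, and then replays the request with injection probes substituted into each parameter. The backend it probes is a constructed stand-in: an in-memory SQLite database behind a handler that concatenates the id parameter into its query, so the error-based SQL injection it detects is real, just local. The hostname and token value are made up.

```python
"""Review of captured app-to-backend traffic plus an error-based SQL
injection probe against the backend (added example)."""
import sqlite3
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE_QUERY_KEYS = {"token", "session", "sessionid", "auth", "password", "otp"}
SQL_ERROR_MARKERS = ("syntax error", "unrecognized token", "sql syntax", "ora-", "sqlite")
PROBES = ("'", "' OR '1'='1", "1 OR 1=1")

# Constructed capture records in the shape a proxy export gives you; the host,
# cookie and token values are made up for the example.
SAMPLE_CAPTURE = [
    {"method": "GET",
     "url": "http://api.example-bank.test/api/v1/balance?id=1&token=s3ss10nT0k3n",
     "request_headers": {"User-Agent": "BankApp/2.1 (Android)"},
     "body": None,
     "response_headers": {"Set-Cookie": "session=abc123; Path=/"}},
    {"method": "GET",
     "url": "https://api.example-bank.test/api/v1/profile?id=1",
     "request_headers": {"User-Agent": "BankApp/2.1 (Android)"},
     "body": None,
     "response_headers": {"Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly"}},
]


def make_backend():
    """Constructed stand-in for the app's web service: an in-memory SQLite
    database behind a handler that concatenates the `id` parameter into SQL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [(1, "alice", 100), (2, "bob", 250)])

    def send(method, url, headers, body):
        parts = urlsplit(url)
        params = dict(parse_qsl(parts.query))
        if parts.path != "/api/v1/balance":
            return 404, {}, "not found"
        try:
            # The vulnerable pattern: string-built query, no parameter binding.
            row = db.execute("SELECT balance FROM accounts WHERE id = " + params.get("id", "0")).fetchone()
            return 200, {"Set-Cookie": "session=abc123; Path=/"}, (str(row[0]) if row else "")
        except sqlite3.Error as exc:
            return 500, {}, "Database error: " + str(exc)
    return send


def review_capture(entries):
    """Passive checks: cleartext transport, secrets in URLs, weak cookie flags."""
    findings = []
    for entry in entries:
        parts = urlsplit(entry["url"])
        if parts.scheme == "http":
            findings.append(("high", f"cleartext request to {entry['url']}"))
        for key, _ in parse_qsl(parts.query):
            if key.lower() in SENSITIVE_QUERY_KEYS:
                findings.append(("high", f"'{key}' sent in the query string of {parts.path}; it ends up in proxy and server logs"))
        for name, value in entry.get("response_headers", {}).items():
            if name.lower() == "set-cookie":
                flags = value.lower()
                if "secure" not in flags or "httponly" not in flags:
                    findings.append(("medium", f"cookie without Secure/HttpOnly: {value.split(';')[0]}"))
    return findings


def probe_sql_injection(send, entry):
    """Active check: replay the request with each query parameter swapped for a
    probe and report parameters whose response shows a database error."""
    parts = urlsplit(entry["url"])
    params = parse_qsl(parts.query)
    vulnerable = []
    for i, (key, _) in enumerate(params):
        for probe in PROBES:
            mutated = list(params)
            mutated[i] = (key, probe)
            url = urlunsplit(parts._replace(query=urlencode(mutated)))
            status, _, body = send(entry["method"], url, entry.get("request_headers", {}), entry.get("body"))
            if status >= 500 or any(marker in body.lower() for marker in SQL_ERROR_MARKERS):
                vulnerable.append((key, probe))
                break  # one positive probe per parameter is enough for the report
    return vulnerable


def run_assessment(entries=SAMPLE_CAPTURE, send=None):
    """Passive review of the whole capture, then an active probe of the first request."""
    send = send or make_backend()
    return review_capture(entries), probe_sql_injection(send, entries[0])


if __name__ == "__main__":
    passive, active = run_assessment()
    for severity, message in passive:
        print(severity, message)
    print("injectable parameters:", active)
```

Against a real target, send() is replaced by a function that issues the request through the intercepting proxy, and the probe list is extended with the payloads for the database in use; the structure of the check, and the reason a 500 with a database error string is treated as a confirmed finding, stays the same.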

How the capturing and analysis of data at rest on the mobile device is performed?

Each application stores data on the mobile device in some form or other. The locations can differ, ranging from the app's private storage to the external storage. We locate this data and check if and how it can lead to leakage of critical information. Encryption is one of the things we test, but there are many more complex security scenarios (especially on Android) that we test for.
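As an added example of the data-at-rest sweep (example code for this page, not Valency Networks' own checks), the script below walks a directory laid out like an `adb pull` of /data/data/<package>/, opens every SQLite database and SharedPreferences XML file, and reports columns or preference keys whose names suggest secrets as well as values that are recognisably an e-mail address, a JWT or a Luhn-valid card number stored in plaintext. An encrypted value shows up as an opaque blob and is not flagged, which is the comparison the check is meant to make. The database and preferences file are constructed inline; com.example.bank and all stored values are made up, and 4111 1111 1111 1111 is the standard test card number.

```python
"""Sweep app data pulled from a device (SQLite databases and SharedPreferences
XML) for sensitive values stored in the clear (added example)."""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

SENSITIVE_NAMES = re.compile(r"(?i)pass(?:word|wd)?|token|secret|(?:^|_)pin(?:$|_)|cvv|card|ssn")
JWT = re.compile(r"eyJ[\w-]+\.eyJ[\w-]+\.[\w-]+")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD = re.compile(r"\b(?:\d[ -]?){13,19}\b")

SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user_email">alice@example.com</string>
    <string name="refresh_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln</string>
    <boolean name="biometric_enabled" value="true" />
    <string name="remember_pin">1234</string>
</map>
"""

def luhn_ok(number):
    """Luhn checksum: separates a real card number from a random run of digits."""
    digits = [int(c) for c in number if c.isdigit()]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2) for i, d in enumerate(reversed(digits)))
    return len(digits) >= 13 and total % 10 == 0

def classify(value):
    """Label a stored string by what it looks like, or None if nothing is recognised."""
    if not isinstance(value, str):
        return None
    if JWT.search(value):
        return "jwt"
    if EMAIL.search(value):
        return "email"
    m = CARD.search(value)
    return "card_number" if m and luhn_ok(m.group(0)) else None

def scan_sqlite(path):
    """Flag suspicious column names and recognisable plaintext values in every table."""
    findings, db = [], sqlite3.connect(path)
    for (table,) in db.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        cur = db.execute(f'SELECT * FROM "{table}"')
        columns = [d[0] for d in cur.description]
        findings += [("info", f"{table}.{c}", "column name suggests sensitive data") for c in columns if SENSITIVE_NAMES.search(c)]
        for row in cur.fetchall():
            for col, value in zip(columns, row):
                label = classify(value)
                if label:
                    findings.append(("high", f"{table}.{col}", f"plaintext {label}"))
    db.close()
    return findings

def scan_prefs_xml(path):
    """Same checks over the <string>/<boolean> entries of a SharedPreferences file."""
    findings = []
    for el in ET.parse(path).getroot():
        name = el.get("name", "")
        value = el.text if el.tag == "string" else el.get("value")
        if SENSITIVE_NAMES.search(name):
            findings.append(("info", name, "preference name suggests sensitive data"))
        label = classify(value)
        if label:
            findings.append(("high", name, f"plaintext {label}"))
    return findings

def scan_device_pull(root):
    """Walk a pulled /data/data/<package>/ tree and run the right scanner per file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.endswith((".db", ".sqlite")):
                results = scan_sqlite(path)
            elif fn.endswith(".xml") and os.path.basename(dirpath) == "shared_prefs":
                results = scan_prefs_xml(path)
            else:
                continue
            rel = os.path.relpath(path, root)
            findings += [(sev, f"{rel}:{loc}", msg) for sev, loc, msg in results]
    return findings

def build_sample_device_pull():
    """Constructed app data directory mimicking `adb pull /data/data/com.example.bank`."""
    root = tempfile.mkdtemp(prefix="appdata_")
    os.makedirs(os.path.join(root, "databases"))
    os.makedirs(os.path.join(root, "shared_prefs"))
    db = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    db.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT, auth_token TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2', 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln')")
    db.execute("CREATE TABLE cards (id INTEGER, card_number TEXT)")
    db.execute("INSERT INTO cards VALUES (1, '4111 1111 1111 1111')")  # stored in the clear
    db.execute("INSERT INTO cards VALUES (2, '3q2+7wAAAAB5ZWxsb3c=')")  # opaque ciphertext blob: not flagged
    db.commit()
    db.close()
    with open(os.path.join(root, "shared_prefs", "com.example.bank_preferences.xml"), "w") as fh:
        fh.write(SAMPLE_PREFS)
    return root
```

Run scan_device_pull() on the pulled directory (a rooted device or a debuggable build is needed to read another app's private storage). The "info" entries are review hints: a column named password holding a PBKDF2 digest is fine, one holding hunter2 is not, and only a human can tell the two apart once the value does not match a known format.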

Can a mobile app pentesting be performed remotely?

Yes. If the application is not yet published, the mobile application APK or IPA can be shared with us. Pentesting the mobile application from the APK or IPA file is not a challenge.

How often should a mobile app security testing be carried out?

Mobile app security testing should be carried out before deployment of the application and every time a new functionality or feature is added. Beyond that, a quarterly or half-yearly VAPT should be performed on the mobile application to ensure it remains secure against newly emerging attacks and techniques.


Our Culture

Valency Networks has a very agile, friendly and fun-loving atmosphere, and yet we maintain a cutting-edge, technically vibrant work environment.