Using a combination of automated and manual testing, our team will conduct a thorough assessment of your mobile application, identifying vulnerabilities that may be exploitable and suggesting how to mitigate them.
Mobile applications designed for Apple iOS and Android have a unique set of security risks and challenges compared to desktop or server-based applications. The mobile application itself, and any API or web services it communicates with, need to be designed and implemented with security in mind in order to prevent theft or manipulation of data by the device user or by other applications on the device. This is especially important for applications that process high-value data, such as payment or health information, and for applications that offer in-app purchases.
Methodology
All application testing will be conducted in line with the current standards and methodologies produced by the Open Web Application Security Project (OWASP). Using the latest version of OWASP’s Mobile Application Security Verification Standard (MASVS), we can provide testing to either MASVS Level 1 (for general security) or MASVS Level 2 (for higher risk applications such as healthcare and financial services).
Using OWASP’s Mobile Application Security Verification Standard (MASVS), we will concentrate on the following OWASP Mobile Top 10 vulnerability categories that commonly affect mobile applications:
- Improper Platform Usage
- Insecure Data Storage
- Insecure Communication
- Insecure Authentication
- Insufficient Cryptography
- Insecure Authorisation
- Client Code Quality
- Code Tampering
- Reverse Engineering
- Extraneous Functionality
In addition to the common vulnerabilities listed above, we also conduct testing around the following areas:
- Architecture, Design and Threat Modelling
- Data Storage and Privacy
- Cryptography
- Authentication and Session Management
- Network Communication
- Platform Interaction
- Code Quality and Build Settings
- Resilience Against Tampering and Reverse Engineering
By using a combination of automated tools and in-depth manual testing, we can efficiently and accurately test your application – maximising the level of testing that can be performed in the available time.
Prerequisites
- A signed and completed testing consent form
- A copy of the compiled mobile application
- A copy of the application source code in a working development environment
- Developer keys and certificates so the app can be installed on our device(s)
- Access to any API or back end services the application requires
Deliverables
Engaging with SecureTeam for your Mobile Application Penetration Test will provide you with the following:
In-flight Support
Prior to your test commencing, our consultant(s) will discuss the scope of work with you, so that a full understanding is obtained of what your mobile application is used for, and any services it connects to – either in your network or over the Internet. This not only allows the test to run more efficiently, but also allows the discovered vulnerabilities to be rated more accurately in terms of risk.
During the testing phase, our consultant(s) will engage directly with you – notifying you of any critical vulnerabilities that may be present within your application or infrastructure and any evidence in our results that indicates a security breach may have already taken place.
Reporting
Once the mobile application penetration test has been completed, you will be provided with the following:
Comprehensive Technical Report
Our clear & concise reporting format contains an Executive Summary that can be understood by all members of your organisation – including individuals who may be in management or non-technical roles. All vulnerabilities are explained to a sufficient level of technical detail, so that your development team and systems administrators can quickly pinpoint the root cause of the vulnerability and apply the recommended course of action.
Technical References
Where applicable, we provide additional reference URLs for each vulnerability, so that further information and mitigation advice can be obtained from reputable sources of technical information.
Risk-Based Approach with CVSS Scoring
A risk-based approach is used throughout the report and all vulnerabilities are scored in line with CVSS (Common Vulnerability Scoring System). This allows the contents of the report to be fed into your own internal risk assessments and allows a plan to be developed to address the vulnerabilities which present the highest risk to your organisation.
Secure & Encrypted Report Delivery
Due to the sensitive content which may be contained in our test reports, all test reports are delivered to our customers through a secure file delivery mechanism. All test reports are encrypted using AES-256 encryption and are secured with a strong, randomly generated password which is delivered ‘out-of-band’ to you via SMS. The encrypted file is then delivered to you through an encrypted, expiring URL – allowing you to download the test report securely to your workstation.
After Care
Once our consultancy engagement is complete and our final report has been delivered to you, our consultancy team remain available to you indefinitely for any questions you may have surrounding the report’s findings or our consultancy engagement with you.
We pride ourselves on partnering with our customers to provide ad hoc security advice and to ensure that our engagement with you doesn’t simply end once the final report has been delivered.
We are committed to ensuring that you receive the utmost value out of our consultancy services and look forward to developing a long-lasting business relationship with you.
Conference Call
Once you have received our final report, you have the option of attending a conference call between the consultant(s) involved in delivering your project and individuals within your organisation who you feel would benefit from a more in-depth discussion of the report’s findings.
A conference call is suitable for both management and technical staff. It provides you with the perfect opportunity to ensure that all vulnerabilities and their recommended course of action are fully understood by stakeholders and by the technical staff who will be tasked with applying the recommended course of action.
Find out more
If you'd like to find out more about our services or would like us to provide you with a quotation, please fill out the following form and one of our team will get in touch with you.