
ASPIRE’s Mobile App Security Testing service provides a detailed security analysis of your phone- or tablet-based app. A key feature of this service is manual testing by experienced security professionals, which typically uncovers many more issues than automated tests alone.
Internet traffic is shifting from desktop browsers to mobile devices as mobile app usage grows. Mobile applications bring their own security problems: the data an app exchanges with its back-end services (“data in transit”) and the data it stores on the device (“data at rest”) are both frequently exposed by weak implementation choices.
Mobile App Security Testing Features
Test Areas
• On-device code exploitation
• Off-device code injection
• Exploitation of the web services the app calls
• Authentication problems
• Configuration problems
• SQLite database problems (e.g. sensitive data stored unencrypted)
Standards Followed
• OWASP Mobile Top 10 (the vulnerability categories below use the naming of the 2014 edition of the list)
Vulnerabilities Detected
• Weak Server Side Controls
• Insecure Data Storage
• Insufficient Transport Layer Protection
• Poor Authorization and Authentication
• Client Side Injection
• Security Decisions Via Untrusted Inputs
• Improper Session Handling
• Lack of Binary Protections
Test Approaches
• Rooted Android device
• Jailbroken iOS device
• Without rooting/jailbreaking (stock device)
Mobile App Security Penetration Testing Process

We follow a systematic yet agile approach to testing mobile app security. This gives our customers accurate and detailed results, backed by a knowledge base and years of experience on the subject matter.
Before Testing Starts
• Sign NDA
• Freeze on scope
• Study Mobile App Architecture
• Study Mobile App Functionality
• Decide attack vectors and prioritize
• Allocate single point of contact
During Testing
• Black box testing (without rooting or jailbreaking the device)
• Gray box testing (with a rooted or jailbroken device)
• Automated and manual testing
• Testing against the OWASP Mobile Top 10
• Scanning
• Configuration Check
• Manifest/Binary Config check
• Gathering Logs
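The “Manifest/Binary Config check” and “Configuration Check” steps above are, on Android, a review of the decoded AndroidManifest.xml for settings that weaken the app. The script below is an added illustration of that review, not ASPIRE’s tooling: it parses a constructed sample manifest (not from any real app; the package name and component names are made up) and flags the application-level flags debuggable, allowBackup and usesCleartextTraffic, plus any component that is reachable from other apps without an android:permission guard. The launcher activity is skipped because it is legitimately exported.

```python
"""Static review of a decoded AndroidManifest.xml for risky settings (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Return the namespaced key ElementTree uses for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest (hypothetical package, not taken from any real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.provider"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
  </application>
</manifest>
"""

# Application-level flags that weaken the app when set to "true".
RISKY_APP_FLAGS = {
    "debuggable": "app is debuggable; a local attacker can attach a debugger or use run-as on its sandbox",
    "allowBackup": "adb backup can extract the app's private data without root",
    "usesCleartextTraffic": "plain HTTP traffic is permitted by the app's network policy",
}

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def is_launcher(component):
    """True if the component carries the MAIN action (the app's entry point)."""
    for intent_filter in component.findall("intent-filter"):
        for action in intent_filter.findall("action"):
            if action.get(android_attr("name")) == "android.intent.action.MAIN":
                return True
    return False


def check_manifest(xml_text):
    """Return a list of (kind, target, message) findings for the given manifest text."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for flag, message in RISKY_APP_FLAGS.items():
        if app.get(android_attr(flag), "false").lower() == "true":
            findings.append((flag, "application", message))
    for component in app:
        if component.tag not in COMPONENT_TAGS:
            continue
        name = component.get(android_attr("name"), "?")
        exported = component.get(android_attr("exported"))
        # With android:exported omitted, a component that has an intent-filter is
        # exported by default on apps targeting API < 31 (API 31+ rejects the omission).
        reachable = exported == "true" or (
            exported is None and component.find("intent-filter") is not None
        )
        if not reachable or is_launcher(component):
            continue
        if component.get(android_attr("permission")) is None:
            findings.append((
                "exported-unprotected", name,
                f"{component.tag} is reachable by other apps and declares no android:permission",
            ))
    return findings


if __name__ == "__main__":
    for kind, target, message in check_manifest(SAMPLE_MANIFEST):
        print(f"[{kind}] {target}: {message}")
```

On a real engagement the manifest is obtained by decoding the APK (for example with apktool), and the same checks are then confirmed dynamically: an exported provider is queried from a second app, and cleartext traffic is observed on the wire.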
Testing Details
• Analysis of data in transit within the mobile app stack (between app components and the OS)
• Analysis of data in transit between the app and the web services it calls
• Capture and analysis of data at rest on the mobile device
• Perform Android and iOS specific checks and log capture
• Map findings to the attack vectors prioritised before testing to ensure accuracy and coverage
• Analysis of the app’s code modules (decompiled or disassembled binary)
• Manifest/Binary Config check
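The “data at rest” item above covers the files an app leaves in its private storage, most often SQLite databases and shared preferences. The script below is an added example, not ASPIRE’s tooling, of the analysis step once those files have been copied off a rooted device (on Android, from /data/data/<package>/databases and /data/data/<package>/shared_prefs). It builds a constructed in-memory SQLite database and a constructed shared_prefs XML fragment (neither from a real app), then flags columns and preference keys whose names suggest secrets, and string values that look like a JWT. The name pattern is a heuristic and will produce some false positives, which is why the page’s “Confirm results” step follows.

```python
"""Scan copied app storage (SQLite + shared_prefs) for plaintext secrets (added example)."""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Heuristic: column / preference names that usually hold credentials or tokens.
SENSITIVE_NAME = re.compile(
    r"(pass(word|wd)?|pwd|token|secret|api[_-]?key|session|ssn|card)", re.I
)
# Three base64url segments starting with "eyJ" ("{" ) is the shape of a JWT.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def build_sample_db():
    """Constructed stand-in for a database pulled from the device."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2');
        CREATE TABLE session(id INTEGER PRIMARY KEY, data TEXT, refreshed_at TEXT);
        INSERT INTO session VALUES (1, 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln', '2024-01-01');
        CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT);
        INSERT INTO notes VALUES (1, 'grocery list');
    """)
    return conn


# Constructed stand-in for a shared_prefs XML file.
SAMPLE_PREFS = """
<map>
    <string name="api_key">constructed-example-api-key</string>
    <boolean name="onboarding_done" value="true" />
    <string name="theme">dark</string>
</map>
"""


def scan_sqlite(conn):
    """Return (table.column, reason) findings for every table in the connection."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for column, value in zip(columns, row):
                if not isinstance(value, str) or not value:
                    continue
                location = f"{table}.{column}"
                if SENSITIVE_NAME.search(column):
                    findings.append((location, "sensitive column stored in plaintext"))
                elif JWT_RE.match(value):
                    findings.append((location, "value looks like a JWT"))
    return findings


def scan_prefs(xml_text):
    """Return (key, reason) findings for a shared_prefs XML document."""
    findings = []
    for element in ET.fromstring(xml_text):
        key = element.get("name", "")
        has_value = bool(element.text) or element.get("value") is not None
        if has_value and SENSITIVE_NAME.search(key):
            findings.append((key, f"sensitive preference stored in plaintext ({element.tag})"))
    return findings


if __name__ == "__main__":
    for location, reason in scan_sqlite(build_sample_db()):
        print(f"sqlite {location}: {reason}")
    for key, reason in scan_prefs(SAMPLE_PREFS):
        print(f"prefs {key}: {reason}")
```

Pulling the files needs a rooted device (adb pull from /data/data requires root); on a debuggable build, run-as <package> reaches the same directories without root, which is one reason the manifest check flags debuggable.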
After Testing
• Analyse captured logs
• Confirm results and remove false positives
• Assess impact using our knowledge base and experience
• Repeat tests if required
Testing Outcome
• Detailed technical report
• Executive summary
• High-level remediation guidance
• Certificate of testing completion (optional)
ASPIRE Mobile App Security Testing service
The service is designed to rigorously push the defences of not only the app itself, but also the servers it interacts with. It is suitable for commissioning, third party assurance, post-attack analysis, audit and regulatory purposes where independence and quality of service are important requirements.
A final written report provides an analysis of any security or service problems discovered together with proposed solutions, links to detailed advisories and recommendations for improving the security of both the app and the web services it uses.
The Mobile App Security Testing service can be used to support compliance with PCI DSS v2.0 requirement 11.3 (penetration testing), as it includes both network- and application-layer testing; note that PCI DSS v2.0 has since been superseded by later versions of the standard. Netcraft is a PCI Approved Scanning Vendor (ASV).