Mobile Application Penetration Testing: What is it? And How Does it Work?

Mobile Application Penetration Testing how is it and how does it workAs mobile apps are more and more used by every field of activity, they become also more and more interesting for malicious attackers. Apps need therefore to have a strong security, just as websites. That’s why we do mobile apps penetration testing that takes into consideration their specificities.

 

Objective of a Mobile Application Penetration Testing?

To strengthen the security of your mobile application, and its API/ web platform/ webservice.

 

What is it?

Penetration test = a realistic potential attack on your mobile application. All the elements used for the functioning of the app are tested:
– the application itself,
– the API (or the webservice) used to exchange and supply data,
– and the server hosting the API.

Our tests use the current tools and methods of malicious hackers. In other words, we attack you as they could do, in order to find flaws (also called vulnerabilities). The aim is that you can fix them before attackers use them against you.

More concretely, we try to access to data, network, services, etc. that shouldn’t be public or allowed for that category of users. We investigate if functionalities could be misused.

 

How Does it Work? How Do we Do Mobile App Penetration Testing?

Let’s have a short reminder about how’s working a mobile application.
A mobile app is a software, installed on a smartphone. When an action is requested by the user, it is transmitted by the mobile application to the API (Application Programming Interface). The API sends back the data needed for the app, which builds then the data into a readable page.

During the test, our pentesters (the security experts specialized in pen testing) intercept the traffic between the mobile application and the API. They verify how the request is written, if they can add elements, modify fields, receive more information…

Their purpose is to understand how is working the mobile application and then to try to manipulate its functioning, in order to make it send “unnormal” answers (not the one planned).

The interesting “unnormal” answers can:

  • display database elements,
  • enumerate documents,
  • disclose technical information (as the technologies and the versions used),
  • bypass restrictions (as sign-in without credentials),
  • crash the service,
  • redirect users on other – potentially malicious – websites,
  • deface webpages (in order to damage the company’s image),
  • etc.

 

What is Tested?

Our pentesters test the mobile application installed on the smartphone as well as the API used by the mobile app, and the server on which the app is hosted.

For the mobile application, we test:

  • Data storage,
  • Network communication (communication with the API),
  • Platform interaction – local identification,
  • Security configurations (signature, debug…),
  • Source code (that is available with the mobile app).

 

And for the API and the server, we test:

  • Every functionality,
  • Implementation & usages of the third-party components,
  • Server and its different services (web, mail, FTP, SSH…),
  • Security configurations of each element,
  • Company’s politic: updates, team work methods (processes, how is the code shared? etc.).

Penetration testing can focus only on technical elements or also include social engineering. For more details, this article explains what social engineering in a web security audit is.

 

What Happens Once the Penetration Testing is Finished?

The results of the tests are reported. We document very precisely what has been tested and what was found. The developers will be using the report to remediate to the vulnerabilities.

It’s mostly a technical report. Everything that was tested is listed, and it details:

  • which flaws were found,
  • where they were found,
  • what they are,
  • why they are an issue, and how they can be used by attackers,
  • how they were exploited during the penetration testing,
  • and remediation recommendations to correct them.

The vulnerabilities are rated taking into consideration the probability and potential impact. You can read more about how risks associated with each flaw are assessed in this article.

 

To go further, we have detailed three main elements for securing mobile applications: server-side controls, data storage and data transportation.

Feel free to contact us to talk together about your specific situation.