A mobile or desktop application pentest performs specific tests on native applications (iOS, Android, Windows, Linux, MacOS) or hybrid applications.
Mobile applications are a weak point of information systems, due to fact that many developers are not aware of security issues.
While most mobile apps do not store sensitive information, they can manipulate personal data through APIs and act as gateways to servers.
In addition, mobile applications themselves, as well as desktop applications, can be attacked to be copied or corrupted. Therefore, in themselves, they are also an element to be protected for the companies that developed them.
A mobile application pentest tests the application itself, as well as the APIs and servers that host them. A pentest of the mobile or desktop application itself is particularly focused on cryptographic analysis and reverse engineering.
To define the scope of this type of pentest, the following questions must be answered:
The first step is to understand the risks, in order to define the scope and duration of the pentest.
The audit preparation phase answers the following questions: dates of the pentest, access to the target, communication plan during the tests.
If the application to be tested is not public or not yet available on download platforms, the client can provide the application directly to Vaadata.
The Vaadata team gets in touch with the client's technical team during the start of the pentest. The results are returned at the end of the audit, unless the client specifically requests real-time reporting.
The security audit of a mobile application includes the study of the application’s logic, a technical analysis, and the analysis of elements that could be extracted (reverse engineering). We refer to static analysis and dynamic analysis.
Common vulnerabilities of mobile apps are related to the following:
Mobile APIs are a security priority because they manipulate data and communicate with servers. Securing the API is a necessary step (and the most essential step) in securing a mobile solution.
An API pentest is similar to a Web application pentest, with regard to the tools used and the types of flaws sought.
Common vulnerabilities of APIs are related to the following:
The security audit of a desktop application is similar to the security audit of a mobile application, although the technologies used to develop them are not necessarily the same.
Therefore the vulnerabilities found are often linked to problems of storage or unsecured network communications.
If the desktop application does not communicate with the outside, the main security tests are cryptographic analysis and reverse engineering.
Reverse engineering (or back engineering) consists in extracting static elements from the audited application, such as source code or meta-information.
The elements are then analyzed and studied until we understand how the application works.
The pentester’s aim is to modify a feature or to derive information from it in order to find vulnerabilities.
Insecure data storage is the most common issue, found in 76% of mobile applications
2019 Vulnerabilities and threats in mobile applications. Ptsecurity. (p. 9).
2 in 3 applications fail to pass initial tests based on the OWASP Top 10 and SANS 25 industry standards.
State of Software Security Volume 10. Veracode. (p. 5).
Our range of pentests
We cover a wide technical scope, with specific tests for each type of target. The exact area to which the pentest is applied is to be defined directly according to your security priorities, or after a reconnaissance audit phase for identifying the parts that are most at risk from the viewpoint of an attacker.