A mobile or desktop application pentest performs tests specific to native applications (iOS, Android, Windows, Linux, macOS) or hybrid applications, in order to assess and strengthen their security.
Mobile applications are often a weak point of information systems, because many developers are not aware of security issues.
Even when a mobile app stores little sensitive information locally, it handles personal data through APIs and acts as a gateway to back-end servers.
In addition, mobile and desktop applications can themselves be attacked in order to be copied (cloned) or tampered with. They are therefore also an asset to be protected for the companies that developed them.
A mobile application pentest tests the application itself, as well as the APIs and the servers it communicates with. A pentest of the mobile or desktop application itself focuses in particular on cryptographic analysis and reverse engineering.
To define the scope of this type of pentest, the following questions must be answered:
The first step is to understand the risks, in order to define the scope and duration of the pentest.
The audit preparation phase settles the following points: the dates of the pentest, access to the target, and the communication plan during the tests. If the application to be tested is not public or not yet available on download platforms, the client can provide the application directly to Vaadata.
The Vaadata team gets in touch with the client's technical team at the start of the pentest. The results are reported at the end of the audit, unless real-time reporting is specifically requested.
The security audit of a mobile application includes the study of the application's logic, a technical analysis, and the analysis of elements that can be extracted from it (reverse engineering). These are referred to as static analysis and dynamic analysis.
Common vulnerabilities of mobile applications are related to the following:
Mobile APIs are a security priority because they handle data and communicate with servers. Securing the API is a necessary step, and the most important one, in securing a mobile solution.
An API pentest is similar to a Web application pentest, with regard to the tools used and the types of flaws sought.
Common vulnerabilities of APIs are related to the following:
A desktop application penetration test is similar to a mobile application penetration test, although the technologies used to develop them are not necessarily the same.
The vulnerabilities found are often linked to insecure local storage or unsecured network communications.
If the desktop application does not communicate with any external system, the main security tests are cryptographic analysis and reverse engineering.
Our white paper "How to define the scope of a pentest" gives you clues to define the scope and a pentest strategy. It brings together the key points resulting from our discussions with around 200 companies.
Reverse engineering (also called back engineering) consists of extracting static elements from the audited application, such as source code or meta-information. These elements are then analysed and studied until their functioning is understood.
The pentester's aim is to modify a feature or to derive information from it in order to find vulnerabilities.
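As an added illustration of the static analysis side of such an audit (not Vaadata's tooling, and not code from the original page), the script below runs a handful of checks over files unpacked from an Android application: the manifest, the network security configuration, string resources and decompiled source. It assumes the app has already been unpacked with a tool such as apktool or jadx and that the files are supplied as a path-to-text mapping; the sample files, the rule set and the `scan_extracted_app` function are constructed for this example. The rules look for exactly the classes of weakness mentioned above: cleartext network communication, trust in user-installed certificates, world-readable local storage and secrets hardcoded in the package.

```python
"""Static checks over files unpacked from an Android app (added example).

Assumptions: the app was unpacked beforehand (e.g. apktool / jadx), and the
files of interest are passed in as {path: text}. The rules are an
illustrative subset of what a static review looks for, not an exhaustive
or official list.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    evidence: str


# (rule id, compiled regex, file-name suffix the rule applies to, or None for every file)
RULES = [
    ("MANIFEST_CLEARTEXT_TRAFFIC",
     re.compile(r'android:usesCleartextTraffic="true"'), "AndroidManifest.xml"),
    ("MANIFEST_DEBUGGABLE",
     re.compile(r'android:debuggable="true"'), "AndroidManifest.xml"),
    ("MANIFEST_BACKUP_ALLOWED",
     re.compile(r'android:allowBackup="true"'), "AndroidManifest.xml"),
    ("NSC_CLEARTEXT_PERMITTED",
     re.compile(r'cleartextTrafficPermitted="true"'), "network_security_config.xml"),
    ("NSC_USER_CERTS_TRUSTED",
     re.compile(r'<certificates\s+src="user"'), "network_security_config.xml"),
    # World-readable/writeable private storage (decompiled Java/Kotlin source).
    ("WORLD_READABLE_FILE",
     re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)'), None),
    # Plain http:// URLs; the Android XML namespace URI is a known benign hit.
    ("HTTP_URL",
     re.compile(r'\bhttp://(?!schemas\.android\.com)[^\s"\'<>]+'), None),
    # AWS access key id format: "AKIA" followed by 16 upper-case alphanumerics.
    ("AWS_ACCESS_KEY",
     re.compile(r'\bAKIA[0-9A-Z]{16}\b'), None),
    ("PRIVATE_KEY_MATERIAL",
     re.compile(r'-----BEGIN (?:RSA |EC )?PRIVATE KEY-----'), None),
]


def scan_extracted_app(files: dict[str, str]) -> list[Finding]:
    """Apply every applicable rule to every line of every file."""
    findings: list[Finding] = []
    for path, text in files.items():
        for rule, pattern, suffix in RULES:
            if suffix is not None and not path.endswith(suffix):
                continue
            for lineno, line in enumerate(text.splitlines(), start=1):
                match = pattern.search(line)
                if match:
                    findings.append(Finding(rule, path, lineno, match.group(0)))
    return findings


# Constructed sample of an unpacked app. The AWS key id is Amazon's own
# documented placeholder value, not a real credential.
SAMPLE_APP = {
    "AndroidManifest.xml": (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android">\n'
        '  <application android:allowBackup="true"\n'
        '               android:usesCleartextTraffic="true"\n'
        '               android:networkSecurityConfig="@xml/network_security_config">\n'
        '  </application>\n'
        '</manifest>\n'
    ),
    "res/xml/network_security_config.xml": (
        '<network-security-config>\n'
        '  <base-config cleartextTrafficPermitted="true">\n'
        '    <trust-anchors>\n'
        '      <certificates src="system"/>\n'
        '      <certificates src="user"/>\n'
        '    </trust-anchors>\n'
        '  </base-config>\n'
        '</network-security-config>\n'
    ),
    "res/values/strings.xml": (
        '<resources>\n'
        '  <string name="api_base">http://api.example.test/v1</string>\n'
        '  <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n'
        '</resources>\n'
    ),
    "sources/com/example/app/Prefs.java": (
        'package com.example.app;\n'
        'class Prefs {\n'
        '  void save(Context ctx, String token) {\n'
        '    ctx.getSharedPreferences("session", Context.MODE_WORLD_READABLE)\n'
        '       .edit().putString("token", token).apply();\n'
        '  }\n'
        '}\n'
    ),
    "res/values/colors.xml": '<resources><color name="bg">#FFFFFF</color></resources>\n',
}


if __name__ == "__main__":
    for f in scan_extracted_app(SAMPLE_APP):
        print(f"{f.rule:28} {f.path}:{f.line}  {f.evidence}")
```

Each hit is only a lead for the pentester, not a confirmed vulnerability: a cleartext base-config may be overridden per domain, and a string that looks like a key must still be shown to be valid. The value of the static pass is that it points the dynamic analysis (interception of the app's traffic, inspection of its storage on a rooted device) at the right places.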
Insecure data storage is the most common issue, found in 76% of mobile applications.
2019 Vulnerabilities and threats in mobile applications, Positive Technologies (p. 9).
2 in 3 applications fail to pass initial tests based on the OWASP Top 10 and SANS 25 industry standards.
State of Software Security Volume 10, Veracode (p. 5).
Our range of pentests
We cover a wide technical scope, with specific tests for each type of target. The exact perimeter of the pentest is defined either directly according to your security priorities, or after a reconnaissance phase that identifies the parts most at risk from an attacker's point of view.