Mobile application

Protecting your mobile applications

The use of mobile applications continues to grow and for many organisations, they are now a critical technology on which their business operates.

Mobile applications often handle sensitive information and provide access to back-end systems. This makes them an attractive target for threat actors: a vulnerability in an application can expose sensitive data and provide a foothold into your wider network.

The security of mobile applications is therefore vital and needs to be considered at all stages, from development through to deployment.

How is our testing delivered?

Our mobile application tests are delivered remotely, simulating a real-world attack. Engagements can follow a number of different approaches and this will be guided by your requirements/priorities:

Black box testing: This mimics a real-life attack scenario, where we have only basic knowledge of the application and no access to source code or to any admin/user credentials. Black box assessments are typically chosen by clients who want to know whether an external attacker could gain access to the application from the outside.

White box testing: White box testing gives our consultants access and information before the test starts, such as source code or user credentials. This type of testing assumes that an attacker already has some level of access to the application and is designed to establish the damage that could be done from that position.

Grey box testing: This is our preferred approach to mobile app testing, as it gives the best coverage for the time available. It is a hybrid approach, combining black box and white box elements, and provides a security overview of the application from both the outside and the inside.

What we test

Our mobile application testing is tailored to your requirements, whether you’re looking to test the entire application or just specific areas of functionality. There are three types of mobile applications we test:

Native apps – Built specifically for a mobile operating system, such as Android or iOS (and legacy platforms such as Windows Phone and BlackBerry)

Hybrid apps – Web applications packaged in a native app wrapper and built with cross-platform web technologies (e.g. JavaScript, HTML5 and CSS)

Web apps – Behave in a similar fashion to native applications but run in the device's web browser rather than being installed, and are typically written in HTML5, CSS and JavaScript

Our consultants will investigate the following areas:

Information gathering: Application architecture and design, platform mapping, languages and frameworks

Client-side attacks: File analysis, binary analysis and memory analysis of the installed application

Network-side attacks: Analysis of installation traffic and run-time traffic between the app and its back-end services

Server-side attacks: Network-layer attacks against the back-end infrastructure the application communicates with

Layer 7 attacks: Application-layer attacks against the APIs and web services the application relies on

It is impossible to exhaustively cover all possible security vulnerabilities that may affect a mobile application. Consequently, the aim of our test methodology is to act as a baseline, with additional tests and checks being performed when necessary.

Our approach to mobile app testing

Every mobile application test goes through a rigorous process to ensure you get the best possible results. Below we outline the key stages:

1. Scoping

We work closely with you and your team to define your exact requirements, to understand your desired goals and to gain comprehensive knowledge of the application to be reviewed.

2. Proposal & prerequisites

A bespoke proposal of work will be drawn up based on your requirements, our experience and our consultants' expertise. This proposal will outline our recommended test approach and state the number of days we believe are needed to investigate the target application thoroughly.

We will work with you to ensure this proposal meets your exact requirements and, once it is authorised, we will outline any prerequisites needed to ensure testing starts on time.

3. Testing

Testing will commence on the agreed date and our consultants will communicate with you throughout the test, to your set requirements.

All our testing is conducted manually. Our consultants will look to identify as many issues as possible in the time allotted and will verify whether each could actually be exploited.

4. Reporting

A comprehensive, quality assured report of our findings will be delivered within 5 days of the test finishing. Our reports can be tailored to your needs, providing both a technical and a managerial overview of findings, together with detailed remediation advice. Where required, we can report against the OWASP Mobile Application Security Verification Standard (MASVS).

5. Post-test support

Our job doesn't finish on delivery of the report. Your test consultant will be available after the test to explain any aspect of the report and to provide remediation support to internal teams and/or external suppliers.

6. Retest

You have the option to retest, ensuring reported vulnerabilities have been addressed.

7. Evidence of testing

Many of our clients need to supply evidence of testing for security assurance purposes. We can supply documentation which will provide these assurances to internal and/or external stakeholders.

Why choose us

We act as a trusted adviser, not just a test provider. So, whether it’s your first test or you’ve conducted hundreds, our team are dedicated to making the process as seamless as possible, to pass on their wealth of expertise and to provide you with the information security support you need.

Penetration test experts since 2001

Dedicated account management

Comprehensive, quality assured reporting

Unrivalled post-test support

Optional retest of issues

Contact us

Want to find out more about our mobile application testing services? Our team are on hand to provide the information and support you need. Please contact us and one of our team will be in touch shortly.

Our latest research

Our Labs page is the place to discover our latest research, advisories, tool releases and challenges.

Looking to improve your security? Our insights are a great place to start.