Mobile application penetration testing

Providing the security assurances you need when it comes to your critical mobile applications

Why test your mobile applications?

The use of mobile applications continues to grow and, for many organisations, they are now a critical technology on which their business operates.

Mobile applications often handle sensitive information and can provide access to back-end systems. This makes them an ideal target for threat actors, and vulnerabilities within an application can provide access to sensitive data, as well as to your wider network.

The security of mobile applications is therefore vital and needs to be considered at all stages, from development through to deployment.

Common mobile application platforms and development languages we test include: iOS, Android, Windows, JavaScript, HTML5 and CSS.


Approaching mobile app testing

Our mobile application tests are delivered remotely, simulating a real-world attack. Engagements can follow a number of different approaches, guided by your requirements and priorities:

Black Box Testing Approach

This mimics a real-life attack scenario, where we have basic knowledge of the application but no access to the source code or any admin/user credentials.

Black box assessments are typically used by clients who wish to find out whether a malicious actor could gain access to an application from the outside.

White Box Testing Approach

White box testing provides our consultants with a level of access prior to the test, whether that is access to source code or user credentials.

This type of testing assumes that an attacker already has some level of access within the application and is designed to establish the potential damage that could be achieved from that position.

Grey Box Testing Approach

This is our preferred approach to web application penetration testing, as we believe it provides the best value test in terms of results.

It is a hybrid approach (combining both white box and black box testing elements) and provides a security overview of the application from both the outside and the inside.

Not sure what approach is best for you?

Our team will be happy to discuss your individual requirements and provide a no obligation proposal based on your needs.

What we review

Our mobile application testing is aligned with industry standards such as OWASP and is tailored to your exact requirements, whether you’re looking to test the entire application or just specific areas of functionality. Our reviews can include:

Security configuration, authentication & permissions

Application functionality, technology & data flow

Susceptibility to Cross-Site Scripting (XSS), SQL & other injection attacks

Data transfer security, password and sensitive data storage

Logic flaws such as access control & broken authorisation

Testing against OWASP Top 10 vulnerabilities

It is impossible to exhaustively cover every security vulnerability that may affect a mobile application. Consequently, our test methodology is designed to act as a baseline, with additional tests and checks performed where necessary.

Our mobile application test process

Every mobile application penetration test goes through a rigorous process to ensure you get the best possible results. Below we outline the key stages our testing goes through:

1. Scoping

Your dedicated account manager (AM) will work closely with you to understand your business, the application under review & the desired outcomes. The AM will then work with the assigned Pentest consultants & your stakeholders to ensure testing meets your exact needs.

2. Proposal

A bespoke proposal of work will be drawn up based on your requirements, our experience and our consultants’ expertise. This proposal will outline our recommended test approach, the prerequisites needed & the time required to investigate the target.

3. Testing

Testing will commence on the agreed date and our consultants will communicate with you throughout the test, according to the requirements you have set.

All testing is conducted manually and our consultants will look to identify as many issues as possible in the time allotted, verifying whether these could be exploited.

4. Reporting

A comprehensive, quality assured report of our findings will be delivered following the test. Our reports can be tailored to your needs, providing both a technical and a managerial overview of findings, as well as our detailed remediation advice. Where required, we can report against the OWASP Mobile Application Security Verification Standard (MASVS).

5. Post-test support

Our job doesn’t finish on the delivery of a report; your test consultant will be available after the test to explain any aspect of the report, as well as to provide remediation support to internal teams and/or external suppliers.

6. Evidence of testing

Many of our clients need to supply evidence of testing for security assurance purposes. We can supply additional documentation which will provide these assurances to your internal and/or external stakeholders.

Why choose Pentest?

Our test process isn’t the only reason clients choose to work with us. Find out more about Pentest, our ethos and the support we offer our clients.

Contact us

Want to find out more about our mobile application penetration testing service? Our team are on hand to provide you with the information you need.