Mobile Applications

Mobile applications (Android/iOS) often process sensitive data directly on the device and communicate in the background with a web interface (backend API). This means they offer two attack surfaces: the app itself and the interface it talks to. We examine mobile applications from the installed package through to the web communication – from customer and service apps to banking applications.

Why Pentests for Apps


Our main reason for penetration testing mobile applications is to uncover vulnerabilities through which:

  • Sensitive data on the device can be read or manipulated
  • App protection mechanisms can be bypassed
  • Further attacks on data and on the business processes behind the app are possible via its web interfaces


When to Pentest Apps

In our view, the best times are:

  • During development to address design flaws early
  • Ideally before release in the store
  • With new features, framework changes, or major updates
  • Regularly, to test the app against new attack methods


Results


Typical pentest results are:

  • Technical vulnerabilities that, for example, enable unauthorized access to locally stored data or weaken the communication with the backend
  • Weaknesses found when checking the app against the test cases of the OWASP Mobile Application Security Testing Guide (MASTG)
  • Deviations from the requirements of the OWASP Mobile Application Security Verification Standard (MASVS)
  • Vulnerabilities in business processes, such as bypassing authorization checks or repeatedly executing actions intended to be one-time only
  • An assessment of the security level of the app and the connected web interfaces


What we need from you

For the penetration test of a mobile application, we need the following from you:

  • The app as an installable file (e.g., APK or IPA), in a testable version
  • User accounts for all roles to be tested
  • If possible: the app’s source code
  • Allow-listing of our IP addresses for the web interfaces in any protection systems (e.g., WAF, IPS)
  • Indication of whether testing should take place on a test or production environment
  • Notification of involved parties, such as external hosting or service providers
  • Optionally, technical worst-case scenarios that we will specifically examine
  • We install the application on our own test devices – we work with emulators and, where necessary, with physical devices.

Project in Planning?

Whether it's a pentest, red teaming, or a custom request –
we look forward to speaking with you!