“We continue to find Ambersail and its penetration test team professional and capable. Costs are obviously a factor when choosing suppliers, so to use a company that provides such a high quality service with competitive pricing, is a real advantage.”
Network Manager, Counter Solutions.
What Is Mobile App Penetration Testing?
Mobile app penetration testing is the process of analysing a mobile app to find security weaknesses. It reviews the front-end user interface, the back-end web services and their APIs, and the supporting networks.
Testing reviews features such as cryptography, password hashing and data storage. It also confirms that any mobile platform features the app relies on, such as the iOS keychain or the fingerprint scanner, are used securely.
The Internet contains a vast amount of information on how to test. That said, when we test, we follow the guidance on the OWASP Mobile Security Project (https://www.owasp.org/index.php/OWASP_Mobile_Security_Project). This provides a detailed framework, respected by experts from all over the world.
A mobile app can be built in one of several ways. For example:
Native. The App installs and executes on the mobile device.
Hybrid. Part of the App installs and executes on the mobile device. However, it operates as a web application which is served from an external web server.
Web or Progressive Web App (PWA). The App executes from a web server. However, it utilises platform specific features on the mobile device. This could include the fingerprint reader for authorisation, or the camera for barcode scanning.
When penetration testing a mobile app, we pay close attention to how the app is built. This includes what runs on the mobile device and what runs on the supporting networks. For example, is the communication between the app and the back-end server secure? Our test team investigates ways to access confidential data belonging to other app users via API security failures.
Mobile App Technology Is Developing Rapidly.
As a result, developers must constantly innovate. This is also true when penetration testing mobile apps. For example, we pay close attention to:
Security Frameworks. Apps frequently use JWT (JSON Web Tokens, aka RFC7519 https://tools.ietf.org/html/rfc7519), SWT (Simple Web Tokens) and SAML (Security Assertion Markup Language).
This is important because these standards provide authentication, authorisation and access control features. Consequently, they rely on cryptographic standards such as X.509 to sign and encrypt data. Often, we see that these standards are poorly implemented. For example, untrusted certificates are accepted, or weak passwords have been used to generate keys.
API Calls. We spend time intercepting RESTful API calls made to back-end servers and tampering with the data within each call.
This allows us to check for critical vulnerabilities such as SQL Injection. We also see instances where an authentication token is retained for longer than necessary. This is interesting as it allows tampering with the API payload and can result in data compromise.
Object Serialisation. Where the API uses object serialisation, we test to see that standards such as JSON Web Token (JWT) are appropriately implemented. For example, a JSON structure that contains confidential data should be encrypted rather than simply obfuscated using default Base64 encoding.
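The three points above (token-based security frameworks, tampering with API calls, and confidential data in a JWT) share one lesson: a JWS-style JWT is signed, not encrypted, so its claims are readable by anyone who intercepts it, and the server must verify the signature and expiry strictly. The following is an added example, not Ambersail's tooling or a library API. It builds an HS256 token with a constructed demo key, shows that the payload decodes without any key, and then verifies tokens in the way a back-end should: rejecting `alg: none` and any unexpected algorithm, comparing signatures in constant time, and enforcing `exp`. The claim names treated as sensitive are an assumed list for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Constructed demo key. A real app keeps the signing key server-side,
# never inside the mobile binary where reverse engineering would expose it.
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"

# Assumed list of claim names that should never travel in an unencrypted (JWS) token.
SENSITIVE_CLAIM_NAMES = {"password", "card_number", "ssn", "nino", "dob", "address"}


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the JWT format strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: Dict, key: bytes) -> str:
    """Build a signed (JWS, HS256) token. The payload is only encoded, not encrypted."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> Tuple[Dict, Dict]:
    """Read header and claims with no key at all: what an interceptor on the
    network path sees. This is why confidential data must be encrypted, not just Base64-encoded."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Dict:
    """Return the claims only if the token is well-formed, HS256-signed with `key`,
    and not expired. Raises ValueError otherwise."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never trust 'alg' from the token (blocks 'none' and algorithm confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg: %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # A token retained longer than necessary is a finding: require and enforce 'exp'.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("missing or expired exp")
    return claims


def is_valid(token: str, key: bytes, now: Optional[float] = None) -> bool:
    """Boolean wrapper around verify_hs256 for callers that only need accept/reject."""
    try:
        verify_hs256(token, key, now)
        return True
    except (ValueError, json.JSONDecodeError, UnicodeDecodeError):
        return False


def find_sensitive_claims(claims: Dict) -> List[str]:
    """Flag claims that carry confidential data in a token that is merely signed."""
    return sorted(k for k in claims if k.lower() in SENSITIVE_CLAIM_NAMES)


if __name__ == "__main__":
    demo_claims = {"sub": "user42", "card_number": "4111-0000-0000-1111", "exp": 1_700_000_000}
    tok = make_hs256_token(demo_claims, DEMO_KEY)
    print("readable without key:", decode_unverified(tok)[1])
    print("sensitive claims:", find_sensitive_claims(demo_claims))
```

Run as a script it prints the card number straight out of the token with no key, which is the point of the object serialisation finding above; a back-end that uses `verify_hs256` still rejects tampered payloads, `alg: none` tokens and expired tokens.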
On Demand Mobile App Penetration Testing.
Our experienced UK-based team is ready to test the security of mobile apps when you need us. We can work at short notice and respond to the most urgent of requests.
If you need guidance on what needs to be tested, our team is ready to help you. We want you to get the best value from penetration testing.
You can expect that:
- Our UK-based CREST team performs testing.
- We hire app developers to join our team. These are experts in re-engineering apps to find problems.
- Flexibility is important to us and we can perform most work requests at short notice.
- We don’t charge the earth. You will get great value services with full access to our team.
- You will get easy to understand reports with clear advice.
Contact us to get started.
Need To Know More On How We Do Things?
Helping you understand how and what should be tested.
The mobile app is often just a front-end user interface which provides access to a cloud-based or other web-based service. These back-end web services may also require a web service API test, and a network penetration test.
Many vulnerabilities are dependent on the platform of the mobile app, e.g. iOS or Android. For this reason, we would suggest mobile app penetration testing is performed on every platform that your app supports.
For native apps on iOS, where a .ipa file is available, the tester can unpack the application and start examining the contents of the application archive.
For native apps on Android, it is slightly easier to download an .apk file from the Google Play store.
If these files are not made available, testing can take place on a jailbroken iOS device, or on an Android device or virtual machine emulator.
From here, various attempts are made to decompile the application, to discover how the application logic functions, to re-create source code, and to see which third-party components might be used within the app.
Most apps (especially Web or PWA) will communicate with a server using an API over a network connection. Our test team will intercept this connection via a proxy on the tester’s network. This is similar to what would be done in a web application test. The data transmitted via the API is then manipulated to test input validation controls, finding issues such as SQL injection.
Running The Test At A Time To Suit You.
We have made a big deal about flexibility and being ready to help you assess your app. Experience tells us that mobile app penetration testing needs a flexible approach. Clients who have not considered penetration testing until the app has entered pre-production often contact us, which leaves little or no time to organise a security review.
Do not panic. Our team will cope with whatever mobile app environments need reviewing. We quickly understand what needs to be tested, agree costs and get started. Once testing is complete, we turn reports around quickly so you can understand and apply the required fixes in time to meet your deadlines.
Minimum Disruption To Your Business Operations.
You will know exactly what we are going to test and when we are going to test it. Whether we are testing in a live or a system test environment, we always take great care, so that the risk of disruption is reduced to an absolute minimum.
What We Look For When Mobile App Penetration Testing.
Mobile app binaries and other code will be inspected using reverse engineering techniques. The objective here is to find vulnerabilities such as hardcoded credentials, database queries, encryption keys or other sensitive data or intellectual property. We will also attempt to use code tampering in both the application and mobile device platform to subvert the functionality of the app.
We will assess how the app saves and stores data on the mobile device, to determine whether it handles that data securely. This stored data will also be tampered with to uncover any vulnerabilities in the application.
Data transmissions will be monitored and analysed to determine what data is being sent to and from the mobile device, including network connections, Bluetooth and NFC. Any sensitive or unexpected data will be highlighted.
Any functionality in the app will be inspected to ensure that it is an intended part of the app. It must function according to the security design specifications, providing no means for attackers to exploit the application.
If the network that supports the app needs to be tested, we will find design issues that can then be exploited. This includes insecure permissions, privileges and missing access controls.
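One concrete part of the reverse engineering described above is searching the unpacked binary and its resources for hardcoded credentials and keys. The following is an added example, not Ambersail's tooling: a small scanner that runs over a constructed list of strings (as might come out of `strings` or a decompiler on an app build) and flags password assignments, a well-known access key ID format, PEM private key headers, and high-entropy values assigned to names containing `secret`, `key` or `token`. The sample strings, the placeholder key ID and the entropy threshold are all constructed for illustration.

```python
import math
import re
from typing import Iterable, List, Tuple

# Constructed sample input: strings as a tester might extract from an app build.
SAMPLE_STRINGS = [
    "https://api.example.test/v1/login",
    "Content-Type: application/json",
    "db_password=Summer2019!",
    "aws_access_key_id=AKIAEXAMPLEEXAMPLE12",  # constructed placeholder, matches the AKIA format only
    "-----BEGIN RSA PRIVATE KEY-----",
    "Welcome back",
    "api_secret=5f3a9c1e7b2d4e8a6c0f1b3d5e7a9c2b",  # constructed random-looking value
]

# Signature patterns: each is a literal format, not a guess about a specific product's secret.
PATTERNS = [
    ("password assignment", re.compile(r"(?i)(pass(word|wd)?|pwd)\s*[:=]\s*\S+")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("PEM private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

# Matches lines like `api_secret=...`, `auth.token: ...`, capturing the assigned value.
SECRET_ASSIGNMENT = re.compile(r"(?i)\s*[\w.-]*(secret|key|token)[\w.-]*\s*[:=]\s*(\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, words and URLs score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_secret_assignment(line: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """True when a secret/key/token-named field is assigned a long, high-entropy value.
    The thresholds are assumed tuning values, not a standard."""
    m = SECRET_ASSIGNMENT.match(line)
    if not m:
        return False
    value = m.group(2).strip("\"'")
    return len(value) >= min_len and shannon_entropy(value) >= min_entropy


def scan(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, finding label, line) for every line that matches a
    signature pattern or the high-entropy heuristic. Signature matches take priority."""
    findings = []
    for i, line in enumerate(lines, 1):
        for label, pat in PATTERNS:
            if pat.search(line):
                findings.append((i, label, line))
                break
        else:
            if looks_like_secret_assignment(line):
                findings.append((i, "high-entropy secret/key/token value", line))
    return findings


if __name__ == "__main__":
    for lineno, label, text in scan(SAMPLE_STRINGS):
        print("line %d: %s: %s" % (lineno, label, text))
```

Every hit is a candidate for review rather than a confirmed finding; the entropy heuristic exists to catch keys that no signature pattern knows about, at the cost of occasional false positives such as long random identifiers.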
Useful Information On Mobile App Penetration Testing.
Getting the most from your Mobile App Penetration Test. Some straightforward advice on how you can better prepare for a test, and how to tell the test team what needs to be assessed so that you get the best value for money.