What is a mobile application penetration test?
Mobile applications are one of the other most targeted assets by the attackers, Therefore, organizations should be the most sensitive in terms of information security and should pay attention to the security of their mobile applications. For the mobile application penetration tests, static analysis, dynamic analysis, reversing tests, network and web based tests are performed on the physical devices and emulators by Ebruu researchers. Like a web application , all input fields of the mobile application are determined and then the technical issues, business logic issues, static/dynamic issues and network-level vulnerabilities in the applications are detected and also exploited(if suitable) to make a POC.
Mobile application testing methodology and stages:
1. Information Gathering
All publicly accessible passive and active information about the mobile application is collected and used as attack vendors during penetration testing. Ebruu researchers will also attempt to gather sensitive information via reversing applications
2. Vulnerability Identification
For each of the mobile applications, a manual test is performed. Following tests are performed:
For Client Assessment:
- Insecure Data Storage
- Unintended Data Leakage
- Broken Cryptography
- Security Decisions Via Untrusted Inputs
- Lack of Binary Protections
For Network Assessment:
- Client Side Injection.
- Improper Session Handling.
- Poor Authorization and Authentication.
Backend Web Service Assesment:
- Weak Server Side Controls
- Insufficient Transport Layer Protection
3. Exploit Progress
Once vulnerabilities are identified, we look for exploits available for those vulnerabilities and identify what, if any sensitive information can be gathered from them. These exploits can include maintaining access for later use or modifying configurations on the mobile application. These activities are all undertaken based on client agreement.
4. Report Writing
Ebruu researchers report all findings of the web application penetration test with risk ratings along with recommendations on solving the issues found in the web application.
5. Verification Test
We also provide a free verification test service for our clients, it is performed once for every single vulnerability after the client has fixed all security vulnerabilities.
Some of our mobile application testing steps;
- Jailbreak Warning Checks
- Certificate Pinning Checks
- Dangerous enabled settings(debug mod etc)
- Decompile/Reversing tests
- Hardcoded Passwords checks in the sources
- Token, 3rd party data leakage checks in the sources
- Information leakage in the real time device logs
- Application logs checks if there is critical information
- Application’s stored cache data checks
- Password protection situation of the local databases
- Sensitive information storing situation of the databases
- Checks all critical files(xml,plist etc)
- Run time tests
- Memory analyse in the run time
- Certificate Pinning Bypass
- Situation of the keyboard cache in the text inputs
- Data storage shared sdcard
- Tcpdump analysis whilst app is working
- All backup file, logs and spesific files analysis
- Sensitive strings search with grep in the whole app directory
- Mobile app recompile tests
- Android APK obfuscation sitiation
- Input manipulation tests
- 2-factor auth tests
- Data transmission security between device and server
- Server side tests
- Full port scan for server IP address
- Full vulnerability scanning for server IP address
- Mobile web site tests like a website test
- Testing app permissions
- Testing critical information in the clipboard
- Application Session Timeout situation.
- Username and password policy check
- Predictable credentials checks
- Login form captcha, anti-csrf usage situation
- Business logic vulnerabilities on the application functions
- Code injection tests
- Command execution tests
- Iframe injection
- LFI/RFI Tests
- LFI via iframe injections on the device
- XSS tests(Reflected,Dom,Stored,Blind)
- XSS tests with payload injections via cross paltforms(mobile-web)
- XXE vulnerability checks
- Technical and business logic tests on the registration form
- Password reset function tests
- Access via web browser to mobile app with useragent changing
- Takeover account tests
- Deployment and configuration issues
- Mobile API and webservices tests
- SSRF Tests(local and remote)
- Insecure Direct Object Reference Tests
- Privilege Escalation with diffrent roles
- Directory traversal
- Advenced authorization and authentication tests
- Username enumeration wia warnin messages or mis-developments
- Automate Scanning
If you would like to find out how Mobile Penetration Testing Service can be beneficial for your company or more information about our service, please contact our security experts to get a free quick consultation.