Mobile Application Penetration Testing

Threats already rampant on web applications can be equally effective on native
mobile applications, with Cross Site Scripting (XSS) still topping the list.

FREE CONSULTATION & QUOTE

What is a mobile application Penetration Test?

A Mobile Application Penetration Test is an authorised and simulated hacking attempt against a native mobile application such as Android, Windows, and iOS. The purpose of this test is to identify and exploit vulnerabilities in an application, and the way it interacts and transfers data with the backend systems.

Shearwater’s Mobile Application Penetration Testing Methodology

Reconnaissance and Analysis

This stage consists of the following steps:

Mapping the application:

During this stage we will run the application using emulators, and examine traffic using proxies. This will provide information about the application and its interaction with the backend. We will then conduct tests to identify content that may be available to unauthorised users. We will also manipulate traffic flow to determine the various different responses provided by the service and server, including examining responses for debug behaviour and identified technologies in use.

Reviewing the application code:

We will attempt to affect the client application on the mobile device by attacking the code directly via the network. Many mobile applications expect input from backend infrastructure and modify their behaviour. By manipulating this information it may be possible to affect the functionality on the client and therefore interact with the backend systems in unexpected ways.

Analysing the results:

We will examine the results to determine: the application’s functionality, potential entry points into the service, and the technology used. We will then assess how these could be used to detect and successfully exploit vulnerabilities in the backend and client application.

Testing and Exploitation

Using the information collected we test various aspects of the application to find potential vulnerabilities. We then attempt to exploit these vulnerabilities and take maximum advantage of the application. This will allow your organisation to produce an accurate threat and risk assessment. We will use a variety of methods that attackers typically use to compromise a hosted environment. These proven methods of compromise will produce the most valuable output for your organisation.

We test areas that could pose as an avenue of exploitation. These typically include:

Authentication Issues – Session Management – Access controls – Fuzzing – Server and Hosting Issues – Logic flaws

We will also examine how information is stored on the mobile device and whether the information is available to other applications. We will examine threats such as sidejacking, XSS, Client side injection, and SQL injection

Post Exploitation

On successful completion of the testing and exploitation phase, any changes to the application will be restored to the state prior to the commencement of the penetration test. This will provide a known security baseline for your organisation.

Our methodologies are planned and scheduled to be non-disruptive and we work around ensuring uptime throughout our testing.

Reporting

After completion of the testing phase, Shearwater will issue a thorough report which lists the vulnerabilities and exploits categorised according to risk level. Alongside this will be recommendations for mitigation strategies based on Shearwater’s key insights into the cyber-threat landscape.

SEH can also conduct debriefing sessions targeting two separate audiences: a technical debriefing aimed at system administrators and engineers, and an executive debriefing tailored for the technology management group.

The management session provides the information needed to determine the appropriate risk management strategy. The technical briefing is intended for knowledge transfer – of the lessons learned during the penetration test – to the technical personnel.

Shearwater: The Gold Standard in Penetration Testing

Here is how we raise the bar:

Penetration_Testing_Comprehensive_Reporting

Comprehensive Reporting
Shearwater offers in-depth executive level reporting which serves as a risk minimisation tool for management, and a technical document – listing vulnerabilities prioritised according to risk level – for the internal security team. The report also provides access to mitigation strategies based on Shearwater’s key insights into the cyber-threat landscape.

Penetration_Testing_Post_Engagement_Followup

Post Engagement Follow Up
Our post engagement follow-up is an additional benefit that allows clients to engage us with questions, or seek guidance on issues referred to in our report.

Testing Standards
The Open Web Application Security Project (OWASP)
The National Institute of Standards and Technology (NIST)
Source Security Testing Methodology Manual (OSSTMM)
Penetration Testing and Execution Standard (PTES)
Penetration Testing Framework
Australian Government Security Policies and Guidelines

Customer Centricity
We listen to our clients to understand their goals. Our team also alerts security staff – in real time – to critical vulnerabilities and threats discovered.

Our Certifications

Request a FREE Consultation

Call us on 1300 228 872 or submit the form below

Mobile Application Penetration Testing

What is a mobile application Penetration Test?

Shearwater’s Mobile Application Penetration Testing Methodology

Shearwater: The Gold Standard in Penetration Testing

Here is how we raise the bar:

Our Certifications

Consulting & Compliance

Penetration Testing

Managed Services

Training & Education

Subscribe to Our Security Updates