Mobile application pen testing

NFIR offers comprehensive pen testing services for mobile applications, in accordance with OWASP guidelines and by experienced ethical hackers, to test the cyber resilience of organizations.
NFIR beeldmerk kleur
NFIR beeldmerk kleur

Mobile application pen testing

NFIR offers comprehensive pen testing services for mobile applications, in accordance with OWASP guidelines and by experienced ethical hackers, to test the cyber resilience of organizations.

A mobile application pen test is a part of functional security testing within a SDLC (Software Development Life Cycle). The purpose of a mobile application pen test is to run several test cases on a system’s API. An API is used by a mobile application to extract information from other applications or systems. Often a mobile application pen test is performed together with an API pen test, because mobile applications often use these interfaces to retrieve or receive information.

Scope examples

During a mobile application pen test, the mobile application (for both iOS and Android) can be tested from different perspectives: Black Box, Grey Box and White Box. Often a mobile application pen test is performed together with an API pen test, because mobile applications often use these interfaces to retrieve or receive information. Examples of this information are user sessions, text, video and photo material and other multimedia.

Do you want to gain insight into your mobile application security? Please contact us.

What attack scenarios are possible for mobile application pen testing?

The most common attack scenario for a mobile application pen test is a combination of a Black and Grey Box. An illustrative example is provided below for both attack scenarios. During an intake, your needs will be identified in order to choose an appropriate scenario.

Black box pen testing hacker organization applications security information

Black Box of the mobile application

With minimal information, a picture will be formed of vulnerabilities in the mobile application. Often there is also integration with an API. Through open source research (OSINT), as much information as possible will be collected, in order to discover possible vulnerabilities.

Grey box pen testing risk hackers automated network penetration test the netherlands

Grey Box from the mobile application

Testing the mobile application from an authorized perspective is at least as important as from an unauthorized environment. This scenario simulates what a malicious hacker might do when gaining access to a phone with the mobile application installed. Questions this can answer include: what vulnerabilities are present and is it possible to request more information than intended or steal sensitive information from the app (such as authentication tokens and personal data)?

white box pentesting ethical hardware vulnerability pentester security audit computer systems

White Box of the mobile application

The testing of the mobile application is performed from a perspective where the source code is also provided by the client. This method helps to map a mobile application even more efficiently.

NFIR and International Standards.

NFIR uses the OWASP Mobile Application Security Testing Guide (MASTG) for testing mobile applications. This standard gives you the guarantee that the pen test is carried out according to the correct standards and completely.

We find it important to be as transparent as possible about the execution of the pen test. For this reason, we offer a checklist for various pen testing standards which is added to the report. This allows you to see which checks have been carried out, which could not be carried out and which, if any, were not applicable.

From pen testing to clear reporting!

Step 1: intake

During the intake, we discuss the scope components and attack scenarios of the pen test. An ethical hacker from NFIR is also present during the intake.
The intake is an important starting point because we would like to test all components within the scope of the pen test and identify all vulnerabilities. Based on the intake, we provide an hourly estimate and proposal.

Step 2: Proposal and agreements

After you receive the hour estimate and proposal, we will be happy to discuss your questions.
In consultation, we will find a suitable time to perform the pen test.

Step 3. implementation

During the pen test, we keep you informed about progress and vulnerabilities.
Critical vulnerabilities are reported immediately so that they can be resolved as soon as possible.

Step 4: Results

The vulnerabilities are documented in a clear and complete pen testing report. A standard part of our pentest services is to explain the findings following the delivered pentest report.
This explanation is greatly appreciated by our clients.

Step 5: Perfecting

Thanks to the clear insights, you are going to mitigate the vulnerabilities.
If required, we can arrange for a retest after the vulnerabilities have been mitigated. Based on this retest, you will receive a new pen test report and have confirmation that the vulnerabilities have actually been fixed

Let us assess your risks!

Find out how safe you really are and contact us today.

What makes NFIR unique?

pentest performed

Certified pentesters

The team consists of certified and experienced Technical Leads and pentesters. Specializing in various environments.

pentest performed

Professional approach

Committed Technical Leads and Project Coordinators ensure high-quality pen testing according to the CCV quality mark.

pentest performed

Extensive experience

Have a pen test performed by a team that performs hundreds of pen tests annually with an average customer satisfaction rating of 8.4

pentest performed

Clear and transparent

The pen test report is clear, complete and actionable. We always provide an explanation and are also available to you after the project.

Sample Report Mobile Application Pentesting

A sample report (NL/EN) of a grey box web application pen test is available.
In this report, a pen test was performed on a fictitious environment, whereby vulnerabilities were made transparent.

Pentest

Which systems can you have tested by NFIR's experts?

Which systems can you have tested by NFIR’s experts? Our ethical hackers check the technical resilience of (web) applications, websites, IT and OT infrastructures, API links and mobile apps. If you have a different environment that you would like to have controlled, we will be happy to discuss it with you.

CyberSecurity Event Zwolle

NFIR uses reliable pentesting services, certified with the CCV Pentesting Seal of Approval. We are your Cybersecurity partner if you are looking for a down-to-earth Dutch Cybersecurity company that has years of experience in pentesting. Our certified ethical hackers identify vulnerabilities and provide concrete and actionable insights about the effectiveness of your security measures. Contact us today to put your cybersecurity under the microscope as well.

High quality pen testing

Certified and quality-oriented pentesters

Pentests are essential to test the technical resilience and effective operation of security. Our pentesters focus on identifying vulnerabilities in systems by deploying various attack techniques. Our skilled and professional pen testers have extensive experience, creativity and up-to-date professional knowledge. The pentesters have completed various relevant training courses and hold the following certifications, among others, OSCP, OSWP, OSWE, OSEP, CPTS, CBBH, and eWPT.

Pentesting and the CCV seal of approval:

  • This quality mark, based on NEN-EN-ISO/IEC standards 17021 and 17065, gives customers the guarantee that the execution of a pen testing assignment by NFIR is carried out in a professional and high-quality manner.
  • NFIR possesses since 07-01-2022 the CCV quality mark for Pentesting. logo ccv nl, Center for Crime Prevention and Security, pentest seals of approval.

I want to pentest my environment(s)!

Once you fill out this form, we will contact you immediately to inform you of the possibilities. We schedule a no-obligation intake with a Technical Lead to coordinate scope components and attack scenarios.

Do you have any questions in the interim? If so, please contact us by phone at the general NFIR phone number: 088 313 0205

SECURITY INCIDENT BIJ UW ORGANISATIE?

De volgende 30 minuten zijn van cruciaal belang​!

De eerste 30 minuten na een cyber security incident zijn cruciaal, omdat een snelle en adequate reactie de schade kan beperken. Daarnaast kan verdere verspreiding van de aanval worden voorkomen en kan essentieel bewijsmateriaal veiliggesteld worden voor nader onderzoek.

Ons Computer Emergency Response Team (CERT) staat 24/7 klaar om bedrijven en organisaties te ondersteunen bij IT-beveiligingsincidenten.

Heeft uw bedrijf professionele hulp nodig bij een beveiligingsincident? 

SECURITY INCIDENT AT YOUR ORGANIZATION?

The next 30 minutes are crucial!

The first 30 minutes after a cyber security incident are crucial because a quick and adequate response can limit the damage.
In addition, further spread of the attack can be prevented and essential evidence can be secured for further investigation.

Our Computer Emergency Response Team (CERT) is available 24/7 to support businesses and organizations during IT security incidents.

Does your company need professional help with a security incident?