A mobile application pen test is part of the functional security testing within an SDLC (Software Development Life Cycle). The purpose of a mobile application pen test is to run a series of test cases against the application and the system API it depends on. A mobile application uses an API to extract information from other applications or systems.
During a mobile application pen test, the mobile application (for both iOS and Android) can be tested from different perspectives: Black Box, Grey Box and White Box. A mobile application pen test is often performed together with an API pen test, because mobile applications frequently use these interfaces to retrieve or receive information. Examples of such information are user sessions, text, video and photo material and other multimedia.
Do you want to gain insight into your mobile application security? Please contact us.
What attack scenarios are possible for mobile application pen testing?
The most common attack scenario for a mobile application pen test is a combination of Black Box and Grey Box. An illustrative example of each scenario is provided below. During an intake, your requirements are mapped out in order to choose a suitable scenario.
Black Box of the mobile application
Starting with minimal information, the tester builds a picture of the vulnerabilities in the mobile application. Often there is also an integration with an API to consider. Through open source research (OSINT), as much information as possible is collected in order to discover possible vulnerabilities.
Grey Box of the mobile application
Testing the mobile application from an authorized perspective is at least as important as testing it from an unauthorized one. This scenario simulates what a malicious hacker could do after gaining access to a phone with the mobile application installed. Questions this scenario can answer include: which vulnerabilities are present, and is it possible to request more information than intended or to steal sensitive information from the app (such as authentication tokens and personal data)?
White Box of the mobile application
In this scenario the mobile application is tested from a perspective where the client also provides the source code. This method helps to assess a mobile application even more efficiently.
NFIR uses the OWASP Mobile Application Security Testing Guide (MASTG) for testing mobile applications. Following this standard assures you that the pen test is carried out completely and according to recognised standards.
We find it important to be as transparent as possible about the execution of the pen test. For this reason, we add a checklist for the relevant pen testing standards to the report. This allows you to see which checks were carried out, which could not be carried out and which, if any, were not applicable.
Sample Report Mobile Application Pentesting
A sample report (NL/EN) of an internal black box pen test is available. In this report, a pen test was performed on a fictitious environment, and the vulnerabilities found were clearly documented.
Which systems can you have tested by NFIR's experts?
Our ethical hackers check the technical resilience of (web) applications, websites, IT and OT infrastructures, API links and mobile apps. If you have a different environment that you would like to have tested, we will be happy to discuss it with you.