Mobile Application Penetration Testing Methodology

Lean Security performs a comprehensive mobile application penetration test to reduce the risk of the compromise and improve compliance. The methodology is aligned with the best practices from NIST and OWASP. The penetration test is performed by the senior security consultants with CISSP, CISA, CISM, GCIH, GPEN, GWAPT, GXPN certifications.

Main features and benefits:

• Comprehensive mobile application penetration tests help determine the well-known and “Zero day” security issues on the target application

• Thorough risk assessment helps prioritise the remediation actions

• Compliance assessment and customised report templates

• Penetration testing report will help to meet regulatory obligations, tender requirements, customer’s security policies and PCI DSS / ISO27001 requirements.

The testing includes the following test cases:

• Weak Server Side Controls

This mobile risk encompasses almost all that the bad things that a mobile app can do, although it doesn’t happen on the phone. However, because of the prevalence of weak servers that affect not just mobile phones but even computers, it has been listed one of the top ten mobile risks of 2014. What happens when you have weak server controls is that data on your mobile are easily exploitable and security weakness is almost common.

• Insecure Data Storage

Just like in M1, in M2, data on your mobile phone are easily exploitable and security weakness is common. When there is Insecure Data Storage, loss of data can happen for the worst scenario. Often, data that are lost include usernames, passwords, cookies, authentication cookies and other important data which can create vulnerabilities for businesses and result to identity fraud or theft.

• Insufficient Transport Layer Protection

This is a security weakness for mobile phones that are caused by applications that do not take proper precautions in protecting their network traffic. This happens because they often fail to use SSL/TLS which then in turn leaves the data exposed and easily exploited.  

• Unintended Data Leakage

Unintended data leakage often happens when developers accidentally put sensitive information in a location in the mobile app that is easily accessible. As such, information becomes exposed and places risks to data on the mobile device.

•  Poor Authorization and Authentication

Authorization and authentication is a very important part of data security. They are what protect your data from theft which can use them on various criminal activities. This means that having poor authorization and authentication for your data will put you in problems such as information theft, reputational damage and fraud.

• Broken Cryptography

This mobile app risk happens when your adversary is able to successfully return an encrypted data or code back to its original source which in the end forms flaws within the system. This will then weaken the system which results in code theft, intellectual property theft, reputational damage and many others.

• Client Side Injection

This risk results when a malicious code is executed within a mobile device through the use of mobile app. When that happens, the security of the data is weakened and they become easily exploitable. What the malicious code does is steal information which can affect businesses in the way of identity theft, fraud and other criminal activities.

• Security Decisions Via Untrusted Inputs

This mobile app vulnerability often results in loss of reputation. Moreover, it has a great impact on the integrity as well as confidentiality. This happens because of weak implementation of application functionalities which makes an improper behavior that grants easy access for attackers.

• Improper Session Handling

This mobile app risk, most of the time, results in an attacker impersonating another person and performing activities and functionalities in lieu of them without their knowledge. This could result in theft, fraud and interruption to business functions.

• Lack of Binary Protections

Due to this risk, the user and the application are exposed to outside threats. These threats can subsequently do some activities that interrupt business functions or they may engage in criminal activities using the information from you.

Reporting

Based on the results of the automated security scan and manual penetration tests, the security consultant will determine the business risks of the vulnerabilities. Several factors are taken into consideration: The type of data the tester could get access to, the easiness of exploitation and the likelihood of somebody finding the issue. Lean Security uses the comprehensive risks assessment methodology based on the industry's best practices to determine the business risk.

The findings are mapped to OWASP, PCI DSS or ISO27001 requirements. The reports can be also customised to meet any specific customer or tender requirements.

When the web application penetration test is completed, the results are published on Lean Security customers’ secure Cloud based dashboard. The customers can log in online and review the results of their security assessment. The dashboard allows the customers to export the results to CSV, PDF or HTML format for offline distribution.