Mobile Application Penetration Testing Services
Discover and Remediate Vulnerabilities Against iOS and Android Applications
Artifice Security offers professional, manually performed mobile application tests by one of the best penetration testing companies in the industry. Our security engineers specialize in Android and iOS mobile applications, providing comprehensive security testing for any mobile application you have. We go beyond basic API and OWASP top 10 testing by performing in-depth dynamic and static analysis while searching for vulnerabilities that other companies can miss.
How Do We Approach Mobile Application Penetration Testing?
We approach each mobile application pentest using standard iOS and Android devices to show typical vulnerabilities, and we also use jailbroken iOS and rooted Android devices to show complex vulnerabilities.
Artifice Security also performs a deep dive in the following areas for Android and iOS:
Tampering and Reverse Engineering
- Static Analysis
- Dynamic Analysis
- Tampering and Runtime Instrumentation
- Customizing Android/iOS for Reverse Engineering
- Test Local Storage for Sensitive Data
- Test Local Storage for Input Validation
- Test Logs for Sensitive Data
- Determine Whether Sensitive Data is Shared with Third Parties
- Determine Whether the Keyboard Cache is Disabled for Text Input Fields
- Check for Sensitive Data Disclosure Through the User Interface
- Test Backups for Sensitive Data
- Find Sensitive Information in Auto-Generated Screenshots
- Check Memory for Sensitive Data
- Test the Device-Access-Security Policy
- Test Symmetric Cryptography
- Test the Configuration of Cryptographic Standard Algorithms
- Test the Purposes of Keys
- Test Key Management
- Test Random Number Generation
- Test Confirm Credentials
- Test Biometric Authentication
- Test Endpoint Identity Verification
- Test Custom Certificate Stores and Certificate Pinning
- Test the Network Security Configuration Settings
- Test the Security Provider
- Test App Permissions
- Test for Injection Flaws
- Test for Fragment Injection
- Test for URL Loading in WebViews
- Test Custom URL Schemes
- Test for Insecure Configuration of Instant Apps
- Test for Sensitive Functionality Exposure Through IPC
- Test WebView Protocol Handlers
- Test Object Persistence
- Test for Overlay Attacks
- Test Enforced Updating
Code Quality and Build Settings
- Test the App is Properly Signed
- Test Whether the App is Debuggable
- Test for Debugging Symbols
- Test for Debugging Code and Verbose Error Logging
- Check for Weaknesses in Third-Party Libraries
- Test Exception Handling
- Test for Memory Corruption Bugs
- Ensure Free Security Features are Activated
- Test Root Detection
- Test Anti-Debugging Detection
- Test File Integrity Checks
- Test Reverse Engineering Tools Detection
- Test Emulator Detection
- Test Runtime Detection
- Test Obfuscation
- Test Device Binding
Mobile Application Penetration Test Methodology
After years of performing penetration testing, Artifice Security has created a proven, repeatable methodology that will meet your organizational needs. Each finding in the report is verified, with no possible false positives. We operate as a manual penetration testing company that offers you proofs-of-concept that you can verify. To achieve this, we use the following steps:
Define the Scope
- Determine mobile applications and types for testing
- Evaluate which third-party resources, if any, are excluded from testing
- Determine whether penetration testing is performed in a production or test/QA environment
- Obtain a copy of the .ipa and .apk file for analysis
- Determine testing dates and times for the penetration test
- Exchange key personnel and emergency contact information for any critical findings
Information Gathering / Recon Phase
- Searches for documents such as PDFs, DOCXs, XLSXs, and PowerPoint documents that may contain exposed sensitive or customer information without your knowledge
- Searches on the Internet and dark web for leaked credentials that are contained in password breach databases
- Searches in repositories such as GitHub and other developer forums that may contain sensitive data related to your mobile application or organization
- Checks for domain names similar to yours to determine your risk of phishing (domain spoofing)
Enumeration and Preparation Phase
- Set up proxying tools and networks to capture mobile application information
- Perform static analysis
- Perform dynamic analysis
- Perform reverse engineering
- Perform tampering and runtime instrumentation
Attack and Exploitation Phase
- Data Storage Testing
- Cryptographic API Testing
- Local Authentication Testing
- Network API Testing
- Platform API Testing
- Code Quality and Build Settings Testing
- Anti-Reversing Defenses Testing
Reporting begins with an executive summary which gives a layman’s explanation of the vulnerabilities and conveys the overall risk to your mobile application and organization. In addition to a summary of results, we also provide a list of positive findings found during testing. Next, the report explains how we determine criticality and risk for each vulnerability so you can better understand what to prioritize for remediation and how we rate severity for each finding.
Further in the report, we break down each vulnerability in technical detail, including a summary of the finding, affected location(s), proofs-of-concept, and remediation steps. Each detailed proof-of-concept has easy-to-follow steps for your team to recreate the process of how we exploited the vulnerability.
In addition to the report, Artifice Security also provides you with a customer-facing report and attestation letter if needed.
As part of your penetration test, Artifice Security includes performing remediation testing (retesting) against your mobile application after your team remediates all findings. This retesting helps ensure your organization has adequately implemented changes to fix all vulnerabilities. Remediation and retesting also give compliance auditors and customers proof of your lowered or eliminated risk. After remediation testing completes, we will provide you with an updated report that reflects the current state of your mobile application.
Frequently Asked Questions
Do you need the .apk (Android) and .ipa (iOS) application files for testing?
What are the most common vulnerabilities you find for mobile applications?
For mobile applications, we see the most common vulnerabilities with the following:
- Improper Platform Usage includes security controls such as the Keychain, misuse of TouchID, and platform permissions that allow exploitation of services, API calls, and more.
- Insecure Data Storage vulnerabilities allow a malicious actor to access stored personally identifiable information (PII) or other sensitive information on the device if the malicious actor has access to the device.
- Insecure Communication vulnerabilities allow a malicious actor to intercept unencrypted traffic when it should be encrypted. This unencrypted traffic can lead to a malicious actor sniffing the traffic and to Man-in-the-Middle (MitM) attacks.
- Insecure Authentication allows a malicious actor to bypass the authentication schema easily. Bypassing the authentication schema is typically performed by exploiting the offline authentication used by the mobile application.
- Insufficient Cryptography allows a malicious actor to decrypt data protected by weak encryption algorithms and read it in cleartext. We also find that some mobile applications will use simple encoding, such as base64, instead of strong encryption.
- Insecure Authorization allows a malicious actor to force-browse vulnerable endpoints and execute functions meant for another user or an administrator account.