Mobile Application Penetration Testing Services

Discover and Remediate Vulnerabilities Against iOS and Android Applications

Organizations tend to focus on usability and functionality more than security when delivering new mobile applications to the market. On these platforms, managing security risk is becoming increasingly challenging as malicious actors discover new vulnerabilities daily. Is your mobile application safe?

Artifice Security offers professional, manually performed mobile application tests by one of the best penetration testing companies in the industry. Our security engineers specialize in Android and iOS mobile applications, providing comprehensive security testing for any mobile application you have. We go beyond basic API and OWASP Top 10 testing by performing in-depth dynamic and static analysis while searching for vulnerabilities that other companies can miss.


How Do We Approach Mobile Application Penetration Testing?

Artifice Security performs a comprehensive review of your mobile application using static and dynamic analysis. Our consultants test your mobile application’s data at rest and during runtime to detect and exploit all vulnerabilities.

We approach each mobile application pentest using standard iOS and Android devices to show typical vulnerabilities, and we also use jailbroken iOS and rooted Android devices to show complex vulnerabilities.

Artifice Security also performs a deep dive into the following areas for Android and iOS:

Tampering and Reverse Engineering
  • Static Analysis
  • Dynamic Analysis
  • Tampering and Runtime Instrumentation
  • Customizing Android/iOS for Reverse Engineering
Data Storage
  • Test Local Storage for Sensitive Data
  • Test Local Storage for Input Validation
  • Test Logs for Sensitive Data
  • Determine Whether Sensitive Data is Shared with Third Parties
  • Determine Whether the Keyboard Cache is Disabled for Text Input Fields
  • Check for Sensitive Data Disclosure Through the User Interface
  • Test Backups for Sensitive Data
  • Find Sensitive Information in Auto-Generated Screenshots
  • Check Memory for Sensitive Data
  • Test the Device-Access-Security Policy
Cryptographic APIs
  • Test Symmetric Cryptography
  • Test the Configuration of Cryptographic Standard Algorithms
  • Test the Purposes of Keys
  • Test Key Management
  • Test Random Number Generation
Local Authentication
  • Test Confirm Credentials
  • Test Biometric Authentication
Network APIs
  • Test Endpoint Identity Verification
  • Test Custom Certificate Stores and Certificate Pinning
  • Test the Network Security Configuration Settings
  • Test the Security Provider
Platform APIs
  • Test App Permissions
  • Test for Injection Flaws
  • Test for Fragment Injection
  • Test for URL Loading in WebViews
  • Test Custom URL Schemes
  • Test for Insecure Configuration of Instant Apps
  • Test for Sensitive Functionality Exposure Through IPC
  • Test for JavaScript Execution in WebViews
  • Test WebView Protocol Handlers
  • Test Object Persistence
  • Test for Overlay Attacks
  • Test Enforced Updating
Code Quality and Build Settings
  • Test Whether the App is Properly Signed
  • Test Whether the App is Debuggable
  • Test for Debugging Symbols
  • Test for Debugging Code and Verbose Error Logging
  • Check for Weaknesses in Third-Party Libraries
  • Test Exception Handling
  • Test for Memory Corruption Bugs
  • Ensure Free Security Features are Activated
Anti-Reversing Defenses
  • Test Root Detection
  • Test Anti-Debugging Detection
  • Test File Integrity Checks
  • Test Reverse Engineering Tools Detection
  • Test Emulator Detection
  • Test Runtime Detection
  • Test Obfuscation
  • Test Device Binding


Mobile Application Penetration Test Methodology

After years of performing penetration testing, Artifice Security has created a proven, repeatable methodology that will meet your organizational needs. Each finding in the report is verified, with no possible false positives. We operate as a manual penetration testing company that offers you proofs-of-concept that you can verify. To achieve this, we use the following steps:


Define the Scope

Before the start of the penetration test, Artifice Security will collaborate with your team to determine the exact scope of your mobile application, APIs, and third-party resources. We will work with your team to assess your application’s size, complexity, framework, and how it is supposed to function normally.
  • Determine mobile applications and types for testing
  • Evaluate which third-party resources, if any, are excluded from testing
  • Determine whether penetration testing is performed in a production or test/QA environment
  • Obtain a copy of the .ipa and .apk file for analysis
  • Determine testing dates and times for the penetration test
  • Exchange key personnel and emergency contact information for any critical findings

Information Gathering / Recon Phase

During the information-gathering phase of the assessment, Artifice Security will perform passive information gathering against your organization using Open-Source Intelligence (OSINT) tools and techniques. This public data can help us determine undiscovered risks to your organization and show you what information is out there on the Internet. This targeted intelligence includes the following checks:
  • Searches for documents such as PDFs, DOCXs, XLSXs, and PowerPoint documents that may contain exposed sensitive or customer information without your knowledge
  • Searches on the Internet and dark web for leaked credentials contained in password breach databases
  • Searches in repositories such as GitHub and other developer forums that may contain sensitive data related to your mobile application or organization
  • Checks for domain names similar to yours to determine your exposure to phishing (domain spoofing risk)

Enumeration and Preparation Phase

Artifice Security will use active information-gathering tools and techniques to determine all possible attack vectors during the enumeration phase. We will assemble data from this phase and the information gathering phase as the foundation for our attack and exploitation phase.
  • Set up proxying tools and networks to capture mobile application information
  • Perform static analysis
  • Perform dynamic analysis
  • Perform reverse engineering
  • Perform tampering and runtime instrumentation

Attack and Exploitation Phase

During the attack and exploitation phase, Artifice Security will use manual penetration testing techniques to exploit vulnerabilities found in your mobile application. We perform these attacks using professional tools and techniques while being cautious about protecting your data and not interrupting normal business functions. At this phase, we will perform the following test phases against your mobile application:
  • Data Storage Testing
  • Cryptographic API Testing
  • Local Authentication Testing
  • Network API Testing
  • Platform API Testing
  • Code Quality and Build Settings Testing
  • Anti-Reversing Defenses Testing

Reporting Phase

Artifice Security will put together all the information about your organization and vulnerabilities discovered for your mobile application during the reporting phase. We guarantee that each discovered vulnerability in the report is presented with no false positives, as we use manual penetration testing.

Reporting begins with an executive summary which gives a layman’s explanation of the vulnerabilities and conveys the overall risk to your mobile application and organization. In addition to a summary of results, we also provide a list of positive findings found during testing. Next, the report explains how we determine criticality and risk for each vulnerability so you can better understand what to prioritize for remediation and how we rate severity for each finding.

Further in the report, we break down each vulnerability in technical detail, including a summary of the finding, affected location(s), proofs-of-concept, and remediation steps. Each detailed proof-of-concept has easy-to-follow steps for your team to recreate the process of how we exploited the vulnerability.

In addition to the report, Artifice Security also provides you with a customer-facing report and attestation letter if needed.


Remediation Testing

As part of your penetration test, Artifice Security includes performing remediation testing (retesting) against your mobile application after your team remediates all findings. This retesting helps ensure your organization has adequately implemented changes to fix all vulnerabilities. Remediation and retesting also give compliance auditors and customers proof of your lowered or eliminated risk. After remediation testing completes, we will provide you with an updated report that reflects the current state of your mobile application.


Frequently Asked Questions

Do you need the .apk (Android) and .ipa (iOS) application files for testing?

We prefer to have the appropriate mobile application files (.apk or .ipa files) as we perform static and dynamic analyses. Performing this analysis allows us to find deeper flaws within the application and how the application interacts with the hardware device.

What are the most common vulnerabilities you find for mobile applications?

For mobile applications, we see the most common vulnerabilities with the following:

  • Improper Platform Usage covers misuse of platform security controls such as the Keychain, Touch ID, and platform permissions, which allows exploitation of services, API calls, and more.
  • Insecure Data Storage vulnerabilities allow a malicious actor to access stored personally identifiable information (PII) or other sensitive information on the device if the malicious actor has access to the device.
  • Insecure Communication vulnerabilities allow a malicious actor to intercept unencrypted traffic when it should be encrypted. This unencrypted traffic can lead to a malicious actor sniffing the traffic and to Man-in-the-Middle (MitM) attacks.
  • Insecure Authentication allows a malicious actor to bypass the authentication schema easily. Bypassing the authentication schema is typically performed by exploiting the offline authentication used by the mobile application.
  • Insufficient Cryptography allows a malicious actor to decrypt data protected by weak encryption algorithms and read it in cleartext. We also find that some mobile applications will use simple encoding, such as base64, instead of strong encryption.
  • Insecure Authorization allows a malicious actor to force-browse vulnerable endpoints and execute functions meant for another user or an administrator account.

Can you test mobile applications that are made for a specific operating system?

Artifice Security can test mobile applications meant for a specific device type, including older and newer iOS and Android phones. This flexibility for specific device testing allows us to test the application for vulnerabilities that might only be exposed on particular hardware.

Do you offer an attestation letter after completing the mobile application test?

We will provide an attestation letter for your mobile application penetration test if requested. This document gives your customers confidence in the reliability of your application by asserting that a professional penetration testing company tested it.
