A Step by Step Guide on Pen Testing a Mobile Application (With Tools and Service Providers):
A decade ago, as technology evolved, we all started to learn about the IT industry, and that was when we came to understand how computer systems could be used and what could be done with them.
Slowly, it became possible to transfer money online using the internet instead of visiting the bank in person and waiting in queue to perform a transaction. Due to such demand, all the banks started to operate online.
But did we all feel comfortable and secure using this feature right from the beginning? The answer most of us would give is “NO”.
When it comes to money matters, we all think twice.
When something is newly launched, we want to be sure it is secure in every respect; all the websites we use today go through several layers of security checks before they are exposed to the public. Now the trend is changing again, and we want everything to happen at the click of a button, which is only possible with mobile apps.
How do you ensure that all the mobile apps you download from the Play Store or iStore are safe to use? Every download carries the risk of malicious attacks. For that reason, and to ensure their app gets preferred over others, app developers should make sure their apps are successfully security tested before they publish them for download.
This article will brief you on the types of mobile apps, what to expect from penetration testing of mobile apps, how the testing can be conducted, service providers who offer mobile app testing services, and a list of tools that can be used for testing.
Mobile Apps and their Types
Before we go deeper into how to pen test a mobile app, it is important to have some background knowledge about mobile apps.
Let’s understand the different types of Mobile Apps.
#1) Native Mobile Application
Native apps are created for a particular platform, such as iOS or Android, are written in a programming language specific to that platform, and are installed from the respective stores, such as Google’s Play Store or Apple’s App Store. They offer the most user-friendly experience and can be launched simply by tapping the icon.
Some good examples of Native apps are Facebook, Instagram, Angry Birds, etc.
The only drawback is that these apps do not work across all types of devices: an app created for Android will not work on iOS, and vice versa. Native apps can also work without Internet connectivity.
#2) Mobile Browser-Based Application/Mobile Web Apps
Mobile web apps are apps that run in a browser, and they are device-independent.
The same app can be used on an iOS device or an Android smartphone. These apps are mostly written in HTML5. They are easy to publish because no permission from Google or Apple is needed to list them on a store.
Web apps can be downloaded directly using the download button available on the respective websites. Typical examples are shopping sites like Flipkart, Amazon, etc.
#3) Mobile Hybrid Application
These are applications that are partly native and partly non-native. They can be downloaded from the stores and can also run in the browser.
The benefit of developing this type of app is that it supports cross-platform development and hence reduces the overall development cost: the same code components can be reused on different devices. These apps can also be developed quickly.
In addition, hybrid mobile apps allow you to get the features of both native and web apps.
Mobile App Penetration Testing Service Providers
Our Recommendation
#1) Astra Pentest
Astra Pentest is a hacker-style pentest platform for mobile app pen-testing. All a user needs to do is upload their Android or iOS app, and the security experts at Astra run a mix of manual pentesting by security experts and DAST to analyze your app’s security posture.
The test is followed by a thorough pentest report with vulnerabilities categorized by severity, and step-by-step guidelines for fixing each one of them.
Headquarters: USA
Founded: 2018
Employees: 25-50
Revenue: $2M+
Core Services: Vulnerability scanning, Manual Penetration Testing, Vulnerability Management.
Features:
- 8000+ tests covering all CVEs listed in OWASP top 10, SANS 25 & more.
- Initial scan results within 24-48 hours
- Developer friendly dashboard and reporting to track your team’s progress and discuss issues.
- Seamlessly collaborate with security experts
- Zero false positives made sure by manual penetration testers.
- AI powered business logic test cases generation to ensure deep security testing coverage
- AI powered conversational chatbot to give engineers contextual insights on fixing vulnerabilities
See all the pricing and plans and get Astra’s zero false-positives vulnerability scan.
#2) Indusface MAS
With Indusface, you get a mobile application scanning tool that can detect all sorts of vulnerabilities across iOS and Android devices. Indusface is perhaps most effective at identifying OWASP Top 10 threats. The tool can easily identify threats like Weak Server Side Control, Broken Cryptography, and Insecure Data Storage.
Headquarters: California, USA
Founded: 2012
Employees: 51-100
Revenue: $8.7 Million
Core Services: Web Application Scanning, Mobile App Scanning, Penetration Testing, Remediation Guidance.
Features:
- Home to security experts that can perform in-depth testing of mobile applications.
- The company is excellent at offering manual penetration testing services.
- You are provided with in-depth remediation guidance. This entails step-by-step guide on how to address vulnerabilities.
- Get comprehensive view of app malware, vulnerabilities, and risks via an intuitive dashboard.
- Easily create and download custom reports from the dashboard.
- Get round-the-clock support on remediation, pen-testing, and attack demonstration.
Price: Contact for a custom quote.
#3) Cipher
Cipher is one of the best mobile app pen testing service providers. It is a global security company that offers highly efficient SOC I and SOC II Type 2 certified managed security and consulting services.
Headquarters: Miami, USA
Founded: 2000
Employees: 300
Revenue: $20- $50 M
Core Services: Penetration Testing & Ethical Hacking Services, Vulnerability Assessment, Risk and Assessment, PCI Assessment and Consulting, Software Security Assurance, Threat Monitoring, etc.
Features:
- It assists the system to defend against advanced threats while managing risks.
- Cipher offers efficient and innovative solutions to ensure system compliance.
- It provides proprietary and specialized security services to every associated organization.
- Appsec
- Procheckup
- Praetorian
- Cigital
- Wesecureapp
- Netspi
- CyberChops
- App ray
- Jumpsec
- Sciencesoft
Mobile App Penetration Testing Tools
- Core Impact Pro (Android, iOS, and Windows)
- zANTI (Android)
- Ianalyzer (iOS)
- DVIA (iOS)
Other Tools:
- Port Scanner (Android)
- Fing (Android & iOS)
- DroidSheep (Android)
- Intercepter-NG (Android)
- Nessus (Android)
- Droid SQLi (Android)
- Orweb (Android)
A Few Popular Dummy Vulnerable Mobile Apps
In general, there are some well-known vulnerable mobile applications created to give users an idea of mobile testing. These apps contain intentional vulnerabilities to help users/testers practice and enhance their pen test knowledge.
You can refer to iMAS, GoatDroid, DVIA, and MobiSec.
What Should You Expect from your Test?
The purpose of testing is to find as many issues as we can and to ensure that they are found before they actually impact the end-users. The main reason mobile security issues arise is that developers focus on creating more useful apps rather than more secure ones, and security awareness may be lacking while the apps are being developed.
In this section, I will take you through some vulnerabilities/security flaws that you should look out for as part of the testing.
Common Security Flaws to look for:
1) Data Storage Format: It all depends on the format in which the data is stored, whether in plain text or another format. For example, when an Android app stores the username and password in plain text, it becomes more vulnerable.
2) Stored Sensitive Data: Sometimes developers hard-code passwords or store sensitive information that can be compromised easily.
3) Bad Coding Methods: Use of an OpenSSL library version that is vulnerable to the FREAK attack is one of the things to check for.
4) Data Encryption: It is important to ensure that data transmission is done securely and that stored data is encrypted.
5) Weak Password Creation: Apps should have a mechanism to check password strength. Weak passwords are always vulnerable to attacks.
6) Data Sync: Data transmission or data sync should be done via a secure method. The way data is transmitted or synced with the cloud can open the door to attacks and hence to data loss.
Testing a mobile app still remains a challenge compared to web testing: mobile apps are fairly new in the market, we do not have as many scanners available as we do for the web, and we are still creating cheat sheets and coming up with ways to scan apps so that more secure mobile apps are created for end-users.
Steps to Penetration Test Mobile Apps
There are certain steps involved in Pen Testing the Mobile Apps.
They are:
#1) Test Environment Setup
Test Environment setup is a process in itself and can be a separate topic for reading 🙂
I haven’t mentioned many details about setting up a test environment here because it will differ based on the testing. I have just included it here because I didn’t want to completely miss this step.
Some of the tests can be performed on a real device, whereas others can be done on emulators. It also differs based on which platform we plan to test: for Android applications we may need to install SDKs, and for iOS we will require jailbreaking.
#2) Discover/Application Understanding
Each mobile application will work differently, so the very first step in your testing should be to discover or find out more information about the application under test. This should also involve identifying how the application connects to the OS and the back-end server.
It should include checking the libraries used, understanding the platform better, and finding out whether the application is a native/web/hybrid type. This step can also be called the Information Gathering step.
#3) Application Analysis/Assessment
As part of this step, install the application on the mobile device and take a snapshot of the file system and registry before and after installation.
Analyze the available information to identify areas of weakness that could be exploited, such as how sensitive information is stored, how data is transmitted, how interaction with third parties takes place, etc.
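The before/after file-system snapshot of step 3, combined with the plain-text storage and stored-secret checks from the flaws list above, as an added example that is not code from the original article: it hashes every file under an app data directory, diffs two snapshots, and greps the new or changed text files for credential-looking keys. The directory contents, the key-name patterns and the SharedPreferences-style file are constructed here; in practice you would point snapshot() at a data directory pulled from the test device.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Key names that suggest a credential kept in clear text (heuristic, constructed for this example).
SECRET_PATTERNS = [
    re.compile(r'(password|passwd|pwd)\s*[=:"]', re.I),
    re.compile(r'(api[_-]?key|secret|token)\s*[=:"]', re.I),
]

def snapshot(root):
    """Map every file under root (relative POSIX path) to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(before, after):
    """Return sorted (added, modified, removed) paths between two snapshots."""
    added = sorted(p for p in after if p not in before)
    modified = sorted(p for p in after if p in before and before[p] != after[p])
    removed = sorted(p for p in before if p not in after)
    return added, modified, removed

def find_cleartext_secrets(root, paths):
    """Return (path, key) for each text file in paths that contains a credential-looking key."""
    findings = []
    for rel in paths:
        try:
            text = (Path(root) / rel).read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # not UTF-8 text (binary or encrypted store): nothing to grep here
        for pattern in SECRET_PATTERNS:
            for m in pattern.finditer(text):
                findings.append((rel, m.group(1).lower()))
    return findings

def demo():
    """Constructed app-data directory: snapshot before install, change it, snapshot after, analyse."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "cache.db").write_bytes(b"\xff\xfeSQLite")  # binary, skipped by the grep
        Path(root, "install.tmp").write_text("temp")            # removed after install
        before = snapshot(root)
        Path(root, "install.tmp").unlink()
        Path(root, "cache.db").write_bytes(b"\xff\xfeSQLite-v2")  # modified after install
        Path(root, "shared_prefs").mkdir()
        Path(root, "shared_prefs", "user.xml").write_text(  # SharedPreferences-style clear-text file
            '<map><string name="password">hunter2</string><string name="token">abc</string></map>')
        added, modified, removed = diff_snapshots(before, snapshot(root))
        return added, modified, removed, find_cleartext_secrets(root, added + modified)
```

Hits on a binary-looking file are deliberately skipped, so an encrypted store produces no finding while the same data written as plain XML does.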
#4) Reverse Engineering
This will be required if the tester doesn’t have the source code. Code reviews are planned to understand how the application functions internally, with the intention of searching for vulnerabilities.
#5) Traffic Interception
In this step, configure the device to route its traffic through a proxy, which in turn helps in intercepting traffic and finding flaws like injection or authorization issues.
#6) Exploitation
After the analysis and proxy setup are done, exploitation can be performed, where you behave like a hacker, simulate attacks, and try to compromise the system.
Exploit the system and perform malicious activities.
#7) Reporting
The steps above form the main testing work, so the last step is to compile a report covering all the findings. A good report should contain details of all the vulnerabilities found along with a business and technical risk assessment score.
Another important point to include is the recommended fix for each finding.
Conclusion
Hope you all enjoyed reading this article on mobile app pen-testing. In my opinion, mobility testing is still an area that hasn’t been explored completely.
However, we can consider this to have brought about a change, giving us an opportunity to rethink our capabilities, think out of the box, and depart from our traditional testing approach. Developers are applying their creativity and coming up with different variations of apps, so we as testers have lots more to do too!
Hope you have gained great insight into mobile app penetration testing tools and service providers!!