Mobile Application Penetration Testing
Here, URM conducts a review of the mobile apps that are deployed to either Apple IOS or Android devices.
The purpose of the pen test is to understand what vulnerabilities exist within the application to determine what a malicious user could do to the application to prevent it operating as intended.
URM, typically, suggests conducting the test against the OWASP Mobile Application Security Verification Standard; this standard provides two-level for verification Medium Risk (Level 1) or High Risk (Level 2).
Each level aims to identify key security issues, such as data storage, privacy, authentication, network communications.
URM’s Approach to Mobile Application Penetration Testing
Mobile applications require testing within a number of distinct phases:
- Security testing on a standard device (e.g. iOS or Android) – by default an iOS or Android device includes restrictions that prevent users from accessing privileged accounts (e.g. iOS is a Unix-like operating system therefore root provides full access). This phase should identify issues that are present irrespective of the device the application is deployed on.
- Security testing on device with privilege escalation (e.g. ‘jailbreaking’ - where a vulnerability exists within the underlying iOS kernel) which enables the testing to be conducted with full root access to the device. The purpose of utilising this exploit is to uncover the true nature of data stored and processed on the device. Additional code can be inserted into the running application designed to interfere with the program’s usual control of processing.
- Reviewing source code to further understand exploitable vulnerabilities – whilst the source code should be kept secure and typically attackers will not have access, providing access to the full source code provides URM with the ability to review the code for potential vulnerabilities and look to exploit these within the application.
Typically, this is performed during testing of higher risk applications.
All of URM’s penetration testing engagement utilise the following methodology:
- Pre-Engagement Analysis: URM recommends a kick-off meeting is scheduled where information is sought on the design, architecture and systems (if a grey box test is being conducted).
- Publicly Available Intelligence Gathering: This phase of the engagement focuses on identifying (where possible) targets for the testing using passive means or public sources (DNS for example)
- Vulnerability Analysis: Understanding and enumerating the networks services that are available to determine vulnerabilities within the current versions of software or any misconfiguration
- Exploitation: Once services have been identified, performing a combination of manual and automated tests to further uncover security vulnerabilities.
- Post Exploitation: Analysing the gathered data and results of the various reviews. The analysis includes categorising the detected vulnerabilities and prioritising them against the business and technical context.
- Report documentation: This phase of the engagement will include compiling the results of the penetration testing and providing comprehensive risk-based findings for all issues found. As with all deliverables within URM, the report will be reviewed to ensure quality and accuracy
What People Say About Us:
“URM were super helpful and knowledgeable, talking and walking me through each one of the tests and providing some useful information on security and how to improve things in the future.”
“I was very impressed with how the process went on testing day and I can’t wait to take other clients through the process with URM.”
“Having never gone through the Cyber Essentials Plus process on behalf of a client I was very impressed with how the process went on testing day and I cant wait to take other clients through the process with URM.”
“This was a great exercise for the business to go through as some gaps were found and URM provided valuable information on remediation.”
Our office is open 08:00 – 17:30 Monday to Friday.