Mobile Apps Penetration Test

We find security weaknesses that impact the confidentiality, integrity, and availability of your mobile applications and recommend ways to remediate them in order of priority.


What we do

  • For Android applications, we start by using the black box methodology, in which we don't have any information about the application. We aim to get a realistic view of the security level of the application and to identify all implementation errors and functional vulnerabilities.
  • For iOS applications, we use the grey box methodology, in which we have access to a limited amount of information including the binary code and general information about the application. This allows us to be more time efficient as iOS apps take time to decrypt.

When to perform a Mobile App Penetration Test

If you want to:

  • Validate the security of your iOS mobile application.
  • Validate the security of your Android mobile application.

Put your defenses to the test

Let our ethical hackers analyze, identify and close the gaps in your mobile apps.

How we work

We lay bare any vulnerabilities or security misconfigurations that could have a detrimental impact on your systems' confidentiality, integrity, or availability.


1. Your needs

In the scoping meeting, our pentesters determine with your teams which assets you want to be tested as well as the budget, requirements, and planning. We then put together a project proposal and agree on a schedule for conducting the penetration test.


2. Kick off

Through this kick-off meeting, we ensure that the teams have a good understanding of the issues and objectives of the penetration test.

3. Penetration Test

The penetration test follows market standards: we apply a standard methodology customized to your context, using both market and in-house tools.

4. Feedback Session

Our experts present and explain their findings to your teams and validate them in your context. This allows us to position the risk rating of your asset(s) on a maturity scale developed in-house.

5. Deliverables

We provide you with a managerial and a technical report. Each contains a detailed analysis of the vulnerabilities uncovered during the test, the weaknesses, the threat they pose, and recommended remediation steps.

What we look for

Our experts enumerate all vulnerabilities within iOS or Android mobile apps including improper sensitive data storage, injections, binary compile issues, and many others.

On iOS applications, we look for:

  • Issues in the IPA structure, the Info.plist and the data paths
  • Issues in data storage and management: plist, Core Data, YapDatabase, SQL, Firebase, Realm, cache, cookies, snapshots, keychain
  • Analysis of application logging such as NSLog, NSAssert, NSCAssert
  • Analysis of cryptography

On Android applications, we look for:

  • Gathering of URLs, API keys, tokens, and passwords
  • Static analysis of the AndroidManifest.xml and the resources.arsc
  • Application permissions
  • Code analysis and its inherent issues
  • Shared library binary hardening: NX, stack canary, RELRO, RPATH/RUNPATH, fortify, stripped symbols
  • Trustability check
  • Client-side injections

*Non-exhaustive lists. Full lists of tests available on-demand.
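As an added illustration of the shared library hardening checks listed above (this is example code, not the company's tooling), the following parser reads the ELF64 program headers of a native library and reports whether the stack is marked non-executable (PT_GNU_STACK without PF_X) and whether a RELRO segment is present. It assumes a well-formed ELF64 file and checks only these two properties; the sample library it analyses is constructed inline so the example runs offline.

```python
import struct

PT_GNU_STACK = 0x6474E551  # stack permissions requested by the linker
PT_GNU_RELRO = 0x6474E552  # region made read-only after relocation
PF_X = 0x1                  # executable flag in p_flags


def elf_hardening(data: bytes) -> dict:
    """Parse ELF64 program headers and report NX and RELRO status."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    gnu_stack_flags = None
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(end + "II", data, off)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    # A missing PT_GNU_STACK is treated as a finding: the loader decides, not the binary.
    nx = gnu_stack_flags is not None and not (gnu_stack_flags & PF_X)
    return {"nx": nx, "relro": relro, "gnu_stack_present": gnu_stack_flags is not None}


def build_sample_elf(stack_flags: int, with_relro: bool) -> bytes:
    """Constructed minimal ELF64 (AArch64, little-endian, ET_DYN) carrying only
    the program headers this check inspects. Not a loadable library."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    ph = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 16) for t, f in phdrs)
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
            + struct.pack("<HHIQQQIHHHHHH", 3, 0xB7, 1, 0, 64, 0, 0,
                          64, 56, len(phdrs), 64, 0, 0))
    return ehdr + ph


if __name__ == "__main__":
    hardened = build_sample_elf(stack_flags=0x6, with_relro=True)   # RW stack, RELRO
    weak = build_sample_elf(stack_flags=0x7, with_relro=False)      # RWX stack, no RELRO
    print("hardened:", elf_hardening(hardened))
    print("weak:", elf_hardening(weak))
```

Full RELRO additionally requires the DT_BIND_NOW dynamic entry, which this example does not read; on a real library the same function can be run on the bytes of the `.so` file.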


What you get

  • A managerial report which summarizes the findings and their criticality for the management team to take decisions and prioritize corrections.
  • A technical report which contains all the information about the findings, how to repeat the vulnerability, and recommendations on how to correct them.
  • A secure environment after applying our recommendations.

Other on-demand services to help you manage your cyber risks

Remediation Follow-up

Bug Bounty Program

Source Code Review

Ready to test?


Get in touch with our ethical hackers to get a penetration testing offer tailored to your needs.