MOBILE PEN TEST
Verify Your Security With a Penetration Test
Mobile app pen testing is a simulated attack designed to uncover security weaknesses in your business's iOS or Android apps. A mobile pen test helps you identify vulnerabilities that an attacker could exploit to:
- Gain access to user accounts
- Compromise application data
- Compromise the back-end database used by the application, and all its data
- Subvert the normal functionality of an application
- Launch attacks against other application users
- Install rootkit software for future attacks
These attacks, if successful, could have a significant impact on the mobile app, your customers and your brand. Our testing is designed to ensure this doesn’t happen to you.
Some of the common vulnerabilities found in mobile application testing are:
- Hardcoded API keys
- Unsanitized / non-validated request data
- Business logic flaws
- Authorization bypasses
- Sensitive data on the mobile device
- Insecure Data Storage
- Insecure Authorization
- Improper Platform Usage
- SQL injection
- Cross-Site Scripting
METHODOLOGY
CSG leverages industry-standard methodologies to ensure thorough and comprehensive mobile penetration testing is conducted under safe and controlled conditions. Our approved mobile app pentests consist of a security assessment of the application on the mobile device itself and, if requested, an assessment of the back-end web services (API) that support the application.
01. Reconnaissance
Conducting reconnaissance activities to locate information leakage, identify the technologies utilized, map application entry and functionality, and related tasks to guide testing.
02. Target Planning
Initial targets are selected based on perceived opportunity and prioritized for first stage attacks.
03. Configuration And Deploy Management Testing
Testing the configuration of the underlying platform and infrastructure and identifying potential change control weaknesses, such as the presence of orphaned code or code backup files for enterprise applications.
04. Identity Management Testing
Verification, where appropriate, for account provisioning considerations such as user registration processes or account enumeration.
05. Authentication Testing
Testing for authentication-related weaknesses, such as insecure authentication, default credentials, or password weaknesses.
06. Authorization Testing
Testing to validate the security of authorization controls against weaknesses such as privilege escalation or authorization bypass.
07. Session Management Testing
An evaluation of session-related vulnerabilities such as session fixation, exposed session variables, and cross-site request forgery.
08. Data Validation Testing
Data validation testing including cross-site scripting, parameter tampering, SQL injection, and command injection.
09. Testing For Error Handling
Testing error handling issues as they relate to security, such as analysis of error codes and stack traces.
10. Testing For Weak Cryptography
Testing to evaluate the effectiveness of encryption-related protections and to identify weaknesses such as weak SSL ciphers.
11. Business Logic Testing
Testing to determine if the flow or architecture of the application can be manipulated to gain access to sensitive information through flaws in business logic or application workflows.
Deliverables For Completed Test
The complete penetration testing results are documented in our content-rich report, which includes the background, summary of findings, detailed findings, scope and methodology, and supplemental content for context and reference. Samples are available upon request.
- An introduction of the general purpose, scope, methodology, and timing of the penetration test.
- A brief but concise overview summarizing the results at a glance, such as key critical findings requiring priority attention, system or recurring issues, and other general results.
- Comprehensive results of each vulnerability, including a description of the vulnerability observed, the impact, recommendations for remediation, evidence where the vulnerability was observed, and step-by-step demonstrations of exploits performed.
- A detailed recap of the specific scope of what was tested, the methodologies utilized, and related historical information necessary for audiences such as auditors to understand the specifics of the test approach.
- Additional content and guidance, such as recommended post-assessment activities, that provides added value to the audience of the report.