Pentest: Mobile applications
Protect your apps
What are entry points for attackers?
The importance and popularity of mobile applications, or apps for short, such as the iOS and Android operating systems, has increased steadily over the past few years. Though providing an app is often indispensable, it also bears some risks and potential vulnerabilities. Sensitive information, such as passwords or sensitive data, is often not stored properly on the device and is thus not properly protected from access by third parties. This poses a high risk to the confidentiality of these user data. Attackers can compromise user data through vulnerabilities in the implementation of these interfaces. In the worst case scenario, these interfaces serve as an entry point into the system and thus into the company’s internal network.
During our mobile application pentest, our security analysts comprehensively analyze your app and identify possible entry points for attackers.
Common vulnerabilities include:
- Unsecure communication with the backend system
- Lack of or weak encryption
- Unsecure data storage
- Unauthorized execution of database commands (SQL injection)
What is our approach?
Our pentests are conducted according to a standardized approach, which is enhanced by specific aspects for mobile application pentests:
Mobile applications are often embedded in an environment with backend interfaces (webservices/API), which may communicate with databases. Apps should therefore be analyzed in their overall context rather than in isolation. During our mobile application pentest, we therefore offer to additionally examine the web service along with the underlying web server.
We analyze your app based on the OWASP Mobile Security Testing Guide (MSTG) and the OWASP Mobile Application Security Verification Standard (MASVS) and test for the most common security vulnerabilities according to OWASP. We check the security of your app at various levels. For example, we analyze server-side communication, session management and client-side protection measures.
What checks are included?
The following checks are included in mobile application pentests:
- Mapping of the application and information collection
- Analysis of cryptographic functions
- Checking the local authentication
- Inspecting the web server at the application level
- Analyzing the network communication
- Local storage of data
- Analyzing logs and system output for confidential information and reviewing the use of centralized logging
- Review of defense mechanisms against anti-reverse engineering
Are your apps protected against attackers?
We are happy to discuss your options for analyzing your mobile application by our security analysts. Feel free to contact us.