Mobile application penetration testing – Everything about it



As companies depend more on mobile apps for their fundamental activities, safeguarding these applications from possible risks and weaknesses is crucial. Therefore, conducting penetration testing on mobile applications is vital for any entity developing mobile apps for Android and iOS.

At Blaze Information Security, we conduct various mobile app penetration testing assessments every year. Many of our first-time clients have numerous inquiries about the process – including how to prepare, what information the penetration testers need for an effective test, the tools used, testing strategies, typical security issues identified in mobile apps, expected durations, and more.

In response to these common queries, we have created an informative guide designed to help organizations more effectively engage in and prepare for a mobile application penetration testing process.

What is mobile application penetration testing?

Mobile application penetration testing assesses a mobile app’s security by conducting simulated attacks. The primary goal is to enhance the mobile app’s resistance to attacks, ensuring it is secure against cyber threats.

This type of security assessment examines various components, such as security issues in the mobile app’s backend APIs, authentication and authorization mechanisms, permissions on the filesystem, interprocess communication, and insecure data storage on the cloud and device. Mobile application penetration testing applies regardless of the platform, be it Android or iOS, and even for less popular platforms such as BlackBerry and Windows Phone – with an important caveat that most pentesting tools no longer support them.

The primary goals and tangible benefits of mobile app penetration testing include:

  1. Identifying security weaknesses: Discovering vulnerabilities in the mobile application’s design and implementation, from simple misconfigurations to complex logical flaws.
  2. Evaluating security controls: Assessing the effectiveness of security measures implemented within the mobile app, including its resistance to attacks and protection of sensitive data.
  3. Providing recommendations for improvements: Offering detailed findings and actionable recommendations, enabling organizations to mitigate and fix all identified vulnerabilities effectively.
  4. Integrating security into the development lifecycle: Playing a vital role in incorporating security practices into the software development lifecycle of mobile applications.
  5. Maintaining customer trust and brand integrity: Demonstrating a commitment to security helps maintain customer trust and protect the brand’s reputation.
  6. Ensuring compliance: Helping ensure the mobile app adheres to industry frameworks and regulations, such as GDPR, HIPAA, SOC 2, and ISO 27001, which are crucial for maintaining trust and meeting compliance requirements.
  7. Proactive risk management: Proactively identifying and resolving security weaknesses makes it a cost-effective risk management strategy in mobile app security.
  8. Enhancing security posture: Strengthening the overall security posture through regular testing and continual improvements, making mobile applications resilient against cyber threats.

Preparing for a mobile application penetration test

Preparation for mobile app penetration testing is vital to ensure the assessment is thorough, aligned with the application’s threat model, and comprehensive in covering the mobile application’s attack surface. Here are essential steps to be ready for the evaluation:

  1. Sign NDAs: Establish a Non-Disclosure Agreement to protect sensitive information shared during testing, including details about the mobile app’s security mechanisms and internal workings.
  2. Define the pentest scope: Specify which components of the mobile application will be tested, including their functionalities, data flows, and the test’s goals and objectives. Clearly state what is not included in the scope, such as specific areas or functionalities.
  3. Provide documentation and access details: If available, give testers detailed documentation and access credentials for Android and iOS versions. This includes information on user interfaces, server-side functions, authentication mechanisms, and any specific technologies or unique interaction patterns used in mobile apps. Share at least two sets of user credentials for each application role to enable comprehensive testing from various user perspectives. Also, sometimes apps aren’t yet on app stores, so sharing the APK or IPA or sending it to the pentester via platforms such as TestFlight might be necessary.
  4. Ensure test environment readiness: If testing in a non-production environment, confirm that it closely resembles the production setup regarding data structures, authentication mechanisms, and functionality.
  5. Share technology-specific information: Provide any special guidance or tools necessary for technologies or frameworks unique to the mobile application.
  6. Highlight known limitations and sensitive areas: Inform testers about any sensitive parts of the application or known limitations that require special attention, such as areas handling sensitive data or insecure data storage.
  7. Establish communication channels: Set up clear communication pathways during testing. At Blaze, we always set up a Slack channel with the customer throughout the assessment for faster communication and closer collaboration.
  8. Conduct at minimum grey-box testing: In grey-box testing, give testers partial system knowledge, such as user accounts and admin panels, to enable more realistic attack simulations and uncover vulnerabilities that black-box testing might miss in mobile apps. If possible, go white-box with a source-code-assisted pentest.


For a more in-depth assessment, organizations might opt for a full white-box test for their mobile apps. In this scenario, the penetration testing team is given access to the mobile application’s source code (not simply a decompiled version).

This is particularly effective for mobile app security testing, as it provides insights into Android and iOS apps’ unique vulnerabilities and security mechanisms.

Leveraging OWASP methodologies in mobile app penetration testing

The Open Worldwide Application Security Project (OWASP) also plays a crucial role in shaping methodologies in mobile application security. Though initially web-centric, OWASP’s resources provide invaluable frameworks and guidelines for mobile app pen testing.

Central to this approach is the OWASP Mobile Top 10, analogous to the OWASP Top 10 for web applications, which outlines the ten most critical security risks for mobile applications. This list is regularly updated every few years to reflect emerging threats in the mobile landscape and serves as a roadmap for identifying and prioritizing common vulnerabilities in mobile apps.

The OWASP Mobile Application Security Testing Guide (MASTG) is the mobile counterpart to the OWASP Testing Guide for web apps, providing detailed methodologies and checklists for security testing. This guide includes a variety of test cases, techniques, and best practices aimed at thoroughly evaluating every aspect of a mobile app, from initial discovery and data collection to exploiting vulnerabilities and analyzing them post-exploitation.

Additionally, the OWASP Mobile Application Security Verification Standard (MASVS) offers a framework of security controls and criteria for mobile apps, which is crucial for conducting security testing in line with industry standards and ensuring a mobile app’s security features are comprehensive.

OWASP’s Mobile Application Security Cheat Sheet is another valuable tool, offering quick, actionable advice on various mobile security topics. These guides are indispensable for referencing best practices and security strategies for mobile applications.

Leveraging these OWASP resources enhances the effectiveness of our mobile app testing and brings compliance with international security best practices.


Other frameworks that involve mobile app penetration testing

Other known security frameworks establish their requirements around mobile application penetration testing, such as NIAP, ioXt Alliance and App Defense Alliance’s MASA.

NIAP

NIAP details functional and security assurance requirements for vetting mobile applications, categorizing requirements into Security Functional Requirements, Selection-based Security Functional Requirements, Objective Security Functional Requirements, Optional Security Functional Requirements, and Security Assurance Requirements. It aims to guide the vetting of mobile apps in government and industry, addressing concerns like random bit generation, cryptographic key generation, storage of credentials, access to platform resources, encryption of sensitive application data and more.

ioXt Alliance

The ioXt Alliance was created as an industry-wide alliance to set baseline requirements for product security for IoT, and in 2020 and 2021 it expanded its certification program to include mobile apps and VPNs, with a mobile profile for Android security criteria.

MASA

The Mobile Application Security Assessment (MASA) is an initiative by the App Defense Alliance to bolster mobile app security on Google Play, ensuring the safety of billions of users. MASA leverages the OWASP Mobile Application Security Verification Standard (MASVS), providing baseline security criteria and a testing guide (MASTG) for developers. Developers can initiate assessments with Google Authorized Lab partners, aiming for a certification that showcases their commitment to security on their Google Play Data safety section.

Common vulnerabilities in mobile applications

Like web applications, mobile apps have their own set of vulnerabilities that attackers can exploit. The OWASP Mobile Top 10 2024, in its final release, is an essential resource for understanding these threats and lists the following key risk areas:

  • M1: Improper Credential Usage – Mismanagement or misuse of credentials leading to unauthorized access.
  • M2: Inadequate Supply Chain Security – Security weaknesses in the supply chain that could impact the mobile app.
  • M3: Insecure Authentication/Authorization – Flaws in authentication or authorization mechanisms that could allow attackers to bypass security measures.
  • M4: Insufficient Input/Output Validation – Failure to properly validate input and output can lead to various attacks, such as injection or data leaks.
  • M5: Insecure Communication – Lack of secure communication channels, leading to potential interception or alteration of data in transit.
  • M6: Inadequate Privacy Controls – Insufficient measures to protect user privacy, leading to potential exposure of personal information.
  • M7: Insufficient Binary Protections – Lack of protections against binary exploitation, such as code tampering or reverse engineering.
  • M8: Security Misconfiguration – Insecure default configurations or misconfigurations that expose the mobile app to attacks.
  • M9: Insecure Data Storage – Inappropriate storage of sensitive data within the mobile app, leading to potential data breaches.
  • M10: Insufficient Cryptography – Weak cryptographic practices that fail to secure data effectively.

Below is a comparison between OWASP Mobile Top 10 2016 and the latest version released in 2024.

OWASP Mobile Top 10 2024 and 2016 compared

A slightly more detailed look at common vulnerabilities in mobile apps

The following is a closer look at key security vulnerabilities in mobile applications, focusing on the critical areas of data storage, platform usage, APIs, deep links, content providers, and intents:

  • Insecure Data Storage: A common issue where sensitive information is improperly protected, potentially allowing unauthorized access to personal or financial data if an attacker gains access to the device.
  • Insecure Platform Usage: Risks arise from not following best practices for platform features or security measures, possibly compromising user data or app integrity.
  • Insecure APIs: External APIs, if integrated or used insecurely, can expose apps to attacks, including data interception or functionality manipulation due to weak authentication or lack of encryption.
  • Deep Links vulnerabilities: Without secure implementation, deep links can be exploited to bypass app navigation, leading to unauthorized access or actions.
  • Issues with Content Providers: Insecurely implemented content providers may expose sensitive data to other apps on the device, risking data leakage.
  • Insecure Intents: Poorly managed intents can lead to information leakage or unauthorized app behavior manipulation, emphasizing the need for proper permission checks and validation.
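
A small static check, added here as an example (it is not code from the original post), that applies the content-provider, intent and deep-link points above to a decoded AndroidManifest.xml: it flags components reachable from other apps that carry no android:permission, exported providers that grant URI permissions, and deep-link filters that deserve manual review. It assumes the manifest has already been decoded to plain XML (for instance by apktool or jadx); the manifest it parses is constructed for illustration and its component names are hypothetical.

```python
# Added example: static review of exported components in a decoded AndroidManifest.xml.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
WEB_SCHEMES = {"http", "https"}


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Apply the platform default: an explicit android:exported wins; otherwise a
    component is reachable from other apps when it declares an intent-filter.
    Providers defaulted to exported on old API levels, so a provider with no
    explicit attribute is treated as exported (conservative for a review)."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return True
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (component_tag, name, finding) tuples: exported components without a
    permission, exported providers handing out URI grants, and deep-link filters
    that are either unverifiable (custom scheme) or not auto-verified (web)."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        name = _attr(comp, "name") or "<unnamed>"
        if _attr(comp, "permission") is None:
            findings.append((comp.tag, name, "exported without android:permission"))
        if comp.tag == "provider" and (_attr(comp, "grantUriPermissions") or "").lower() == "true":
            findings.append((comp.tag, name, "exported provider grants URI permissions"))
        for flt in comp.findall("intent-filter"):
            schemes = {_attr(d, "scheme") for d in flt.findall("data") if _attr(d, "scheme")}
            if not schemes:
                continue
            if schemes <= WEB_SCHEMES and _attr(flt, "autoVerify") != "true":
                findings.append((comp.tag, name, "web deep link without android:autoVerify"))
            custom = sorted(schemes - WEB_SCHEMES)
            if custom:
                findings.append((comp.tag, name, f"custom-scheme deep link: {custom}"))
    return findings


# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="exampleapp" android:host="pay"/>
      </intent-filter>
    </activity>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.constructed.notes"
        android:exported="true" android:grantUriPermissions="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".PushReceiver" android:exported="true"
        android:permission="com.example.constructed.PUSH"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{tag}] {name}: {finding}")
```

On the constructed manifest it reports the implicitly exported deep-link activity and the wide-open provider, and stays silent on the service that is explicitly not exported and the receiver that is guarded by a permission.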

Comprehensive security testing, static and dynamic analysis, and thorough code review are crucial in identifying and mitigating these risks in both Android and iOS apps. This proactive approach is vital for development teams to ensure the security and integrity of mobile applications.

Commonly used mobile application penetration testing tools

In mobile application penetration testing, various specialized tools are employed to ensure a thorough assessment. Here’s an updated overview of essential tools in this space:

Emulators and virtual devices

  • Android Studio’s Emulator and Genymotion: These emulators are vital for replicating Android mobile app environments for testing purposes. They allow testers to simulate different devices and Android versions.
  • Corellium: This tool offers a virtualized environment for iOS, providing a platform for testing iOS apps in various Apple devices and OS versions.

Dynamic and static analysis tools

  • Burp Suite Professional: A cornerstone in application penetration testing for analyzing network traffic, automating attacks, and more. It’s commonly used in conjunction with mobile application traffic for in-depth analysis.
  • Postman and Swagger UI: These remain critical for sending requests to mobile app endpoints, aiding in testing various functionalities within Android and iOS apps.
  • MobSF (Mobile Security Framework): Useful for performing both static and dynamic analysis on mobile apps, identifying low-hanging-fruit vulnerabilities and insecure data storage practices.
  • Oversecured: A paid alternative far superior to MobSF for automated static scanning of mobile apps.

Reverse engineering, decompilers and binary instrumentation tools

  • Hopper and Ghidra: While Hopper has been a popular choice for reverse engineering, Ghidra is probably the most used among practitioners due to its open-source nature. Both tools are vital in reversing mobile apps and libraries to understand their structure and identify vulnerabilities.
  • Frida and Objection: Frida is a dynamic instrumentation toolkit for modifying real-time app behavior. Objection, which runs on top of Frida, provides a runtime mobile exploration toolkit that simplifies the use of Frida.
  • jadx: An open-source decompiler that translates Android apps back to Java code, simplifying reverse engineering for security analysis. Ideal for uncovering vulnerabilities in Android applications, jadx provides a user-friendly interface for efficient app review and research.
  • JD-GUI: A standalone graphical utility that displays the Java source code of “.class” files, enabling easy decompilation and analysis of Java applications.


The combination of these tools provides a comprehensive toolkit for mobile penetration testing. They enable testers to perform various tasks, from emulating different environments, disabling common protections such as root/jailbreak detection and TLS/SSL pinning, and analyzing network traffic to conducting in-depth static and dynamic analysis and reverse engineering.

The right certifications for mobile application penetration testing

Certain training and certifications can significantly enhance the skill set of a pentester or an entire team in mobile application penetration testing. While numerous certifications are available in the market, those with a strong focus on mobile app pentesting are particularly valuable. When considering a penetration testing provider or looking to upskill your internal team in mobile app pentesting, the following certifications are worth noting:

  • GIAC Mobile Device Security Analyst (GMOB): Similar to the GWAPT for web apps, the GMOB certification focuses on security and penetration testing for mobile devices, including Android and iOS apps. SANS also has a related training known as SEC575 for Android and iOS application security.
  • eLearnSecurity Mobile Application Penetration Tester (eMAPT): This is the mobile-focused counterpart of eWPTX, emphasizing hands-on skills in penetration testing of mobile applications.
  • Pentester Lab Pro: While not a certification per se, Pentester Lab Pro offers a handful of specialized labs for mobile application pentesting, providing practical experience in a wide range of mobile security scenarios.
  • NowSecure Academy: NowSecure, a well-known vendor in the mobile application security space, offers several free and paid courses through their academy program, which focuses on teaching mobile app security and pentesting techniques for iOS and Android apps.
  • Mobile Hacking Lab: This new training platform focuses mainly on low-level mobile OS hacking (fuzzing of userland apps) but has lessons that can be directly applied to mobile application pen testing.


These certifications and training programs ensure that penetration testers have the necessary skills and knowledge to identify and exploit vulnerabilities in mobile applications. They cover a broad spectrum of topics, from understanding the architecture of mobile apps to exploiting specific vulnerabilities unique to Android and iOS systems.

What’s the average duration of a mobile penetration test engagement?

The duration of a mobile application penetration test is influenced by various factors, including the complexity and specific functionalities of the app. General timeframes can be estimated as follows:

Basic mobile applications (1 week)

Simpler mobile apps with limited features, such as basic utility apps, straightforward gaming apps, or small-scale e-commerce mobile apps, typically require one to two weeks for thorough testing.

Moderately complex mobile applications (2-3 weeks)

Apps with more intricate features, like multiple user roles, advanced UI/UX elements, or integrations with external APIs and backend systems, generally need two to three weeks. This category can include sophisticated e-commerce platforms or mobile banking apps with standard security requirements.

Complex or large mobile applications (3+ weeks)

Apps in this category have large-scale or highly complex features and functionalities. These include enterprise-level applications with numerous features, custom functionalities, complex data handling, and extensive backend interactions. The duration for testing these applications can exceed four weeks, especially if they incorporate advanced security features like:

  • Payment integrations: Apps facilitating payments, particularly those using advanced methods like NFC (Near Field Communication) or other payment technologies.
  • Enhanced security measures: Applications that run exclusively on corporate devices with MDM or without jailbreak or root access usually require additional testing effort.
  • Biometric bypassing: Apps incorporating biometric authentication (fingerprint scanning, facial recognition, etc.) necessitate specialized techniques to test the robustness of these security features.


The complexity and variety of these features significantly influence the testing duration. It is crucial to conduct comprehensive static and dynamic analysis, in-depth reverse engineering and thorough testing across different mobile devices and operating systems. This is particularly important for applications handling sensitive data or requiring high-security measures, such as mobile banking or health-related apps. Sufficient time and expertise are essential to identify and address potential vulnerabilities and ensure robust protection against security breaches.

Factors influencing the duration of mobile app pentest

  1. Application size: The number of screens, features, API endpoints, and user roles in a mobile app directly impacts the testing duration. A higher number of elements necessitates more extensive coverage during the assessment.
  2. Complexity: Advanced functionalities, intricate user interfaces, and complex back-end logic or integrations (such as payment processing systems, NFC capabilities, etc.) increase the testing time for mobile apps.
  3. Security maturity: Mobile applications that have undergone previous security assessments and have patched vulnerabilities may require more time for testing. Pentesters must verify past fixes and ensure no new vulnerabilities have been introduced.
  4. Integration with third-party services: Mobile apps with multiple integrations, such as external APIs, payment gateways, or cloud services, require additional time to assess the security of these interactions comprehensively.
  5. Regulatory compliance needs: If the app must adhere to specific security standards and frameworks (e.g., PCI DSS for payment processing, HIPAA and DiGA for healthcare-related apps), more time may be needed to ensure it meets these requirements.
  6. Client collaboration: The efficiency of client responses and the provision of required information can influence the assessment timeline.

What can I expect from a mobile penetration test assessment?

  • Initial consultation and scope definition: The process begins with a discussion to define the scope, set expectations, and determine the best approach for the app’s security evaluation.
  • Reconnaissance phase: Testers gather information about the app’s technology, structure, and functionalities, aiding in strategizing their testing approach.
  • Automated scanning for vulnerabilities: Specialized tools automatically scan the mobile application for known vulnerabilities, helping identify potential security weaknesses.
  • Manual testing and exploitation: Beyond automated tools, expect manual testing where experts attempt to exploit identified vulnerabilities, simulating real-world attack scenarios.
  • Regular updates and communication: The testing team keeps in constant communication, providing updates and explanations in understandable terms.
  • Comprehensive pentest report: A detailed report is provided post-assessment, listing identified vulnerabilities, their severity, and potential impacts on the mobile app.
  • Remediation guidance: The report includes practical, prioritized recommendations for fixing the vulnerabilities.
  • Post-pentest debriefing: A debriefing session is often conducted to review findings, answer questions, and discuss the next steps for app security.
  • Fix validation: Optionally, a retest can be conducted post-remediation to ensure the effectiveness of the fixes in place.


Final remarks

Mobile application penetration testing is an indispensable process to ensure the robustness of your app’s security controls. It is crucial not only for identifying existing vulnerabilities but also for preparing against future threats and minimizing overall security risks.

If your organization wants to enhance its mobile application security posture, consider partnering with a company specializing in penetration testing services. Opt for providers focusing primarily on technical cybersecurity assessments to ensure a thorough and expert evaluation of your mobile apps.

FAQ

How long does a mobile application penetration test take?

A typical mobile application penetration test can range from 5 to 10 days, depending on the application’s complexity, size, and specific security requirements. Complex applications may require longer effort.

Can mobile application security testing be automated?

To some extent, yes. Automated tools are useful in identifying common vulnerabilities in mobile apps but cannot fully replace the nuanced insights and detailed analysis provided by manual pentesting.

Should internal mobile applications be pentested?

Mobile applications created for internal use should undergo penetration testing. This step is vital to uncover vulnerabilities that could be exploited by an employee with malicious intentions. It’s especially important for apps dealing with sensitive corporate data or accessing critical internal systems.

About the author

Julio Fort


Julio has worked professionally in the field of cybersecurity for over 15 years. With extensive international experience, he worked as a security consultant for the London Olympics 2012 and served as a senior application security advisor at a global investment bank. Julio holds a master’s degree from Royal Holloway, University of London, in application security and fuzzing.
