Mobile Application Penetration Testing Methodology

RedTeam Security's Mobile Application Penetration Testing Methodology

Let's face it, securing mobile applications, whether on the iOS or Android platform, is hard. Applications on iPhone or Android devices face additional threats beyond what the typical website does due to the environment they run in. For example, within the Android operating system, data can be written to a mobile device's SIM card. Other android applications may then have the privileges to read, write and delete in the background, something that web applications generally do not need to worry about. In combination with the ability to access the internet, which virtually every mobile application requires, you could then have the exfiltration of any sensitive data that had been saved to the mobile device. iOS applications are not immune to security risks either. An application that does not have secure API endpoints could expose every user's data. All of this is before considering the threat to a corporate environment's cybersecurity posture that mobile malware poses. Simultaneously, mobile applications are a web-based technology and face many of the same threats that a web application would.

Threat Modeling

Working with each client, we begin by discussing the application's use cases, including the privileges associated with each level of account access, and discussing the technology stack involved. This basic threat modeling allows our team to zero in on sensitive functionality and what is most important to protect.

The Role of Vulnerability Analysis in Mobile App Security Penetration Testing

The vulnerability analysis step involves an initial automated scan that gives an idea of the functionality and permissions associated with the application. Where available, code analysis is performed. This information is the launching point for the manual processes to come, indicating worthwhile areas to investigate further through reverse engineering, dynamic analysis, and taking a hard look at the mobile app's network traffic at runtime.

Manual Application Security Testing and Exploitation 

Using dynamic and static analysis, our mobile security testing examines how the application transports and stores data, what components and privileges are in use, and how the backend handles tampered traffic. Server-side handling of session management, including authentication and authorization, is also a fundamental part of a security assessment. Once we uncover the application's logic, we begin looking for security vulnerabilities by attempting to bypass and exploit security controls to determine their actual real-world security risk. If a security issue is uncovered at any point during testing, we immediately notify the client. Considering the threat modeling from earlier, we consider the likely routes an attacker would take, identifying and attempting potential attack vectors.

Throughout this step, our cybersecurity testing includes: 

• Configuration Management Testing 
• Authentication Testing
• Authorization Testing 
• Session Management Testing 
• Data Storage Analysis 
• Data Validation Testing 

RedTeam Security tests for security controls in the four most essential areas: 

• File System
• Memory
• Network Communications
• GUI

Our team will attempt to demonstrate the positional exploitability of each finding to achieve the two primary objectives of the assessment:

• Obtain Unauthorized Access
• Retrieve Sensitive Information

We use a combination of commercial, open-source, and in-house developed tools. RedTeam Security implements a structured testing methodology to make the mobile application assessment as efficient as possible.

Reporting

Our findings are all documented in easy-to-read reports, intended to communicate our findings along with our recommendations on how to prioritize remediation efforts, with rankings by severity. Clients receive a clear and actionable report, complete with evidence to the project stakeholders. At RedTeam Security, we consider this phase to be the most important, and we take great care to ensure we've communicated the value of our service and findings thoroughly. The report will provide an analysis of the current state of the assessed security controls.