Subscribe to the CyberThreatPOV Podcast

Episode 13: Offensive Security Testing Part 2 – Mobile Pentesting


Have you ever wondered why your mobile application isn’t allowed to be published in the app store? Has the mobile application undergone a penetration test? If not, that may be your problem! In this blog and the accompanying podcast, our team will discuss what a mobile penetration test is, how it works, and why it’s crucial. Welcome to the mobile pentesting deep dive. I’m Jordan Natter, your host 😛

Why you need a mobile app pentest

You may be thinking, “why is a mobile pentest important?” Here’s why. Mobile applications need to be secure before receiving permission to be added to the app store. App stores may be concerned about an application’s security since the mobile app will be installed on a user’s phone. If the application is insecure, it may put the user’s personal information at risk. If the user’s phone is compromised, the developers may be concerned about the security of their applications. Pentesting applications before publication mitigates the threat posed by compromised applications and phones. The user may have privacy issues if an application has misconfigured permissions. For example, let’s say your grandma downloads a new banking application from the app store. She realizes she always forgets her passwords and then downloads an insecure version of a password manager. The next time she logs into the application to use her banking credentials, they are silently passed on to the creator of the malicious app. Now she can no longer afford groceries due to her compromised bank account.

The value of a mobile app pentest

A comprehensive mobile penetration test is designed to look for fundamental flaws in the application and how to exploit them. It should be seen as the last step of validating a mobile application project. During the pentest, a tester will dive deep into the application and its components; this consists of config files, libraries, APIs, encryption keys, etc. The tester will use multiple tools for Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). Manual testing will also be used throughout the pentest. A significant benefit of manual testing is that it leverages exploits an attacker would use in the wild. Automated testing fails to eliminate false positives and validate true positives; this is another reason manual testing is superior. The testing will dive deeper than just the OWASP Mobile Top 10.

How does a mobile pentest work?

Once a mobile penetration test is scheduled, a pentester on our team (me) will contact the application developers and ask for the zipped binary code. If the application is android, the file will end in the extension “APK,” and if it is IOS, it’ll end in “IPA” (yes, like the beer.) The files must be in this format to run correctly during testing. Although there is an API as the framework for any mobile application, we test the two as individuals for a more comprehensive approach. In some cases, the application is already uploaded to the app store; if so, make sure the pentester is aware of the correct name and version of the app. This will be helpful for further testing.

Once the client has passed the required information to the pentester, the work begins. SecurIT360 follows the OWASP Mobile Security Testing Guide as our primary methodology. The pentester will spend two days using various emulators and tools to run the application through many tests. The binary code will also be viewed manually for any URLs, secrets, firebases, or any browsable activities of interest. Once the pentester makes a list of points of interest, they will spend the rest of their time finding ways to exploit the application. After the two days are up, the pentester will write a report summarizing the findings with CVSS scores correlating to version 3.

What will you take away?

The result of a mobile penetration test is a report of all the application vulnerabilities with suggestions for fixing them. They’re typically inexpensive, especially for the value they provide. The more testing a developer’s work receives, the better the developer will be at creating secure applications in the future. If your company is looking to get a mobile pentest, I’m your girl. Contact me at Happy hacking, folks! 😉