Typically focusing on bespoke mobile apps developed by or for the client, this type of penetration testing is concerned with using the app to compromise the mobile device running it, any online web services or application programmable interfaces (APIs) that the app interacts with, or any data held or processed by the app.
The specific approach taken will depend on the app and the client’s specific requirements, but will generally be based on the OWASP Mobile Security Testing Guide and will include the following:
- Design Review – Identification and understanding of all app components, and prioritisation of potential targets.
- Decompilation or Source Review – Where appropriate, review of decompiled or provided source code for potential vulnerabilities.
- Data Storage Assessment – Identification and exploitation of flaws in data storage and processing.
- Encryption and Privacy Assessment – Investigation of any use of encryption and the security of communications with local and remote services.
- Authentication and Session Management – Understanding and attempts to exploit any local authentication processes, such as PINs.
- Platform Interaction – Assessment of permissions, and use of operating system provided security controls.
- Offline Analysis – Obtaining and analysing any data obtained to understand the potential impact of compromise to the client.
- Reporting – Ensuring that the client gets a full understanding of the findings of the engagement, and recommended solutions to address any issues identified.