Mobile Apps Pentesting

Using mobile applications instead of web applications introduces additional risk factors for IT security.


What are mobile applications?

Mobile applications are often developed to be easy to use: authentication is kept painless and data is stored locally so that no permanent internet connection is required. As a result, sensitive data such as login details and personal data are often stored on the device. Mobile devices, more than computers, are prone to theft. The combination of these factors creates a different risk picture than that of traditional web applications.


How do we test?

In this phase, Secura investigates which vulnerabilities can be identified within the application, first without logging in and then with the rights of an authorised user. Many of these tests are performed manually, but various tools are also used, including tools developed by Secura itself. Secura manually checks all results from the tools (where applicable) to remove false positives.


What can we find?

In a vulnerability assessment we identify, for example, the following risks:

  • Insecure use of security measures offered by the operating system, such as biometric authentication.
  • Unencrypted storage of sensitive data on the device.
  • Administration/management functionality that should not be accessible to normal users.
  • Inadequate protection against reverse engineering.
  • Client-side implementation of security measures.
  • Insecure configuration of standard software, such as web, VPN, database and application servers.
  • Information leakage (e.g., via "service banners").
  • Vulnerable implementation of cryptographic functions such as setting up and using the TLS connection and encrypting local files.


OWASP Mobile Top 10

The application(s) will be studied thoroughly and tested for all kinds of design, configuration and programming errors, with particular attention to the security weaknesses from the OWASP Mobile Top 10 (version 2021).


Translated to concrete security issues, this yields the following tests:

  • Testing the registration process and login process for possibilities of taking over someone else’s account.
  • Testing whether the session mechanism has been adequately and securely structured.
  • Checking whether users have unauthorised access to other users’ data (horizontal authorisation checks).
  • Checking whether users can request functionality and data of users with elevated privileges (vertical authorisation checks).
  • Testing what data is stored on the device, and whether it is stored in a secure fashion.
  • Testing whether local authentication such as PIN codes or biometrics can be bypassed.
  • Testing to what extent the mobile application is susceptible to injection attacks such as ‘Cross Site Scripting’ and ‘SQL injection’.
  • Bypassing and abusing the business logic within the application.
  • Testing the strength of the TLS connection.
  • Checking whether cryptographic functions are implemented in a secure way.


In practice, this list is usually expanded during testing, since the tests also depend on the actual functionality of the application.
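The storage checks above (unencrypted storage of sensitive data on the device, and testing what data is stored and whether it is stored securely) are the ones most easily reproduced by a development team before an assessment. The script below is an added example and is not Secura tooling or part of this page: it walks a snapshot of an Android app's private data directory, parses SharedPreferences XML files and flat key=value files, and flags entries whose key name or value shape suggests a credential stored in plaintext. The key-name list, the value patterns and the sample directory it builds are all constructed assumptions for illustration.

```python
"""Audit an exported Android app data directory for credentials stored in plaintext.

Added example (not Secura tooling). Works on a directory snapshot constructed
inline, so it runs offline and touches no real device.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Key names that usually hold credentials (illustrative list, an assumption).
SENSITIVE_KEY_RE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|session|\bpin\b", re.I)
# Value shapes that look like a credential even under an innocent key name.
JWT_RE = re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]*$")
LONG_HEX_RE = re.compile(r"^[0-9a-f]{32,}$", re.I)
# "key = value" / "key: value" lines in flat config or cache files.
KV_LINE_RE = re.compile(r"^\s*([\w.-]+)\s*[=:]\s*(\S+)")


def classify(key, value):
    """Return why a key/value pair looks sensitive, or None if it does not."""
    if SENSITIVE_KEY_RE.search(key):
        return "sensitive key name"
    if JWT_RE.match(value):
        return "JWT-shaped value"
    if LONG_HEX_RE.match(value):
        return "long hex value (possible key or hash)"
    return None


def scan_shared_prefs(path):
    """Inspect one Android SharedPreferences XML file (a <map> of typed entries)."""
    findings = []
    for el in ET.parse(path).getroot():
        key = el.get("name", "")
        # <string> keeps its value as element text; <boolean>/<int>/... use a value attribute.
        value = (el.get("value") if el.get("value") is not None else el.text or "").strip()
        reason = classify(key, value)
        if reason:
            findings.append({"file": path, "key": key, "reason": reason})
    return findings


def scan_flat_file(path):
    """Inspect a text file for key=value lines that expose credentials."""
    findings = []
    with open(path, encoding="utf-8", errors="ignore") as fh:
        for line in fh:
            m = KV_LINE_RE.match(line)
            if m:
                reason = classify(m.group(1), m.group(2))
                if reason:
                    findings.append({"file": path, "key": m.group(1), "reason": reason})
    return findings


def audit_app_dir(app_dir):
    """Walk an exported app data directory and collect plaintext-credential findings."""
    findings = []
    for dirpath, _, files in os.walk(app_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.basename(dirpath) == "shared_prefs" and name.endswith(".xml"):
                findings.extend(scan_shared_prefs(full))
            else:
                findings.extend(scan_flat_file(full))
    return findings


def build_sample_app_dir():
    """Construct a small fake /data/data/<pkg>/ layout; all contents are made-up sample data."""
    root = tempfile.mkdtemp(prefix="com.example.app_")
    os.makedirs(os.path.join(root, "shared_prefs"))
    os.makedirs(os.path.join(root, "files"))
    with open(os.path.join(root, "shared_prefs", "com.example.app_preferences.xml"), "w") as fh:
        fh.write(
            "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n"
            "<map>\n"
            '    <string name="username">alice</string>\n'
            '    <string name="password">hunter2</string>\n'
            '    <boolean name="remember_me" value="true" />\n'
            '    <string name="cached_blob">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln</string>\n'
            "</map>\n"
        )
    with open(os.path.join(root, "files", "session.txt"), "w") as fh:
        fh.write("last_sync=2024-01-01\nrefresh_token=abc.def.ghi\n")
    with open(os.path.join(root, "files", "theme.txt"), "w") as fh:
        fh.write("dark_mode: yes\n")
    return root


if __name__ == "__main__":
    for f in audit_app_dir(build_sample_app_dir()):
        print(f"{f['file']}: key '{f['key']}' flagged ({f['reason']})")
```

Against the constructed snapshot the audit flags three entries: the `password` preference, the `cached_blob` preference whose value is shaped like a JWT, and the `refresh_token` line in a flat file. Each hit is a candidate for moving into the platform's key storage (Android Keystore-backed storage such as EncryptedSharedPreferences, or the iOS Keychain) rather than a plain preference or file, which is the remediation the storage checks in the list above are meant to drive.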
