Mobile application penetration testing: What’s involved?

October 13th, 2021 Posted in Information Security

A mobile application penetration test is a security assessment carried out on a native mobile application. A native mobile application is a smartphone-specific application. It is coded in a specific programming language for its respective operating system: typically, Swift for iOS and Java, BASIC or Kotlin for Android.   

As with all software and systems, security vulnerabilities in mobile applications can be exploited by threat actors to gain access to sensitive data, real-time communications and potentially even to the underlying device. Mobile app tests imitate the actions of a real-world threat actor so that you can gain a better understanding of security vulnerabilities within your application and then remediate them. 

Why is mobile app security important?

Mobile app pen testing is concerned with the security of iOS and Android applications. Given the proliferation of these apps, both within the consumer arena and from a B2B perspective, it’s imperative that they are properly secured. This is especially true of applications that process sensitive, personal data such as health data, medical information or live geo-tracking data.  

While modern mobile devices and tablets offer many security features for apps – such as Apple’s Secure Enclave, sandboxing, app signing, encryption, data isolation, authentication and privacy features – these are entirely optional, meaning a poorly designed app could fail to properly incorporate secure functionality – as was the case with Under Armour and WhatsApp.  

In the case of Under Armour, its app – MyFitnessPal – was breached, resulting in 150 million customers’ usernames, email addresses, and passwords being leaked on the dark web. Whilst this was likely to be an API or server infrastructure vulnerability, these issues are often introduced when making specific services or functionalities available to mobile applications. Meanwhile, a spyware vulnerability in WhatsApp enabled perpetrators to listen in on people’s calls, simply by calling their phone. Both of these security incidents reinforce the importance of securing mobile applications.

What are the most common vulnerabilities in mobile applications?

The Open Web Application Security Project or OWASP is a non-profit foundation that works to improve the security of software, with a focus on web and mobile applications. OWASP runs many projects including the OWASP Mobile Top 10 project, the purpose of which is to highlight the most common mobile app vulnerabilities and the steps that should be taken to address them.  

The current version of the OWASP Mobile Top 10 dates back to 2016 and lists the top ten risks as being: 

  1. Improper Platform Usage: This occurs when an app fails to correctly use a platform’s features or permissions. For example, if an application fails to correctly and securely store Apple iOS fingerprint ID data, it could be stolen and exploited.
  2. Insecure Data Storage: Many app developers make the mistake of assuming that data is safe if it’s stored on a client’s device. However, if a device is stolen or manipulated, then all the data on it is at risk. Similarly, simple errors like not encrypting data or failing to securely store password keys can lead to data theft.
  3. Insecure Communication: Many mobile applications transmit sensitive, personal data. Without robust encryption in place, this could lead to data being stolen. 
  4. Insecure Authentication: Mobile apps tend to have weaker authentication practices, as the devices often restrict PINs to 4 or 5 digits. They are also not continuously online, which prevents ongoing authentication. This means that mobile authentication is often more vulnerable to exploitation.  
  5. Insufficient Cryptography: If cryptography is not as secure as it could be, or is not implemented correctly, then a malicious actor may be able to access or manipulate sensitive data about the app’s user.  
  6. Insecure Authorization: Authorisation follows authentication and verifies the user’s permissions. If authorisation is flawed, then a threat actor could gain unwarranted access, enabling them to take data and execute actions they should not be able to.   
  7. Poor Code Quality: Code that is littered with bugs can lead to malfunctions in the application’s performance, as well as make the application more susceptible to a breach. 
  8. Code Tampering: Perpetrators can manipulate an app’s code to create fraudulent versions of the app and place it in third-party app stores. From there, they can deceive users into downloading the app, leading to them sharing sensitive data and password information.  
  9. Reverse Engineering: A threat actor can download an app, just like a normal user would, and then attempt to manipulate its source code to steal sensitive data.   
  10. Extraneous Functionality: Most apps have extra, inessential functionality that is not part of the direct user interface. While benign in itself, this functionality can be exploited by threat actors – particularly if it exposes information about back-end test, demo or staging environments.  
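
As an added illustration (not code from the original article), the sketch below shows the kind of automated check a tester might run over a decoded AndroidManifest.xml to flag settings that fall under several of the risks listed above. The sample manifest is constructed, and the mapping of each attribute to a Top 10 category is this example's own assumption rather than an official OWASP mapping.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical app, not taken from any real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:allowBackup="true"
               android:debuggable="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <provider android:name=".NotesProvider" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
  </application>
</manifest>"""

# Application-level attributes and the category this example files them under (assumed mapping).
FLAGS = [
    ("allowBackup", "M2 Insecure Data Storage", "app data can be copied off via backup"),
    ("usesCleartextTraffic", "M3 Insecure Communication", "unencrypted HTTP is permitted"),
    ("debuggable", "M10 Extraneous Functionality", "debug flag left on in the build"),
]

def audit_manifest(xml_text):
    """Return (category, detail) findings. Only explicit attribute values are
    checked; platform defaults for absent attributes are not modelled."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return []
    findings = [(cat, f"{attr}=true: {why}") for attr, cat, why in FLAGS
                if app.get(ANDROID + attr) == "true"]
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = comp.get(ANDROID + "exported") == "true"
        guarded = comp.get(ANDROID + "permission") is not None
        launcher = any(c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
                       for c in comp.iter("category"))
        # The launcher activity must be exported; anything else needs a permission.
        if exported and not guarded and not launcher:
            name = comp.get(ANDROID + "name")
            findings.append(("M1 Improper Platform Usage",
                             f"{comp.tag} {name} is exported without a permission"))
    return findings

if __name__ == "__main__":
    for category, detail in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{category}] {detail}")
```

Findings like these are leads for manual review, not confirmed vulnerabilities: an exported component may be intentional and safely implemented.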

How mobile app penetration testing can help

To protect against these vulnerabilities, specialist penetration testers can assess your mobile applications for the issues listed above on both Android and iOS devices. These tests are an important way to determine the overall resilience of your applications and an essential way to identify and manage exploitable vulnerabilities. For an overview of different types of penetration tests, read our guide to penetration testing.

At the end of the test, the tester should provide you with a list of the vulnerabilities discovered, along with guidance on how to remediate them. This is usually in the form of a report. The test report should be followed by a ‘wash-up’ call, during which the report findings, vulnerabilities and recommendations are discussed.  

A typical penetration test is structured as follows: 

  • Preparation – Firstly, you and the testing provider will agree on the scope and timeline of the test, identify your testing goals and go over the rules of engagement.
  • Intelligence gathering and reconnaissance – Once the scope is confirmed, the testers will begin gathering context about the application environment and architecture, including the in-scope application binaries, details required to access the mobile app, authentication credentials and a note of any off-limits parts of the application that shouldn’t be tested. They will then start open-source intelligence gathering, mining publicly available resources to identify data that could support testing. This could include information like usernames, software-related information and user manuals.
  • Mapping – Armed with the intelligence gathered, the testers will use a combination of automated vulnerability scanning tools and manual techniques to explore the application and understand its architecture. This is how the testers will discover vulnerabilities, sensitive data and potential entry points. As they go, the tester will note which vulnerabilities present the most risk, and prioritise their testing based on these findings.  
  • Exploitation – Next, it’s time for the testers to test the vulnerabilities they have already identified to confirm they are exploitable. They will determine which vulnerabilities truly pose the most risk and document their findings. This phase is necessary for determining whether vulnerabilities are real and true positives, which may lead to the discovery of further vulnerabilities that are only visible post-exploitation. The tester should adhere to industry mobile standards such as OWASP, MASVS and CVSS. 
  • Reporting – Once this is complete, it’s time to report the findings to the client. This will take the form of a detailed report, often along with the option to have a debrief meeting to talk through the findings and answer any questions. The testers will advise which vulnerabilities to prioritise fixing, based on their risk factor.   

When should I get a mobile application penetration test?

In the best-case scenario, you should conduct a mobile application penetration test before your mobile application launches – and then at least annually thereafter. In cases where major changes are made to the mobile app, you should also conduct a penetration test then. If you’re unable to organise a penetration test prior to the application’s deployment, then we advise getting one as soon as possible.  

In terms of how long the test lasts, this depends on both the complexity of the mobile application and the depth of assurance you’re seeking. The more in-depth the test, the longer it will take. Typically, these tests take anywhere from three days to a couple of weeks.  

Need Help?

If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions or remediations from our findings. Contact us for a friendly chat.  

Written by Alex Harper

Alex is a senior security consultant, specialising in security testing of IT infrastructure, web applications and mobile applications. He started his career as a software developer before moving into ethical hacking and security consulting. His qualifications include Cyber Scheme Team Leader (CSTL), Offensive Security Certified Professional (OSCP) and Qualified Security Team Member (QSTM).