Mobile App Security Assessments

Identify vulnerabilities in mobile applications and prioritize remediation with a security evaluation driven by our advanced and proven mobile testing methodologies.

Mobile App Penetration Testing Services

Due to the increased sophistication of mobile platforms and the proliferation of mobile applications, an organization's mobile infrastructure represents yet another attack surface on an enterprise network. Recognizing the increased risk organizations face, mobile software vendors and business consumers alike are seeking assistance in evaluating the security of their mobile applications.

Because mobile security is a relatively new field, only a handful of security service providers are currently providing comprehensive mobile application security assessments. Praetorian distinguishes itself in this space through its active research in mobile security. Through research initiatives, Praetorian has created a thorough mobile testing methodology.

Methodologies for Mobile Penetration Testing

Using a combination of manual and dynamic analysis along with custom automated fuzzing, Praetorian's Mobile Security Testing covers areas such as storage protection, transport protection, authentication, authorization, session management, data validation, and error and exception handling. For open mobile platforms such as Android, mobile applications are also decompiled to maximize understanding and testing coverage. For closed platforms such as BlackBerry OS and iOS, source code is often requested to accompany the engagement, or binaries can be reversed at runtime.

Praetorian begins the assessment by evaluating data protection controls on the client device. In particular, Praetorian will examine where and how the application manages sensitive information, whether the application is properly utilizing native APIs for features like key stores, and whether dangerous client artifacts such as user credentials, personal information, and/or any other sensitive application data are unintentionally or insecurely stored on the client device. As part of this analysis, consultants will also examine memory to ensure sensitive data is properly erased by the application. Additionally, Praetorian will review the communication between the mobile application and any remote systems/services. Traffic analysis will focus on uncovering vulnerabilities related to information disclosure, tampering, and spoofing.
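The client-side artifact review described above can be partly mechanized. The following is an added example, not Praetorian's code: it builds a constructed, made-up app data directory (an Android-style shared preferences file, a log file and a harmless settings file) in a temporary folder and scans it for credential-like keys and bearer or JWT-looking tokens. The file names, patterns and sample values are all assumptions; a real review pulls the application's data directory from a device or emulator and tunes the patterns to the app's own key names.

```python
import re
import tempfile
from pathlib import Path

# Patterns an assessor looks for in an app's data directory. Constructed here;
# a real review tailors them to the app's own key names and token formats.
PATTERNS = {
    "credential_key": re.compile(r'(?i)\b(password|passwd|pin|secret)\b\s*[=:"<>]\s*\S+'),
    "bearer_token": re.compile(r'(?i)\bbearer\s+[A-Za-z0-9_\-.]{16,}'),
    "jwt": re.compile(r'\beyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+'),
}


def scan_sandbox(root):
    """Walks every regular file under `root` and returns one finding per match."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = path.read_text(encoding="utf-8", errors="ignore")
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append({
                    "file": path.relative_to(root).as_posix(),
                    "kind": kind,
                    "line": text.count("\n", 0, match.start()) + 1,
                })
    return findings


# Constructed sample app sandbox (hypothetical package name, made-up values).
SAMPLE_FILES = {
    "shared_prefs/com.example.app.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
        '  <string name="username">alice</string>\n'
        '  <string name="password">hunter2</string>\n</map>\n'
    ),
    "files/app.log": (
        "2024-01-01 10:00:00 GET /api/portfolio\n"
        "2024-01-01 10:00:00 Authorization: Bearer "
        "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl\n"
    ),
    "files/settings.json": '{"theme": "dark", "refresh_seconds": 30}\n',
}


def build_sample_sandbox(root):
    """Writes the constructed files under `root`."""
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def demo():
    """Builds the constructed sandbox in a temp dir and returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sandbox(tmp)
        return scan_sandbox(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['file']}:{finding['line']}: {finding['kind']}")
```

Each finding carries the file and line, which is what ends up in the report; the settings file produces none, which is the control that keeps the patterns honest. Content matches are only half of the check: on the device the assessor also confirms file ownership and permissions and whether the value should have lived in the platform key store instead.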

Once the analysis of transport- and storage-level data protection controls has concluded, Praetorian will transition to authentication and authorization testing. During this phase of testing, activities include, but are not limited to, an examination of implemented authentication protocols, certificate validation, password policy enforcement, and account lockout mechanisms. In addition to assessing how the application performs authentication, Praetorian also evaluates how the application segregates functional roles and implements authorization concepts such as the principle of least privilege. Authorization testing will also assess how data access controls are applied and whether authorization corner cases such as confused deputy attacks are present. During this testing phase, Praetorian will attempt to access hidden functionality in both the client and the server, in addition to attempting to escalate privileges. As an example, Praetorian may determine how data is retrieved from the server for the different users and use this information to replay or manipulate the request to gain access to another user's data.
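The replay case at the end of the paragraph is the classic horizontal authorization test. As an added example (not Praetorian's code, and not any client's system), the block below models a backend "get account" handler twice: first the way such a finding usually looks, with the record looked up by the id the client sent, and then bound to the server-side identity so that a manipulated id is refused. The users, account ids and balances are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data (not from any real engagement): two users, one account each.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 2500},
    1002: {"owner": "bob", "balance": 9100},
}


class Forbidden(Exception):
    """Raised by the hardened handler when the caller does not own the record."""


@dataclass
class Session:
    user: str  # identity established by the server at login, never taken from the request


def get_account_vulnerable(session, account_id):
    """Looks the record up by the id the client sent, with no ownership check.
    Replaying a captured request with another user's id returns their data."""
    return ACCOUNTS[account_id]


def get_account_hardened(session, account_id):
    """Binds the lookup to the authenticated identity: the server decides whose
    data this is, so a manipulated id yields a denial instead of a record."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session.user:
        raise Forbidden(f"{session.user} may not read account {account_id}")
    return record


def replay_as(user, handler, account_id):
    """Simulates replaying a request while logged in as `user`; returns
    'allowed' or 'denied', which is what an assessor records for each case."""
    try:
        handler(Session(user), account_id)
        return "allowed"
    except (Forbidden, KeyError):
        return "denied"


def horizontal_access_matrix(handler, users=("alice", "bob")):
    """Every (user, account) pair; 'allowed' cells for accounts the user does
    not own are the findings."""
    return {(u, a): replay_as(u, handler, a) for u in users for a in ACCOUNTS}


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_account_vulnerable),
                          ("hardened", get_account_hardened)):
        print(name)
        for (user, account), verdict in sorted(horizontal_access_matrix(handler).items()):
            print(f"  {user:>5} -> {account}: {verdict}")
```

The matrix form matters more than the single replay: running every role against every object type is how the assessment shows that access controls are applied consistently rather than only on the endpoint that happened to be sampled.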

In cases where the application communicates with a remote system/service, Praetorian's testing will evaluate how session management is performed. In some cases the application simply maintains a persistent connection (e.g., a socket). If the application uses a persistent socket, Praetorian will check what happens when the connection is severed, either because the device does not support simultaneous voice and data or because of multitasking. In other cases, the application may implement a session identifier to uniquely identify the user for the duration of the session. For such cases, Praetorian will examine the entropy, length, timeout, and rotation of the identifier to determine the application's susceptibility to preset identifiers, brute force, session fixation, and other related vulnerabilities.
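The four identifier properties named above (entropy, length, timeout, rotation) map directly onto code. The following added example, not Praetorian's and not any client's, pairs two small analysis helpers an assessor might run over a captured sample of identifiers with a server-side session store that rotates the identifier at login and expires idle sessions. The 32-byte token size and 300-second idle timeout used in the usage are assumed policy values, not anything the page specifies.

```python
import math
import secrets
import time
from collections import Counter

TOKEN_BYTES = 32  # 256 bits of randomness per identifier (assumed policy)


def sample_tokens(n):
    """n identifiers generated the way the store below does it, for analysis."""
    return [secrets.token_urlsafe(TOKEN_BYTES) for _ in range(n)]


def shannon_entropy_bits_per_char(tokens):
    """Empirical per-character entropy over a sample of identifiers. A figure far
    below log2(alphabet size) (6.0 for base64url) suggests a weak or biased generator."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def nominal_strength_bits(token, alphabet_size):
    """Upper bound on brute-force resistance implied by length and alphabet alone."""
    return len(token) * math.log2(alphabet_size)


class SessionStore:
    """Server-side session table with an idle timeout and rotation at login."""

    def __init__(self, idle_timeout_s, clock=time.time):
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock  # injectable so a test can advance time
        self._sessions = {}  # sid -> {"user": str | None, "last_seen": float}

    def new_anonymous(self):
        sid = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid

    def login(self, old_sid, user):
        """Rotation: the pre-authentication id is discarded and a fresh one issued,
        so an id planted before login (fixation) never becomes an authenticated
        session."""
        self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, sid):
        """Returns the user for a live session, or None. Unknown ids (including
        client-chosen ones) are never auto-created, and idle sessions expire."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout_s:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]


if __name__ == "__main__":
    sample = sample_tokens(200)
    print("entropy bits/char:", round(shannon_entropy_bits_per_char(sample), 3))
    print("nominal bits:", nominal_strength_bits(sample[0], 64))
    store = SessionStore(idle_timeout_s=300)
    pre = store.new_anonymous()
    post = store.login(pre, "alice")
    print("rotated:", pre != post, "old id live:", store.lookup(pre) is not None)
```

The entropy helper is a screening check, not proof of randomness: it catches identifiers built from timestamps or counters, but a generator can pass it and still be predictable, which is why the assessment also inspects how the identifier is produced. Rotation and a refusal to adopt client-supplied identifiers are what close the fixation and preset-identifier cases in the text.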

Data validation is another important aspect of our testing. Praetorian will identify any open ports, interfaces, IPC channels, or other input modes that can be leveraged by an attacker or a malicious application. Fuzz testing will be performed on the exposed interfaces to examine how the application handles erroneous input. The objective of this process is to determine the extent to which the application performs filtering, sanitization, and validation. Vulnerability categories in scope include, but are not limited to, cross-site scripting, SQL injection, command injection, mishandled exceptions, and memory corruption vulnerabilities that can lead to remote code execution or a denial of service condition.
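To make the fuzzing step concrete, here is an added example (not Praetorian's tooling, and the wire format is invented for the illustration): a parser for a hypothetical length-prefixed login message, written once trusting the input and once validating every field, plus a small mutation fuzzer that reports any case where something other than the parser's own error type escapes. That escaped-exception list is the "mishandled exceptions" category from the paragraph in miniature.

```python
import random
import struct

MAX_PAYLOAD = 1024  # assumed protocol limit


class ProtocolError(ValueError):
    """The one exception a well-behaved parser raises on malformed input."""


def parse_login_naive(buf):
    """Trusts the wire format: short headers, bad lengths, non-UTF-8 bytes and a
    missing separator all surface as unhandled exceptions (struct.error,
    UnicodeDecodeError, ValueError), i.e. mishandled-exception findings."""
    msg_type, plen = struct.unpack(">HH", buf[:4])
    payload = buf[4:4 + plen]
    user, password = payload.decode("utf-8").split("\0")
    return {"type": msg_type, "user": user, "password": password}


def parse_login_hardened(buf):
    """Validates every field before it is used; only ProtocolError escapes."""
    if len(buf) < 4:
        raise ProtocolError("short header")
    msg_type, plen = struct.unpack(">HH", buf[:4])
    if msg_type != 1:
        raise ProtocolError("unknown message type")
    if plen > MAX_PAYLOAD:
        raise ProtocolError("payload exceeds limit")
    if len(buf) != 4 + plen:
        raise ProtocolError("declared length does not match data")
    try:
        text = buf[4:].decode("utf-8")
    except UnicodeDecodeError:
        raise ProtocolError("payload is not UTF-8") from None
    parts = text.split("\0")
    if len(parts) != 2 or not all(parts):
        raise ProtocolError("expected exactly user NUL password")
    if not all(p.isprintable() for p in parts):
        raise ProtocolError("control characters in credentials")
    return {"type": msg_type, "user": parts[0], "password": parts[1]}


def mutate(data, rng):
    """One random mutation: overwrite, insert, delete or truncate."""
    data = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == 2 and data:
        del data[rng.randrange(len(data))]
    else:
        data = data[:rng.randrange(len(data) + 1)]
    return bytes(data)


def fuzz(parser, seed_input, iterations=300, rng_seed=0):
    """Feeds mutated inputs to `parser`; returns every case that escaped with
    something other than ProtocolError, which is what the report would list."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            parser(case)
        except ProtocolError:
            pass
        except Exception as exc:  # anything else is a robustness defect
            crashes.append((case, type(exc).__name__))
    return crashes


_PAYLOAD = b"alice\0s3cret"
SEED = struct.pack(">HH", 1, len(_PAYLOAD)) + _PAYLOAD  # constructed valid login

if __name__ == "__main__":
    for name, parser in (("naive", parse_login_naive), ("hardened", parse_login_hardened)):
        crashes = fuzz(parser, SEED)
        print(f"{name}: {len(crashes)} escaped exceptions",
              sorted({exc for _, exc in crashes}))
```

In a memory-safe language the escaped exceptions are the whole story; against native code the same harness is watched for crashes and sanitizer reports instead, which is where the memory corruption category in the paragraph comes from. Seeding the generator keeps a run reproducible so that each reported case can be replayed when writing up the finding.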

As vulnerabilities are discovered, Praetorian will attempt to demonstrate the potential exploitability of each finding to achieve the two primary objectives of the assessment: 1) obtain unauthorized access and 2) retrieve sensitive information. Using commercial, open source, and proprietary tools, Praetorian implements a structured testing methodology to make the mobile application assessment as efficient as possible.

What You Get

Upon completion of the assessment Praetorian shall provide a single electronic report deliverable. The report will provide an analysis of the current state of the assessed security controls. The analysis will identify areas that need to be resolved in order to achieve an adequate level of security. The detailed contents of the deliverable are described below.

The report deliverable will include the following high level sections in a format suitable for management:

  1. Purpose of the engagement, including the project's scope and approach
  2. Positive security controls that were identified
  3. Tactical resolutions to immediately reduce risk in the environment
  4. Strategic recommendations for preventing similar issues from recurring
  5. An industry comparison based on consultancy experience and results from similar previous engagements

The report deliverable will also include the following in-depth analysis for technical staff, so that they understand the underlying risks and the recommended fixes:

  1. A technical description and classification of each vulnerability
  2. Anatomy of exploitation including steps taken and proof in the form of screenshots
  3. Business or technical risk inherent in the vulnerability
  4. Vulnerability classification that describes the risk level as a function of vulnerability impact and ease of exploitation
  5. Technical description of how to mitigate the vulnerability

Success Story: Mobile iOS Application Security Assessment

A leading provider of investment management software, financial services, and outsourcing services contracted Praetorian to assess the security of its cloud-based platform and mobile application for iPhone and iPad. Our mobile application assessment team evaluated the client's system and found that it was composed of a mobile application with a simple user interface and a backend server that routed real-time financial data to its users. Empowered by extensive experience in mobile security research, Praetorian's assessment team knew that traditional application assessment methodologies would have failed because the client used a secure, persistent communication channel between the server and the client.

Praetorian's assessment team reverse engineered the iOS mobile application in order to better understand the interactions between the application layer and the server. Vulnerabilities within the application layer were identified and used by our team to bypass the existing security controls. After circumventing the mobile security controls, the team developed a considerable understanding of the application's inner workings. The mobile assessment team then demonstrated how a malicious user could modify the iOS application and use it as an attack platform against the backend server. The testing yielded several key security vulnerabilities on the server, including one that would have resulted in a denial of service for users attempting to authenticate with the application.


Frequently Asked Questions

  1. How much does a mobile application penetration test cost? The cost depends on the size and complexity of the application and the level of rigor with which testing is to be performed. This is determined through pre-sale client discussions and scoping questionnaires. The price of an engagement will be delivered as a fixed-bid quote.

  2. How are size and complexity determined? Size and complexity are determined through a number of standard metrics such as the number of lines of code in the mobile application itself, the number of remote web service APIs that the mobile app communicates with, and/or the number of user roles. In addition, the complexity of the underlying technologies is examined to determine the level of effort.

  3. What mobile platforms do you currently offer security testing services for? Our expertise and focus are on Android and iOS. We currently have no plans to offer security testing services for BlackBerry OS or Windows Mobile/Phone.
