As mobile applications continue to gain relevance, it is increasingly important to security test them so that vulnerabilities and weaknesses are identified and addressed before attackers can exploit them, with the potential for data breaches, loss of sensitive information, financial loss and reputational damage.

Flaws in mobile applications can allow attackers to compromise devices and sensitive or confidential customer or third-party information, and even to use the devices as gateways to sensitive internal corporate resources. It is increasingly important to ensure that any applications used by the company are well coded and do not ship with vulnerabilities.

A mobile penetration test can help to uncover vulnerabilities such as insecure data storage, weak authentication and authorisation mechanisms, insecure communications, and other security issues that could be exploited by attackers. By identifying and fixing these vulnerabilities, mobile applications can be made more secure and better able to protect users’ sensitive information.

Our testing approach

Our mobile application testing methodology is in line with the OWASP Mobile Application Security project, which provides guidelines for mobile application assessments via the OWASP Mobile Application Security Verification Standard (MASVS) and the OWASP Mobile Application Security Testing Guide (MASTG).

The areas of mobile application testing should include:

  • Authentication and session management
  • Network communications
  • Code inspection
  • WebView implementation
  • Tampering and reverse engineering
  • Cryptography implementation
  • Application configuration
  • Data storage analysis

Common vulnerabilities can include:

  • Biometric authentication bypass
  • Sensitive information in application bundles
  • Insecure data storage
  • Improper user session handling
  • Access control bypass
  • Hardcoded cryptographic keys
  • Weak authentication mechanism
  • Insecure exported activity
  • Sensitive information written to device logs

Reporting

All the vulnerabilities found during testing are explained in detail in a report document, which contains risk ratings for every issue discovered. Recommendations for resolving or mitigating the identified issues are provided, and suggestions are made to harden the application’s overall security. The report contains a business risk summary to ensure that the most significant issues are conveyed to the relevant parties.

Example attacks from previous engagements

To provide examples of potential attacks, some vulnerabilities exploited in previous tests are described below:

A mobile application had hardcoded details of a cloud service which provided identity and access management. These details included identification keys, which were uncovered by decompiling the application binary. Once acquired, these keys were used to generate temporary access keys which allowed access to part of the client’s cloud infrastructure, including databases and storage buckets. This was also made possible due to misconfigurations on their cloud infrastructure, which allowed the creation of temporary access keys.
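The hardcoded-credential finding above is confirmed by decompiling the binary and searching the recovered strings, and the same check belongs in a release pipeline so the keys never ship. The following is an added example, not tooling from this page or from Pen Test Partners, of that defensive check: a scanner over strings recovered from a decompiled bundle that applies two rules, a known key-id prefix rule and a rule for a credential-looking name assigned a high-entropy value. The page does not name the cloud provider involved; the two prefix formats (AWS access key IDs and Google API keys) are assumptions used only to show how the prefix rule works, and the sample strings are constructed, using the AWS documentation placeholder credentials rather than any live key.

```python
"""Scan strings recovered from a decompiled app bundle for credential-like values.

Added illustration, not tooling from the page. Two rules:
  1. known key-id prefixes (provider formats assumed; the page names none);
  2. a credential-looking name assigned a high-entropy value.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Rule 1 patterns. Assumed provider formats, chosen only to show how a
# prefix rule works; extend with the formats of the provider you actually use.
KNOWN_PREFIX_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}

# Rule 2: names secrets are commonly assigned to, and the shape of a key value.
CREDENTIAL_KEYWORDS = re.compile(
    r"secret|api[_-]?key|access[_-]?key|token|password|passwd", re.IGNORECASE
)
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits/char; random keys score well above, words below


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    token: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty or uniform)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_lines(lines) -> list:
    """Return a Finding for every match of rule 1 or rule 2, in line order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, pattern in KNOWN_PREFIX_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, rule, m.group(0)))
        keyword = CREDENTIAL_KEYWORDS.search(line)
        if keyword:
            # Only score tokens *after* the name, so the name itself
            # (e.g. "aws_secret_access_key") is never treated as a value.
            for m in TOKEN_RE.finditer(line, keyword.end()):
                token = m.group(0)
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(line_no, "high-entropy-secret", token))
    return findings


# Constructed sample: the kind of lines `strings` or a decompiler's string
# table yields. The two key-shaped values are the AWS documentation
# placeholders, not live credentials.
SAMPLE_STRINGS = [
    "com.example.app.MainActivity",
    "https://api.example.test/v1/login",
    "AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "api_key=aaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "ApplicationConstantsDefaultTimeoutMillis",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_STRINGS):
        print(f"line {f.line_no}: {f.rule}: {f.token}")
```

Run over the sample, the scanner flags the key-id literal under the prefix rule and the secret assigned to `aws_secret_access_key` under the entropy rule, while the low-entropy `api_key` value and the long camel-case identifier pass. The entropy rule is a heuristic; tying it to a credential-looking name is what keeps ordinary identifiers and URLs from flooding the results.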

Poorly implemented biometric verification can often allow an application’s local authentication to be bypassed. With access to the device, it was possible to circumvent the application’s biometric login and access sensitive user data.

Like web applications, mobile applications communicate with the application server and its backend over HTTP or newer protocols such as QUIC, and vulnerabilities are often found in these interactions with the server’s API. One example was a mobile payment system that was tricked into accepting a payment of a certain value and crediting the user’s account with more than was actually paid. The attack used interception techniques to modify the request’s parameters in transit.
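The payment tampering described above works because the server credits an amount asserted by the app, and an intercepting proxy can rewrite that field. As an added example, not code from this page or from the client concerned, the Python below contrasts a handler that credits the client-supplied amount with one that ignores it, credits only what the payment processor settled for the referenced order, and refuses replays of the same payment. The order catalogue, processor records and identifiers are constructed placeholders standing in for the server’s real records.

```python
"""Server-side handling of a mobile client's "payment completed" request.

Added illustration, not the page's code. Contrasts a handler that credits the
client-supplied amount with one that reconciles against server-held records,
so a request whose parameters were altered in transit cannot inflate a credit.
"""
from dataclasses import dataclass


class PaymentError(Exception):
    """Raised when a payment cannot be reconciled; nothing is credited."""


@dataclass
class Account:
    balance_cents: int = 0


# Constructed server-side state. In a real deployment the settled amount comes
# from the payment processor (its API or a signed webhook), never from the app.
ORDER_PRICES_CENTS = {"order-1001": 2500}
PROCESSOR_SETTLED_CENTS = {"pay-abc": ("order-1001", 2500)}


def credit_vulnerable(account: Account, request: dict) -> int:
    """Trusts the amount the client asserts. A tampered request that reports
    250000 for a 2500 payment is credited as 250000."""
    account.balance_cents += int(request["amount_cents"])
    return account.balance_cents


def credit_hardened(account: Account, request: dict, consumed_payments: set) -> int:
    """Credits only what the processor settled for the referenced order.

    The client-supplied amount_cents is never read. consumed_payments records
    payment ids already credited so a replayed request cannot credit twice.
    """
    order_id = request.get("order_id")
    payment_id = request.get("payment_id")
    if order_id not in ORDER_PRICES_CENTS:
        raise PaymentError("unknown order")
    settled = PROCESSOR_SETTLED_CENTS.get(payment_id)
    if settled is None:
        raise PaymentError("payment not confirmed by processor")
    settled_order, settled_cents = settled
    if settled_order != order_id:
        raise PaymentError("payment does not belong to this order")
    if settled_cents != ORDER_PRICES_CENTS[order_id]:
        raise PaymentError("settled amount does not match order price")
    if payment_id in consumed_payments:
        raise PaymentError("payment already credited")
    consumed_payments.add(payment_id)
    account.balance_cents += settled_cents
    return account.balance_cents


def demo() -> dict:
    """Send one tampered request (amount inflated 100x) to both handlers,
    then replay it against the hardened one."""
    tampered = {"order_id": "order-1001", "payment_id": "pay-abc",
                "amount_cents": 250000}  # constructed; the real price is 2500
    vulnerable_balance = credit_vulnerable(Account(), tampered)
    account, consumed = Account(), set()
    hardened_balance = credit_hardened(account, tampered, consumed)
    try:
        credit_hardened(account, tampered, consumed)
        replay = "accepted"
    except PaymentError as exc:
        replay = str(exc)
    return {"vulnerable": vulnerable_balance, "hardened": hardened_balance,
            "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The hardened handler treats every value in the request as untrusted input and uses the request only to look up server-side facts: the order’s price and what the processor actually settled. Checking that the settled payment belongs to this order, and recording consumed payment ids, closes the two obvious follow-on abuses of redirecting one payment to another order and replaying a genuine payment for a second credit.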
