Mobile Application Scoping

Mobile application penetration testing is a crucial process to identify and address security vulnerabilities within mobile applications. The assessment aims to identify any vulnerabilities that can be exploited to attack the application, bypass controls, or extract sensitive data.

The consultants will use proven non-invasive testing techniques during the assessment to identify any weaknesses quickly. The application is viewed and manipulated from several perspectives, including with no credentials, user credentials, and privileged user credentials.

Cyber Alchemy’s mobile application testing methodology covers the OWASP Top Ten standard, representing a broad consensus about the most critical security risks to mobile applications. The OWASP Top Ten for 2023 is as follows:

• • M1: Improper Credential Usage
  • M2: Inadequate Supply Chain Security
  • M3: Insecure Authentication/Authorisation
  • M4: Insufficient Input/Output Validation
  • M5: Insecure Communication
  • M6: Inadequate Privacy Controls
  • M7: Insufficient Binary Protections
  • M8: Security Misconfiguration
  • M9: Insecure Data Storage
  • M10: Insufficient Cryptography

Methodology

The first step of the engagement is to set primary contacts on both sides, define the testing objectives and set the context. From this, a bespoke approach can be crafted to extract the maximum amount of value from the engagement. Once this has been done, Cyber Alchemy will begin the assessment, covering the following OWASP Mobile Application Security Guide categories. Examples of the type of testing and its objectives are given for each category. Specific testing will depend on the type of mobile application and the testing objectives.

Static Analysis:

• • Perform a static analysis of the application’s source code to identify vulnerabilities, insecure practices, and hardcoded secrets.

Dynamic Analysis:

• • Actively interact with the mobile application to identify runtime vulnerabilities.
  • Examine data flow between components and identify potential security weaknesses.

Authentication Testing:

• • Assess how the application manages user authentication and session tokens.
  • Evaluate the effectiveness of MFA, if implemented.

Authorisation Testing:

• • Test the application’s authorisation mechanisms to ensure proper access controls.
  • Check for vulnerabilities that could lead to unauthorised access.

Data Validation Testing:

• • Test input fields for proper validation to prevent injection attacks.
  • Verify the accuracy and integrity of data handled by the application.

Session Management Testing:

• • Evaluate the security of session management, including session fixation and session hijacking.
  • Assess the effectiveness of the logout process.

Network Communication Testing:

• • Examine how data is transmitted over networks, focusing on encryption protocols and secure channels.
  • Test for vulnerabilities that could lead to Adversary in the Middle (AitM) attacks.
  • Test for the lack of certificate pinning.

API Security Testing:

• • Test the security of APIs used by the mobile application.
  • Check for sensitive data exposure through APIs.

File System Testing:

• • Assess how sensitive data is stored on the device.
  • Check for vulnerabilities related to file access and manipulation.

Reverse Engineering:

• • Use reverse engineering techniques to analyse the application’s logic and uncover potential security flaws.
  • Test for the resilience of the application against tampering.

Device Security:

• • Test the application’s ability to detect rooted or jailbroken devices.
  • Assess how cryptographic keys and secrets are stored on the device.

Offline Testing:

• • Evaluate how the application handles sensitive data when offline.
  • Test the security of authentication mechanisms when the device is not connected to the internet.