Call us: +44 (0)1273 454525  |  Email: info@firstbase.co.uk

Mobile Application Penetration Testing & Security Reviews

Why Mobile Application Penetration Testing?

The application will be tested using a layered approach:

  • Application functionality
  • Interaction with the device operating system
  • Interaction with remote services, such as web services and social media

We manually verify every identified vulnerability to remove false positives, and where it is safe to do so we exploit confirmed vulnerabilities to demonstrate the real risk and impact of an attack.

Where appropriate, we will address application specific questions directly to the developers.

Our technical approach focuses on the following key areas:

  • Information Gathering: determine application functionality and workflow, analyse network traffic, check that secure protocols are used, map interaction with other applications, services or data and any other APIs in use, crawl exposed web resources
  • Application Analysis: application permissions and resources, errors in configuration files, examination of libraries (both platform and third party) for security weaknesses, checks for rooted and jailbroken devices, dynamically loaded files and libraries, hard-coded secrets, entry points for untrusted data, access controls, validation and sanitisation
  • Authentication: user impersonation via parameter tampering, replay attacks and brute-force attacks, alternative means of authentication (visual swipe or touch passwords), single sign-on functionality, use of SMS and push notifications
  • Session Management: session time-outs (locally and server-side), sensitive information flushed from memory on session expiration
  • Authorisation: permissions for files created at runtime, privilege escalation, role-specific functionality, flags or values taken from untrusted sources, path traversal, licensing security
  • Data Storage: encryption security, storage outside sandboxed locations, sensitive information written to the file system, sensitive information written via platform-exposed APIs (e.g. contacts)
  • Transport Layer Protection: certificate pinning, certificate validation, encryption of traffic crossing each interface
  • Information Disclosure: logging of sensitive information to shared logs, sensitive data leakage in crash logs, third-party libraries and APIs disclosing sensitive data, permissions required
  • Client-Side Injection: potential data injection attack vectors
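Several of the checks above (debuggable builds, hard-coded secrets, cleartext traffic, weakened certificate validation, sensitive values logged to logcat, writes outside the sandbox) can be triaged statically once an Android package has been decoded. The script below is an added illustration of that triage and is not FirstBase's own tooling; the manifest, strings.xml, Java fragment and network_security_config.xml it scans are constructed samples, and the rule list is a starting point rather than a complete checklist. Every hit still needs the manual verification described above.

```python
"""Static triage of decoded Android app artefacts against a mobile pentest checklist.

Added example, not the tester's or any vendor's tooling. All inputs below are
constructed samples, not files from a real application.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    area: str      # checklist area the finding maps to
    check: str     # short name of the check that fired
    evidence: str  # file:line and the matching text, for the report


# (area, check, pattern, file name the rule applies to, or None for any file)
RULES = [
    ("Application Analysis", "debuggable build",
     re.compile(r'android:debuggable="true"'), "AndroidManifest.xml"),
    ("Data Storage", "backup of app data allowed",
     re.compile(r'android:allowBackup="true"'), "AndroidManifest.xml"),
    ("Transport Layer Protection", "cleartext traffic permitted",
     re.compile(r'(usesCleartextTraffic|cleartextTrafficPermitted)="true"'), None),
    ("Transport Layer Protection", "user-installed CAs trusted",
     re.compile(r'<certificates\s+src="user"'), "network_security_config.xml"),
    # xmlns URIs (schemas.android.com) are namespace identifiers, not endpoints
    ("Transport Layer Protection", "plain http:// endpoint",
     re.compile(r'\bhttp://(?!schemas\.android\.com)[^\s"<]+'), None),
    ("Application Analysis", "hard-coded AWS access key",
     re.compile(r'\bAKIA[0-9A-Z]{16}\b'), None),
    ("Information Disclosure", "sensitive value written to logcat",
     re.compile(r'Log\.[dviwe]\(.*\b(token|password|secret|pin)\b', re.IGNORECASE), None),
    ("Data Storage", "write outside the app sandbox (external storage)",
     re.compile(r'getExternalStorage(Public)?Directory\('), None),
]

# Constructed sample artefacts, as they would look after decoding a package.
SAMPLE = {
    "AndroidManifest.xml": """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true"
               android:usesCleartextTraffic="true"
               android:allowBackup="true">
  </application>
</manifest>
""",
    "res/values/strings.xml": """<resources>
    <string name="app_name">Demo</string>
    <string name="api_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="backend">http://api.example.com/v1</string>
</resources>
""",
    "LoginActivity.java": """
Log.d("Auth", "token=" + session.getToken());
File f = new File(Environment.getExternalStorageDirectory(), "user.db");
""",
    "network_security_config.xml": """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="user"/></trust-anchors>
  </base-config>
</network-security-config>
""",
}


def scan(artefacts: dict) -> list:
    """Run every applicable rule over every line of every artefact."""
    findings = []
    for name, text in artefacts.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for area, check, pattern, only_in in RULES:
                if only_in and not name.endswith(only_in):
                    continue
                if pattern.search(line):
                    findings.append(Finding(area, check, f"{name}:{lineno}: {line.strip()}"))
    return findings


def summarise(findings: list) -> dict:
    """Count findings per checklist area, for the report's overview table."""
    counts = {}
    for f in findings:
        counts[f.area] = counts.get(f.area, 0) + 1
    return counts


def scan_sample() -> list:
    return scan(SAMPLE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f.area}] {f.check}\n    {f.evidence}")
```

Rules scoped to a file name (the manifest and the network security config) avoid false positives from strings that only matter in those files; the rest run over every artefact, including decompiled source.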

Contact us for more information

Call us on +44 (0)1273 454525 or use our enquiry form