
Understanding Mobile Application Penetration Testing Methodologies

Mobile application penetration testing helps identify gaps in an app's security and prevent attacks. Read this blog to learn more about app pentesting methodologies.
  • Posted on: Jun 17, 2021
  • By Abhinav Vasisth
  • Read time 5 Mins Read
  • Last updated on: Sep 10, 2024

Mobile application penetration testing methodology analyzes the security perimeter of a mobile environment. It is derived from the traditional application security testing methodology but focuses on client-side security, because on a mobile device the application, and much of the data it handles, sits on hardware that the end user controls.


Conducting a penetration test before release gives a company insight into the vulnerabilities, weak points, and attack vectors in its code. Once the shortcomings are known, developers can implement fixes to plug these gaps and change the design to address the underlying issues.

What is mobile application penetration testing?

Mobile application penetration testing ensures an application is thoroughly tested to reduce its exposure to attack. By analyzing the application's client, its back-end components, and its security controls, a mobile app penetration test finds the critical areas where security needs to be strengthened.

In simple terms, penetration testing identifies security loopholes in an application, or weak routes through its security posture, before an attacker does. Because pen testing detects the security flaws in an application, it can also be used to verify that security policies are actually enforced.

Types of penetration testing

Penetration testing has become a valuable methodology for companies and organizations to generate useful insights into their software and hardware systems. Through these tests, systems are subjected to planned attacks that expose inherent security flaws, which can then be addressed as part of the development plan.

Here are some of the various types of penetration testing that are most commonly used by organizations these days:

1)   Web application penetration testing

As per Verizon's 2020 Data Breach Investigations Report, web applications were involved in 43% of the breaches analyzed in 2019, roughly double the previous year's share.

Web application penetration testing checks web-based applications for vulnerabilities and security gaps: the server-side code, the APIs it exposes, and the authentication, session-management, and input-handling logic behind them. Browser components such as ActiveX, Silverlight, plugins, applets, and scriptlets are client-side software and belong under client-side testing (below), although a web test may examine how the application relies on them. Such tests are quite detailed and targeted toward specific components.

2)   Network service/infrastructure penetration testing

Network penetration testing helps identify weaknesses within the network infrastructure, which can be on-premises or in the cloud. This is a crucial test to ensure the safety and security of business-critical data. Network service penetration testing often includes the following checks:

  •       Insecure configurations
  •       Encryption vulnerabilities
  •       Missing security patches

The testing is further divided into external and internal testing, carried out depending on the threat scenario in question.

3)   Client-side penetration testing

As the name suggests, client-side penetration testing is conducted solely to discover vulnerabilities in client-side applications. Examples include PuTTY, web browsers, email clients, and Adobe (formerly Macromedia) Flash.

4)    Wireless penetration testing

Wireless penetration testing examines and tests the connections between different devices connected to the corporate Wi-Fi network. These devices can include laptops, smartphones, tablets, and Internet of Things devices. Such tests are performed onsite, as the pentester needs to be in the Wi-Fi signal range for testing purposes.

5)   Social engineering penetration testing

Social engineering testing covers attempts to trick end users into revealing sensitive information, such as usernames and passwords, the way a malicious actor would. Some common attacks include, but are not limited to, the following:

  •       Phishing
  •       Vishing
  •       Smishing
  •       Impersonation
  •       Pretexting

6)  Physical penetration testing

During this type of test, a real-world threat is simulated to probe the physical barriers around a business's infrastructure, systems, and employees. If an attacker can gain physical access to a server room, the impact on the business, its customers, and its working relationships can be severe.

Mobile application pen testing methodologies stages

Broadly speaking, a mobile application penetration testing methodology consists of the following stages:

1) Discovery
2) Assessment and analysis
3) Exploitation
4) Reporting

1) Discovery

The discovery process gathers the information that the later phases build on. The data collected is the basis for the vulnerability checks that follow, so its quality can make or break the pentest.

The discovery process encompasses the following steps:

Open-source intelligence

Commonly known as OSINT, the pentester searches the Internet for information about the application. Such information can be found on search engines, social networking sites, source code repositories, developer forums, and even the Dark Web.

Understand the architecture

The pentester needs to understand the architecture and develop a threat model for the application and platform. Ideally, the tester also considers the company behind the application, its business case, and its stakeholders, complemented by the relevant internal structures and processes.

Client-side vs. server-side scenarios

While testing the cases, the pentester needs to identify the type of app, which could be native, hybrid, or web. Other considerations include the app's network interfaces, session management, root/jailbreak detection, and handling of user data.

2) Analysis/Assessment 

The analysis and assessment process is unique as the pentester needs to analyze the application before and after installation. Some assessment techniques included are as follows:

Static analysis

Static analysis examines the application without running it. Ideally it uses the original source code; where that is not available, it works from the decompiled code and the accompanying resource and configuration files.

Archive analysis

Android (APK) and iOS (IPA) installation packages, both of which are ZIP archives, are extracted and thoroughly examined to review their manifest, configuration files, and bundled resources.

Reverse engineering

Compiled binaries (DEX bytecode on Android, Mach-O executables on iOS) are decompiled or disassembled into readable code. The pentester then analyzes the output to understand the application's functionality and hunt for vulnerabilities.

Local file analysis

As soon as the app is installed, a private directory is created for it in the filesystem, and the application reads and writes there while it runs (shared preferences, databases, caches). These files are examined during testing for sensitive data stored in plaintext or with permissions that let other apps read them.
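The checks just described are easy to script. The following Python script is an added example for this article, not the author's own tooling. It assumes the app's private directory has already been pulled from a rooted device or emulator (for instance with `adb pull /data/data/<package>`, where `<package>` stands for the app's package name) to a local folder, and it builds a constructed stand-in for that folder so it runs offline. It flags SharedPreferences entries whose key names suggest a secret, SQLite databases stored without encryption (no SQLCipher header), and files whose mode bits make them readable or writable by other users.

```python
"""Audit a pulled Android app data directory for insecure local storage."""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Preference keys that usually hold credentials or session material.
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|api[_-]?key|session|auth", re.I)
# First 16 bytes of every SQLite 3 database file.
SQLITE_MAGIC = b"SQLite format 3\x00"


def scan_app_dir(root):
    """Walk an app's private directory and return (severity, path, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # Files in the app sandbox should be private to the app's UID.
            # Anything readable or writable by "other" can be reached by a
            # local shell and, on older Android versions, by any other app.
            if mode & stat.S_IROTH:
                findings.append(("high", rel, "world-readable (mode %o)" % mode))
            if mode & stat.S_IWOTH:
                findings.append(("high", rel, "world-writable (mode %o)" % mode))
            if os.path.basename(dirpath) == "shared_prefs" and name.endswith(".xml"):
                findings.extend(_scan_prefs(path, rel))
                continue
            with open(path, "rb") as fh:
                head = fh.read(len(SQLITE_MAGIC))
            if head == SQLITE_MAGIC:
                # Plain SQLite header: no SQLCipher or other encryption wrapper,
                # so the data is readable by anyone who obtains the file.
                findings.append(("medium", rel, "unencrypted SQLite database"))
    return findings


def _scan_prefs(path, rel):
    """Flag SharedPreferences entries whose key looks like a secret."""
    out = []
    for node in ET.parse(path).getroot():
        key = node.get("name", "")
        # <string> keeps its value as text; <boolean>/<int>/<long> use value="".
        value = node.text if node.tag == "string" else node.get("value")
        if SENSITIVE_KEY.search(key) and value:
            out.append(("high", rel, "plaintext value for key %r" % key))
    return out


def build_sample_dir():
    """Constructed sandbox resembling /data/data/com.example.app (not a real app)."""
    root = tempfile.mkdtemp(prefix="com.example.app-")
    prefs = os.path.join(root, "shared_prefs")
    dbs = os.path.join(root, "databases")
    os.makedirs(prefs)
    os.makedirs(dbs)
    prefs_file = os.path.join(prefs, "session.xml")
    with open(prefs_file, "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                 '  <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.constructed.sample</string>\n'
                 '  <boolean name="remember_me" value="true" />\n'
                 '  <string name="theme">dark</string>\n</map>\n')
    os.chmod(prefs_file, 0o600)                # correctly private
    db_file = os.path.join(dbs, "accounts.db")
    with open(db_file, "wb") as fh:
        fh.write(SQLITE_MAGIC + b"\x00" * 84)  # 100-byte SQLite header, no SQLCipher
    os.chmod(db_file, 0o666)                   # mistakenly world-readable/writable
    return root


def demo():
    """Build the constructed sandbox and audit it."""
    return scan_app_dir(build_sample_dir())


if __name__ == "__main__":
    for severity, rel, detail in demo():
        print(f"[{severity}] {rel}: {detail}")
```

Against a real pull, point `scan_app_dir` at the copied directory instead of `build_sample_dir()`. The key-name heuristic is deliberately broad; a hit means "read this value and decide", not "confirmed secret".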

Dynamic analysis

This analysis is performed while the application is still running. It includes forensic analysis of the file systems while monitoring the traffic between the application and server.

Network and web traffic

The tester configures the device (or an emulator) to route its traffic through an intercepting proxy under the tester's control and installs the proxy's CA certificate on the device so that TLS connections can be inspected; an app that pins its server certificate will reject the proxy's certificate, and the pinning has to be bypassed first. The network traffic, especially the transmission between the application and the server, is then intercepted and analyzed.
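As an added example (not code from the original post), the Python script below triages a capture exported from an intercepting proxy in HAR format, which Burp Suite, mitmproxy, and OWASP ZAP can all produce. It assumes the device was already routed through the proxy with the proxy's CA certificate trusted; the three captured requests are constructed inline (the hosts and values are invented) so it runs offline. It inventories every host the app contacted, which surfaces unexpected third-party endpoints, and flags cleartext HTTP, credentials passed in query strings, and authentication headers sent without TLS.

```python
"""Triage an intercepting-proxy capture (HAR export) of a mobile app's traffic."""
import json
from urllib.parse import parse_qsl, urlsplit

# Parameter names that must never be sent in a URL: they end up in proxy,
# CDN and server logs and in the device's own HTTP caches.
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "token", "access_token",
                     "api_key", "apikey", "session", "sessionid", "secret"}
# Request headers that carry bearer credentials.
AUTH_HEADERS = {"authorization", "cookie", "x-api-key"}


def triage_har(har_text):
    """Return (findings, hosts) for a HAR document.

    findings: list of (severity, url, detail)
    hosts:    sorted list of every host the app talked to, for reviewing
              third-party endpoints the tester did not expect.
    """
    findings, hosts = [], set()
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        url = req["url"]
        parts = urlsplit(url)
        hosts.add(parts.hostname or "")
        headers = {h["name"].lower() for h in req.get("headers", [])}
        cleartext = parts.scheme == "http"
        if cleartext:
            findings.append(("high", url, "cleartext HTTP request"))
        leaked = sorted({k for k, _v in parse_qsl(parts.query)
                         if k.lower() in CREDENTIAL_PARAMS})
        if leaked:
            findings.append(("high", url,
                             "credential in query string: " + ", ".join(leaked)))
        for name in sorted(AUTH_HEADERS.intersection(headers)):
            if cleartext:
                findings.append(("critical", url, f"{name} header sent over cleartext"))
    return findings, sorted(hosts)


# Constructed capture of three requests; not from any real application.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "POST",
                 "url": "http://api.example.test/v1/login?user=alice&password=hunter2",
                 "headers": [{"name": "Cookie", "value": "sid=abc123"}]},
     "response": {"status": 200, "headers": []}},
    {"request": {"method": "GET",
                 "url": "https://api.example.test/v1/profile",
                 "headers": [{"name": "Authorization", "value": "Bearer eyJ.constructed.sample"}]},
     "response": {"status": 200, "headers": []}},
    {"request": {"method": "GET",
                 "url": "https://analytics.thirdparty.test/collect?token=t0k3n&ev=open",
                 "headers": []},
     "response": {"status": 204, "headers": []}},
]}})


def demo():
    """Run the triage over the constructed capture."""
    return triage_har(SAMPLE_HAR)


if __name__ == "__main__":
    findings, hosts = demo()
    print("hosts contacted:", ", ".join(hosts))
    for severity, url, detail in findings:
        print(f"[{severity}] {url}\n    {detail}")
```

For a real capture, read the exported `.har` file and pass its text to `triage_har`. The host inventory is often the most useful output: an analytics or crash-reporting host the development team did not mention is exactly the "third-party resource" the discovery phase asks about.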

Interprocess endpoint analysis

Android apps expose the following IPC endpoints, each of which needs to be analyzed:

a) Intents: messages used to send requests and data between components, within one app or across apps.
b) Activities: the screens/pages within an application.
c) Content providers: components that expose structured data, typically a database, to other components and, when exported, to other apps.
d) Services: components that run in the background and continue to perform tasks regardless of whether the main application is in the foreground.
e) Broadcast receivers: components that respond to broadcast intents sent by the system or by other applications.

Whether a component is reachable from other apps depends on its android:exported attribute in the manifest. Before Android 12, a component that declares an intent filter without an explicit value is exported by default, which is a frequent source of unintentionally reachable endpoints.

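The archive analysis step above and this list of IPC endpoints meet in the manifest, which is where android:exported, intent filters, and component permissions are declared. The Python script below is an added example, not the author's tooling. It assumes the APK has been unpacked with `apktool d app.apk`, which converts the binary AXML manifest back into plain XML (the manifest inside a raw APK cannot be read with an ordinary XML parser), and the manifest it reads is constructed inline. It reports the application-level flags a tester checks first (debuggable, allowBackup, usesCleartextTraffic) and every component reachable from other apps, with the reason it is exported and whether a permission gates it, applying the pre-Android 12 rule that an intent filter implies exported when the attribute is absent.

```python
"""Audit an apktool-decoded AndroidManifest.xml for risky settings and exported IPC endpoints."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(node, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return node.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(manifest_xml):
    """Return (flags, components).

    flags:      application-level settings a tester checks first.
    components: every component another app can reach via IPC, with the
                reason it is exported and any permission gating it.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    uses_sdk = root.find("uses-sdk")
    target = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    cleartext = _attr(app, "usesCleartextTraffic")
    flags = {
        "debuggable": _attr(app, "debuggable") == "true",
        # allowBackup defaults to true, so only an explicit "false" disables it.
        "allowBackup": _attr(app, "allowBackup") != "false",
        # Cleartext is permitted by default below API 28 when the attribute is
        # absent; a network security config could override this (not parsed here).
        "usesCleartextTraffic": cleartext == "true" or (cleartext is None and target < 28),
    }

    components = []
    for tag in COMPONENT_TAGS:
        for comp in app.iter(tag):
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported == "true":
                reason = 'android:exported="true"'
            elif exported is None and has_filter:
                # Pre-Android 12 default: an intent filter implies exported.
                reason = "implicitly exported by intent-filter"
            elif exported is None and tag == "provider" and target < 17:
                reason = "provider exported by default below API 17"
            else:
                continue
            components.append({
                "kind": tag,
                "name": _attr(comp, "name"),
                "reason": reason,
                "permission": _attr(comp, "permission"),
                "actions": [_attr(a, "name") for a in comp.iter("action")],
            })
    return flags, components


# Constructed manifest in apktool's decoded form; not from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="exampleapp" android:host="pay"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.app.notes"
              android:exported="true"/>
  </application>
</manifest>
"""


def demo():
    """Audit the constructed manifest."""
    return audit_manifest(SAMPLE_MANIFEST)


if __name__ == "__main__":
    flags, components = demo()
    print("application flags:", flags)
    for c in components:
        gate = c["permission"] or "no permission"
        print(f"{c['kind']:<9} {c['name']:<18} {c['reason']} ({gate}) actions={c['actions']}")
```

In the constructed manifest, `.DeepLinkActivity` is the interesting case: nobody wrote `android:exported`, yet its VIEW intent filter makes it reachable by any app that fires a matching intent, while `.NotesProvider` is exported with no permission at all. Each reported component is a candidate for the exploitation stage, where the tester crafts the intent or content URI and checks what the component does with attacker-controlled input.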
3) Exploitation

The exploitation stage is probably the most crucial step of the penetration test. Here the pentester attempts to actually use each weakness found during assessment and to demonstrate its impact, which is what separates a confirmed vulnerability from a theoretical one and makes the difference between a successful and an unsuccessful test.

The groundwork laid during discovery drives this stage:

  • Open-source intelligence (OSINT)
    The publicly available information gathered earlier, from search engines, social networks, developer boards, and the dark web, often supplies the endpoints, credentials, or leaked code that turn a suspected weakness into a practical exploit.
  • Architecture understanding
    The threat model built from the application architecture, its stakeholders, and its intended usage tells the tester which attack paths matter to the business and therefore which findings are worth exploiting first.
  • Client- and server-side situations
    Knowing whether the app is native, hybrid, or web, how it talks to the server and to third-party resources, how it manages sessions and user data, and whether it performs root detection determines which exploitation techniques apply.


4) Reporting

  • Report preparation
    The final stage of mobile application penetration testing is reporting the findings, usually as a technical report plus an executive-level summary. The executive summary gives a high-level view of the findings and is intended for management review. The technical report covers each identified vulnerability, with the steps needed to reproduce it, its risk rating, and the recommended remediation.
  • Presentation
    The final documents are presented to the client. During this phase, the client's questions and any suggested corrections or updates are addressed, the documentation is revised accordingly, and the final version is handed over for review. Once remediation is complete, the pentester retests to validate the fixes. A consistent presentation template helps keep this process efficient and clear.

Conclusion

The mobile application penetration testing methodology described here is vendor-neutral, which supports transparency and makes tests repeatable. It is a holistic approach that can be adapted to the security needs of different mobile applications.

Each stage, from intelligence gathering through assessment and exploitation to transparent reporting, builds on the previous one to produce a more thorough penetration test.