
Mobile Application Penetration Testing

Applying deep technical expertise in iOS and Android security to fortify your mobile applications.

Applying Wilbourne's bespoke mobile application penetration testing methodology to identify security vulnerabilities in your solutions.

Wilbourne's methodology is enriched by OWASP's Mobile Security Project, our proprietary research, and in-house mobile security testing tooling.

Similar to a web application penetration test, we will intercept traffic from the application and hunt for weaknesses in both the technical implementation and the business logic.

Wilbourne's mobile application penetration testers will apply critical thinking to manoeuvre the application logic in a manner in which automated scanning tools are limited. The intricacies of these more developed test cases reflect the attacks with which more sophisticated threat actors will target your mobile application.

Nuances of Testing Mobile Applications Compared to Web Applications 

Most modern mobile applications are the front-end for an underlying API. The API is typically responsible for the majority of the application's business logic, and often has a web application counterpart. For this reason, many organisations will commission a web application penetration test which covers the API but discounts the mobile application.

We will enrich the penetration test with mobile-specific activities, examples of which are listed below. 

PACKAGE REVIEW

A diligent review of your application source-code and packages to identify components which may expose verbose information or introduce an attack vector.

MEMORY ANALYSIS

By reviewing the memory of your mobile application, sensitive data may be discovered which is unintentionally exposed.

CRYPTOGRAPHIC KEY REVIEW

Insecure handling, management and exposure of encryption keys could lead to a compromise of your users' data.

BIOMETRICS REVIEW

If your application leverages biometric authentication, malicious techniques could be performed on the mobile device to bypass the authentication flow and sign in to a user's account.

LOCAL COMPONENTS REVIEW

Any underlying components of your mobile application, such as a database, supporting files or shared preferences, could expose sensitive information regarding your users or infrastructure.

ELEVATED COVERAGE

Where comprehensive API documentation has not been provided, mobile-specific API endpoints, which may contain vulnerabilities, could be missed by a generic penetration test.

Do you have a highly sensitive mobile application?

Wilbourne has experience partnering with clients to deliver iterative penetration testing and source-code reviews for highly sensitive applications.

The scope of these tests is typically narrow and focuses on specific functionality, such as validating hardened packages, client-side controls and jailbreaking detection capabilities.
