Mobile Pen Testing Vendor Selection: Essential Factors to Assess PTaaS Partners

Mobile penetration testing helps businesses defend against cyberattacks, safeguard data privacy and preserve brand reputation. Best practices call for continuous automated mobile application security testing throughout the software developement lifecycle to gain speed and efficiency. However, organizations should augment automation with manual mobile penetration testing for certain high-risk mobile apps to achieve the greatest coverage. 

In today’s digital landscape, security analysts and developers understand the imperative of ensuring the security and privacy of mobile applications. While organizations can find and fix vulnerabilities faster by taking advantage of automated mobile application security testing tools, it’s not possible to fully automate penetration testing, threat modeling or compliance certification. Mobile penetration testing as a service (PTaaS) can fill the gap. 

Take care to find a qualified PTaaS provider you can trust by evaluating them in three key areas: 

• Tailored & Targeted Testing
• Experience & Expertise
• Consultative Communication & Collaboration

Probing vendors about their PTaaS offerings and how they deliver those services makes it possible to pick the provider that best meets your app portfolio risk profile, budget and testing depth needs.

What Apps Need Mobile Pen Testing?

Automation offers a powerful solution for accelerating the mobile DevSecOps release cycle. But as mentioned above, it cannot test for every scenario. Manually testing certain types of mobile apps provides additional assurance and sometimes regulations require third-party mobile pen testing to maintain compliance. 

Some examples of mobile apps that organizations should manually test include:

• Initial release or major update
• Financial or banking apps
• Healthcare or mHealth apps
• E-commerce apps
• Enterprise apps
• Apps with complex interactions or workflows
• Apps subject to industry regulations
• Apps that require defense in depth and reverse engineering resiliency
• Apps that connect to external devices via Bluetooth Low Energy or USB
• Apps that run on a non-standard platform such as automotive or entertainment systems
• Apps that require advanced scoping

Recurring expert mobile pen testing remains crucial for validating complex user interactions, sensitive data handling and critical functionalities. 

Tailored & Targeted Mobile Pen Testing

One critical question security analysts and developers should ask of their potential mobile PTaaS partner is how they tailor the pen test based on their clients’ needs. All mobile pen tests should follow consistent methodology and repeatable processes based on industry standards such as the OWASP Mobile Application Security Verification Standard (MASVS) and the Common Vulnerability Scoring System (CVSS). What’s more, a mobile pen test must examine the entire mobile attack surface, including code, network, APIs and back end.

But just as mobile apps differ somewhat, so do risk profiles, attack scenarios and the business impact of a breach. One size does not fit all. Look for a vendor that offers a comprehensive choice of mobile pen test services delivered in a PTaaS model.

NowSecure offers several varieties of mobile pen testing services and frequencies. For maximum depth and coverage, choose our full-scope pen test. The fully manual test covers the entire mobile app, including APIs.

For complex mobile apps, NowSecure offers an advanced scope pen test. This provides the same depth and detail as a full-scope test for more nuanced types of applications. For example, the app may have requirements around cellular, Internet of Things (IoT) devices or Bluetooth Low Energy. And for the fastest turnaround, NowSecure Services mobile security experts can conduct a fully manual targeted scope pen test that solely focuses on specific features. The team can even conduct pen tests of open-source or commercial mobile software development kits so developers can be confident the SDKs they build their apps with are safe and secure.

PTaaS providers should also be able to perform specialized testing to demonstrate compliance with certain standards, regulations or initiatives. For example, the NowSecure Services team conducts OWASP MASVS pen testing to assure mobile apps meet the highest security standard in the industry.

NowSecure Platform gives us confidence that the developers practice secure coding and NowSecure Mobile PTaaS gives us the required manual testing for compliance reporting and even more confidence in complete coverage. – Frank Klimczak, Information Security Manager, Genisys Credit Union

And NowSecure offers App Defense Alliance (ADA) Mobile Application Security Assessment validation. NowSecure performs the ADA MASA independent security review and Android apps that pass can showcase an independent  security review badge in the Google Play Data safety section.

Mobile PTaaS Experience & Expertise

Some PTaaS providers crowdsource the work to independent hackers and freelancers, which means customers can never be certain about what they’re going to get. In a crowdsourced model, a pen test company has limited control over the people doing the work. That can lead to inconsistent testing and quality, varied levels of expertise, regulatory considerations and confidentiality and data protection risks if the large pool of testers isn’t thoroughly vetted.

Look to do business with a company that employs a deep bench of mobile experts on staff. Given the importance of mobile AppSec and privacy, you want to work with a knowledgeable, trustworthy team that has decades of collective experience. 

Ask about the track record and experience of the provider in conducting manual mobile application security assessments. Find out how mobile security analysts keep their knowledge current and if they hold advanced degrees, certifications or accreditations. And request client references who can support successful engagements and outcomes. 

As a company dedicated exclusively to mobile application security testing, the NowSecure Services team boasts unmatched expertise and depth of knowledge along with decades of combined experience in the field. The company has conducted more than 11,000 mobile pen tests and over 400 standards-based verifications and certifications to warrant confidence and assurance. 

Consultative Communication & Collaboration

Don’t underestimate the importance of collaboration and communication between you and your PTaaS provider. You should expect guidance and support throughout the entire engagement, beginning with the initial discussion all the way through the remediation process.

At the onset, the mobile pen testers should discuss the scope and methodology as well as how the results will help your organization improve its overall security posture. Rather than take a cookie cutter approach, you want the mobile pen testing expert to perform threat modeling and truly understand your app architecture, sensitive data, confidential intellectual property and how attackers might attempt to exploit your mobile app. 

Look for someone who will consult with your dev and security team and keep you apprised of progress once the test is underway. Accessibility and responsiveness are key qualities that can differentiate one vendor from another. A good partner will communicate any major security or privacy issues encountered in the mobile app as they go. 

Also consider evaluating providers based on the clarity and quality of the PTaaS report provided in the SaaS portal. The report should outline the results with a clear executive summary, offer context around severity and business impact and include visuals to support findings. 

And most important, seek a mobile PTaaS vendor that provides strong post-testing support that includes actionable advice and remediation coaching. Not only should the pen test deliver detailed remediation resources and guidance, but the best partners will offer consulting and coaching to help you through the process and be readily available to field questions. NowSecure Services even conducts retesting at no additional charge after remediation to verify the fixes solve the problem.

Pair Mobile Pen Testing with Automation

As you explore mobile PTaaS services, ask providers probing questions to learn about the targeted and tailored testing options available, the team’s experience and expertise and what type of consultative communication and collaboration they offer.

Conveniently, NowSecure offers a full mobile application security and privacy solution and our experts offer unmatched insights and guidance. Customers combine NowSecure Platform best-in-class automated testing and NowSecure mobile PTaaS expert manual testing from NowSecure Services to consolidate mobile testing and drive efficiencies with an all-in-one solution.

“NowSecure Platform gives us confidence that the developers practice secure coding and NowSecure Mobile PTaaS gives us the required manual testing for compliance reporting and even more confidence in complete coverage,” says Frank Klimczak, information security manager for Genisys Credit Union.
Discover more about NowSecure Services’ PTaaS offerings and reach out to schedule a consultation with NowSecure mobile pen testing experts.