Mobile App Penetration Testing
The Apple App Store™ and Google Play™ host nearly 6 million mobile apps combined. Organizations need proven mobile security testing across all app components. Successful mobile app pen testing begins with decades of skills, exemplary customer service, flexible scheduling and lightning fast turnaround time. These critical elements support a threat-based approach, thorough testing with multiple analysis types, and assistance to remediate and validate any issues discovered.
When a Pen Test Is Needed
There are a number of factors that make penetration tests necessary for mobile apps. Compliance requirements are the most obvious. Certain features, functionalities, or authentication measures also require a penetration test to ensure the safety of customer data, PII, and company IP. A pen test is needed for apps that:
- Initial release
- Major update
- Store or handle sensitive data
- Subject to industry regulations
- Require advanced scoping
- Support USB connectivity to external devices
- Use Bluetooth Low Energy
- Use CAPTCHA
- Use multi-factor authentication
- Run on a non-standard platform
- Require defense-in-depth and reverse engineering resiliency
Meet Standards And Regulations Requiring Penetration Tests
Google announced that Play developers must publish disclosures in their Play Store listings of how their apps collect, share, and secure user data. Now, developers can independently assess their applications, with NowSecure, against the highest standard of mobile security and privacy, established by the App Defense Alliance (ADA) using the Mobile Application Security Assessment (MASA). Developers who receive an Independent Security Review can then use the Google Play Data safety section to inform users that their application meets this heightened standard. NowSecure is an authorized lab to perform these independent security reviews.
OWASP MASVS Compliance
- OWASP Mobile Application Security Verification Standard (MASVS) establishes a baseline of security requirements for mobile apps
- OWASP Mobile Security Testing Guide (MSTG) outlines how to test the MASVS requirements
- OWASP Mobile App Security Checklist tracks security assessment tasks
More than 38 billion internet of things (IoT) connected devices exist worldwide today, growing to 75 billion by 2025. To instill every user’s confidence in IoT apps, the ioXt Alliance has created a certification to ensure a secured interface for buyers, end-users, and channel partners. The goal is to rapidly certify IoT-connected mobile apps and mobile VPNs against the ioXt Mobile Application Profile. NowSecure, as an ioXt Authorized Lab, provides fast turnaround, high-quality results and collaborative assistance.
Mobile apps are critical to enabling U.S. federal agencies to meet their mission. Core to that mission is ensuring a high security testing bar for the mobile apps they build and use. The National Information Assurance Partnership (NIAP) manages a national program for developing Protection Profiles, evaluation methodologies, and policies that ensure achievable, repeatable, and testable requirements. For mobile apps, NIAP has created the Mobile App Vetting Protection Profile for Application Software v1.3, and NowSecure is the only vendor to support this initiative with an automated solution.
Rest Assured With NowSecure Deep Mobile App Pen Testing Experience
- NowSecure boasts more than a decade of mobile app pen testing, with experience testing more than 11,000 mobile apps and the industry’s broadest collection of the most skilled pen testers
- Our experts have helped hundreds of organizations establish successful mobile app pen testing programs
- Trusted by many of the world’s most demanding organizations across banking, insurance, high tech, retail, healthcare, government, IoT and others
“Collaborations with security researchers and analysts play a key role in how we keep the Peloton community secure.”
Director of Global Security Incident Response & Threat Intelligence, Peloton
Not All Mobile Pen Tests Are Created Equal
NowSecure offers customers more than a decade of building advanced tools, delivering expert pen testing security services and actively supporting open-source and industry standards projects. This includes delivering the industry’s first full mobile app security solution suite with the launch of online self-service training, a certification program, and substantial enhancements to its existing solution portfolio.
Combine Manual and Automated for Depth at Speed
NowSecure Platform Guided Testing combines the best of automated and manual assessments. In a Guided Test, an automated battery of 600 tests is completed on the same real physical devices used in every NowSecure Platform assessment. The mobile app is interrogated in four passes in order to test the different network conditions an attacker may use to compromise the application. Guided Testing also provides the critical capability of leveraging the expertise of a NowSecure Analyst, who interacts with the mobile application to provide coverage beyond anti-automation features like 2FA, MFA, CAPTCHA, and more, and to test the application’s complex user navigation. NowSecure Platform Guided Testing provides depth of coverage at the speed of DevSecOps.
Full scope pen tests require sophistication and depth
A consultative approach to full scope penetration tests is key. Partnering with an expert to understand the threat landscape, the attack vectors, and the key information that can be extracted from a mobile application tailors the test for relevant, thorough coverage. Full scope pen tests from NowSecure can be used for independent, third-party verification for compliance or to augment common staffing shortages. NowSecure bolsters security teams with an assessment leveraging industry mobile standards such as the OWASP MASVS and CVSS, backed by decades of experience and tens of thousands of mobile app penetration tests.
Focused pen tests for specific workflows
Partner with our pen testing experts to identify and test specific code in your mobile app, such as crypto and storage or the network and backend API, or to test specific workflows such as account origination or shopping cart transactions. Ensure you are protecting critical app components to prevent customer data leakage, IP theft, credential interception, or worse.
Granular differentiation for unique nature of mobile and web pen testing
Traditional web application security testing fails to fully assess the security risks present in mobile apps. Mobile presents a far larger attack surface than web app code running on a server or other network infrastructure controlled behind firewalls. 100% of mobile app code lives on the device in the mobile operating system, where it is exposed to today’s powerful reverse engineering tools. Because 100% of mobile app code lives in the wild in the mobile operating system, it can easily be reverse engineered by any attacker, developer or security analyst.
Assemble and customize your toolkit, here’s a checklist too
NowSecure continues to extend its industry leadership in the rapid and secure development of leading open-source tools for the reverse engineering (Radare) and dynamic analysis (Frida) of mobile applications. Radare discovers an app’s internal functions in low-level detail; Frida then analyzes its behavior at run time. NowSecure Workstation is a fully developed mobile penetration testing kit that includes both Frida and Radare, which security analysts of any expertise level can use to quickly and thoroughly pen test mobile apps.
See what an Expert Mobile App Penetration Test Finds
Talk to a NowSecure Pen Tester Now