
iOS & Android App Penetration Testing

We provide penetration testing of iOS and Android apps in accordance with the OWASP Mobile Security Testing Guide (MSTG). When testing apps, we use both static and dynamic testing methods.

As part of the static analysis, we review the app binaries and reverse engineer the apps to check configuration files and source code for vulnerabilities.

In dynamic analysis, we examine apps at runtime both on devices in their default configuration and on rooted (Android) or jailbroken (iOS) devices. This includes network traffic analysis, analysis of the runtime environment, and manipulation of the app packages, using pentesting frameworks and toolsets installed on the test devices.

Static and Dynamic Analysis (iOS & Android)

The client-side application functionality is tested through both dynamic and static analysis and without insider knowledge (black box testing). As part of the static tests, the iOS and Android apps are extracted and reverse engineered. During the dynamic tests, "hooking" is used to intercept the app's processes and manipulate system calls in order to uncover further vulnerabilities. Depending on how effective the source-code obfuscation is, deeper analysis may be possible.

The tests are based on best practices such as the "OWASP Mobile Security Testing Guide" and include the following test aspects:

  • Anti-reverse engineering
  • Runtime security (hooking, anti-debugging, tampering detection)
  • Binary analysis (binary protections, encryption, decompilation)
  • Authentication & authorization
  • Session management
  • Key & password management
  • Secure use of web content
  • Function and application logic (client and server side)
  • Storage and transmission of sensitive data (encryption)
  • Client-side injection attacks
  • Web vulnerabilities (e.g. SQL injection, information disclosure)
  • Multitenancy
  • Caching
  • Input validation
  • Error handling


OWASP Mobile Application Security Verification Standard

MASVS diagram

The OWASP MASVS (Mobile Application Security Verification Standard), together with the OWASP MSTG (Mobile Security Testing Guide), is an international standard that specifies security best practices and hardening measures for iOS and Android apps as well as for the backend API. It defines Level 1 security controls for basic requirements and Level 2 security controls for applications with increased protection requirements. We generally recommend performing the security assessment against both Level 1 and Level 2, and then deciding on a risk basis, for each finding separately, whether a missing Level 2 control should be implemented. As part of a penetration test, we check your apps for compliance with a total of 156 security controls from the MASVS.

