Mobile application penetration testing is one of the more complicated and skill-intensive penetration testing services offered by companies at this time. Unlike other, more traditional services, mobile application penetration testing is nearly a cat and mouse game for penetration testers. Once knowledge is built for an OS version, a new version is released that requires more time and energy to understand how mobile applications may be attacked, taken advantage of, or over-provisioned.
Mobile application penetration testing combines many testing disciplines. In most cases, the mobile application penetration tester needs to be proficient in API penetration testing, web application penetration testing, and the many wireless protocols (Bluetooth, Zigbee, NFC, WiFi) that might be used to interact with the application and ancillary IoT devices. This creates a complex and expansive attack surface that must be tested as part of the mobile penetration test to ensure some level of security.
Any organization developing and deploying a mobile application should engage a consultancy company to do a mobile app pen test. Many organizations will assume that a mobile application is not attacked or targeted, but this is not true as evidenced by the 2021 mobile application security issues. There are many ways to have your organization end up on this list. Weak permissions or configuration on the device itself lends your application to sideload application attacks (where a third-party application targets your application data), weak API endpoint configuration leaks data, or insecure communication with IoT devices that could be exploited.
This article looks at the costs of mobile app penetration testing with a 3rd party provider. We discuss how costs are calculated, how much you can expect to pay depending on the scope of the test, and how costs can be reduced with proper planning.
(IMPORTANT: This free PDF report shows pricing data from 10 real penetration testing contracts so your firm can gauge costs and avoid overpaying for your own tests.)
- Scope for Mobile App Penetration Testing
- Cost Benchmarking
- How Much do Costs Vary from One Vendor to The Next?
- How Much do Mobile App Pentest Costs Vary from One Industry to the Next?
- How Can Mobile App Penetration Testing Costs Be Reduced?
- Costs of Mobile App Pen Testing Vs Benefits
Scope for Mobile App Penetration Testing
As mentioned previously, a mobile application penetration test can entail many aspects of pen-testing. This is one of the more complicated penetration testing services but not because the overall scope is not much different from other pen tests. A typical engagement will involve spending time with the organization to understand the mobile application use cases, external interactions, and end goals for the organization. After this is established, all required hardware and store-ready application packages will be attained by the consultancy company.
Where there are external interactions, beyond API endpoints, the consultancy will request those devices and configuration information to properly configure for the test.
The consultancy will work with the organization to validate that the mobile application, phone, and device are properly configured for the intended use case.
At this point, testing will begin across the device, API endpoints, web applications, and other supporting services. This entails actively trying to identify vulnerabilities, poor configurations, or known weaknesses in the OS that can be exploited to compromise the application. The point of this phase is to identify and exploit the vulnerabilities to provide a detailed narrative of what could happen and what that impact would be on the organization or end-user.
A key deliverable for every mobile app pen test is a report. Some consultants prefer to build the report as they test, documenting as vulnerabilities are confirmed, while other consultants may wait until the end to write the formal report.
No matter how the consultant and consultancy prefer to perform the final reporting, an organization can ask for critical or high confirmed vulnerabilities to be reported as they are found. It is recommended that an organization ask for this, as it will provide additional time to start remediation efforts.
With or without the ad-hoc reporting of vulnerabilities, every organization can expect to receive a detailed report at the end of the testing engagement that will provide a listing of vulnerabilities and exploits. As part of this report, detailed steps and instructions on how the vulnerabilities were exploited should be expected, as this will help with identifying the root cause and expediting the remediation.
Many factors can play into the cost of a mobile application penetration test. Some of the factors are very much dependent on the use cases of the mobile application and certain use cases can add significant cost. One of the more expensive penetration testing services available, mobile app penetration testing costs can range from $15,000 to over $100,000.
It is truly dependent on the complexity and external dependencies for the application to function and provide value to users. The penetration test cost will be more than other penetration tests due to the lack of automated penetration testing tools and the heavy reliance on manual security testing.
The main factors affecting the cost of mobile app pen tests are as follows:
Cost Factor #1: API End Points
This factor is listed first, as nearly all mobile applications work through a set of API endpoints behind the scenes, and this factor will play one of the largest roles in the overall cost. While it may hold that the number of API endpoints utilized by the application will increase the cost, the reality is that this will operate as a penetration test within a penetration test. Nearly all consultancy vendors will scope and price the API within the mobile but will utilize the same cost factors as a stand-alone API penetration test.
Cost Factor #2: App Platforms
Currently, this is unique to mobile applications. The testing methods, tools, and hardware needed for an Apple, Android, or other mobile application platform are not all the same. If the mobile application is built to be compatible with iPhones, iPads, and Android mobile phones, it is guaranteed that at least an iPhone and Android phone will need to be utilized to perform the testing. While this is the minimum, many companies will also use an iPad, along with an iPhone and multiple Android phones.
Beyond the physical devices needed to test across platforms, the skills and methods will differ as well. The internal operating system that the application resides on is vastly different between an Android and Apple device. This creates a need to do a single type of test multiple times.
For instance, the way an application securely interacts with internal storage may be different between the two devices. Testing to make sure the application storage is initiated securely to prevent other applications from accessing the storage of the application and leaking its data is a test that will need to be done for each platform.
Cost Factor #3: Ancillary Connections
While there are plenty of mobile applications that do not engage with ancillary or external services or hardware (beyond API endpoints), there are many that do.
Keep in mind that any outside hardware, software, or service in which the application is meant to interact will typically be in scope for testing to ensure that the interaction is secure and safe. Some examples of this can be remote vehicle management, Bluetooth medical devices (very common in diabetic use cases), Zigbee or NFC interactions with remote charging stations, and many others.
All these interactions need to be secured end to end and in between, including the communication protocol from the mobile application to the device. Simply, this adds more time and requires additional coordination to attain the device to do the testing. Often, this might be coupled with a device or IoT device penetration testing, which is testing on the physical device itself.
Cost Factor #4: Web Application
While the focus of the testing is on the mobile application, the web application component cannot be forgotten. If input or management from the web application can be viewed, received, or manipulated by the mobile application, some level of web app penetration testing needs to take place. In most cases, this will not be a full web application penetration test but will focus on how the web application could impact the security of the mobile application.
This typically does not add a lot of extra costs, for most consultancies. However, it can easily move to a full web application penetration test, which would add significant cost and time.
How Much do Costs Vary from One Vendor to The Next?
Costs from one consultancy to another can vary greatly for services provided, and it is possible to find pentest companies that will come under the $15,000 low-end mobile penetration testing costs estimate. However, caution must be taken with those vendors and questions should be asked about testing methodology, technology, and skillsets. In most cases, the cost will vary based on brand recognition, technical skills, and reputation.
Typically, a highly technical boutique shop, specializing in mobile and IoT device testing, will charge more than a consultancy offering a wider range of services. This is due to the consultancy having an additional investment in tools and training to perform a deeper test against the mobile application. In this case, if the mobile application is highly complex and has additional ancillary devices, it interacts with the additional cost could be worth it.
Another factor for consultancies providing this service is the physical location of the testers. Some consultancies will utilize resources in India, Malaysia, or other markets that have an associated lower operational cost.
In these cases, it does not mean that the testers are incapable. Many times, the consultants are just as capable; it just means they live in a lower-cost region. If working across time zone is not an issue and no physical devices need to be shipped, take advantage of the lower cost.
There is no need to have a consultant come into the organization’s office for meetings or to do testing. Testing should be conducted from the consultancy lab or facilities, as the mobile devices and tools needed will already be set up. The only time it might be worth looking for a near office consultancy is if the external device being tested is overly large and expensive to ship.
How Much do Mobile App Pentest Costs Vary from One Industry to the Next?
Within this article, hints have been dropped about how the industry can alter the potential penetration testing cost. The biggest industry that will see an increase in overall testing costs is medical application and device manufacturers. This is simply because there will be external devices, API integration, and mobile application penetration testing associated with the engagement, all increasing overall cost.
Despite this causing the cost to go up, in general, the hourly rate for testing services should still be roughly the same. Beyond medical, other industries that may see the increased cost for effort would be financial, gambling, GovTech, and smart device manufacturers. These industries tend to be more regulated or produce more complex applications that interface with additional external services, like API endpoints.
How Can Mobile App Penetration Testing Costs Be Reduced?
One of the biggest ways to reduce the penetration testing cost is to design the application for the use case. Just because the application could do something does not mean it should do that action.
This means that not all web application or desktop application functions need to be ported over to the mobile application. Focus on what the user would need to do, and implement those features to shrink the attack surface for the mobile application. This will directly lower the complexity and cost of the mobile application penetration test.
Another way to lower the penetration testing cost is to reuse API methods, where applicable. Do not assume that those API methods will not be tested. It is assumed that the methods would be tested, as part of a web application penetration test. Since the method would be tested and vetted, it will not need to be tested as part of the mobile application pen test. If the organization is already reusing the API endpoints and has conducted a web application penetration test against the endpoints, then inform the consultancy and have the scope limited for testing mobile apps.
Costs of Mobile App Pen Testing Vs Benefits
It may seem like mobile application penetration testing is expensive, and it can be. This should not be a deterrent to conducting the test and is not a valid excuse if the mobile application that the organization has designed, built, and deployed is attacked as part of a data breach.
It is becoming more and more common to see mobile applications and supporting services exploited to gain access to information, data, and financial impact. All of this could lead to large fines, reputation loss, and revenue loss for the organization. All this needs to be weighed when deciding if mobile application penetration testing is worth the expense to the company.
(REMEMBER: This free PDF report shows pricing data from 10 real penetration testing contracts so your firm can gauge costs and avoid overpaying for your own tests.)