Mobile application penetration testing is a security testing method used by IT security professionals to evaluate security from inside of a mobile environment.
By conducting a mobile pen test, app developers can identify vulnerabilities in a mobile application, bottlenecks, loopholes, and vectors of an attack before delivering the app to users.
A good mobile app pen test will provide a slew of important insights.
The test will allow companies to realize how to modify the design, code, and fundamental architecture. This ensures the app is stable and reliable before it’s released, as well as throughout the application’s use and deployment in the market.
Unfortunately, while developers are producing more and more innovative apps every day, the state of app security today is, simply put, abysmal.
In one recent study, an astounding 63% of the 3,335 applications analyzed contained known security vulnerabilities, with an average of 39 vulnerabilities per app.
The good news though is that the vast majority of these issues – over ninety percent of them – have known fixes.
This is why investing in a proper pen test is a very basic cost of doing business.
The resources in time and money required to fix issues detected during a mobile pen test are typically orders of magnitude lower than the costs of having to fix them after already launching the product.
And that’s in addition to any liabilities creators might have for their malfunctioning products or the security issues their apps may trigger. Remember, any vulnerability you don’t detect will likely be detected by hackers. For all these reasons mobile application penetration testing needs to be a core element of security testing for every solid application developer.
- The Benefits of Regular Penetration Testing
- Tools Used
- Android vs iOS Penetration Testing
- Industry Standards for Mobile Penetration Testing
- The App Penetration Testing Process
- Important Vendor Certifications and Qualifications
- How Much Does a Mobile App Pen Test Cost?
- How Often?
- Is Pen Testing All You Need for Mobile App Security?
The Benefits of Regular Penetration Testing
Let’s unpack this a bit more.
There are many good reasons to subject your mobile app to pen testing, ranging from security to optimization.
1. Prevent future attacks by anticipating the tactics of potential attackers
At the most fundamental level, penetration testing is simulating the tactics and strategies of real-world hackers. The best way to determine the security strength of your app is to run it through a simulated attack. With an expert-level pen test, you can anticipate possible future scenarios and mitigate risks, uncover flaws in the code and remediate them before hackers exploit them.
As your service grows, which will mean a wider range of the application’s use and updates to the app itself, penetration testing will prove even more important as these developments will open new (and in some cases more severe) vulnerabilities and user risks. Contracting regular mobile pen tests will help maintain the safety and durability of your app over time.
2. Exposing the app to a real-world environment before going live
Before the deployment of a new mobile application, any mobile app must go through a series of technical and user acceptance testings to ensure it will meet technical and business requirements. Basically, will the app do what it’s supposed to do? These tests are the only way to ensure a mobile app satisfies the end-user and can be supported by IT teams.
But security and functionality are closely connected.
The safety and usability elements of any program often have a trade-off relationship. While more features and ease of use do not necessarily damage security, the more things an app can do and the more access it has to your devices and systems, almost by definition the more potential for vulnerabilities.
A well-orchestrated pen test can offer critical insight into the operational requirements necessary to build an app environment that runs both smoothly and securely. This bringing-together of safety and optimization can really only be done efficiently at the development stage. Trying to fundamentally alter an application after launch in order to accommodate security is doomed to fail. Today, any experienced software engineer understands this. This security-by-design is attained through integrating penetration testing with the technical and functional evaluations of an app.
By gaining knowledge of flaws in the source code, attack vectors, bottlenecks, and security holes before rolling out the mobile app, you’ll have the opportunity to alter the architecture, the design, and the code of the application. As we’ve already highlighted, fixing issues at this stage is cheaper and more effective than addressing them later on–like when a breach or another major failure happens.
3. Test the responsiveness of your enterprise IT team
Launching an app with long-term aspirations means being able to support your customers.
And this means having an IT team that can respond to bugs, the need for upgrades, and user complaints.
How do you know your IT people are up to this task?
By adopting mobile app security testing as part of a mobile app development process and a mobile project, you can test the skills of your enterprise security team.
A mobile pen test will be able to replicate the full gamut of application technical concerns. This is not just limited to the technicalities of the app’s structure–ie, does the app work and is it vulnerable to attack–but also simulates the scenarios your team will have to react to:
- How is their response time?
- What is the quality of the solutions they can offer customers in an ongoing scenario?
- How accurately can they detect the source and nature of the problem?
To put it lightly, these are important questions to have answered.
A mobile pen test is an excellent method to train your technical team before the app is deployed, and also the best way to keep them sharp and ready to serve your customer base after the app has been launched.
Simply put, if your security and technical experts can’t properly react, there is something wrong with your process. The exercise of going through a pen test will show you where those weaknesses are and what you need to do to fix them.
4. Meet industry security standards and comply with regulations
Today’s compliance-heavy IT world is something that all developers need to contend with.
Verifying your app’s security standing is essential for gaining business access to all major industries. ISO 27001, HIPAA, FIPS 140-2, OWASP certification, all of these require some form of concrete substantiation that your app is safe.
In many other cases, security verification is mandated by cyber security law. With the advent of major IT regulations, the likes of GDPR, and California’s CPA, more and more companies are learning about the legal consequences of lacking security credentials. These include everything from civil liabilities to being barred from lucrative markets.
Today, with the speed at which enterprises are going mobile, applying pen testing to applications has become all the more necessary from a compliance point of view.
When developing a penetration testing regimen for your app, it’s important to first be familiar with the types of tools needed for an effective test.
Even if you completely outsource your mobile pen test, it’s necessary for managers and creators to at least be generally familiar with what’s out there.
One of the most basic types of programs designed to test mobile apps is called reverse engineering tools. Simply put, these programs break down the app’s source code to nearly original form in order to assess any potential bugs or glitches. After the app’s infrastructure is disassembled, the program rebuilds the app with tweaks and modifications.
This is a very thorough way to guarantee optimization at the very foundational layer of your app. Note that the language of “disassembling” and “reconstructing” shouldn’t be taken literally. No one is going to break apart your carefully crafted app. This process takes place at the informational level only. Reverse engineering tools assess the code of the app without affecting the functionality of the app in the real world. But we will discuss how pen tests may affect your operations in a moment.
Then there are more classic pen-testing tools designed to simulate actual attacks by cybercriminals. Typically, these pen-testing programs will funnel web traffic directed at your app via a specialized browser. Often the developers of these attack simulation tools will have their own in-house built browser for this purpose but there will also be an option to configure the browser of your choice to be compatible with the program’s functions.
As the user activity is flowing through the program, it can assess possible attack vectors that a hacker, might use to gain control of the app or access the data of other users on the platform.
It’s worth noting that in this way, mobile penetration testing isn’t that much different than the regular web kind. A good pen-tester will run many standard hacking drills on your app to see how it holds up. These will include the common SQL injection that allows a user to circumvent authentication protocols. Assessing the strength of inbuilt security features is also a standard. This is especially true if the app itself performs a security-related function (such as a mobile firewall for example).
Protocol analyzers are programs that capture and assess the signals and traffic transmitted over a digital communications channel. Protocol analyzers can come in in either software or hardware form. But for purposes of mobile penetration testing, you’re looking for the software version.
These tools focus on the technical methods by which digital data is moved between different nodes of the network. In the case of mobile applications, this could mean the communications between different users of the app, as well as messages from users directly to the app’s server. A good quality protocol analyzer will let you see what’s occurring on your network at a highly detailed level. Any impediments to smooth user experience or blocks on the app’s communication protocols can be identified and remediated.
Skills test administrators can also use some more outside-the-box methods to try and test the security of your app. One attack form in particular is the now well-known social engineering hack. This broad category includes tactics such as phishing or other manipulative methods meant to fool system admins, gain privileged access, or wrest control of system functions.
Including social engineering drills in your mobile pen test will give you important insight into loopholes in the app’s operational flow and reveal any potential ways the platform can be fooled.
Android vs iOS Penetration Testing
Since we’re already on the topic of tools, let’s address a commonly asked question in the mobile app space: What are the differences between Android and iOS when it comes to pen-testing?
To answer this question, we need to understand some important facts that distinguish Apple from Android apps and the platforms they’re built for.
The Android operating system is based on the Linux coding language, while the iPhone’s iOS is coded in Objective-C, a more, shall we say, ‘sophisticated’ code language.
This key difference gives iOS and Android distinct advantages and disadvantages respectively. The primary disadvantage of the Android OS that’s relevant for this conversation is that the added complexity of the app’s commands leads to excessive usage of the processing power and memory. This in turn leads to performance issues and low benchmarks for performance in general.
In the case of iOS, it has the advantage of leveraging the high processing power and memory it possesses. But this produces a downside: iOS is a closed operating system, making it highly vulnerable to a security breach. As one would imagine, this means security features are strongly scrutinized for iOS apps.
In terms of the actual process of testing, no app can get on the Apple store without undergoing a thorough vetting process by a specially dedicated team at Apple. But for developers who want to run their creation through some test runs, it requires a bit of a go-around. First off, the computing environment testing the app must run on Mac OS. this makes sense considering the unique operating environment of Apple-geared programs in general.
But in addition to that, applications in their development phase that haven’t received Apple’s certification cannot be directly run on normal Apple devices, hence authentic testing can’t really be done. In order to get an in-development app running, they require a special work environment achieved by jailbreaking any iOS device–the legality of which is still a bit unclear in some countries. Once the device has been jailbroken, there are several open-source iOS toolkits available to test the security of the app.
Android apps in contrast do not have to deal with these boundaries. Android apps can be downloaded directly from a website or even your friend’s memory card. There is no inherently limiting aspect of an Android geared app that will prevent you from testing it.
While testing Android applications may be a simpler process to get started with, there’s an important risk factor to keep in mind as far as the actual testing goes. Android is by far the more popular operating system globally, accounting for nearly three-quarters of the international market. Considering these numbers, it shouldn’t be surprising that some 98% of all mobile malware targets Android devices. It’s simple economics really. Hackers that develop malicious tools want to get the most bang for their buck–Android-oriented malware will have exponentially more targets to choose from.
So while it may be simpler to execute an Android mobile pen test, there are many more issues to be on the lookout for and the risk of zero-day threats–vulnerabilities that are discovered first by hackers before developers have a chance to patch them–is also significantly higher.
Industry Standards for Mobile Penetration Testing
Not all ‘issues’ with a mobile app are equal.
When testing an application, any skilled developer will use standards to determine a) what is the actual level of security risk for any problems identified, and b) how high is the need to mitigate that risk.
Here, there are a few terms you should be familiar with:
The OWASP Mobile Top 10 has been around for a while and is used by literally millions in the IT industry. The OWASP acts as a baseline when it comes to mobile application security and assists security and development teams to find and mitigate vulnerabilities earlier on in the development process. It also helps improve the quality of the app’s code and minimize security flaws before pushing the app to deployment and production.
Common Vulnerability Scoring Systems or CVSS is one of the most widely recognized standards in the mobile app world. What it rates specifically is the severity of an application’s vulnerabilities and helps determine the urgency of fixing those flaws. As you may have guessed, that severity is influenced strongly by the type of app being assessed. A banking application is going to receive a higher severity rating for any given flaw than a photo editing app.
The Common Weakness Enumeration is sponsored and managed by the United States Department of Homeland Security’s US-CERT program. It is essentially a list, updated from time to time, of the most common application security vulnerabilities. It is a great tool for pen-testers as it sets a workable benchmark for an app’s overall security strength.
The National Information Assurance Partnerships is an IT security program developed by the US government. The NIAP contains specific security standards for a mobile application to abide by. This standard is especially important if a developer is looking to break into the government market.
The App Penetration Testing Process
Broadly speaking, mobile application penetration testing methodologies stages include the following stages:
The discovery process involved gathering information that will further form the basis of the penetration testing phases. It consists mainly of identifying the relevant threats to an app. To achieve this, pen-testers will research vulnerabilities on open sources and often the Dark Web where hacking methods are proliferated. Becoming familiar with the architecture of the app is also part of this process. With some exceptions due to complexity or specialty apps, this is a relatively short stage which should take no longer than a few days for skilled pen-testers.
2) Assessment and analysis
The process of analysis and assessment is the most unique step since it requires the pen-tester to analyze the application before and after installation. It is during this stage that any reverse engineering discussed above will take place on the app’s code. Assessment will also involve what’s referred to as “dynamic analysis.” This means forensic analysis of the file systems of the app and monitoring the traffic between the application and the app’s server.
From a security standpoint, exploitation is the most important step of a pen test and is usually the longest. Here testers will throw different attacks at the app to see how it stands up. It is here when the mobile test standards really come in handy. Depending on how extensive you’d like the test to be, the administrator can subject the app to a wide range of exploits. Keep in mind, that a more exploitation-focused test will also have the Discovery stage geared toward discovering more attack-related risks. Depending on the situation, the exploitation process.
The final stage of mobile app penetration testing is reporting the findings via technical reports and an executive-deliverable paper. It’s important to have both of these: executive summaries will give a bottom-line report to company high-ups in understandable terms. The technical report will be the basis for any remediation you perform on the app but will also be important for compliance purposes. The technical report will allow regulators to see in detailed form the viability of your app’s structure and functionality.
Important Vendor Certifications and Qualifications
When hiring a penetration testing firm or individual to execute a mobile pen test, you’ll want to make sure the developer in charge actually knows what they’re doing.
Here are the top certifications recognized throughout the industry. Make sure that whoever is taken on for your mobile penetration testing has at least one of these certificates with his or her name on it.
First, let’s list some of the more well-known certifications:
Certified Ethical Hacker
The Certified Ethical Hacker (CEH) issued by the EC-Council is really the most basic qualification for anyone doing hacking-related work. It is often required by most major private and public organizations including the United States Department of Defense.
GIAC Certified Penetration Tester
The GPEN is a license issued by digital-information protection firm GIAC. GPEN focuses on password hacks, digital programs intrusion, and extensive pentest prep. For the past twenty years, it has been a standard for pen-testers around the world especially when it comes to security-focused tests.
Offensive Security Certified Professional
OSCP trains participants on penetration testing operations using Kali Linux executive program and the relevant tools that would be required. The OSCP is regarded in many sectors as the optimum pen-testing license. This is because it is known as an extremely demanding exam. The OSCP test is strictly practical and lasts for 24 hours with regular simulations of hacking and penetration scenarios.
EC-Council Licensed Penetration Tester Master
Another certification issued by the EC-Council, the LPTM is a high competence-level license meant for advanced pen-testing jobs. A holder of the LPT license is usually acknowledged as a sufficiently-experienced pro.
The element that gives the LPTM a level-up is the dynamic aspect of the holder’s training. A typical pen-tester will be well versed in common threats and how to secure an app from those threats. LPTM certified individuals on the other hand are capable of creating new solutions to complex cyber-attacks. If your app is one that may present a high-value target (anything to do with finance or banking for example) it may be worth seeking this high level of certification. Having an LPTM certified tester will also likely give you a leg up as far as compliance is concerned.
Some other common certifications include:
- Offensive Security Certified Professional
- Certified Penetration Tester (CPT)
- Offensive Security Certified Expert (OSCE)
- CompTIA PenTest+
Any of these certificates are a decent indication of a pen tester’s competence.
One final note on qualifications:
Pen testing is a general term that applies to all types of IT systems. But not all types of tests are identical. For example, many people are familiar with penetration testing as it relates to a company’s digital system, ie the devices, nodes, and programs that make up an organization’s network. While there are many overlaps with network penetration testing, mobile app testing is a very distinct procedure that requires in-depth knowledge of the mobile attack surface and understanding of a wide variety of vulnerabilities unique to mobile apps.
When hiring a tester, make sure it is a firm with experience in the mobile domain.
How Much Does a Mobile App Pen Test Cost?
The cost of proper mobile penetration testing can fluctuate significantly depending on the particular app.
As a baseline, many experts will throw out the $4,000 mark. But some pen tests can cost only half of that sum. In other cases though, a complete mobile pen test can run you as much as $20,000.
The most important factors determining the exact number are (A) the size of the organization deploying the app as well as the number of users, and (B) the app’s complexity.
An application that has multiple roles to test and a significant number of unique pages/forms will take longer for an engineer to adequately test. Furthermore, if you have an interest in exploring beyond the standard threats facing mobile apps and testing more complex attacks, this will increase the price significantly.
Pen tests are like doctor check-ups.
Unfortunately, there tends to be a gap between what the professionals recommend and what is practically feasible.
Many IT experts recommend penetration testing your applications twice a year.
This recommendation is based on the typical frequency of threat developments and emerging technologies and trends. In other words, if you want to be on top of what the latest dangers are in the cyber realm, it’s worth testing your application once every six months.
However, this simply isn’t workable for many companies.
With costs easily reaching $10,000 and turnaround times of up to three weeks, most firms can only afford to go through this process once a year.
This is simply the reality at this point–at least until technology makes it easier and cheaper to execute these tests.
A good recommendation would be this: if you are limited in the number of pen tests you can take on, make sure that the ones you do execute are top-notch. A single test that does a thorough exploration of your app’s code and simulates a range of complex attacks will be immeasurably more effective than three or four mediocre tests–it will also come out cheaper on the whole.
Is Pen Testing All You Need for Mobile App Security?
In addition to the technicalities of penetration testing, it’s important for companies to have the right attitude regarding the process of pen tests.
To be sure, pen tests are the single most effective way of ensuring IT security on the network or application level. However, pen tests are not a set-and-forget type of thing. The whole point of the test is to find out what needs remediation.
On mobile apps, there are a wide range of issues that need addressing to ensure safety and functionality: calibrating the number of application permissions, certificate pinning, password policies, forced logout protocols, these are but a few of the very impactful components of any mobile app.
A good pen test can shine a light on what needs to be changed. But changing it will be up to you.
Before going into a pen test regimen, make sure you have a tentative plan for the follow-up. Keep in mind, many testing firms will offer remediation services as well, which may make it easier to go ahead with the required fixes. In other cases, the company’s in-house IT team should be capable of solving the problem. This is usually the case when the company receiving the test is also the app’s developer. Having a follow-through plan will in the end ensure you get the most out of your mobile pen-testing investment.