This type of penetration testing is very similar to security testing during initial software development or during a software development life cycle. You can find more details by having a look at our Application Security page.
As mentioned above, mobile app security testing can be viewed in two contexts. The first is the traditional security test conducted towards the end of the development cycle. In this scenario, we will evaluate a nearly finished or production-ready version of the app, detect security vulnerabilities, and produce a comprehensive report. The second context involves the implementation of security requirements and automated testing from the beginning of the software development life cycle. Although the same fundamental requirements and test cases apply to both contexts, the testing methodology and level of client involvement differ.
Whenever performing such a test, we strongly advise that we be given access to the source code so that testing time can be used as efficiently as possible. Code access obviously doesn’t simulate an external attack, but it simplifies the identification of vulnerabilities by allowing us to verify every identified anomaly or suspicious behavior at the code level. A white-box test is the way to go if the app hasn’t been tested before.
There are two primary methods for analyzing mobile apps for security vulnerabilities: static analysis and dynamic analysis. As described above, Static Application Security Testing (SAST) involves reviewing the source code of the app to identify potential security issues related to the implementation of security controls. Typically, a combination of automated and manual testing is used to maximize coverage. Automated scans are useful for identifying common vulnerabilities, while our expert testers can use specific usage scenarios to explore the code base more deeply.
Dynamic Application Security Testing (DAST) aims to test and evaluate mobile apps in real time during their execution. The main goal is to identify security vulnerabilities or weaknesses in a program while it’s running. This method of testing is performed on both the mobile platform layer and the backend services and APIs. By analyzing the mobile app’s request and response patterns, security weaknesses can be identified and remediated.
DAST is commonly used to verify if security mechanisms are providing adequate protection against the most common types of attacks, such as data disclosure during transit, authentication and authorization issues, and server configuration errors.
By applying best practices, we follow the traditional method, which entails comprehensive security testing of the mobile app’s final or near-final build, i.e. the build that is available at the end of the development phase. Our testing process also employs the OWASP MASVS (Mobile Application Security Verification Standard), which is the industry standard for mobile app security.