Mobile Application Security

How long does a Mobile APP penetration test typically take? 

The duration of a Mobile APP penetration test can range from one week to three weeks, but on average, it takes around 2 weeks. However, the exact timeframe depends on the complexity of the work. Feel free to reach out to us, and we will provide a more accurate estimation based on your specific requirements. 

What factors have the most impact on the price of a Mobile APP penetration test? 

The final cost of a mobile application penetration test can vary depending on its complexity and the amount of work required for a thorough testing. Here are some examples of how different complexity factors can impact the price of a penetration test:

Size and functionality. If the mobile application has a large number of screens, features, and complex interactions, it may require more time and effort to conduct the testing.

Technological aspects. If your mobile application uses advanced technologies such as machine learning, artificial intelligence, or integration with complex systems, it may require specialized expertise and additional efforts for testing.

Access level. If the mobile application requires a high level of authorization and authentication, for example, a banking app or a medical application with access to sensitive data, it may require deeper security analysis and testing.

Integration with external systems. If your mobile application interacts with other external systems or APIs, it may require additional time and effort to ensure the security of these interactions.

Support for multiple platforms. If your mobile application is developed for multiple platforms, such as iOS and Android, each platform may have its own peculiarities and security requirements, which can affect the scope of work and the cost of the penetration test.

To provide you with an accurate quote, we take into account the specific characteristics and requirements of your mobile application. Our pricing is designed to be fair and transparent, ensuring that you receive a tailored and cost-effective solution that matches your unique needs.

Which methodology do we use? 

• OWASP Mobile Security Testing Guide (https://mas.owasp.org/MASTG/) – Utilized for comprehensive penetration testing of mobile applications 
• OWASP Mobile Application Security Verification Standard (MASVS) (https://mas.owasp.org/MASVS/) – Utilized for a full-fledged auditing of backend of mobile application.
• OWASP Application Security Verification Standard (https://owasp.org/www-project-application-security-verification-standard/) – Utilized for a full-fledged auditing of backend of mobile application.
• Mobile Top 10 (https://owasp.org/www-project-mobile-top-10/) – Utilized for brief penetration testing of mobile applications 

What are the stages of the project? 

• Sign the contract & NDA
• Approve the test plan and methodology.
• Start – information gathering and documentation study.
• Identification of vulnerabilities (automated scanning and manual assessment).
• Verification of each vulnerability.
• Risk assessment, threat profiling, report writing.
• Report presentation.
• Re-verification after mitigating vulnerabilities.

How secure is the testing procedure for our environment? 

Our goal isn’t to give your systems a bad day with a Denial of Service, but it’s important to understand that we actively attempt to push the systems beyond their usual functioning boundaries.

Now, if we’re venturing into the realm of production environments and dealing with critical systems, fear not! We have a bag of tricks to keep things in check:

• Risky business like vulnerability scanning and exploitation will only happen aftermutually agreeingwith you on the perfect timing. You can choose a maintenance window, for example, during weekends or nighttime, to minimize the risk for your customers.
• Manual checks will be handled with the grace of a tightrope walker, and our scanners willbe configured totiptoe around your systems like a ninja. 
• We will establish an incident escalation procedure in coordination with you, ensuring that you are prepared to respond promptly if any incidents occur.It’s rare, but let’s face it, life is full of surprises. 
• And don’t forget your system backups, always better to have them on standby.

Another option is testing in an environment identical to the production environment.

What tools do we use? 

We utilize both paid and free tools for vulnerability scanning, research, and analysis. Additionally, we employ manual testing, search in public exploit and vulnerability databases.

• Mobile scanner: ImmuniWeb
• Web scanners: BurpSuite & Acunetix.
• Network scanners: Nexpose & Nessus.
• All tools included in the Kali Linux distribution.
• Android & IOS emulators as well as real hardware rooted devices. 
• Exploits found in internet databases such as ExploitDatabase, CVE Details, 0day.today, as well as on GitHub.
• Mannually created tools and exploits.

Do you perform automated testing or manual testing? 

Penetration testing is not just vulnerability scanning; a significant portion of the work is done manually. Vulnerability scanning provides input for manual checks, and the scanner is just one of the tools we use.

We also offer a separate service for vulnerability scanning, which is much simpler. 

To reduce False-negatives during automated vulnerability assessment phase we double-check result with second scanner.