The penetration test of a mobile application starts with setting up the target application in Provensec labs. The test typically covers security aspects such as data protection checks, authentication, session management, input validation, output encoding/escaping, cryptography, and error handling and logging.
A mobile penetration test has three phases:
Client side attacks:
In this phase, we test the client software on the mobile device. We examine where and how the application manages sensitive information, whether the application properly uses native APIs for features such as key stores, and whether sensitive client information is stored insecurely.
Client-server communication attacks:
In this phase, we test the communication between the mobile client and the server to see whether any flaws in the process can be used to compromise the confidentiality, integrity or availability of client data. Man-in-the-middle attacks and parameter tampering are examples.
Server side attacks:
During this phase, the vulnerabilities found in the mobile application client and in the communication between client and server are used to test whether they can be leveraged to compromise the server side of the application.