Mobile Application Pentest

Phases of Mobile Penetration Testing


We follow an industry-standard methodology, primarily based on the OWASP Mobile Application Security Verification Standard (MASVS), that covers the known classes of mobile application vulnerabilities.

Our methodology is organised into four key penetration testing stages, described in order below:

To begin, pen-testers perform reconnaissance activities, such as understanding workflows and business logic, to map out the application's attack surface.

Note: the most useful support a client can give the pen-testers is to provide the .ipa (iOS) and .apk (Android) files, either attached to the asset or shared in the Slack channel.

During this phase, pen-testers cover the agreed scope using manual techniques and a range of automated tools to ensure proper coverage. Testers analyse the application dynamically at runtime and also assess the application archive itself and the files it stores locally on the device.

Testers also examine the communication channels and traffic that the application exchanges with external endpoints, as well as its Inter-Process Communication (IPC) interfaces. Additionally, pen-testers reverse-engineer the application to gain insight into its internals and attempt to gain access to any sensitive data that the application uses or stores.
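As an illustration of the archive assessment and IPC attack-surface mapping described above, here is an added example script that is not part of this page or of the firm's own toolkit. It assumes an Android package that has already been decoded (for instance with apktool) so that AndroidManifest.xml and res/xml/network_security_config.xml are plain XML; the manifest and network security config embedded below are constructed samples for a hypothetical com.example.demo app, not taken from any real application. The script applies the platform's default export rules to find components reachable from other apps and flags debuggable, backup and cleartext-traffic settings that a tester would follow up on during dynamic and traffic analysis.

```python
"""Triage a decoded AndroidManifest.xml and network_security_config.xml for
attack-surface issues a mobile pen-tester checks early: IPC components that
other apps can reach, debuggable/backup flags and permitted cleartext traffic.
Sample inputs below are constructed for illustration (hypothetical app)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS          # ElementTree's namespaced attribute prefix
IPC_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (as apktool would decode it), not a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo" android:host="open"/>
      </intent-filter>
    </activity>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data" android:exported="true"/>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.demo.SYNC"/>
    <service android:name=".LocalService" android:exported="false"/>
  </application>
</manifest>
"""

# Constructed sample res/xml/network_security_config.xml, not a real app.
SAMPLE_NSC = """
<network-security-config>
  <base-config cleartextTrafficPermitted="true"/>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
  </domain-config>
</network-security-config>
"""


def is_exported(comp):
    """Resolve android:exported as the platform does when it is not set
    explicitly: a component with an <intent-filter> is exported by default.
    (Apps targeting API 31+ must set it explicitly or fail to install.)"""
    val = comp.get(A + "exported")
    if val is not None:
        return val.lower() == "true"
    return comp.find("intent-filter") is not None


def is_launcher(comp):
    """True for the home-screen launcher activity, which is expected to be exported."""
    return any(c.get(A + "name") == "android.intent.category.LAUNCHER"
               for c in comp.iter("category"))


def find_exported_components(manifest_xml):
    """Return (tag, name, permission) for every exported IPC component.
    A permission of None means any third-party app can reach it."""
    app = ET.fromstring(manifest_xml).find("application")
    return [(c.tag, c.get(A + "name"), c.get(A + "permission"))
            for c in app if c.tag in IPC_TAGS and is_exported(c)]


def application_flags(manifest_xml):
    """Read application-level flags; allowBackup defaults to true on Android."""
    app = ET.fromstring(manifest_xml).find("application")
    return {"debuggable": app.get(A + "debuggable", "false").lower() == "true",
            "allowBackup": app.get(A + "allowBackup", "true").lower() == "true"}


def cleartext_permitted(nsc_xml):
    """Return (base_allowed, {domain: allowed}). base_allowed is None when no
    <base-config> exists, i.e. the platform default (cleartext allowed only
    below targetSdk 28) applies. Unset domain-config values inherit the base."""
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_allowed = None
    if base is not None:
        base_allowed = base.get("cleartextTrafficPermitted", "false").lower() == "true"
    domains = {}
    for dc in root.findall("domain-config"):
        attr = dc.get("cleartextTrafficPermitted")
        allowed = base_allowed if attr is None else attr.lower() == "true"
        for d in dc.findall("domain"):
            domains[d.text.strip()] = allowed
    return base_allowed, domains


def triage(manifest_xml, nsc_xml):
    """Produce the list of findings a tester would take into dynamic testing."""
    findings = []
    flags = application_flags(manifest_xml)
    if flags["debuggable"]:
        findings.append("application is debuggable: run-as and debugger attach possible")
    if flags["allowBackup"]:
        findings.append("allowBackup not disabled: app data exposed via adb backup on older targets")
    app = ET.fromstring(manifest_xml).find("application")
    launchers = {c.get(A + "name") for c in app if is_launcher(c)}
    for tag, name, perm in find_exported_components(manifest_xml):
        if perm is None and name not in launchers:
            findings.append(f"exported {tag} {name} has no android:permission")
    base_allowed, domains = cleartext_permitted(nsc_xml)
    if base_allowed:
        findings.append("base-config permits cleartext (HTTP) traffic")
    findings += [f"cleartext permitted for {d}" for d, ok in domains.items() if ok]
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_NSC):
        print("[!]", line)
```

Run against the constructed sample, the script reports the debuggable and backup flags, the implicitly exported deep-link activity and the unprotected content provider, and the cleartext base configuration; the permission-guarded receiver and the launcher activity are deliberately not reported. Each exported component listed is a candidate for follow-up with adb (am start / content query) during dynamic testing, and the cleartext finding tells the tester to watch for HTTP in the intercepted traffic.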

Pen-testers use our API Methodology for any backend testing.

Pen-testers attempt various exploitation techniques against the discovered vulnerabilities to demonstrate the impact on the confidentiality, integrity, or availability of the client's data.

Using privilege escalation techniques, testers attempt to act as other users of the same role (horizontal) or as higher-privileged roles (vertical) to show the effect on the application's security posture.

Pen-testers report and triage all vulnerabilities during the assessment itself. We provide details of every finding through the client's preferred communication channel, such as Slack, so the client has full visibility of discoveries in real time.

In the findings and final report, pen-testers provide detailed remediation steps and advice on further improvements of the security posture.

The client can remediate critical findings during and after the testing timeframe. Pen-testers then test the updated components and re-test the reported issues to confirm that no residual risk remains.

Schedule your Mobile penetration testing now