Mobile Applications Penetration Testing

Mobile penetration testing is a critical component of any comprehensive security plan. It is the process by which application software developed for handheld mobile devices is tested for security weaknesses: flaws in the app itself, in the data it stores on the device, and in its communication with backend services that an attacker could exploit.

DarkSkope provides security testing and reverse engineering of iOS and Android mobile applications, covering:

  • Mobile platform internals
  • Security testing in the mobile app development lifecycle
  • Basic static and dynamic security testing
  • Mobile app reverse engineering and tampering
  • Assessing software protections
  • Detailed test cases that map to the requirements in the MASVS.

What is Mobile Application Penetration Testing?

Mobile application penetration testing methodology focuses on client-side security, the device file system, hardware, and network security. DarkSkope mobile application penetration testing attempts to exploit vulnerabilities in the mobile application code to determine whether unauthorized access or other malicious activity is possible.

Process

Mobile Application Penetration Testing is divided into four stages:

1. Discovery is the collection of the information essential to understanding how your mobile application(s) could be successfully exploited.

2. Assessment is the analysis of your mobile application's source code and behaviour to identify potential entry points and weaknesses that can be exploited.

3. Exploitation involves leveraging the discovered vulnerabilities to make the mobile application behave in a manner not intended by its developers.

4. Reporting involves recording and presenting the discovered issues in a manner that makes sense to management. This is also the stage that differentiates a penetration test from an attack.
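The Discovery and Assessment stages above begin with a static review of what the app exposes before any exploitation is attempted. As an added illustration (editor's example code, not DarkSkope's own tooling and not part of the original page), the Python script below triages a decoded AndroidManifest.xml, the kind apktool produces, for settings that commonly become findings: a debuggable build, backups left enabled, cleartext traffic allowed, and exported components that any other app on the device can invoke. The manifest embedded in the script is constructed for the example, and the mapping of each check to a MASVS v1 category (V2, V5, V6, V7) is the editor's own.

```python
"""Static triage of a decoded AndroidManifest.xml (e.g. apktool output).

Added example for the Discovery/Assessment stages; not DarkSkope tooling.
SAMPLE_MANIFEST below is constructed for illustration only.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name, default=None):
    """Read an android:* attribute; ElementTree keys it by the full namespace URI."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def _is_launcher(component):
    """True for the launcher activity, which is exported by design and not a finding."""
    for flt in component.findall("intent-filter"):
        for action in flt.findall("action"):
            if _attr(action, "name") == "android.intent.action.MAIN":
                return True
    return False


def triage_manifest(xml_text):
    """Return (masvs_category, finding) tuples for common manifest weaknesses."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings

    # V7: a release build must not be debuggable (allows debugger attach, memory inspection).
    if _attr(app, "debuggable") == "true":
        findings.append(("V7 Code Quality and Build Settings",
                         'android:debuggable="true" on a release build'))

    # V2: allowBackup defaults to true, so app data can be pulled with `adb backup`
    # (the platform only blocks adb backup of app data from Android 12 onward).
    if _attr(app, "allowBackup", "true") == "true":
        findings.append(("V2 Data Storage and Privacy",
                         "android:allowBackup is true (or absent): app data is included in backups"))

    # V5: plaintext HTTP permitted app-wide.
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append(("V5 Network Communication",
                         'android:usesCleartextTraffic="true": cleartext HTTP allowed'))

    # V6: exported components without a permission are entry points for any app on the device.
    # Activities, services and receivers that declare an intent-filter are exported by default
    # (targetSdk < 31); providers are judged on their explicit android:exported flag here.
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            exported = _attr(comp, "exported")
            implicit = (tag != "provider" and exported is None
                        and comp.find("intent-filter") is not None)
            if (exported == "true" or implicit) and _attr(comp, "permission") is None:
                if _is_launcher(comp):
                    continue
                findings.append(("V6 Platform Interaction",
                                 "%s %s is exported without a permission"
                                 % (tag, _attr(comp, "name"))))
    return findings


# Constructed sample: a hypothetical banking app with several weak settings.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.bank.data"
              android:exported="true"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for category, finding in triage_manifest(SAMPLE_MANIFEST):
        print("[%s] %s" % (category, finding))
```

On the constructed manifest the script reports five findings: the debuggable flag, the missing allowBackup="false", cleartext traffic, and the exported DeepLinkActivity and DataProvider; SyncService is exported but guarded by a permission, and the launcher activity is skipped. Each finding is a lead for the Exploitation stage (for example, invoking the exported provider from a second app), not proof of impact on its own.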

Outputs

Following our human-centric testing methodology, a code vulnerability report will be produced with the goal of providing recommendations for improvement. The reports are clear and easy to understand, as they are written by humans, for humans.

Our testers will ensure that applications meet or surpass industry standards, including MASVS-L1 and MASVS-L2.

What is MASVS? The Mobile Application Security Verification Standard is published by OWASP. Its overall goal is to offer a baseline for mobile application security (MASVS-L1), while also allowing for the inclusion of defense-in-depth measures (MASVS-L2) and protections against client-side threats (MASVS-R).

What does MASVS achieve?

  • Provide requirements for software architects and developers seeking to develop secure mobile applications;
  • Offer an industry standard that can be tested against in mobile app security reviews;
  • Provide specific recommendations as to what level of security is recommended for different use-cases.

What levels of MASVS are available?

MASVS-L1 for all mobile apps

MASVS-L1 lists security best practices that can be followed with a reasonable impact on development cost and user experience. Apply the requirements in MASVS-L1 to any app that doesn't qualify for one of the higher levels.

MASVS-L2 for Health-Care and Financial Industry mobile apps

Health-Care Industry: mobile apps that store personally identifiable information that can be used for identity theft, fraudulent payments, or a variety of fraud schemes. For the US healthcare sector, compliance considerations include:
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The HIPAA Privacy, Security and Breach Notification Rules
  • The Patient Safety Rule

Financial Industry: apps that enable access to highly sensitive information like credit card numbers or personal information, or that allow the user to move funds. These apps warrant additional security controls to prevent fraud. Financial apps need to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act (SOX).

MASVS-L1+R for mobile apps where IP protection is a business goal

The resiliency controls listed in MASVS-R can be used to increase the effort needed to obtain the original source code and to impede tampering / cracking.

MASVS-L1+R for mobile games

Games with an essential need to prevent modding and cheating, such as competitive online games. Cheating is an important issue in online games, as a large number of cheaters leads to a disgruntled player base and can ultimately cause a game to fail. MASVS-R provides basic anti-tampering controls to help increase the effort required of cheaters.

MASVS-L2+R for financial industry mobile apps

Online banking apps that allow the user to move funds, where techniques such as code injection and instrumentation on compromised devices pose a risk. In this case, controls from MASVS-R can be used to impede tampering, raising the bar for malware authors.

The same level suits any mobile app that, by design, needs to store sensitive data on the mobile device while supporting a wide range of devices and operating system versions. Here, resiliency controls serve as a defense-in-depth measure to increase the effort for attackers aiming to extract the sensitive data.

The MASVS is the reference guideline for mobile application security, and its implementation is strongly encouraged.

The text in the MASVS section is extracted and adapted from the OWASP website.

Regulatory Compliance

Many regulatory and security frameworks require penetration testing. DarkSkope penetration testing can help achieve compliance with PCI DSS, HIPAA and NERC CIP regulations, as well as the OWASP Top 10 and SANS Top 25 frameworks. DarkSkope can also test mobile, desktop, backend and IoT applications, and provides experienced consultants who can help development teams better understand the vulnerabilities discovered by penetration testing.

"Darkskope revolutionised Business Continuity & Crisis Management throughout the Group. I can say this with absolute confidence as all the planning, exercising & training was put to a severe test during our response to dealing with COVID-19. Our business was proven to be highly resilient and all staff were competent & confident, from the Board level through to individual sites"

Mike D

Group HR & Business Improvement Director, Manufacturing Company, United Kingdom

"Darkskope worked seamlessly and tirelessly to understand our business and design a resilience solution that worked throughout the business. They handled all aspects from Health & Safety, Business Continuity & Crisis Management, which lifted the heavy burden from our staff. Everyone in the business has been trained and is very comfortable with their roles & responsibilities"

Mark L

Chief Executive Officer, Major International Sporting Institution, UK, Europe & UAE

"The Smart-Resilience system by Darkskope changed the game for our business in planning for business continuity & crisis management. Beforehand, this was an area of the business that no-one wanted responsibility for. Now, all our documentation, exercising & competence training is easily managed and delivered. Simple & powerful."

Blair W

Founder & CEO, Global Agri-Manufacturing Company, Alberta Canada & Dubai, United Arab Emirates

Book a consultation

Have a question? We're here to help. Send us a message and we'll be in touch.