
Analysis of mobile applications (Android and iOS apps)

The analysis of mobile applications includes the examination of Android or iOS apps for vulnerabilities that jeopardize the classic protection goals of IT security (confidentiality, integrity, availability).

The analysis includes both the client application (Android and iOS app) and the server-side application parts, such as the web API. In addition, a static analysis of the binary file or at source code level is carried out, as well as a dynamic analysis at application runtime in a test or production environment.

When carrying out penetration tests of mobile applications, we follow recognized IT security standards such as the OWASP Mobile Application Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS).

Why analyze mobile applications?

By analyzing mobile applications, vulnerabilities within an application system can be identified in order to determine existing security risks for an application and the data it processes. By recommending specific measures to eliminate identified vulnerabilities, the software quality in the area of IT security can be increased and adequate protection against attackers can be guaranteed.

In general, security tests can be used to check the following protection goals according to BSI [1]:

Confidentiality
“Confidentiality is the protection against unauthorized disclosure of information. Confidential data and information may only be accessible to authorized persons in the permitted manner.”
Integrity
“Integrity means ensuring the correctness (integrity) of data and the correct functioning of systems.”
Availability
The availability of services, functions of an IT system, IT applications or IT networks or even information is ensured if these can always be used by users as intended.

Goal

The aim of the investigation of a mobile application is …

the identification of existing weak points and misconfigurations in the app or its backend systems
the recommendation of appropriate measures for remediation in order to increase software quality in the area of IT security
a determination of the security level at application level at the time of test execution, based on the test results.

In addition to the scope of the test, the specific test objectives and their prioritization are determined individually in advance in consultation with the client and the investigation is adapted accordingly.

General test methodology

The testing focus of the client-side and server-side components of mobile applications is based on the procedure of the OWASP Mobile Application Security Testing Guide (MASTG) [2] and OWASP Mobile Application Security Verification Standard (MASVS) [3].

The depth of testing generally depends on the available test time and is agreed with the client during the consultation. This should be adapted to the protection requirements of the application. With this in mind, test points are divided into the following levels:

Next Steps

Further analysis

Expansion of previous activities to other applications or application parts
A repeated analysis can verify that the identified weaknesses have been effectively eliminated.
Evolving applications can be regularly examined for existing vulnerabilities. The analysis can cover the entire software system or only newly added functionalities.

Security consulting

Based on the knowledge gained and the vulnerabilities identified, general or application-specific IT security topics, best practices and know-how can be communicated, whether to raise awareness or to work out solution approaches.

Developer training

If developers are unfamiliar with certain attack scenarios or recommended measures, targeted training content can impart basic knowledge of secure application programming.

Sources

[1] Federal Office for Information Security, IT-Grundschutz-Kompendium (Edition 2022)

[2] The OWASP® Foundation, MASTG

[3] The OWASP® Foundation, MASVS