Organizations should conduct mobile app penetration tests to find and remediate vulnerabilities that could compromise the security of the mobile app itself, the data it handles, or the back-end API it communicates with. Penetration testing should be conducted in a dedicated testing environment at the start of the deploy phase of the software development lifecycle, against the build that is actually intended for release. Once testing is complete and the findings have been remediated and re-verified, the app and its web services can be deployed to production.
Areas of Focus:
- Comprehensive assessments that follow the OWASP Mobile Application Security Testing Guide (MASTG, formerly MSTG).
- Assessment of both the app itself and the supporting infrastructure behind it: session management, cryptography, input sanitization, and more.
- Dynamic analysis and manipulation of web API calls.
- Manual and semi-automated static code analysis.
- Comprehensive security findings report, detailing tools and methods used during testing.
- Executive briefing to discuss business impact scenarios.
- Technical briefing for root cause analysis and remediation of exploitable vulnerabilities.
- Testing artifacts to allow for validation of remediation efforts.