Security Innovation - Web Security

Mobile Penetration Testing

Businesses today are using mobile apps in new and profound ways, from banking to healthcare. Managing the security risk is growing and challenging on these platforms, along with newly reported vulnerabilities reported daily.

We help to provide a comprehensive risk assessment to your mobile application. With security engineers in both IOS and Android, we provide thorough testing with local device security issues, endpoint web services, and the API’s which inter-connect them.

Title: Mobile Pentest Methodology

Solid Rock Innovations utilizes a detailed and repeatable methodology. We ensure this process is used during each engagement to ensure our assessment is reliable and reproducible. To get these results, we utilize the following steps listed below:

1. Scope

Before a mobile assessment can take place, a clear scope is defined with the client. Communication is encouraged with Solid Rock and the client organization during this stage to establish a firm foundation in which to assess from.

• Identify platform
• Make note of any exclusions from the assessment (IP address and/or services)
• Decide on the official testing window

2. Discovery

Collect as much information as possible on the target, leveraging OSINT (Open Source Intelligence) tools and techniques. The information gathered will help Solid Rock to understand the operations of the organization, which allows risk to be accurately assessed through the engagement process. Some of the intelligence may include:

• Understanding the platform (IOS & Android)
• Information leaked through search engines and third-party libraries
• Type of application (native, hybrid, or web) to understand client vs. server side scenario’s

3. Assessment / Analysis

Automated scripts and tools are used during this stage, along with more advanced information gathering techniques. Solid Rock will further examine any potential attack vectors. The information gathered here will be the basis for exploitation in the next phase.

• Local file analysis
• Proxy network and web traffic
• Inter-process communication endpoint analysis
• Archive analysis of the application installation packages

4. Exploitation

We begin to attack the vulnerabilities discovered from the mobile application This is done with care and caution to protect the mobile device and its data, while still working to verify the existence of attack vectors. The following attacks, and others, will be performed during this stage:

• Leverage known public vulnerabilities of the systems software/firmware
• Gain credentials and attempt to escalate privileges

5. Reporting

Reporting is the final phase of the assessment. All of the information gathered is combined and used to provide the client with a comprehensive detailing of the findings. The report contains a breakdown of the overall risk, highlighting strengths and weaknesses with the mobile application. Recommendations are included to help the business to make informed decisions regarding the mobile application. Each vulnerability is further broken down into technical details, along with remediation steps for the technical team to follow. An executive summary is also included to help provide information for strategic planning.

6. Remediation Testing (Optional)

Upon the request of the client, a retest can be performed after the client has addressed vulnerabilities identified in the assessment. We validate to see if the vulnerability still exists to ensure the changes were implemented properly. The prior assessment will be updated to reflect the results of the retest.