Updated on August 23, 2022 by Ian Terry
The number of people using a smartphone is higher than ever, directly resulting in the increased number of people using mobile apps. In 2021, the total number of mobile apps downloaded was as high as 230 billion. With increased mobile app usage, securing them against cyber threats becomes critical. Penetration testing (or pen testing) is an effective way of testing the defenses of a mobile app and ensuring that it is secure.
What is mobile app pen testing?
Mobile app pen testing is a method to assess the vulnerabilities in the app by simulating an attack by professional security testers. Pen testing is a way to continuously enhance the security of a mobile app by identifying misconfigurations or inherent vulnerabilities that can result in security concerns.
Security concerns can include unwanted data exposure, unauthorized access, privilege escalation, data theft, etc. With the mobile app threats evolving with the rising number of mobile apps, pen testing provides a way to test just how well a mobile app is guarded against both internal threats and external threats.
Mobile App Pen Testing Methods
Mobile app penetration testing is performed using methodologies that can be broadly classified into 3 types:
- Black box testing
- White box testing
- Grey box testing
The type of testing to be used depends on several factors such as the mobile app being tested, security goals and standards that need to be adhered to, business objectives, other methods of testing carried out on the mobile application, etc.
Black Box Testing
In black box testing, a controlled attack is simulated on the mobile app without any prior information about the app. It mirrors an external attack by a hacker who does not have information about the mobile app. Testers are not provided with the application architecture, the source code, or app configurations. Only publicly available information about the app is available to the testers.
This is a type of dynamic testing that tries to launch an attack on a fully functioning mobile app. The tester usually uses automated scanning tools to detect vulnerabilities. Black box testing is as close as possible to an actual attack since a majority of hackers won’t have any prior knowledge about the app.
| Pros of Black Box Testing | Cons of Black Box Testing |
|---|---|
| Fast turnaround | Often expensive |
| Closest to a real attack | Low coverage |
| Helps identify a wide range of vulnerabilities | Does not test the internal system |
| High accuracy when combined with manual and automated vulnerability scans | The efficacy depends on the competency of the testers |
White Box Testing
In white box testing, the attack is carried out based on the information about the app such as its source code, application architecture, documentation, etc. This attack mirrors an internal threat where someone from the inside tries to cause damage through the mobile app. White box testing is also known as ‘open box testing’, ‘clear box testing’, and ‘logic-driven testing’.
Testers use both static and dynamic analysis to assess the vulnerabilities in the mobile app during white box testing. Both internal and external vulnerabilities can be revealed through white box testing. It is a more comprehensive method of testing since it covers almost all the elements of the mobile app.
| Pros of White Box Testing | Cons of White Box Testing |
|---|---|
| Comprehensive testing | Slow turnaround |
| Identifies both internal and external vulnerabilities | Identifying the test cases might take time due to the large amount of available information |
| Finds vulnerabilities at the source code level, too | Needs advanced tools for effective testing |
| Less expensive compared to black box testing |
Related article: What type of Penetration Testing is Better: Black Box vs. White Box
Gray Box Testing
Gray box testing is conducted with partial information about the mobile app. For example, the login credentials could be known but not the source code. This type of testing lies in the middle of the spectrum from black box testing to white box testing. Testers have some level of access or sometimes elevated access to the application source code and architecture to launch a simulated attack on the application.
Since testers have some level of information and access to the application, gray box testing can focus on the most critical threats and vulnerabilities right from the beginning of the testing.
| Pros of Gray Box Testing | Cons of Gray Box Testing |
|---|---|
| Efficient testing | Slow turnaround compared to black box testing |
| Good accuracy in identifying vulnerabilities |
How to Conduct Mobile App Pen Testing?
The mobile app pen testing methodology can be thought of as having 4 major stages as given below.
Discovery and planning
In the discovery stage, the testers will gather information about the app and the objectives of the testing to create threat models. The type of app (native or hybrid), its network interfaces, user data stored by the app, etc. need to be considered in this stage. It is an important stage for deciding on the testing roadmap.
Assessment
The first step is to look for basic vulnerabilities in the mobile app such as insecure communication, encryption vulnerabilities, platform misuse, etc. The mobile app is analyzed before and after installation using assessment techniques such as:
- Static analysis
- Dynamic analysis
- Local file analysis
- Endpoint analysis
- API analysis
- Web server analysis
- Web traffic analysis
Exploitation
In this stage, mobile app penetration is attempted. Depending on the methodology being used, in this stage, the testers will use manual and automated testing tools to reveal the vulnerabilities in the mobile app.
There are several pen testing tools available in the market. Security teams can help you pick the right tool. Here are some commonly used tools for pen testing.
| For Android | For iOS |
|---|---|
| Burp Suite | Cydia |
| Zed Attack Proxy (ZAP) | Otool |
| Apktool | Clutch |
| Frida | Hopper |
| MobSF | MobSF |
Reporting
The findings of the penetration testing need to be documented for further actions for vulnerability treatment. The final technical report should contain the list of vulnerabilities, the risk of these vulnerabilities being exploited, and the likelihood and consequences of the vulnerabilities being exploited.
Do note that the vulnerabilities that are fixed might also need another round of pen testing to determine whether they have been completely eliminated or mitigated.
Benefits of mobile app pen testing
Below are the benefits of using penetration testing for mobile applications.
- It helps reveal critical vulnerabilities. – Often, it is difficult to imagine that the mobile app you have developed has many vulnerabilities. Hence, the results of penetration testing can be surprising. It can reveal unknown vulnerabilities that when fixed in time will help make the mobile application more secure.
- It helps in preventing future attacks. – When vulnerabilities are uncovered, mobile app developers can release security patches to treat the vulnerabilities, thus preventing future attacks. Since cyber-attacks are becoming more vicious, preventing them can help you save data, money, and brand reputation.
- It helps to test the incident response plan. – When an attack is simulated in a controlled manner, it also helps to test whether the security incident response plan created by the company is enough to withstand an actual attack.
- The mobile app can be launched with more confidence. – When you know that all known vulnerabilities have been identified, fixed, and mitigated, you can launch the app with more confidence knowing that it is not susceptible to any severe threats.
Final thoughts
Mobile application penetration testing is a very effective method to identify the vulnerabilities in a mobile app. It is a holistic and flexible approach that helps in securing your mobile apps. Choosing the right type of penetration testing methodology is not about deciding which one is better, it is more about determining which methodology will give you the best coverage and efficiency with respect to your security goals.
