Mobile Application Penetration Testing

Mobile devices have become an essential component of business and of general life in the 21st century. Almost all organisations publishing information through a web application extend this functionality to a mobile application. Exposing this information in an insecure manner can lead to a significant breach of sensitive information.

Triskele Labs conducts Penetration Testing of mobile applications to identify potential security issues that could be compromised to gain access to sensitive information presented by the mobile application. Our testing aligns with OWASP standards to ensure all areas are covered and nothing is left untouched.

What sets us apart from the others?

  • Re-testing is included in all of our engagements
  • We assign a dedicated Service Delivery Manager
  • Results are provided in real-time via our unique portal
  • Reports are guaranteed within 10 business days
  • Our team is fully CREST-registered
  • Daily start and end-of-day emails including a list of issues
  • You have access to our whole team throughout testing
  • Everyone in our team is Australia-based

Our Comprehensive Methodology

An architecture review of the mobile application will be conducted to understand its functionality and the communication methods it requires. This will include identifying the requirements to test the application and, if present, its communications back-end.

A threat model will be developed to understand the risks facing the mobile application. This will assist in understanding what data is present, whether authentication is used and whether an administrative back-end is in place.

The Ethical Hacking Team will observe the application at the functional level and analyse its behaviour, including decrypting it if the application has been obfuscated. Identifying which frameworks have been used will further inform the relevant test cases.

Reverse engineering of the application will be conducted on the relevant platforms (Android or iOS). This will consist of automated and manual inspection of code through decompiling techniques. This will be conducted utilising tools such as dex2jar, JD-GUI, tool and class-dump-z. Automatic and manual source code analysis will be conducted utilising tools such as Androwarn, Andrubis, ApkAnalyser, Flawfinder and Clang Static Analyzer.

Run-time analysis of the mobile application will be conducted through passive network monitoring and analysis. Where possible, active network capture and manipulation (WiFi and cellular) will be conducted. File activity analysis will be conducted by examining file system changes during run-time. This will identify issues such as unencrypted sensitive data being sent, user authentication bypass or stored user credentials.
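As an added illustration of the file activity analysis step (example code, not Triskele Labs' own tooling): it snapshots an application's data directory before and after an action, diffs the two snapshots, and scans the new or changed files for credentials or tokens stored in the clear. The directory layout, file names and detection patterns are constructed for the demo and would be adapted to the application under test.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators of sensitive data written to disk in cleartext (constructed; extend per app).
SENSITIVE_PATTERNS = {
    "password_field": re.compile(r'password["\']?\s*[:=>]\s*["\']?\w+', re.I),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9\-_.]{20,}"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}

def snapshot(root):
    """Map every file under root (relative path) to the SHA-256 of its contents."""
    snap = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            snap[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snap

def changed_files(before, after):
    """Files that are new or whose contents changed between two snapshots."""
    return sorted(p for p, h in after.items() if before.get(p) != h)

def scan_for_secrets(root, files):
    """Return {relative_path: [pattern names]} for files containing cleartext secrets."""
    findings = {}
    for rel in files:
        text = (Path(root) / rel).read_text(errors="ignore")
        hits = [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text)]
        if hits:
            findings[rel] = hits
    return findings

def demo():
    """Constructed app data directory: simulate a login that persists prefs and a cache."""
    root = tempfile.mkdtemp()
    prefs = Path(root) / "shared_prefs"
    prefs.mkdir()
    (prefs / "app.xml").write_text('<map><string name="theme">dark</string></map>')
    before = snapshot(root)
    # "After login": the app writes the password and a session token unencrypted.
    (prefs / "app.xml").write_text('<map><string name="password">hunter2</string></map>')
    (Path(root) / "cache").mkdir()
    (Path(root) / "cache" / "session").write_text("Authorization: Bearer abcdefghij0123456789ABCDEFGHIJ")
    after = snapshot(root)
    changed = changed_files(before, after)
    return changed, scan_for_secrets(root, changed)

if __name__ == "__main__":
    print(demo())
```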

Utilising the results of testing, Triskele Labs will report on issues identified. False positives are reduced throughout the process. All of our reports are provided to our clients through our secure portal, MyFiles.

Our Testing Checklist Includes

  • Architecture Design
  • Data Storage & Privacy
  • Cryptography Verification
  • Authentication & Session Management
  • Network Communication
  • Platform Interaction
  • Code Quality & Build Settings
  • Resiliency Against Reverse Engineering