Definition
An app penetration test is concerned with evaluating the security of mobile applications for the operating systems
- Android and
- iOS.
DriveByte uses the proven and regularly updated OWASP Mobile Security Testing Guide to test mobile applications.
A pentester checks official, unofficial and self-developed mobile applications for vulnerabilities by systematically testing and examining accessible interfaces, user input and other components of these applications.
Requirements
To ensure that a penetration test can be carried out smoothly and successfully, some organizational and technical preparations must be made.
Scope
With the introduction of the hacker paragraph (§202c StGB), an “ethical hacker” is obliged to define the test scope with the client in advance.
Intensity
Penetration tests can be designed differently and more or less invasively depending on the situation. DriveByte offers three intensities for penetration tests defined by the BSI.
Location
The test location must be defined for individual test objects or for the project in general. In most cases it is possible to check all test objects via the Internet during penetration tests by using a “jump host”, so the physical presence of a pentester is not necessary.
Conditions
Various test conditions can be defined for all or individual test objects. The test conditions can be defined by the customer and bindingly recorded in the template.
Timeline
A regulated and pre-defined test period is a prerequisite for the efficient execution of a penetration test. Depending on the customer's wishes and the availability of the service provider, the customer sets a binding test period in the template.
Responsibilities
For a successful penetration test, the client and contractor must define who is responsible for the project to be carried out. A project manager and a technical contact person must be defined on the client's side.
Procedure
DriveByte recognizes the Penetration Testing Execution Standard PTES as a reference framework for the execution of penetration tests. The PTES consists of seven main sections:
startPre-Engagement
searchIntelligence Gathering
crisis_alertThreat Modelling
bug_reportVulnerability Analysis
dangerousExploitation
dynamic_feedPost-Exploitation
summarizeReporting
Documentation
The vulnerabilities found are grouped according to criticality and affected test objects and documented in detail. DriveByte uses the widely used Common Vulnerability Scoring System CVSS 4.0 to assess the vulnerabilities found.
descriptionDescription of Scope
listList of Test Conditions
shortcutExecutive Summary
startProcedure Description
terminalVulnerability Listing
flagRecommended Countermeasures
Do you know how secure your applications are?
Identify security gaps in your applications and avoid costly consequences. Arrange a free consultation now.
Frequently asked questions
We will answer the most important questions in advance so that you are well informed.
What does an app penetration test cost?
What are black, white and grey box penetration tests?
How long does an app penetration test take?
Will a penetration test affect business operations?
What are the prerequisites for a penetration test?
What happens if a security vulnerability is found?
Is a penetration test a one-off measure?
Is there a final report following the test?