Many appdev and appsec teams face staffing shortages, lack the skills to conduct in-depth black-box testing of mobile apps, or want independent verification from a third party. As a result, they engage an outside partner to conduct a thorough, threat-model-driven manual pen test of the entire mobile attack surface to ferret out vulnerabilities.
However, selecting the right mobile app penetration testing partner can be challenging. The level of expertise and quality of service varies dramatically. Making the wrong choice means mobile apps can go into production rife with security bugs for attackers to find, or with privacy and compliance risks that could get you fined by regulators. Here are some key factors to consider when selecting a trusted partner to carry out this critical task.
- Choose an experienced pen test provider dedicated to mobile.
Look for a company that hires experienced pen testers over novices and focuses exclusively on mobile application pen testing. Security analysts should have in-depth knowledge of the mobile attack surface and understand a wide variety of vulnerabilities. Ideally, the team will have a mix of security fundamentals, forensics and reverse engineering expertise. Previous mobile app dev and bug bounty backgrounds are pluses, too.
- Find out what tools and techniques the mobile pen testing team uses.
No one tool suffices, so expect the pen tester to use a mix of custom, commercial and open-source tools to manually test data at rest on the device, data in transit over the network, and the backend APIs the app talks to, and to reverse engineer the app binary itself. NowSecure researchers developed the popular Frida and Radare tools found in most mobile appsec analysts' toolkits. Other tools useful for mobile app pen testing include apktool, Burp Suite, Drozer, Ghidra, Hopper, IDA Pro, mitmproxy, OWASP Zed Attack Proxy (ZAP), and Wireshark, among others. NowSecure Workstation automates aspects of pen testing to help mobile security analysts maximize their productivity and achieve repeatable results. Ask how the team tests: instrumented testing on real (jailbroken or rooted) devices exercises storage, keychain and certificate-pinning behavior that emulators and static review alone can miss.
- Ensure the team understands threat modeling.
Threat modeling is essential to a properly executed mobile app pen test. Instead of a cookie-cutter approach, you want the pen tester to engage in conversation to truly understand your mobile app architecture, the sensitive data it handles, confidential intellectual property and how your app might be exploited. Only then can the partner tailor the test to your mobile app's particular threat profile. Of course, the test should still be anchored to industry standards: the OWASP Mobile Top 10 and the OWASP MASVS for coverage of what gets tested, and CVSS for scoring the severity of what is found.
- Look for reporting that includes context and visuals.
Not only do you want a team that can return pen testing results in a timely manner, but one that provides clear, actionable results. The report should provide detailed attack scenarios that indicate the severity and likelihood of each security issue, along with screenshots and visuals to support the findings. Expect each finding to carry a CVSS vector string and the resulting score, not just a "High" or "Medium" label, so you can check the rating yourself and compare findings across reports. High-quality mobile app pen tests should also include remediation guidance that developers can act on directly.
- Choose a vendor that takes a consultative approach.
Make customer service a priority in the selection process. In addition to meeting with the testing team at the onset of the project to determine scope and approach, you want a mobile app pen testing team that meets with you to review the results. Perhaps you need coaching on how to convince developers which bugs to prioritize, or advice about which results to share with the CIO. Finally, look for a pen testing partner that includes retesting to validate that the fixes actually remediate the reported vulnerabilities rather than just hide them.
To learn more about the art of iOS and Android mobile app pen testing, see these iOS and Android mobile application testing best practices from NowSecure Services experts and simplify the selection process by downloading this checklist for choosing a mobile app pen testing provider.