How to do mobile app pen testing

App pen testing is an essential part of the mobile app development process. Checking for bugs, potential crashes, security vulnerabilities and user experience issues is key if you want your mobile app to succeed. As we’ve seen in previous articles, there are tests available for each aspect of the development process and entire strategies that revolve around testing. In this article, we’ll focus on testing your app’s security and cover the basics of pen or penetration testing.

What is app pen testing?

app pen testing

Pen testing is a simulated attack on your app that is used to check your mobile app’s defenses and detect any security weakness. Its aim is to exploit any vulnerabilities your app may have in order to check, within a safe environment, if it is possible to gain unauthorized access or carry out malicious activity within the app.

Types of pen testing

There are three possibilities when it comes to mobile app pen testing: black-box testing, white-box testing and grey-box testing. Let’s take a look at each one:

In black-box testing, the person testing your app has no knowledge of the internal design, structure or implementation of the app. Here, the tester would behave like a real-life potential attacker to see what damage can be done with only publicly-available information.

White-box testing is pretty much the opposite. Here, the tester has access to credentials, the code’s structure and the product’s documentation. This type of testing is used to protect the mobile app against internal attacks.

Finally, grey-box testing is somewhere in the middle. The tester receives limited information; for example, login credentials. This would be a middle-ground between an internal and an external attack and is often seen as a good balance between authenticity (as an attacker will probably have done a bit of research and have some information on your product) and efficiency (as having some information means a smaller time investment).

app pen testing 2

How is app pen testing done?

Regardless of whether you use white, grey or black-box testing, there are several things to keep in mind when carrying out mobile app pen testing. Here are the basic steps and practices you should follow:

Create a testing plan: the first step for any successful mobile app pen test is to prepare a detailed plan. If you need a place to start, the Open Web Application Security Project® (OWASP) has a security testing guide that offers some guidance. You should consider an appropriate technique for each major attack surface (application mapping, client, network and server).

Choose the right tools: picking the pen testing tools most suited for the task is just as important as choosing the appropriate techniques or methodology. There is a wide variety of tools available, both free and at a cost. The choice will largely depend on the environment you are using. Some of the tools available are ApktoolDrozer and dex2jar for Android and Hopper, Cydia and Frida for iOS.

Prepare the testing environment: once you have defined your plan and the tools to carry it out, you will need to prepare the pen testing environment. For iOS—given Apple’s tight security—it will be necessary to jailbreak the device. You can use evasi0n to help you do this. For Android, you can simply install One Click Root to root the device.

Launch your attacks: as mentioned above, each major attack surface should be covered by pen testing. When it comes to the server, testing should include authentication mechanisms, file uploads, cross-origin resource sharing and open redirects. During network attacks, you should test authentication, authorization and session management mechanisms as well as encryption protocols.

Carry out binary and file analysis: when it comes to client attacks, you should run both binary and file-level analysis. In this case, testing should include buffer overflows and checking for potential SQL injection-based attacks. IDA Pro and Hopper are some of the tools available to help you with this particular task.

Document your work and keep testing: you should keep up to date with security vulnerabilities and continuously improve your skills for future pen tests. If you are in need of some assistance, DVIA and Mobisec are some of the websites that offer tools to help you keep working on your pen-testing skills.


Final thoughts

As cyber-attacks continue to grow, mobile app security has become a priority. Pen testing is an excellent tool when it comes to covering your bases and, when wisely planned, it will ensure you prevent unauthorized access or malicious activity. We hope this article has given you a place to get started.