David Stewart
- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.
Penetration testing (Pentesting) is a well understood process for validating network security. The requirements and desired outcomes have been developed over time and are generally clear. However the existence of a mobile channel changes the picture. In this article we tap into our experiences (good and bad) of working with pentesters to validate and verify the efficacy of our customers’ mobile business protection.
This article outlines the phases and procedures involved in pentesting that we recommend to our customers. Over the last several years we have had a few situations where pentesters have not clearly understood how mobile apps change their work.
One way in which problems can occur is where pentesters are constrained by silo-based thinking. We’ve seen situations where much effort has been put into reverse engineering mobile apps, resulting in the extraction of secrets stored in those apps, such as API keys. The issue which must be borne in mind is not whether such secrets can be removed from the mobile apps, but whether the secrets can be used to gain access to backend resources. If a simple script can present the secret and pass through the network security checks then there is indeed a problem; equally, if the defenses work and block the script then the fact that the secret could be extracted from the app is irrelevant.
Another common situation we see is what might be called “pentesting by numbers”, namely following a prescriptive approach based on industry lists of commonly found issues. The OWASP API Security Top 10 is a good example of this. To be clear, the OWASP project is excellent; the point is that if a pentester showed that none of the Top 10 issues applied to your platform, that does not mean you are immune to successful attack and potential fraud and/or data breaches. It is vital to consider all the ways that bad actors game the systems and not just think about checking for common vulnerabilities.
We hope that the rest of this article will help you to test and identify mobile application weaknesses in the way that hackers would. After all, your adversaries consider your mobile app as a toolbox of goodies to construct attacks against your business.
Pentesting Mobile Apps and APIs Guidance by Phase
The table below provides some guidance for each pentesting stage. This guide will help you define your pentesting procedures and the tools required.
The first section covers the preparation phase and is extremely important. Don’t skim over or skip entirely this phase because it’s vital that both parties understand what the scope and goals of the testing are.
| Testing Phase | Purpose | Specific Guidance |
| Pre-engagement planning | To define the scope of testing. This is best done in collaboration with a pentesting company. Due to their vast experience, the pentesting company should be able to highlight all logistics and legal requirements for a successful pentest. |
|
| Intelligence Gathering | The purpose is for the pentester to collect information from the client organization to facilitate the pentesting process. |
The critical information required during this stage is:
|
| Threat modeling | To identify areas that need protection and identify remedy strategies for system security. | Threat modeling evaluates risk levels on exposed assets such as user credentials, level of exploitation on APIs, and countermeasures required for valuable assets. |
Next we move into the important technical work of searching for holes in the security arrangements and verifying if they can be exploited. As covered early, it is vital that exploitation be considered in its broadest sense, i.e. not constrained to testing specific vulnerabilities but rather considering exploitation through scripted impersonation of genuine mobile app traffic.
| Testing Phase | Purpose | Specific Guidance |
| Vulnerability Analysis and Assessment | This assessment aims at identifying security risks caused by vulnerabilities and flaws in an organization's systems. |
|
| Exploitation | This phase establishes main entry points to an organization's systems and identifies high-value targets. |
|
Finally, we look at how the pentest results are best collated for consideration by the commissioning entity, and how that entity should assess and action those results.
| Testing Phase | Purpose | Specific Guidance |
|
Final Analysis and Review |
|
|
|
Apply test results |
|
Summarize final results from pentesting, security exposure, and measures to be applied to minimize potential threats. |
Wrap Up
Anyone can download your mobile apps and study them and reverse engineer them for as long as they want. Anyone can probe your APIs and study their protocols and responses. Moreover, API vulnerabilities are not the only way to abuse your APIs and negatively impact your business.
It is vital that pentesters think like bad guys, appreciate how they perceive mobile first enterprises and consider all the different ways APIs that service mobile apps can be exploited. Only then will enterprises get the value they want and expect from 3rd party pentesting efforts.
