Mobile devices have become an extremely attractive platform for the development of business applications in various industries. Ease of use and mobility are just some of the advantages that such mobile applications bring when compared to standard online services. On the other hand, new attack vectors and threats against mobile devices are often overseen.


Some of mobile application threats typically do not exist on other platforms or technologies and this makes them especially interesting for attackers. A mobile device being lost or stolen is just one such specific threat that needs to be taken under consideration when assessing mobile device security. Other well known threats include malicious software, insecure storage of sensitive information, data leakage and similar.

Due to this new threat landscape, Griffinix offers specialized mobile application penetration test services that are customized for popular mobile platforms such as:

  • iOS (Apple iPhone, iPad),
  • Android
  • Windows Phone
  • BlackBerry

Mobile application penetration testing includes security assessments of both client and server sides used by the tested application. Some of the tests that are conducted on the client side include the following:

  • Reverse engineering mobile application to determine how it works and its architecture,
  • Analysis of protection of sensitive data at rest and in transit,
  • Verification of implemented cryptographic algorithms and their correct usage and implementation,
  • Analysis of authentication methods (i.e. secure storage and verification of PINs),
  • Analysis of implemented authorization controls.
On the server side, vulnerabilities typical for web applications are normally verified. This ensures that the application has been thoroughly examined for all potential security vulnerabilities. Once the identified vulnerabilities have been mitigated, a follow up test is conducted to confirm that the previously identified vulnerabilities do not exist anymore or cannot be exploited due to newly implemented security controls.
 
Mobile application penetration tests are aligned with industry standards such as the OWASP Mobile Security Project, while the methodology and findings are aligned with requirements of applicable regulatory requirements, such as PCI DSS.