
Pentesting Mobile Platforms - A Practical Guide Based On Experience


Penetration testing (pentesting) is a well-understood process for validating network security. The requirements and desired outcomes have been developed over time and are generally clear. However, the existence of a mobile channel changes the picture. In this article we tap into our experiences (good and bad) of working with pentesters to validate and verify the efficacy of our customers' mobile business protection.

This article outlines the phases and procedures involved in pentesting that we recommend to our customers. Over the last several years we have had a few situations where pentesters have not clearly understood how mobile apps change their work. 

One way in which problems can occur is where pentesters are constrained by silo-based thinking. We’ve seen situations where much effort has been put into reverse engineering mobile apps, resulting in the extraction of secrets stored in those apps, such as API keys. The issue which must be borne in mind is not whether such secrets can be removed from the mobile apps, but whether the secrets can be used to gain access to backend resources. If a simple script can present the secret and pass through the network security checks then there is indeed a problem; equally, if the defenses work and block the script then the fact that the secret could be extracted from the app is irrelevant.

Another common situation we see is what might be called “pentesting by numbers”, namely following a prescriptive approach based on industry lists of commonly found issues. The OWASP API Security Top 10 is a good example of this. To be clear, the OWASP project is excellent; the point is that if a pentester showed that none of the Top 10 issues applied to your platform, that does not mean you are immune to successful attack and potential fraud and/or data breaches. It is vital to consider all the ways that bad actors game the systems and not just think about checking for common vulnerabilities.

We hope that the rest of this article will help you to test and identify mobile application weaknesses in the way that hackers would. After all, your adversaries consider your mobile app as a toolbox of goodies to construct attacks against your business.

Pentesting Mobile Apps and APIs Guidance by Phase

The tables below provide some guidance for each pentesting stage. This guide will help you define your pentesting procedures and the tools required.

The first table covers the preparation phase and is extremely important. Don't skim or skip this phase: it is vital that both parties understand what the scope and goals of the testing are.

Phase: Pre-engagement planning
Purpose: To define the scope of testing. This is best done in collaboration with a pentesting company. Due to their experience, the pentesting company should be able to highlight all the logistics and legal requirements for a successful pentest.
Specific guidance:
  • Use the company's security policy to align your scope to pre-approved guidelines.
  • Specify the testing environment, the app and API versions under test, and which classes of vulnerability will be explored.
  • Outline a communication plan that names the team, the communication channels, and the communication frequency.

Phase: Intelligence gathering
Purpose: The pentester collects information from the client organization to facilitate the pentesting process.
Specific guidance: The critical information required during this stage is:
  • Confirm whether certificate pinning is applied to the API connections (and how: platform configuration, networking library, or custom code).
  • Identify which APIs are publicly reachable and which the mobile app calls.
  • Identify the security countermeasures in place, so that their effectiveness can be tested in the later phases.
  • Determine the authentication method for API users (and for the app itself, if any).

Phase: Threat modeling
Purpose: To identify the areas that need protection and the remediation strategies for system security. Threat modeling evaluates the risk to exposed assets such as user credentials, the exposure of the APIs to exploitation, and the countermeasures required for valuable assets.
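Confirming whether certificate pinning is applied is usually the first intelligence-gathering question, because without pinning the API traffic can be intercepted and studied with an ordinary proxy. On Android the platform-level answer sits in res/xml/network_security_config.xml inside the decoded APK. The following script, added here as an illustration and not code from the original article or from Approov, audits that file for a given host: it finds the most specific matching domain entry, walks outward through nested domain-config blocks, and reports the pins, their expiry date and whether cleartext traffic is allowed. The sample configuration, host names and pin values are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample of res/xml/network_security_config.xml as found in a decoded APK.
# Host names and pin values are made up; real pins are base64 SHA-256 digests of the SPKI.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain>legacy.example.com</domain>
    </domain-config>
</network-security-config>
"""


def _matches(domain_el, host):
    """True if a <domain> entry covers host (exact, or a subdomain when includeSubdomains is set)."""
    entry = (domain_el.text or "").strip().lower()
    if host == entry:
        return True
    return domain_el.get("includeSubdomains") == "true" and host.endswith("." + entry)


def audit_pinning(config_xml, host, today=None):
    """Report what the platform config enforces for one host: pins, expiry, cleartext.

    today is an ISO date string (for reproducible runs) or None for the current date.
    """
    today = date.fromisoformat(today) if today else date.today()
    host = host.lower()
    root = ET.fromstring(config_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    report = {"host": host, "matched_domain": None, "pinned": False, "pin_count": 0,
              "expiration": None, "expired": False, "cleartext_permitted": False}
    base = root.find("base-config")
    if base is not None:
        report["cleartext_permitted"] = base.get("cleartextTrafficPermitted") == "true"

    # The most specific <domain> entry wins, as it does on the platform.
    best = None
    for cfg in root.iter("domain-config"):
        for dom in cfg.findall("domain"):
            if _matches(dom, host):
                entry = dom.text.strip().lower()
                if best is None or len(entry) > len(best[0]):
                    best = (entry, cfg)
    if best is None:
        return report
    report["matched_domain"], node = best

    # Walk outward through nested <domain-config> elements: the nearest pin-set
    # and the nearest cleartextTrafficPermitted setting are the ones that apply.
    cleartext_decided = pins_decided = False
    while node is not None and node.tag == "domain-config":
        if not cleartext_decided and "cleartextTrafficPermitted" in node.attrib:
            report["cleartext_permitted"] = node.get("cleartextTrafficPermitted") == "true"
            cleartext_decided = True
        pin_set = node.find("pin-set")
        if pin_set is not None and not pins_decided:
            pins_decided = True
            report["pin_count"] = len(pin_set.findall("pin"))
            exp = pin_set.get("expiration")
            if exp:
                report["expiration"] = exp
                # After the expiration date the platform silently stops enforcing the pins.
                report["expired"] = date.fromisoformat(exp) < today
            report["pinned"] = report["pin_count"] > 0 and not report["expired"]
        node = parents.get(node)
    return report


def findings(report):
    """Turn the report into the notes a tester would put in the intelligence-gathering write-up."""
    notes = []
    if not report["pinned"] and not report["expired"]:
        notes.append(f"{report['host']}: no effective pinning in the platform config "
                     "(check the code for OkHttp CertificatePinner or a custom TrustManager before concluding)")
    if report["expired"]:
        notes.append(f"{report['host']}: pin-set expired on {report['expiration']}; pins are no longer enforced")
    if report["pinned"] and report["pin_count"] < 2:
        notes.append(f"{report['host']}: only one pin, no backup pin for key rotation")
    if report["cleartext_permitted"]:
        notes.append(f"{report['host']}: cleartext (plain HTTP) traffic is permitted")
    return notes


if __name__ == "__main__":
    for host in ("api.example.com", "mobile.api.example.com", "legacy.example.com", "other.example.com"):
        for note in findings(audit_pinning(SAMPLE_CONFIG, host)) or [f"{host}: pinned, no findings"]:
            print(note)
```

Two caveats for the write-up. First, this file only describes pinning done by the platform, and only if the manifest references it via android:networkSecurityConfig; an app that pins through its networking library or a custom TrustManager shows nothing here, so a clean result is a reason to read the decompiled code, not a conclusion. Second, a debug-overrides block in the same file applies only to debuggable builds, so a tester who installs a debug build may see different behaviour than a real user.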

Next we move into the important technical work of searching for holes in the security arrangements and verifying whether they can be exploited. As covered earlier, it is vital that exploitation be considered in its broadest sense, i.e. not constrained to testing specific vulnerabilities but also considering exploitation through scripted impersonation of genuine mobile app traffic.

Phase: Vulnerability analysis and assessment
Purpose: This assessment aims to identify the security risks caused by vulnerabilities and flaws in an organization's systems.
Specific guidance:
  • The scope of testing should dictate the extent of the vulnerability assessment.
  • If identifying weaknesses in the mobile app itself is part of the scope, reverse engineer the apps with the Mobile Security Framework (MobSF) to automate the code assessment.
  • Use the OWASP Top 10 lists (including the API Security Top 10) as a checklist for common vulnerabilities and for the effectiveness of the countermeasures against them, remembering that passing the checklist is a baseline, not proof of immunity.

Phase: Exploitation
Purpose: This phase establishes the main entry points into an organization's systems and identifies high-value targets.
Specific guidance:
  • This stage exploits the entry-point vulnerabilities to identify the high-value target areas. Attackers primarily target authentication, authorization, and availability to breach security restrictions.
  • Pentesters can use Burp Suite Pro to intercept the app's traffic, and Postman or custom scripts to modify and replay it against the APIs, to identify the attack paths open to an adversary. Note that intercepting the traffic first requires getting past any certificate pinning found during intelligence gathering.

Finally, we look at how the pentest results are best collated for consideration by the commissioning entity, and how that entity should assess and action those results.

Phase: Final analysis and review
Purpose: To identify the system's strengths and vulnerabilities, and the likelihood and extent of the potential attacks found.
Specific guidance:
  • Document the access methods into your organization's systems, the value of the compromised systems, and the value of the information targeted.
  • At this stage the pentester should clean up the environment: revoke or rotate any credentials and access used to penetrate the environment and remove any test artifacts, so that nothing left behind can be used for unauthorized access.
  • The pentester should document each test scenario and the corresponding vulnerability and/or exploit.
  • Make recommendations on threat resolution and minimization strategies.

Phase: Apply test results
Purpose: To summarize the final results of the pentest, the security exposure, and the measures to be applied to minimize the potential threats.
Specific guidance:
  • This stage involves reporting on, and reviewing, the recommendations made by the pentesting company.
  • The report should highlight the insights and opportunities to improve mobile app/API security, i.e. the entry points discovered and the remedies for them.

Wrap Up

Anyone can download your mobile apps and study them and reverse engineer them for as long as they want. Anyone can probe your APIs and study their protocols and responses. Moreover, API vulnerabilities are not the only way to abuse your APIs and negatively impact your business.

It is vital that pentesters think like the bad guys, appreciate how they perceive mobile-first enterprises, and consider all the different ways that APIs serving mobile apps can be exploited. Only then will enterprises get the value they want and expect from third-party pentesting efforts.


David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.