THE WHY

A mobile application is in many ways similar to a web application. It often includes both a front- and backend with many of the same vulnerability categories as a web application:

Identity Management Testing
Authentication Testing
Authorization Testing
Session Management Testing
Input Validation Testing
Error Handling
Cryptography
Business Logic Testing
Client Side Testing

THE HOW

Nordic Resilience’s method for conducting a penetration test of a mobile application is built on OWASP’s Mobile Security Testing Guide. This guide consists of two essential parts: the Mobile Security Testing Guide (MSTG) and the Mobile App Security Requirements and Verification (MASVS).

The MSTG is a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers with the following content:

Mobile platform internals
Security testing in the mobile app development lifecycle
Basic static and dynamic security testing
Mobile app reverse engineering and tampering
Assessing software protections
Detailed test cases that map to the requirements in the MASVS.

The OWASP Mobile Application Security Verification Standard (MASVS) is, as the name implies, a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results.

The test method of the guide is based on a combination of automated and manual tests, in order to ensure a thorough penetration test of the mobile application.

THE DELIVERABLE AND DURATION

A penetration test of a mobile application (iOS or Android) usually takes 5 days, but this varies from application to application due to differences in complexity. At the end of the penetration test, the organization will receive a single commercial-grade report containing a non-technical section for the C-suite members of the organization, as well as a technical section providing in-depth details of the vulnerabilities that were observed. Lastly, all vulnerabilities will be manually scored with a risk assessment (CVSS or Low/Medium/High/Critical), in order to assist the organization in prioritising the remediation of each one.