Overview: Mobile Application Penetration Testing
Raxis penetration testers are code developers who have a strong understanding of mobile applications. We've worked extensively with mobile coding languages and frameworks for Apple, Android and Windows mobile devices. Raxis' mobile application testing encompasses injection testing, such as SQLi and directory path traversal; session testing, such as SSL pinning; and testing of the application itself for insecure data storage within application files that are downloaded to user devices. Raxis has been successful in performing privilege escalation, information disclosure, and database compromise on multiple past projects.
Our testing will help you understand the potential security risks to which you may be exposing your system. We recommend that you provide credentials to ensure that we test the application thoroughly on all platforms. We encourage testing of mobile applications in test or QA environments prior to initial release, as well as testing production apps after release.
Raxis Mobile Application testing will perform:
- Fuzzing against any input variable to test for proper input sanitization
- Testing each form in detail to ensure proper handling
- Checking for login and ‘forgot password’ page vulnerabilities that are exposed to unauthenticated users
- Ensuring session management is properly handled
- Checking for certificate pinning and jailbreak detection
- Attempting to brute force any applicable user credentials
- Attempting to access data outside of the intended user role permissions
- Testing for injection vulnerabilities such as SQL injection, directory path traversal and cross-site scripting
- Attempting to exfiltrate confidential data from the server or database
- And, if obtained, cracking of password hashes to be leveraged for additional access
Download our Penetration Testing Service Brief (PDF) for more information.
Transporter Remote Access
Raxis Transporter provides an easy to deploy "virtual wire" network connection to our manual penetration testers, vulnerability assessors, and R3 incident response team.
On-Site Penetration Testing
Sometimes it's necessary to be on-site to get access to internal networks or examine a breach first hand. No problem, our consultants will fly to you.
FAQ: Mobile Application Penetration Test
How Does Raxis Perform a Mobile Penetration Test?
Raxis only performs fully manual penetration testing against mobile technology. We apply the same hacking concepts, custom tools, and professional-grade software used by adversarial hackers located across the globe. By using the same formula, Raxis is able to achieve results similar to what would be found by an actual unethical hacking group. Many of our mobile pen tests will start with a man-in-the-middle (MITM) style attack to gain visibility into the application communication protocol. We'll then reverse engineer the communication to determine where the best point of attack might be.
Do you test both the mobile application and the mobile application server?
Yes. Both sides of the mobile application will be tested for security vulnerabilities. This is the only way to get a good overview of where an attacker might be able to exploit the system. We'll utilize a jailbroken or rooted device to gain additional access to the sandboxed mobile application and any data associated with it. In addition, Raxis has extensive expertise in API design and is able to test REST and SOAP calls as well.
What does mobile application penetration testing cost?
Raxis charges by the number of user roles and size of the web application. Costs range from as little as $6,000 to over $25,000 for a large enterprise mobile application. We will work with you to get the right scope to meet your budget.
How long does it take to perform a pen test against my mobile application?
While it depends largely on the number of user inputs and size of the application, most Raxis penetration tests are performed within 5 business days.
Yes. Raxis penetration testing and reports exceed NIST 800-115 standards required by most regulatory agencies. If a clean penetration test report is needed to meet requirements, we can work with you to re-test any findings and validate that the proper configuration changes or upgrades were made.
How often should I get a penetration test?
Many regulatory agencies require a penetration test each year, or after any changes are made to the software code or configuration. With self-built web applications, it is highly recommended to perform a penetration test at every release to ensure any new code does not introduce a new security risk.
A Smarter Way to Stay Secure
Learn how hacking can help find and fix security gaps you never knew about.