Mobile Application Penetration Testing

Discover how to protect your mobile data in the event the user's device is compromised

Raxis engineers use jailbroken or rooted devices as well as emulators when testing mobile applications. While the workflow is much like that of web application tests and closely follows the OWASP Top 10 security guidelines, mobile applications bring another layer of complexity. From SSL certificate pinning to root/jailbreak detection and loggers transmitting sensitive data, Raxis engineers move beyond other application testing in order to provide a comprehensive test of all entry points.

Raxis engineers are well versed in mobile applications technologies and frameworks. With a focus on device security, platform configuration, mobile API elements, credential management, at-rest and in-transit data encryption, and data compartmentalization, we test your apps as well as specialized devices you may require for internal mobile applications used by your employees.

Does my app require a mobile application penetration test?

Yes. Any application always presents a potential attack point. Raxis urges our customers to test all of their applications (web, mobile, or thick client) following industry best practices of annual testing or before any major updates are released.

While mobile apps may mimic the functionality of your web application for your users (and may even use the same API behind the scenes), to a hacker, they open up a whole new avenue into your sensitive data and systems.

Should mobile app testing be a part of our Mobile Software Development Lifecycle (SDLC)?

We highly recommend that it is. Raxis customers do this in several ways:

New applications - Raxis can test your application in a QA environment before you go live so that you -- and your customers -- can rest assured that security features have been thoroughly tested and protections are in place to stop malicious actors from gaining access to your site and systems or even disrupting the environment.

Applications in constant development - When your application changes rapidly with agile teams pushing updates to production often, Raxis recommends the Pen Test as a Service (PTaaS) for mobile applications. This service includes an annual traditional penetration test and then monthly manual testing to check for updates and differences. If changes are discovered, a Raxis pentester will manually look at newly discovered vulnerabilities and alert your team. In this way your security keeps up with your constantly developing application..

Applications with scheduled updates - For applications that update rarely... quarterly or even annually, companies sometimes prefer scheduling full pentests against the changes before the updates go live. As with applications that are in constant development, Raxis can work with your team during the development process to test changes as the application is updated and to guide you on when the application should have a new full pentest as it grows.

What if my application runs on proprietary equipment?

We recommend you not only test the application, but also the device running the application. A Raxis pentest on proprietary equipment can include destructive testing to try to access ports and other device-based connections that allow us to manipulate your device and application in ways you might not foresee. Depending on the environment, knowledge of what an attacker could do upon gaining unattended access to the device is critical for a full understanding of potential risk.

If I’ve already had a web or API test, is a mobile app test needed as well?

In short, yes. Each environment offers new potential risks. If your company has in-house developed mobile applications, you should be testing them in cycle along with all of your other penetration testing.