Mobile & Desktop App Penetration Test - Audits

The standard signed offer for this service includes:

100% Quality Guarantee
Free Fix Verification Bonus
A brief and to-the-point report with sufficient technical details to solve the issues found, along with an executive introduction and conclusion. Examples are available via our public work so that you know what to expect.
Optionally, we can add security issues into your bug tracking system.

The Threat

Mobile and Desktop application developers, like web developers, are generally:

Under pressure to meet deadlines and release into production
Rarely taught about security at university and programming courses
Often unaware of mobile and desktop application security attack vectors

Adversaries can take advantage of this by running your apps in their environment, to identify and exploit overlooked security flaws, which may negatively affect your organization or your customers.

The Solution

A mobile or desktop application penetration test facilitates the identification of security flaws before real attackers can take advantage of them. Furthermore, the mitigation guidance provided will substantially reduce the likelihood of certain attack vectors in the future. Any penetration tester can confirm this for you: It is extremely difficult to find any serious security issue in any application that has been tested professionally multiple times (when the developers have also implemented the suggested fixes each time).

Customers often combine this test with:

Web App Penetration Test: Apps are rarely standalone, they usually communicate with some web application or backend using APIs. In these cases, it is important to include the associated web app(s) in the test so the testers get a full picture of the threat model. For example, a mobile API issue might be irrelevant for the security of the mobile app but could introduce a serious issue in the web app. Similarly, invalid input could be harmless on the web app but result in a serious issue on the mobile or desktop app.
Code Review: A code review in combination with an app pentest provides you with the most value for money as testers have complete visibility. Many subtle issues can only be found in an efficient way via Code Review. We are familiar with the vast majority of popular mobile and desktop app development languages and their associated frameworks. Most of the time, we review Android and iOS mobile apps, as well as Windows, Linux and Mac OS X desktop apps.

The Methodology

We do not lock ourselves into any particular list and will review your security from the perspective of a real attacker, using manual testing techniques and also automation where needed, but in a controlled fashion and always with your permission. That said, our application penetration tests typically cover the OWASP Mobile Top 10 and the relevant tests from the OWASP Mobile Security Testing Guide applicable to the target application. Some examples of this are public. We focus on high impact application areas to ensure that critical issues are identified and subsequently eliminated. However, we will always tailor the test to meet your specific needs, for example, maybe your threat model is different and you are worried about a different type of attacker or what your application is trying to protect is simply something not standard, we can help you with that.

How To Order

Simply contact us, let us know what you need to test. We will revert with some questions to understand the scope, schedule the test and tailor the test to meet your needs, for free. If you want to proceed, we will send you an offer for signing and coordinate the steps together from there.