Implement Network and Mobile Application Pen Testing
Learning Objectives
After completing this unit, you’ll be able to:
- Explain network testing.
- Describe mobile application penetration testing.
Network Testing
Mobile devices regularly connect to a variety of networks, including public Wi-Fi networks shared with other (potentially malicious) clients. This creates opportunities for a wide variety of network-based attacks ranging from simple to complex and old to new. Therefore, it’s vital to maintain the confidentiality, integrity, and availability (CIA) of information exchanged between the mobile application (app) and remote service endpoints.
One best practice is to verify that your mobile app sets up a secure, encrypted channel for network communication using the latest version of the Transport Layer Security (TLS) protocol with appropriate settings, such as certificate validation and no fallback to cleartext.
Network security specialists, pen testers, and mobile application security (appsec) engineers conduct regular pen testing and vulnerability checks to enable smooth and secure functioning of mobile apps. They test how the app performs under various network types, connection speeds, and quality levels including slow and interrupted connections. They also attempt to circumvent the security of the app by trying to exploit the app’s functionality through pen testing.
Mobile Application Pen Testing
A mobile app pen test emulates an attack specifically targeting a custom mobile app and aims to enumerate all vulnerabilities within the app. Pen testing can be used across the entire spectrum of an IT infrastructure, including networks, web applications, and databases. But today, we also see pen testing used widely for another segment: mobile appsec.
You perform pen tests of mobile apps for security vulnerabilities by using either manual or automated techniques to analyze the app. You use these techniques to identify security flaws that may occur in the mobile app. Your purpose in pen testing is to ensure that the mobile app is not vulnerable to attack and that mitigations are in place to prevent exploitation.
Pen testing requires a diligent effort to find weaknesses, just like an attacker would. You perform deep-dive testing into local on-device security issues, back-end web services, and the application programming interfaces (APIs) that connect them. You customize assessments to specific concerns, such as reverse engineering an iOS app or malware threats to an Android app.
During pen testing, you simulate multiple attack vectors and risks, including insecure storage, stolen device risk, mobile malware attacks, and both authenticated and unauthenticated app users. By conducting pen testing, you can gain insights into the application’s vulnerabilities, bottlenecks, and attack vectors before an adversary is able to discover and exploit them. This way, once you identify an app’s shortcomings, your developers can put in fixes to plug these gaps and change the design to address the issues at hand.
Broadly speaking, mobile app pen testing methodologies include the following stages.
- Discovery: You gather information about the app and its back end, which forms the basis of the later pen testing phases.
- Assessment and analysis: You assess the app using static application security testing (SAST), reverse engineering, dynamic application security testing (DAST), and more.
- Exploitation: You follow up on the cues found during assessment to confirm which vulnerabilities are real and to demonstrate their impact.
- Reporting: You report the findings via technical reports and executive-level papers.
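One concrete check from the assessment stage that also covers the TLS best practice above: auditing an Android app's network_security_config.xml for settings that weaken the encrypted channel. This is an added example, not code from the module; the configuration file is constructed here, and the finding strings and the assumption that a domain-config should carry a pin-set are the author's, not a standard.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an Android network_security_config.xml containing
# weak settings a tester should flag (not taken from any real app).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>
"""


def audit_network_security_config(xml_text: str) -> list[str]:
    """Return findings for settings that weaken the app's TLS channel."""
    findings = []
    root = ET.fromstring(xml_text)
    for cfg in root.iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        domains = [d.text for d in cfg.findall("domain")] or ["<all domains>"]
        scope = ", ".join(domains)
        # Explicitly allowing cleartext means data can cross the network unencrypted.
        if cfg.get("cleartextTrafficPermitted", "false").lower() == "true":
            findings.append(f"{cfg.tag} ({scope}): cleartext traffic permitted")
        # Trusting user-installed CAs lets any CA added on the device terminate TLS.
        for cert in cfg.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(f"{cfg.tag} ({scope}): trusts user-added CAs")
        # Policy assumed here: a domain-config without pins relies on the CA store alone.
        if cfg.tag == "domain-config" and cfg.find("pin-set") is None:
            findings.append(f"{cfg.tag} ({scope}): no certificate pinning")
    return findings


if __name__ == "__main__":
    for finding in audit_network_security_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```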
Sum It Up
In this module, you’ve been introduced to the OWASP Mobile Top 10 as a way to identify and mitigate mobile appsec risks. You’ve also learned how to test mobile apps using a variety of techniques.
Along with the information you reviewed in the Mobile Application Security module, you should now have a better understanding of what it takes to be a mobile appsec engineer. You can learn more about the in-demand cybersecurity skills needed to get a job in mobile appsec, or another field, and learn more from real security practitioners by visiting the Cybersecurity Learning Hub on Trailhead.