iOS & Android App Penetration Testing

We offer penetration testing (offensive security) of iOS and Android apps in accordance with the OWASP Mobile Security Testing Guide (MSTG) by our ISO 27001 & IEC 62443 certified consultants and lead auditors as well as OSCP and OSWE certified pentesters. When testing the apps, we use both static and dynamic test methods.

As part of the static analysis, we examine the app binaries and reverse engineer the applications in order to check configuration files and source code for vulnerabilities. Particular attention is paid to zero-day vulnerabilities, i.e. vulnerabilities for which no patch or remedial measures are yet available; these pose a particular risk precisely because no fix can be applied yet.

For dynamic analyses, we use both devices in their standard configuration and rooted or jailbroken devices to examine apps at runtime. We combine network traffic analysis, analysis of the runtime environment and manipulation of the app packages, using pentesting frameworks and toolsets installed on the test devices.

Static and dynamic analyses (iOS & Android)

The client-side application functionality is checked by means of dynamic and static analysis without insider knowledge (black box test). For the static tests, the iOS and Android apps are extracted and reverse engineered. During the dynamic tests, "hooking" is used to intervene in the app's processes and manipulate system calls in order to uncover further vulnerabilities. Depending on the effectiveness of the obfuscation (concealment of the source code), further in-depth analyses can be carried out.

The tests are based on best practices such as the "OWASP Mobile Security Testing Guide" and include the following test aspects, among others:

  • Anti reverse engineering
  • Runtime security (hooking, anti-debugging, tampering detection)
  • Binary analysis (binary protections, encryption, decompiling)
  • Authentication & authorization
  • Session management
  • Key & password management
  • Secure use of web content
  • Function and application logic (client and server side)
  • Storage and transmission of sensitive data (encryption)
  • Client-side injection attacks
  • Web vulnerabilities (e.g. SQL injection, information disclosure)
  • Client separation
  • Caching
  • Input validation
  • Error handling

OWASP Mobile Application Security Verification Standard

MASVS diagram

The OWASP MASVS (Mobile Application Security Verification Standard), together with the OWASP MSTG (Mobile Security Testing Guide), is an international standard that specifies security best practices and hardening measures for iOS and Android apps as well as for the backend API. It defines Level 1 security controls for basic requirements and Level 2 security controls for applications with increased protection requirements. We generally recommend carrying out the security assessment for both Level 1 and Level 2 and deciding separately, on the basis of risk, whether any missing Level 2 security controls should be implemented. As part of a penetration test, we check your apps for compliance with a total of 156 security controls from the MASVS.
