Conquest Security

Mobile Application Penetration Testing

Why Mobile Application Penetration Testing?

Hardly any market is growing faster than mobile applications, with exponential growth forecast for the years to come. Mobile apps have become a prime target for attacks.
  • Compliance regulations may require regular pen testing
  • Customers and partners may require proof of regular pen testing
  • Proactive security investment instead of reactive repair costs
  • Avoid legal action and reputational damage following a breach

Service Description

The service covers all threat vectors concerning mobile applications on Apple iOS and Google Android. The audits carried out include reverse engineering of the application, application runtime analysis, traffic flow and encryption flaws, insecure storage, code signing, memory protections, and API endpoint analysis, as well as fuzzing and exploitation. We will test your Android and iPhone mobile applications to make sure they cannot be compromised. We can also include backend servers in the testing.

Tests performed

Our testing methodologies are aligned with the following frameworks: NIST, OWASP Top 10 API, and SANS Top 25. Many of the flaws are identical to the ones encountered in web applications, but are exposed through APIs instead. These include unsanitized user input, cleartext transmission of confidential information to the server, the possibility of introducing one's own code, and manipulation of the execution flow.

Why us?

  • Consultants with 10+ years of ethical hacking experience
  • Consultants certified to the highest levels such as OSCP, OSCE, OSWE, GIAC
  • Experience across all industry and government sectors
  • We are an independent third party concerned with finding & fixing flaws
  • No conflict of interest. We are not embedded with HW/SW vendors
  • Dedicated Red Team approach with specialists in all technologies