Appscanner is a tool to check security vulnerabilities of your Android based mobile app.

01

Before Testing Starts

  • Sign NDA
  • Freeze on scope
  • Study Mobile App Architecture
  • Study Mobile App Functionality
  • Decide attack vectors and prioritize
  • Allocate single point of contact

02

During Testing

  • Black box testing (Without device rooting, jailbreaking)
  • Gray box testing (With device rooting, jailbreaking)
  • Automatic and Manual Testing
  • Testing using OWASP-Mobile-Top-10 Standard
  • Scanning
  • Configuration Check
  • Manifest/Binary Config check
  • Gathering Logs

03

Testing Details

  • Analysis of data in transit between mobile app stack
  • Analysis of data in transit between app and caller web services
  • Capture and analysis of data at rest on the mobile device
  • Perform Android and iOS specific checks and log capture
  • Map security scenario attack vectors to ensure accuracy
  • Perform analysis on app code modules
  • Manifest/Binary Config check

04

After Testing

  • Analyse logs
  • Confirm results
  • Apply Knowledge
  • Apply Experience
  • Repeat Test if required

05

Testing Outcome

  • Detailed technical report
  • Executive summary
  • High-level remediation recommendations
  • Testing using OWASP-Mobile-Top-10 Standard
  • Certificate of testing completion (optional)

92% Data In Transit Attacks
78% Data At Rest Attacks
43% High Risk Vulnerability
76% Insecure Data Storage

Mobile App Pentesting

While Android and iOS app pentesting is a very detailed process that results in an elaborate checklist, the details below give a high-level glimpse of all the tasks involved. The best mobile app security testing vendors follow the OWASP Mobile Top 10 model, which is summarized below. Multiple mobile app security tools are involved in this process, although we take pride in performing the testing manually to achieve the best results.

Mobile app security testing consists of four stages:

  • Discovery requires the pentester to collect the information needed to understand the events that lead to successful exploitation of the mobile application.
  • Assessment or analysis involves the penetration tester going through the mobile application's source code and identifying potential entry points and weaknesses that can be exploited.
  • Exploitation involves the penetration tester leveraging the discovered vulnerabilities to use the mobile application in a manner the programmer did not originally intend.
  • Reporting is the final stage of the methodology; it involves recording and presenting the discovered issues in a manner that makes sense to management. This is also the stage that differentiates a penetration test from an attack. A more detailed discussion of the four stages follows.

How do I make my mobile apps secure?

Enforce Strong Authentication:

Use an authentication mechanism to restrict login to authorized users only. Multi-factor authentication provides an extra layer of protection. If the application deals with sensitive data or stores critical information, enforcing a strong authentication mechanism is a must to protect against authentication bypass attacks.

Encrypt Communication & Data:

  • Ensure your application data is transmitted using the HTTPS protocol.
  • Any sensitive data, such as passwords, that is transmitted needs to be encrypted.
  • Enforce encryption of the cache/temporary data that the application stores on the user's device.

Protect app data:

Implement data security policies and guidelines in the application to ensure users don't fall into traps set by hackers.

Use minimal application permissions:

Granting the application more permissions than it needs gives hackers additional entry points, so limit its permissions to what its functionality requires.

Certificate pinning:

Implement certificate pinning to guard the application's data in transit from man-in-the-middle attacks.

Perform VAPT:

Get Vulnerability Assessment and Penetration Testing (VAPT) done for the application to find and fix its security vulnerabilities.
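The following script is an added example, not Appscanner's own code (which this page does not publish). It shows the kind of manifest and config check described above, run over the AndroidManifest.xml and network_security_config.xml that a decompiler such as apktool writes out of an APK, and it reports settings that contradict the guidance just given: cleartext HTTP allowed, a debuggable build, backup enabled, components exported without a permission, sensitive permissions requested, and no certificate pin set. The two sample documents, the sensitive-permission list and the pin values are constructed for this example; the weak network security config is shown beside a hardened one.

```python
"""Static checks over decoded Android config files (added example, not Appscanner's code).

Inputs are the AndroidManifest.xml and network_security_config.xml that apktool
writes out. All sample documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed subset of Android's "dangerous" (runtime) permissions.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.READ_SMS", "android.permission.CAMERA",
}


def _a(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def check_manifest(manifest_xml):
    """Return a list of (severity, message) findings for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    app = root.find("application")
    if app is not None:
        if _a(app, "debuggable") == "true":
            findings.append(("HIGH", "application is debuggable on any device"))
        if _a(app, "allowBackup") != "false":
            findings.append(("MEDIUM", "allowBackup not disabled: app data can be pulled via adb backup"))
        if _a(app, "usesCleartextTraffic") == "true":
            findings.append(("HIGH", "usesCleartextTraffic=true: plain HTTP is permitted"))
        if _a(app, "networkSecurityConfig") is None:
            findings.append(("LOW", "no networkSecurityConfig: no certificate pinning declared"))
        for comp in app:  # exported components are reachable by other apps on the device
            if comp.tag not in ("activity", "service", "receiver", "provider"):
                continue
            exported = _a(comp, "exported")
            # Before targetSdk 31 a component with an intent-filter is exported by default.
            implicit = exported is None and comp.find("intent-filter") is not None
            if exported != "true" and not implicit:
                continue
            if _a(comp, "permission") is not None:
                continue  # callers must hold a permission: acceptable
            if "android.intent.category.LAUNCHER" in {_a(c, "name") for c in comp.iter("category")}:
                continue  # the launcher activity is meant to be exported
            findings.append(("MEDIUM", "%s %s exported without a permission" % (comp.tag, _a(comp, "name"))))
    requested = {_a(p, "name") for p in root.findall("uses-permission")}
    for perm in sorted(requested & SENSITIVE_PERMISSIONS):
        findings.append(("INFO", "requests sensitive permission " + perm))
    return findings


def check_network_config(nsc_xml):
    """Return (severity, message) findings for a network_security_config.xml."""
    root = ET.fromstring(nsc_xml)
    findings = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        findings.append(("HIGH", "base-config permits cleartext traffic"))
    for dc in root.findall("domain-config"):
        domains = ", ".join(d.text for d in dc.findall("domain"))
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append(("HIGH", "cleartext traffic permitted for " + domains))
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(("MEDIUM", "no pin-set for %s: any CA-issued cert is accepted" % domains))
        elif len(pin_set.findall("pin")) < 2:
            findings.append(("LOW", "single pin for %s: add a backup pin for key rotation" % domains))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 2, 'MEDIUM': 2, 'LOW': 1, 'INFO': 2}."""
    return dict(Counter(sev for sev, _ in findings))


# Constructed sample manifest with several weak settings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:debuggable="true" android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true"><intent-filter>
      <category android:name="android.intent.category.LAUNCHER"/></intent-filter></activity>
    <receiver android:name=".SyncReceiver" android:exported="true"/>
    <service android:name=".UploadService" android:exported="true" android:permission="com.example.demo.UPLOAD"/>
  </application>
</manifest>"""

# Weak config: cleartext allowed and no pins. Hardened config: HTTPS only plus a
# primary and backup pin (pin values are placeholders, not real certificate hashes).
WEAK_NSC = """<network-security-config><base-config cleartextTrafficPermitted="true"/>
  <domain-config><domain includeSubdomains="true">api.example.com</domain></domain-config>
</network-security-config>"""
HARDENED_NSC = """<network-security-config><base-config cleartextTrafficPermitted="false"/>
  <domain-config><domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2027-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set></domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for label, result in [("manifest", check_manifest(SAMPLE_MANIFEST)),
                          ("weak nsc", check_network_config(WEAK_NSC)),
                          ("hardened nsc", check_network_config(HARDENED_NSC))]:
        print(label, summarize(result))
        for sev, msg in result:
            print("  [%s] %s" % (sev, msg))
```

The exported-component rule deliberately skips components that require a caller permission and the launcher activity, since those are exported on purpose; everything else reachable without a permission is part of the app's attack surface and worth reviewing. A real scanner would also check that the pins match the server's actual certificate chain, which needs network access and is outside this offline example.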

Quick FAQ

Is this a free service?

Yes. Absolutely. Also, we do not need your personal info or payment details at all.

How do I use it?

Just use the web form on the next page to upload your binary, and wait a bit to see the results.

How does it work?

It works by decompiling your APK binary and performing a detailed analysis of your code.

What results do I get?

You get a count of Critical, High and Low vulnerabilities.

What standard do you follow?

We use the worldwide OWASP Mobile Top 10 standard for our analysis.

Is my APK stored at your end?

No, it is not. Firstly because we respect your code and privacy. Secondly, and most importantly, we do not want to spend on disk space :)

Do I get a detailed report?

No. It's a premium feature. Contact us for further information.

Are the results accurate?

Test it yourself. If you are a pro in Android programming and mobile app security, you will know how detailed the analysis is.

Is there such a tool for Apple iOS?

Not yet. It's a work in progress, so please stay tuned.

Liked the tool but want more detailed testing. What do I do?

Contact us to talk with us.
