Increase the security of your app(s) with mobile app pentests
Personal information, photos or account details - apps store a lot of sensitive data. However, this private data is at risk if applications are not adequately protected against potential hacker attacks.
With the help of needs-based penetration tests (pen tests), we will test the security of your app(s) and support you in securing them in the best possible way against cyberattacks and data theft. To do this, our experts review established security measures, determine specific risks and uncover vulnerabilities.
Professional testing of your Android or iOS app according to MASVS
Our experts check your app in accordance with the requirements of the OWASP Mobile Application Security Verification Standard (MASVS), among others.
Your app optimally protected against attacks
Using pentests, our experts uncover potential vulnerabilities within your mobile app before cybercriminals can exploit them.
Report with recommendations for corrective action
You will receive a detailed report containing the results of the tests and possible recommendations for action to eliminate weaknesses.
What is an app pentest?
An app penetration test (mobile app penetration testing) is an IT security measure used to check and evaluate the security of mobile applications (in short: apps).
The aim is to identify potential vulnerabilities and points of attack at an early stage and thus increase the security of the tested app. Trained IT security experts use methods and means that real attackers would also use.
Would you like to find out more? Please feel free to contact us!
Pentests against apps: Your benefits at a glance
Detection of potential vulnerabilities
Pentests allow you to identify potential vulnerabilities in your mobile app and proactively close them.
Higher IT security, lower IT risks
Pentests help you to increase the security of your mobile app and reduce potential security risks.
Pentests according to recognized standards
We test your app based on the Mobile Application Security Verification Standard & Mobile Security Testing Guide.
Trust by customers & business partners
An independent security analysis of your app strengthens the trust of your customers & business partners.
Avoidance of economic & reputational damage
With the help of pentests, you can prevent possible attacks & protect yourself from the associated damage.
Continuous optimization of IT security
By uncovering optimization potential, you continuously improve the IT security of your app.
Final test report including recommendations for action
In addition to the test results, we also provide you with recommendations for remedying weaknesses.
Automated and manual pentests
Manual tests are a useful addition: they find vulnerabilities that automated tools generally miss.
Our services: 3 types of pentests against apps
Spot Check – Level 1
Random assessment of the security level of your app with regard to vulnerabilities.
Random sample / first assessment
Regular Pentest – Level 2
Analysis to assess the security, with the aim of determining the most common risks and vulnerabilities for apps.
For most applications
Advanced Pentest – Level 3
A more in-depth analysis that, in addition to Level 2, also identifies risks and vulnerabilities that are difficult to exploit, especially through additional test cases.
High security level
Procedure of a mobile app pentest
1. Preparation & Kickoff
Discussion of specific technical & organizational features and the prerequisites.
2. Information Gathering & Analysis
Gathering the essential information about the app to be examined.
3. Performance of Penetration Tests
Analysis of the selected app(s) based on the information collected.
4. Final Report
Summary of all test results in the form of a meaningful final report.
Optional: Re-Test
Check whether the implemented improvement & defense measures are working (effectively).
What is tested
As part of the penetration test, a mobile Android / iOS app is automatically and manually examined for security vulnerabilities. The aim is to identify the most critical or most frequently exploited security risks for mobile apps.
Data storage: Data loss can be caused not only by theft, loss or unauthorized access to a device, but also by malicious apps. Among other things, we check how the app processes, transmits and stores data on the device.
Network communication: Secure data transmission is an important aspect, especially for mobile devices. One of the checks is whether the data is securely encrypted during transport and whether (TLS) certificates are correctly checked.
Platform interaction: Mobile operating systems differ from desktop operating systems in many ways. For example, permissions are assigned per app, and interprocess communication (IPC) is used for data exchange. These and other functions are checked for secure use.
Authentication and session management: The mechanisms that protect the app and its data against unauthorized access are checked. Where applicable, the focus here also includes the API endpoints (backend systems).
Cryptography: Data protection plays a particularly important role when it comes to mobile devices. One of the checks is whether up-to-date cryptographic procedures and algorithms are used, e.g. for storing data.
Manipulation resistance/resilience: If the app is protected against unauthorized manipulation, this will further increase security, e.g. against reverse engineering.
API endpoints / backend: Almost every app communicates with backend services (API endpoints). These must also be taken into consideration during an app pentest and are often vulnerable to the same types of attacks that affect web applications. For this reason, the OWASP Top 10 vulnerabilities for web applications/APIs are also included on a sample basis (where possible).
Frequently asked questions (FAQ):
The final report is always created individually and in an easily understandable form by our experts (no automatic generation) and contains at least the following information:
- Introduction: A brief description of the test object and the aim of the pentest.
- Management/Executive summary: A summary of the results.
- Risk assessment: Assignment of a degree of risk to each vulnerability (Informative, Low, Medium, High or Critical Risk), with which the criticality of the respective vulnerability is described.
- Clear representation: Clear representation of all identified vulnerabilities in a table.
- Detailed description of vulnerabilities & Proof-of-Concept: For each vulnerability there is an individual description that reflects precisely how the vulnerability was found and how it can be exploited by an attacker (proof-of-concept).
- Evaluation of automated tests: The results of the automated tests are evaluated by the TÜViT experts, checked for false-positive results and then summarized in the report.
- Recommended measures to remedy the vulnerability: For each vulnerability, there is a recommended measure to eliminate the vulnerability.
- References: If available, we provide references to vulnerability databases (e.g., CVE).
- Technical Appendices: If available, further information and files on the tests performed are provided as an Appendix, e.g. the raw results of the port and vulnerability scans.
- Black box: Pentest without additional information
- Gray box (standard): Pentest with additional information, e.g. test access data and (API) documentation
- White box: Pentest with further additional information, e.g. architecture/design documents, communication matrix or source code in addition to test access data
The approach of the TÜViT experts is based on the OWASP Mobile Application Security Verification Standard (MASVS), which defines basic security requirements for mobile apps, and the Mobile Security Testing Guide (MSTG), which describes how the requirements from the MASVS can be verified.
The test duration depends on the selected type of analysis (Level 1 to 3) – see above. Regardless of the actual testing effort, a period of at least 1 week is assumed for the Spot Check (Level 1) and at least 2 weeks for the Regular (Level 2) and Advanced (Level 3) Pentest.
The costs depend on the type of check selected (levels 1 to 3) as well as the complexity of the subject of the check. A Spot Check is in the lower to mid four-digit range. The Regular Pentest is in the upper four-digit or lower five-digit range and the Advanced Pentest starts in the lower five-digit range. For an accurate price indication, we need more information about your app.