Penetration testing for mobile apps
Personal information, photos, or account details—apps store a wide range of sensitive data. If an application is not adequately protected against attack, this private data is at risk.
We put your app(s) through their paces with customised penetration tests (pentests).
An app penetration test (mobile app penetration testing) is an IT security measure used to check and evaluate the security of mobile applications (apps for short).
The aim is to identify potential vulnerabilities and points of attack at an early stage and so increase the security of the tested app. Trained IT security experts use the same methods and tools that real attackers would use.
Mobile apps are frequent targets of cyberattacks, which makes it all the more important to check their security in a targeted manner. Penetration tests help to identify vulnerabilities at an early stage, minimise risks and strengthen the trust of users and business partners.
Data storage: Data held on the device can be exposed not only through theft, loss or unauthorised access to the device, but also through malicious apps. Among other things, we check how the app processes, transmits and stores data on the device.
Network communication: Secure data transmission is an important aspect, especially for mobile devices. Among other things, we check whether data is securely encrypted in transit and whether (TLS) certificates are validated correctly.
Platform interaction: Mobile operating systems differ from desktop operating systems, e.g. in the assignment of permissions per app or in the inter-process communication (IPC) mechanisms used for data exchange. These and other platform functions are checked for secure use.
Authentication and session management: The mechanisms that protect the app and its data against unauthorised access are checked. Where backend endpoints exist, they are included in this check.
Cryptography: Data protection plays a particularly important role on mobile devices. Among other things, we check whether current cryptographic procedures and algorithms are used, e.g. for storing data.
Tamper resistance: Protecting the app against unauthorised manipulation, e.g. reverse engineering, further increases its security, so these protections are also assessed.
API endpoints / backend: Almost every app communicates with backend services (API endpoints), which are often susceptible to the same types of attack as web applications. Therefore, the OWASP Top 10 vulnerabilities for web applications/APIs are also covered on a sample basis (where possible).
The final report is always prepared by our experts individually and in an easily understandable form (no automatic generation) and contains at least the following information:
The approach of the TÜVIT experts is based on the OWASP Application Security Verification Standard (ASVS), which describes the basic security requirements for web applications, and the OWASP Web Security Testing Guide (WSTG), which describes how the requirements from the ASVS can be verified. Furthermore, the OWASP Top 10 Vulnerabilities for Web Applications and the implementation concept for penetration tests from the BSI are taken into account.
The costs depend on the type of investigation selected (Level 1 to 3) and the complexity of the subject of the investigation. A Spot Check is in the lower to mid four-figure range. The Regular Pentest is in the upper four-figure or lower five-figure range, and the Advanced Pentest starts in the lower five-figure range. For an exact price indication, we need more information about your web application.
The duration of the test depends on the type of test selected (Level 1 to 3), see above. Independently of the actual testing effort, a period of at least 1 week should be allowed for the Spot Check (Level 1) and at least 2 weeks for the Regular (Level 2) and Advanced (Level 3) pentests.