Penetration testing for mobile apps

Personal information, photos, or account details—apps store a wide range of sensitive data. However, if applications are not adequately protected against potential hacker attacks, this private data is at risk.
We put your app(s) through their paces with customized penetration tests (pentests).

Testing of Android/iOS apps according to OWASP MASVS

Our experts check your app according to the requirements of the OWASP Mobile Application Security Verification Standard (MASVS), among others.

Best possible protection against attacks

With the help of pentests, our experts uncover potential vulnerabilities within your mobile app before cybercriminals can exploit them.

Test report with recommendations for action

You will receive a detailed report containing the results of the audit and possible recommendations for action to eliminate weaknesses.


What is an app pentest?

An app penetration test (mobile app penetration testing) is an IT security measure used to check and evaluate the security of mobile applications (apps for short).

The aim is to identify potential vulnerabilities and points of attack at an early stage and thus increase the security of the tested app. Trained IT security experts use methods and means that real attackers would also use.

Your benefits at a glance

Penetration testing for secure apps

Mobile apps are frequent targets of cyberattacks - making it all the more important to check their security in a targeted manner. Penetration tests help to identify vulnerabilities at an early stage, minimise risks and strengthen the trust of users and business partners.

  • Detection of potential vulnerabilities
    Pentests allow you to recognise potential vulnerabilities in your mobile app and proactively close them.
  • Pentests in accordance with recognised standards
    We test your app in accordance with the Mobile Application Security Verification Standard & Mobile Security Testing Guide.
  • Avoidance of economic & reputational damage
    With the help of pentests, you can prevent potential attacks & protect yourself from the associated damage.
  • Final test report including recommendations for action
    In addition to the test results, we also provide you with recommendations for remedying vulnerabilities.
  • Higher IT security, lower IT risks
    Pentests help you increase the security of your mobile app and reduce potential security risks.
  • Trust with customers & business partners
    An independent security analysis of your app strengthens the trust of your customers & business partners.
  • Continuous optimisation of IT security
    By identifying potential for optimisation, you continuously improve the IT security of your app.
  • Automated and manual pentests
    Manual tests complement the automated scans and find the vulnerabilities that automated tools usually miss.

Procedure for a pentest against a mobile app

  1. Preparation & Kickoff
     Clarification of technical and organisational features and requirements.
  2. Information gathering & analysis
     Determination of basic information about the object of investigation.
  3. Carrying out penetration tests
     Analysis of the selected application based on the information collected.
  4. Final report
     Summary of all results of the audit in the form of a final report.
  5. Optional: Re-test
     Check whether the implemented improvement and defence measures are effective.

We will support you – no matter what

Get started at last! We advise you: TÜV NORD IT Secure Communication, Berlin.

Goal achieved? We check that: TÜV Informationstechnik, Essen.

What is tested

As part of the penetration test, a mobile Android/iOS app is automatically and manually scanned for security vulnerabilities. The goal is to identify the most critical or most frequently exploited security risks for mobile apps.

Data storage: Data on a device can be lost not only through theft, loss or unauthorised access to the device itself, but also through malicious apps installed on the same device. Among other things, we check how the app processes, transmits and stores data on the device.

Network communication: Secure data transmission is an important aspect, especially for mobile devices. Among other things, it is checked whether the data is securely encrypted during transport and whether (TLS) certificates are checked correctly.
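The transport-security check described above usually comes down to how the app configures its TLS trust. As an added illustration (not part of the original page and not TÜVIT's own material), the following shows an Android Network Security Config (`res/xml/network_security_config.xml`, referenced from the manifest via `android:networkSecurityConfig`) in a weak form beside a hardened form. The domain `api.example.com`, the pin values and the expiry date are placeholders.

```xml
<!-- WEAK version: typical finding in a mobile pentest.
     Cleartext HTTP is permitted for every host, and user-installed CA certificates
     are trusted, so any CA added to the device's user store can issue certificates
     that the app accepts for any backend. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>

<!-- HARDENED version of the same file. -->
<network-security-config>
    <!-- Default for every host: TLS only, and only the system CA store is trusted. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>

    <!-- Backend domain (placeholder): additionally pin the expected public keys.
         A pin is the base64-encoded SHA-256 hash of the certificate's
         SubjectPublicKeyInfo. The values below are placeholders; a backup pin is
         included so that a planned key rotation does not lock the app out. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_PIN_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_PIN_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Applies only to builds with android:debuggable="true": lets a development
         CA from the user store be trusted during testing; ignored in release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Two caveats a tester will look for: since Android 9 (API level 28) cleartext traffic is already disabled by default, so an explicit `cleartextTrafficPermitted="true"` is a deliberate downgrade; and the Network Security Config only governs the platform's TLS stack, so third-party or cross-platform networking libraries that ship their own TLS implementation must be configured separately and are checked separately.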

Platform interaction: Mobile operating systems differ from desktop operating systems, e.g. through the assignment of authorisations per app or an inter-process communication (IPC) option for data exchange. These and other functions are checked for secure use.
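The IPC check mentioned above is mostly a question of which app components are reachable from other apps and under what conditions. As an added example (not from the original page and not TÜVIT's material), here is an `AndroidManifest.xml` fragment with an exported activity in a weak form and a hardened form. The component names, the action string and the permission name are hypothetical.

```xml
<!-- WEAK: an activity that handles a sensitive operation is exported without any
     permission, so every app on the device can start it and supply its intent extras. -->
<activity
    android:name=".TransferConfirmActivity"
    android:exported="true">
    <intent-filter>
        <action android:name="com.example.app.action.CONFIRM_TRANSFER"/>
        <category android:name="android.intent.category.DEFAULT"/>
    </intent-filter>
</activity>

<!-- HARDENED: a signature-level permission restricts the component to apps signed
     with the same key as this app (for example a companion app of the same vendor). -->
<permission
    android:name="com.example.app.permission.INTERNAL_IPC"
    android:protectionLevel="signature"/>

<activity
    android:name=".TransferConfirmActivity"
    android:exported="true"
    android:permission="com.example.app.permission.INTERNAL_IPC">
    <intent-filter>
        <action android:name="com.example.app.action.CONFIRM_TRANSFER"/>
        <category android:name="android.intent.category.DEFAULT"/>
    </intent-filter>
</activity>

<!-- Components that no other app needs are simply not exported. Since Android 12
     (API level 31) every component with an intent-filter must declare
     android:exported explicitly, so the decision can no longer be left implicit. -->
<activity
    android:name=".SettingsActivity"
    android:exported="false"/>
```

Even with the permission in place, the activity should still validate every extra it receives; the manifest controls who may reach the component, not what they send.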

Authentication and session management: The mechanisms that protect the app and its data against unauthorised access are checked. Where available, the backend endpoints involved are examined as well.

Cryptography: Data protection plays a particularly important role for mobile devices. Among other things, it is checked whether current cryptographic procedures and algorithms are used, e.g. for storing data.

Tamper resistance/resilience: We check whether the app is protected against unauthorised manipulation, e.g. reverse engineering; such protection further increases security.

API endpoints / backend: Almost every app communicates with backend services (API endpoints), which are often susceptible to the same types of attacks as web applications. Therefore, the OWASP Top 10 vulnerabilities for web applications/APIs are also included on a sample basis (where possible).

Frequently Asked Questions (FAQ)

What you need to know about web pentests

The final report is always prepared by our experts individually and in an easily understandable form (no automatic generation) and contains at least the following information:

  • Introduction: Brief description of the test object, objective of the pentest and documentation of special features during the investigation.
  • Management/Executive Summary: Summary of the results and assessment of the general safety level.
  • Risk assessment: Assignment of a risk level to each vulnerability (informative, low, medium, high or critical risk), which describes the criticality of the respective vulnerability.
  • Clear presentation: Clear presentation of all identified vulnerabilities in a table as well as in a risk bar chart, which shows the number of vulnerabilities per risk level.
  • Detailed description of vulnerabilities & proof-of-concept: For each vulnerability, there is an individual description that shows exactly how the vulnerability was found and how it can be exploited by an attacker (proof-of-concept).
  • Evaluation of automated tests: The results of the automated tests are evaluated by the TÜVIT experts, checked for false positives and then summarised in the report.
  • Recommendation of measures to eliminate the vulnerability: For each vulnerability, there is a recommendation of measures to eliminate the vulnerability.
  • References: If available, we provide references to vulnerability databases (e.g. CVE).
  • Technical attachments: If available, further information and files on the tests carried out are provided as attachments, e.g. the raw results of the port and vulnerability scans.

  • Black box
    Pentest without additional information
  • Grey box (standard)
    Pentest with additional information, e.g. test access data and (API) documentation
  • White box
    Pentest with additional information, e.g. architecture/design documents, communication matrix or source code in addition to test access data

The approach of the TÜVIT experts is based on the OWASP Application Security Verification Standard (ASVS), which describes the basic security requirements for web applications, and the OWASP Web Security Testing Guide (WSTG), which describes how the requirements from the ASVS can be verified. Furthermore, the OWASP Top 10 Vulnerabilities for Web Applications and the implementation concept for penetration tests from the BSI are taken into account.

The costs depend on the type of investigation selected (Level 1 to 3) and the complexity of the subject of the investigation. A Spot Check (Level 1) is in the lower to mid four-figure range. The Regular Pentest (Level 2) is in the upper four-digit or lower five-digit range, and the Advanced Pentest (Level 3) starts in the lower five-digit range. For an exact price indication, we need more information about your web application.

The duration of the test depends on the type of test selected (Level 1 to 3). Independently of the actual testing effort, a period of at least 1 week should be allowed for the Spot Check (Level 1) and at least 2 weeks for the Regular (Level 2) and Advanced (Level 3) pentest.

Why we are a strong partner for you

Good reasons that speak in our favour

Optimally secured

Three areas of application – three penetration tests

Whether security risks in web applications, mobile apps or in IT infrastructure: you are on the safe side with the right pentest procedure.