Mobile App Security: Your app(s) tested for security

Improved security of your app(s) through penetration testing

Personal information, photos or account details - apps store a lot of sensitive data. However, these private data is at risk if applications are not adequately protected against potential hacker attacks.

We will prepare you for any hacking emergency: With the help of needs-based penetration tests (pen tests), we will test the security of your app(s) and support you in securing them in the best possible way against cyberattacks and data theft. To do this, our experts review established security measures, determine specific risks and uncover vulnerabilities.

You will then receive a detailed report containing the results of the test as well as possible recommendations for action to eliminate vulnerabilities.

Request an individual offer

Our services: three levels of the analysis

Web Application Security – Leistungen: Spot Check Level 1

Spot Check

Level 1

Random assessment of the security level of your app with regard to vulnerabilities.

Random sample / First assessment

Web Application Security – Leistungen: Regular Pentest Level 2

Regular Pentest

Level 2

Analysis to assess the security, with the aim of determining the most common risks and vulnerabilities for apps.

For most applications

Web Application Security – Leistungen: Advanced Pentest Level 3

Advanced Pentest

Level 3

A more in-depth analysis that, in addition to Level 2, also identifies risks and vulnerabilities that are difficult to exploit, especially through additional test cases.

High security level

To the detailed overview

As part of the penetration test, a mobile Android / iOS app is automated and manually examined for security vulnerabilities.

The aim is to determine the most critical or most frequently exploited security risks for mobile apps.

The test focuses on the following areas:

Data storage: Data loss can be caused not only by theft, loss or unauthorized access to a device, but also by malicious apps. Among other things, it checks how the app processes, transmits and stores data on the device.
Cryptography: Data protection plays a particularly important role when it comes to mobile devices. One of the checks is whether up-to-date cryptographic procedures and algorithms are used, e.g. for storing data.
Authentication and session management: The protection mechanism of the app or the app's data against unauthorized access is checked. The focus here (if applicable) is also on the API endpoints (backend systems)
Network communication: Secure data transmission is an important aspect, especially for mobile devices. One of the checks is whether the data is securely encrypted during transport and whether (TLS) certificates are correctly checked.
Platform interaction: Mobile operating systems differ from desktop operating systems in many ways. For example, permissions are assigned per app. There is also an interprocess communication (IPC) for data exchange. These and other functions are checked regarding safe security.
Manipulation resistance/resilience: If the app is protected against unauthorized manipulation, this will further increase security, e.g. against reverse engineering.
API endpoints / backend: Almost every app communicates with backend services (API endpoints). These must also be taken into consideration during an app pen test and are often vulnerable to the same types of attacks that can occur with web applications. For this reason, the OWASP Top 10 Vulnerabilities for Web Applications/APIs (where possible) are also randomly included.

Penetration tests are carried out as a combination of automated and manual tests in order to achieve meaningful and high-quality results. Special features or focus topics from the kick-off meeting may be taken into account, depending on the specific characteristics of the object to be examined.

All results of an analysis are made available to the client in the form of a detailed final report.

The final report is always created individually and in an easily understandable form by our experts (no automatic generation) and contains at least the following information:

Introduction: A brief description of the test object and the aim of the pentest.
Management/Executive summary: A summary of the results.
Risk assessment: Assignment of a degree of risk to each vulnerability (Informative, Low, Medium, High or Critical Risk), with which the criticality of the respective vulnerability is described.
Clear representation: Clear representation of all identified vulnerabilities in a table.
Detailed description of vulnerabilities & Proof-of-Concept: For each vulnerability there is an individual description that reflects precisely how the vulnerability was found and how it can be exploited by an attacker (proof-of-concept).
Evaluation of automated tests: The results of the automated tests are evaluated by the TÜViT experts, checked for false/positive results and then summarized in the report.
Recommend measures to remedy the vulnerability: For each vulnerability, there is a recommended measure to eliminate the vulnerability.
References: If available, we provide references to vulnerability databases (e.g., CVE).
Technical Appendices: If available, further information and files on the tests performed are provided as an Appendix, e.g. the raw results of the port and vulnerability scans.

Procedure of a web application security pentest

Web Application Security Pentest Procedure: Preparation & Kickoff

Discussion of specific technical & organizational features and the prerequisites.

Web Application Security Pentest Procedure: Information Gathering & Analysis

Gathering the essential information about the app to be examined.

Web Application Security Pentest Procedure: Performance of Penetration Tests

Analysis of the selected app(s) based on the information collected.

Web Application Security Pentest Procedure: Final Report

Summary of all test results in the form of a meaningful final report.

Ablauf Web Application Security Pentest: Re-Test (Optional)

Optional: Re-Test

Check whether the implemented improvement & defense measures are working (effectively).

Frequently asked questions (FAQ):

Which test methods do we offer?

Black box
Pentest without additional information
Gray box (standard)
Pentest with additional information, e.g. test access data and (API) documentation
White box
Pentest with further additional information, e.g. architecture/design documents, communication matrix or source code in addition to test access data

On what standards does TÜViT align itself when conducting penetration tests?

The approach of the TÜViT experts is based on the OWASP Mobile Application Security Verification Standard (MASVS), which defines basic security requirements for mobile apps, and the Mobile Security Testing Guide (MSTG), which describes how the requirements from the MASVS can be verified.

How long does a test take?

The test duration depends on the selected type of analysis (Level 1 to 3) – see above. Notwithstanding the test period, a period of at least 1 week is assumed for the Spot Check (Level 1) or at least 2 weeks for the Regular (Level 2) and Advanced (Level 3) Pentest.

What does a pentest cost?

The costs depend on the type of check selected (levels 1 to 3) as well as the complexity of the subject of the check. A Spot Check is in the lower to mid four-digit range. The Regular Pentest is in the upper four-digit or lower five-digit range and the Advanced Pentest starts in the lower five-digit range. For an accurate price indication, we need more information about your app.

Request an individual offer

Expertise

With us you have one of the leading experts in the field of cyber security at your side, certified by the BSI as an IT security service provider for IS revision, IS consulting and penetration tests.

Industry experience

Due to many years of experience in different branches of industry we can serve companies from a wide range of industries.

Tailor-made for you

We focus on individual services - and solutions - that optimally fit your current company situation and your set goals.

International network of experts

Around the globe: We consult and support you both nationally and internationally. Our global network of experts is ready to help you in word and deed in all IT security issues.

Independence

Our employees are not subject to any conflicts of interest, as they are not committed to any product suppliers, system integrators, stakeholders, interest groups or government agencies.

You have questions? We are pleased to help!

Send mail +49 201 8999-614 Contact

Alexander Padberg Global Account Manager Cyber Security

Send mail +49 201 8999-411 Contact

Gerald Krebs Global Account Manager