MENU

Mobile App Security: Your app(s) tested for security

Improved security of your app(s) through penetration testing

Personal information, photos or account details - apps store a lot of sensitive data. However, these private data is at risk if applications are not adequately protected against potential hacker attacks.

We will prepare you for any hacking emergency: With the help of needs-based penetration tests (pen tests), we will test the security of your app(s) and support you in securing them in the best possible way against cyberattacks and data theft. To do this, our experts review established security measures, determine specific risks and uncover vulnerabilities.

You will then receive a detailed report containing the results of the test as well as possible recommendations for action to eliminate vulnerabilities.

Our services: three levels of the analysis

Web Application Security – Leistungen: Spot Check Level 1 Web Application Security – Leistungen: Spot Check Level 1 Web Application Security – Leistungen: Spot Check Level 1 Web Application Security – Leistungen: Spot Check Level 1

Spot Check

Level 1

Random assessment of the security level of your app with regard to vulnerabilities.


Random sample / First assessment

Web Application Security – Leistungen: Regular Pentest Level 2 Web Application Security – Leistungen: Regular Pentest Level 2 Web Application Security – Leistungen: Regular Pentest Level 2 Web Application Security – Leistungen: Regular Pentest Level 2

Regular Pentest

Level 2

Analysis to assess the security, with the aim of determining the most common risks and vulnerabilities for apps.


For most applications

Web Application Security – Leistungen: Advanced Pentest Level 3 Web Application Security – Leistungen: Advanced Pentest Level 3 Web Application Security – Leistungen: Advanced Pentest Level 3 Web Application Security – Leistungen: Advanced Pentest Level 3

Advanced Pentest

Level 3

A more in-depth analysis that, in addition to Level 2, also identifies risks and vulnerabilities that are difficult to exploit, especially through additional test cases.

High security level

Your benefits at a glance

  • Professional testing of your app(s) according to OWASP Mobile Application Security Verification Standard (MASVS)
  • Detection of potential vulnerabilities & reduction of IT risks
  • Meaningful test report with the main test results
  • Recommendations for action to successfully eliminate vulnerabilities
  • Continuous optimization of the IT security of your app(s)
  • Objective proof of the IT security of your product
Mobile App Security: Test Areas

Content of the pentest

As part of the penetration test, a mobile Android / iOS app is automated and manually examined for security vulnerabilities.  

The aim is to determine the most critical or most frequently exploited security risks for mobile apps.

The test focuses on the following areas:

  • Data storage​​: Data loss can be caused not only by theft, loss or unauthorized access to a device, but also by malicious apps. Among other things, it checks how the app processes, transmits and stores data on the device.
     
  • Cryptography: Data protection plays a particularly important role when it comes to mobile devices. One of the checks is whether up-to-date cryptographic procedures and algorithms are used, e.g. for storing data.
     
  • Authentication and session management: The protection mechanism of the app or the app's data against unauthorized access is checked. The focus here (if applicable) is also on the API endpoints (backend systems)
     
  • Network communication: Secure data transmission is an important aspect, especially for mobile devices. One of the checks is whether the data is securely encrypted during transport and whether (TLS) certificates are correctly checked.
     
  • Platform interaction: Mobile operating systems differ from desktop operating systems in many ways. For example, permissions are assigned per app. There is also an interprocess communication (IPC) for data exchange. These and other functions are checked regarding safe security.
     
  • Manipulation resistance/resilience: If the app is protected against unauthorized manipulation, this will further increase security, e.g. against reverse engineering.
     
  • API endpoints / backend: Almost every app communicates with backend services (API endpoints). These must also be taken into consideration during an app pen test and are often vulnerable to the same types of attacks that can occur with web applications. For this reason, the OWASP Top 10 Vulnerabilities for Web Applications/APIs (where possible) are also randomly included.

Penetration tests are carried out as a combination of automated and manual tests in order to achieve meaningful and high-quality results. Special features or focus topics from the kick-off meeting may be taken into account, depending on the specific characteristics of the object to be examined.

Mobile App Security: Abschlussbericht

What the final report contains

All results of an analysis are made available to the client in the form of a detailed final report.

The final report is always created individually and in an easily understandable form by our experts (no automatic generation) and contains at least the following information:

  • Introduction: A brief description of the test object and the aim of the pentest.
     
  • Management/Executive summary: A summary of the results.
     
  • Risk assessment: Assignment of a degree of risk to each vulnerability (Informative, Low, Medium, High or Critical Risk), with which the criticality of the respective vulnerability is described.
     
  • Clear representation: Clear representation of all identified vulnerabilities in a table.
     
  • Detailed description of vulnerabilities & Proof-of-Concept: For each vulnerability there is an individual description that reflects precisely how the vulnerability was found and how it can be exploited by an attacker (proof-of-concept).
     
  • Evaluation of automated tests: The results of the automated tests are evaluated by the TÜViT experts, checked for false/positive results and then summarized in the report.
     
  • Recommend measures to remedy the vulnerability: For each vulnerability, there is a recommended measure to eliminate the vulnerability.
     
  • References: If available, we provide references to vulnerability databases (e.g., CVE).
     
  • Technical Appendices: If available, further information and files on the tests performed are provided as an Appendix, e.g. the raw results of the port and vulnerability scans.

Procedure of a web application security pentest

  

Web Application Security Pentest Procedure: Preparation & Kickoff Web Application Security Pentest Procedure: Preparation & Kickoff Web Application Security Pentest Procedure: Preparation & Kickoff Web Application Security Pentest Procedure: Preparation & Kickoff

Discussion of specific technical & organizational features and the prerequisites.

Web Application Security Pentest Procedure: Information Gathering & Analysis Web Application Security Pentest Procedure: Information Gathering & Analysis Web Application Security Pentest Procedure: Information Gathering & Analysis Web Application Security Pentest Procedure: Information Gathering & Analysis

Gathering the essential information about the app to be examined.

Web Application Security Pentest Procedure: Performance of Penetration Tests Web Application Security Pentest Procedure: Performance of Penetration Tests Web Application Security Pentest Procedure: Performance of Penetration Tests Web Application Security Pentest Procedure: Performance of Penetration Tests

Analysis of the selected app(s) based on the information collected.

Web Application Security Pentest Procedure: Final Report Web Application Security Pentest Procedure: Final Report Web Application Security Pentest Procedure: Final Report Web Application Security Pentest Procedure: Final Report

Summary of all test results in the form of a meaningful final report.

Ablauf Web Application Security Pentest: Re-Test (Optional) Ablauf Web Application Security Pentest: Re-Test (Optional) Ablauf Web Application Security Pentest: Re-Test (Optional) Ablauf Web Application Security Pentest: Re-Test (Optional)

Optional: Re-Test

Check whether the implemented improvement & defense measures are working (effectively). 

  

Frequently asked questions (FAQ):

Which test methods do we offer?
  • Black box
    Pentest without additional information
     
  • Gray box (standard)
    Pentest with additional information, e.g. test access data and (API) documentation
     
  • White box
    Pentest with further additional information, e.g. architecture/design documents, communication matrix or source code in addition to test access data
On what standards does TÜViT align itself when conducting penetration tests?

The approach of the TÜViT experts is based on the OWASP Mobile Application Security Verification Standard (MASVS), which defines basic security requirements for mobile apps, and the Mobile Security Testing Guide (MSTG), which describes how the requirements from the MASVS can be verified.

How long does a test take?

The test duration depends on the selected type of analysis (Level 1 to 3) – see above. Notwithstanding the test period, a period of at least 1 week is assumed for the Spot Check (Level 1) or at least 2 weeks for the Regular (Level 2) and Advanced (Level 3) Pentest.

What does a pentest cost?

The costs depend on the type of check selected (levels 1 to 3) as well as the complexity of the subject of the check. A Spot Check is in the lower to mid four-digit range. The Regular Pentest is in the upper four-digit or lower five-digit range and the Advanced Pentest starts in the lower five-digit range. For an accurate price indication, we need more information about your app. 


Request an individual offer

Why we are a strong partner for you

Expertise

With us you have one of the leading experts in the field of cyber security at your side, certified by the BSI as an IT security service provider for IS revision, IS consulting and penetration tests.

Industry experience

Due to many years of experience in different branches of industry we can serve companies from a wide range of industries.

Tailor-made for you

We focus on individual services - and solutions - that optimally fit your current company situation and your set goals.

International network of experts

Around the globe: We consult and support you both nationally and internationally. Our global network of experts is ready to help you in word and deed in all IT security issues.

Independence

Our employees are not subject to any conflicts of interest, as they are not committed to any product suppliers, system integrators, stakeholders, interest groups or government agencies.
You have questions? We are pleased to help!

  

Further services

Penetration Tests
As an IT security service provider for penetrationtesting we help to identify organizational and technical security vulnerabilities.
Read more
System and Network Security

System and Network Security
The commonest targets of hacker attacks are the IT systems and data networks of companies. In order to detect attacks as early as possible, TÜViT offers penetration tests on system and network levels.
Read more
Web Application Security

Web Application Security
In order to enable you to secure the applications that drive your business, TÜViT offers penetration tests for web applications tailored to your needs.
Read more
Advanced Persistent Threats

Advanced Persistent Threats
Advanced Persistent Threats (APTs) are highly developed and targeted attacks that operate covertly in order to leave no visible traces. TÜViT offers various modules to prevent Advanced Persistent Threats.
Read more
Enhanced Security Services

Enhanced Security Services

TÜViT offers Enhanced Security Services, to keep your IT security level high at all times: from monitoring and retesting up to Red-Teaming.
Read more
Industrial Security

Industrial Security
In the context of the Internet of Things (IoT), the networking of systems for process control, production and automation is increasing dramatically. As a result, challenges are also increasing in relation to security. TÜViT offers security checks and penetration tests in order to reduce security vulnerabilities in your production infrastructure.
Read more
SQ Best Practice Certification Procedure

SQ Best Practice Certification Procedure
With its Security Qualification (SQ), TÜViT offers a standardized and flexible certification procedure that allows the integrated analysis of products and networked system solutions.
Read more

Router Security: BSI TR-03148
With BSI TR-03148 for "Secure Broadband Routers", you – as a manufacturer – can prove that your broadband routers meet the security requirements defined by the BSI. We check the implementation and accompany you on the way to successful certification according to BSI TR-03148.
Read more

CyberSecurity Certified (CSC)
Are you a manufacturer of a CIoT product and want the security of your (smart home) device confirmed by an independent third party? Then we will be happy to accompany you on your way to a successful CSC certificate.
Read more

Accelerated Security Certification (BSZ)
The BSZ is an independent certificate that confirms the security statement of your IT product – quickly, predictably and with a minimum amount of documentation.
Read more