Solved

Mobile penetration testing

Posted on 2016-10-28
2
148 Views
Last Modified: 2016-10-28
Hi to all of you,
I've been asked to write guidelines on how to perform Penetration Testin over mobile devices.

Can you please provide me some help , in particular based on your experience the methodology and  tools you use .
Thank you
Carlo
0
Comment
Question by:carlettus
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 41863714
You can check out OWASP top ten mobile threats and the pentest scope should include them minimally in scope of appl checks. See checklist in https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

However, for a more comprehensive coverage of Penetration testing, it should include minimally
a) vulnerability scanning that covers network/OS scan and appl scans. The appl scan will cover whitebox check (source code, if avail) and blackbox check (dynamic exchanges with appl). The OWASP can be reference as mentioned earlier
b) manual check for weak spots in the mobile device/architecture/access control/configuration to further intrude so as to surface the potential damage to the whole mobile setup (leading to data breaches). primarily is also to verify the existing safeguards control in place  

Determine the scope of the pentest is important otherwise you need to cover check for the whole robustness of the security architecture, mobile OS (apples/Android/Windows Phone etc) and device hardening and services integrity. This is very different if just going for mobile appl pentest that is driven more from OWASP check as shared earlier. See one PT sharing on iPhone/Android platform.
https://www.owasp.org/images/4/40/Pentesting_Mobile_Applications.pdf

The final report of the mobile security PT should cover the scope, tools, rule of engagement, findings, severity of vulnerability, remediation action and risk acceptance (for findings not closed). have caveats that the testing does not introduce backdoor, bring outage or damage the target or compromise actual target sensitive (personal data) information.
1
 

Author Closing Comment

by:carlettus
ID: 41863720
Thank you , this is an excellent point to start.
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question