Apps give the impression that they are much more sealed off, and thus less vulnerable to attack, than browser-based applications. This impression is deceptive: with readily available tooling, an attacker can reveal not just the internal structure and workings of the app but also its communication with, and the points of entry into, the server-side application.
The need for vulnerability-free programming is therefore just as urgent as with traditional web applications, yet it is generally much harder to achieve owing to the greater complexity of apps.
We analyse apps in their entirety. Depending on the type of app and its protection needs, we apply either selected measures or all of the measures listed below:
Server-side web application
Communication
Architecture
Selective or comprehensive code analysis
Code analysis is performed when more stringent security requirements are placed on the app and the results of the penetration test or architecture analysis also suggest it. All the points and processes in the code that affect sensitive data and functions are examined, with particular attention paid to the secure storage of sensitive data on the device.
Comprehensive code analysis is performed in special cases with specific protection needs.
Misuse scenarios and user errors
See also: Static code analysis can be a supplement or an alternative to penetration testing.
Additional information:
We rely on the OWASP Mobile Security Testing Guide as the baseline for our tests.
The Big Application Security Penetration Testing FAQ for Clients answers many important questions concerning the commissioning of penetration tests.
