Mobile Applications Penetration Testing

SKU: VS810591

Description

A mobile application security test focuses on evaluating the security of a mobile application. The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. Any security issues that are found will be presented to the system owner, together with an assessment of their impact and a proposal for mitigation or a technical solution.

The MSPKART Mobile Application Penetration Testing service leverages application mapping, reverse engineering and proprietary tools to identify business logic and technical vulnerabilities in your mobile applications. Many of the risks associated with mobile applications are similar to those of web applications, such as user authentication, data security and data in transit. Our core focus lies not only in identifying technical vulnerabilities but also in identifying key issues related to application permissions and data flow.

MSPKART Testing Approach

– Reverse Engineering and Static Analysis

– Dynamic and Run-time Analysis

– Network Analysis and Server Side Testing

| S.No | Vulnerability Name | Classification |
| --- | --- | --- |
| | Client Side Checks | |
| 1 | Account Lockout | Dynamic Checks |
| 2 | Application is Vulnerable to XSS | Static/Dynamic Checks |
| 3 | Authentication bypassed | Dynamic Checks |
| 4 | Hard coded sensitive information in Application Code (including Crypt | Static Checks |
| 5 | Malicious File Upload | Dynamic Checks |
| 6 | Session Fixation | Dynamic Checks |
| 7 | Privilege Escalation | Dynamic Checks |
| 8 | SQL Injection | Static/Dynamic Checks |
| 9 | Attacker can bypass Second Level Authentication | Dynamic Checks |
| 10 | Debug is set to TRUE | Static Checks |
| 11 | Application makes use of weak Cryptography | Static Checks |
| 12 | Cleartext information under SSL Tunnel | Dynamic Checks |
| 13 | Client Side Validation can be bypassed | Dynamic Checks |
| 14 | Invalid SSL Certificate | Static Checks |
| 15 | Sensitive Information is sent as Clear Text over network/Lack of Data | Dynamic Checks |
| 16 | CAPTCHA is not implemented on Public Pages/Login Pages | Dynamic Checks |
| 17 | Improper or NO implementation of Change Password Page | Dynamic Checks |
| 18 | Application does not have Logout Functionality | Dynamic Checks |
| 19 | Sensitive information in Application Log Files | Dynamic Checks |
| 20 | Sensitive information sent as a querystring parameter | Dynamic Checks |
| 21 | URL Modification | Dynamic Checks |
| 22 | Sensitive information in Memory Dump | Dynamic Checks |
| 23 | Weak Password Policy | Dynamic Checks |
| 24 | Autocomplete is not set to OFF | Static Checks |
| 25 | Back-and-Refresh attack | Dynamic Checks |
| 26 | Directory Browsing | Static/Dynamic Checks |
| 27 | Usage of Persistent Cookies | Dynamic Checks |
| 28 | Open URL Redirects are possible | Dynamic Checks |
| 29 | Improper exception Handling: In code | Static Checks |
| 30 | Insecure Application Permissions | Static Checks |
| 31 | Certificate Chain is not Validated | Static/Dynamic Checks |
| 32 | Last Login information is not displayed | Dynamic Checks |
| 33 | Private IP Disclosure | Static Checks |
| 34 | UI Impersonation through JAR file modification | Dynamic Checks |
| 35 | Operation on a resource after expiration or release | Dynamic Checks |
| 36 | No Certificate Pinning | Dynamic Checks |
| 37 | Cached Cookies or information not cleaned after application removal/ | Dynamic Checks |
| 38 | Clipboard is not disabled | Dynamic Checks |
| 39 | Android Backup Vulnerability | Static Checks |
| 40 | Unencrypted Credentials in Databases (sqlite db) | Dynamic Checks |
| 41 | Store sensitive information outside App Sandbox (on SDCard) | Dynamic Checks |
| 42 | Allow Global File Permission on App Data | Dynamic Checks |
| 43 | Store Encryption Key Locally/Store Sensitive Data in ClearText | Dynamic Checks |
| 44 | Third-party Data Transit on Unencrypted Channel | Dynamic Checks |
| 45 | Weak Custom Hostname Verifier | Static Checks |
| 46 | App/Web Caches Sensitive Data Leak | Dynamic Checks |
| 47 | Leaking Content Provider | Dynamic Checks |
| 48 | Redundant Permissions Granted | Static Checks |
| 49 | Use of Spoofable Values for Authenticating User (IMEI, UDID) | Dynamic Checks |
| 50 | Use of Insecure and/or Deprecated Algorithms | Static Checks |
| 51 | Local File Inclusion (might be through XSS Vulnerability) | Static/Dynamic Checks |
| 52 | Malicious Broadcast Injection | Static Checks |
| 53 | Malicious Activity/Service Launch | Static Checks |
| 54 | Using Device Identifier as Session | Dynamic Checks |
| 55 | Lack of Checksum Controls/Tamper Detection | Dynamic Checks |
| | Server Side Checks | |
| 56 | Cleartext password in Response | Dynamic Checks |
| 57 | Direct Reference to internal resource without authentication | Dynamic Checks |
| 58 | Application has NO or improper Session Management/Failure to Invalid | Dynamic Checks |
| 59 | Cross Domain Scripting Vulnerability | Dynamic Checks |
| 60 | Cross Origin Resource Sharing | Dynamic Checks |
| 61 | Improper Input Validation – Server Side | Dynamic Checks |
| 62 | Detailed Error page shows internal sensitive information | Dynamic Checks |
| 63 | Application allows HTTP Methods besides GET and POST | Dynamic Checks |
| 64 | Cross Site Request Forgery (CSRF)/SSRF | Dynamic Checks |
| 65 | Cacheable HTTPS Responses | Dynamic Checks |
| 66 | Path Attribute not set on a Cookie | Dynamic Checks |
| 67 | HttpOnly Attribute not set for a cookie | Dynamic Checks |
| 68 | Secure Attribute not set for a cookie | Dynamic Checks |
| 69 | Application is Vulnerable to Clickjacking/Tapjacking attack | Dynamic Checks |
| 70 | Server/OS fingerprinting is possible | Dynamic Checks |
| 71 | Lack of Adequate Timeout Protection | Dynamic Checks |

Assumptions & Dependencies

  • Availability of, and necessary access to, the mobile application environment for the entire duration of the engagement.
  • Applications that need to be tested are, and remain, functionally stable during the course of the engagement.
  • Sample test data (including sample user credentials) will be provided by the client for the mobile applications.
  • Support from the client's infrastructure or application development team will be provided during the testing.
  • The required test accounts will be provided for security and penetration testing.
  • The application overview, app server and DB details and access should be given so that the system's configuration can be understood.

Note: Cost is per application, per platform (Android/iOS).

Billing: We require 50% advance payment to start the service and 50% at the end of the service.
