Mobile application testing approach

IronSky performed a mobile application penetration test to identify vulnerabilities and security issues. The following is a description of the attack methodologies utilised:
1. Static Analysis
This phase involved decompiling the mobile applications and searching the recovered code and resources for hardcoded API keys, hardcoded URLs and other hardcoded, potentially sensitive information. The decompiled code was also reviewed for vulnerabilities and for excessive or misused permissions.
2. Mobile Application Vulnerability Assessment
A mobile vulnerability scan was run against the mobile applications to identify outdated third-party plugins and libraries and to test the applications against the OWASP Mobile Top 10 vulnerability categories.
3. Virtual Environment Assessment
The mobile applications were installed in a virtual environment (an emulator) to assess whether they can detect that they are running in one. If an application could not detect that it was running in a virtual environment, the analyst continued the assessment in that environment.
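As an added example, not IronSky's tooling and not part of the original report, the following Python script shows the kind of check run in the static analysis phase and the emulator-detection triage that feeds the virtual environment phase: it walks a directory of decompiled sources (as produced by a decompiler), flags hardcoded API keys and URLs, weak AndroidManifest.xml settings, and code that inspects well-known emulator indicators. The file names, regular expressions, ignore list and sample sources are constructed for illustration and should be tuned per engagement.

```python
"""Scan a decompiled Android app tree for hardcoded secrets, URLs,
weak manifest settings and emulator-detection code (illustrative example)."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Static-analysis phase: hardcoded credentials and endpoints.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    # name-based catch-all: API_KEY = "...", token: '...', password = "..."
    "generic_secret": re.compile(
        r'(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*["\']([^"\']{8,})["\']'),
}
URL_PATTERN = re.compile(r"https?://[^\s\"'<>)]+")
URL_IGNORE = ("schemas.android.com", "www.w3.org")  # XML namespace noise, not endpoints

# Manifest settings that weaken the app's posture (assumed checklist).
MANIFEST_PATTERNS = {
    "debuggable": re.compile(r'android:debuggable\s*=\s*"true"'),
    "allow_backup": re.compile(r'android:allowBackup\s*=\s*"true"'),
    "cleartext_traffic": re.compile(r'android:usesCleartextTraffic\s*=\s*"true"'),
    "dangerous_permission": re.compile(
        r"android\.permission\.(READ_SMS|SEND_SMS|READ_CONTACTS|RECORD_AUDIO|"
        r"ACCESS_FINE_LOCATION|CAMERA)"),
}

# Virtual-environment phase: strings that usually mean the app checks for an emulator.
EMULATOR_CHECK_PATTERN = re.compile(
    r"ro\.kernel\.qemu|goldfish|ranchu|generic_x86|Build\.FINGERPRINT|google_sdk|/dev/socket/qemud")

SCAN_EXTENSIONS = (".java", ".kt", ".smali", ".xml", ".js", ".json", ".properties")

Finding = Tuple[str, str, int, str]  # (category, path, line number, matched text)


def scan_file(path: str) -> List[Finding]:
    """Return every finding in one decompiled source or resource file."""
    findings: List[Finding] = []
    is_manifest = os.path.basename(path) == "AndroidManifest.xml"
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for name, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(line):
                    findings.append((name, path, lineno, m.group(0)))
            for m in URL_PATTERN.finditer(line):
                if not any(skip in m.group(0) for skip in URL_IGNORE):
                    findings.append(("url", path, lineno, m.group(0)))
            if EMULATOR_CHECK_PATTERN.search(line):
                findings.append(("emulator_check", path, lineno, line.strip()))
            if is_manifest:
                for name, pat in MANIFEST_PATTERNS.items():
                    for m in pat.finditer(line):
                        findings.append((name, path, lineno, m.group(0)))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a decompiled app directory and scan every source/resource file."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(SCAN_EXTENSIONS):
                findings.extend(scan_file(os.path.join(dirpath, fn)))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, for the report's overview table."""
    counts: Dict[str, int] = {}
    for category, *_ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample "decompiled" tree; AKIAIOSFODNN7EXAMPLE is the AWS documentation key.
SAMPLE_FILES = {
    "AndroidManifest.xml":
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android">\n'
        '  <uses-permission android:name="android.permission.READ_SMS"/>\n'
        '  <application android:debuggable="true" android:allowBackup="true">\n'
        '  </application>\n</manifest>\n',
    "com/example/app/ApiClient.java":
        'public class ApiClient {\n'
        '  static final String BASE_URL = "https://api.example.test/v1/";\n'
        '  static final String API_KEY = "sk_live_0123456789abcdef";\n'
        '  static final String awsKey = "AKIAIOSFODNN7EXAMPLE";\n}\n',
    "com/example/app/RootCheck.java":
        'public class RootCheck {\n'
        '  boolean isEmulator() { return android.os.Build.FINGERPRINT.contains("generic"); }\n}\n',
}


def build_sample_tree() -> str:
    """Write the constructed sample files to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="decompiled_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for category, path, lineno, text in scan_tree(tree):
        print(f"{category:20} {os.path.relpath(path, tree)}:{lineno}  {text}")
    print(summarise(scan_tree(tree)))
```

Point `scan_tree()` at the output directory of whatever decompiler was used; an `emulator_check` hit tells the analyst before phase 3 starts that the build is likely to behave differently on an emulator, and every `url` hit is a candidate backend host for the physical device phase.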
4. Physical Device Assessment
Physical device testing involved installing the mobile application on a physical device and exercising the application's processes and user flows. The running application was also assessed with third-party tools to identify vulnerabilities and bugs that the vulnerability assessment and static analysis would not pick up. The backend web server that the mobile application connects to was also tested to confirm that it is adequately secured.
5. Reporting
This phase concluded the testing with thorough documentation of the vulnerabilities discovered, including detailed steps to reproduce each vulnerability, screenshots, a description of its impact and exploitability, and options for remedial action to mitigate the risk.