What factors impact the cost of a mobile application penetration test?

This article describes the main factors we take into account when estimating the cost of a mobile application penetration test.

The penetration testing of applications on a mobile platform comes with some challenges. Today's mobile platforms (Android and iOS) ship with security features, such as per-app sandboxing, permission models and platform-managed trust stores, that protect user data and the platform itself from malicious apps. In most mobile app penetration tests, the goal is to test the application's own controls rather than the platform's controls, yet those platform controls also stand between the tester and the application. We built the following list of main factors that impact the level of effort for this kind of test:

1. Certificate Pinned Application

When an application is pinned to a particular certificate (or, more commonly, to the public key inside it), it rejects any TLS connection whose server certificate does not match the pinned value, even when that certificate chains to a certificate authority the device trusts. Certificate pinning is an excellent security feature for defeating intercepting (TLS-decrypting) proxies, because the certificate such a proxy mints for the backend hostname never carries the pinned key. Unfortunately, an intercepting proxy is precisely the tool a penetration tester must use to inspect the request and response traffic between the mobile application and its services. Circumventing pinning is technically possible, but it typically requires a rooted or jailbroken device plus instrumenting or repackaging the app to disable the pin check, and that work adds significant effort to a penetration test.
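The pin check described above, as an added example that is not code from the original article. It builds the DER SubjectPublicKeyInfo (SPKI) of an RSA key with a small hand-written encoder, derives the `sha256/` + base64 pin that OkHttp's CertificatePinner and Android's Network Security Config use, and then shows why an intercepting proxy fails: the proxy's certificate may pass ordinary chain validation once its CA is installed on the device, but its key hash is not in the pin set. The moduli are tiny constructed values, not real keys, and the second pinned key (a backup) is an assumption reflecting the usual advice to pin more than one key so rotation does not break the app.

```python
"""Public-key (SPKI) pinning check, standard library only."""
import base64
import hashlib

# --- Minimal DER encoder, just enough to build an RSA SubjectPublicKeyInfo ---

def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def der_integer(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:            # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return der_tlv(0x02, body)

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1
DER_NULL = b"\x05\x00"

def rsa_spki(n, e):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING subjectPublicKey }."""
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))      # RSAPublicKey
    algorithm_id = der_tlv(0x30, RSA_ENCRYPTION_OID + DER_NULL)         # rsaEncryption, NULL params
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)        # 0 unused bits
    return der_tlv(0x30, algorithm_id + subject_public_key)

# --- The pin itself ---

def spki_pin(spki_der):
    """'sha256/' + base64(SHA-256(SPKI DER)): the form OkHttp's CertificatePinner expects."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")

def chain_passes_pinning(chain_spkis, pinned):
    """Accept the connection only if some certificate in the presented chain carries a pinned key.

    This runs after ordinary chain validation, so a chain that the device's trust
    store accepts (e.g. one signed by a tester-installed proxy CA) can still be refused.
    """
    return any(spki_pin(spki) in pinned for spki in chain_spkis)

# Constructed sample keys (toy-sized moduli, not real or secure keys).
BACKEND_SPKI = rsa_spki(n=0xD3A7_5F19_C2B1_0E4D_8A6F_3C21_9B5E_7F01, e=65537)
BACKUP_SPKI = rsa_spki(n=0x9E42_1C7B_F035_A8D6_27B9_E4F0_5C13_8D77, e=65537)
# The key an intercepting proxy generates when it mints a certificate for the same hostname.
PROXY_SPKI = rsa_spki(n=0x7B10_C9E3_4F6A_2D85_B3E1_0F97_6A4C_D2F5, e=65537)

# What the app ships with: the live backend key plus one backup for rotation (assumed practice).
PINNED_KEYS = {spki_pin(BACKEND_SPKI), spki_pin(BACKUP_SPKI)}

def demo():
    """Outcome of the pin check for a genuine connection and an intercepted one."""
    return {
        "backend_accepted": chain_passes_pinning([BACKEND_SPKI], PINNED_KEYS),
        "rotated_to_backup_accepted": chain_passes_pinning([BACKUP_SPKI], PINNED_KEYS),
        "proxy_accepted": chain_passes_pinning([PROXY_SPKI], PINNED_KEYS),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The proxy case is the one that costs tester time: installing the proxy CA on the device only satisfies the platform's chain validation, while the app's own comparison against `PINNED_KEYS` still fails, so the tester has to hook or patch the function that performs that comparison.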

2. Obfuscated Source Code

In a sense, all mobile application penetration tests are white box tests, because the tester can decompile the application's binary into something close to its source code. Because of this, it may seem there is little to gain by supplying the actual source code to the test team. Reversing is not a significant hurdle unless the build process applies an obfuscation step. Code obfuscation (renaming classes and methods to meaningless identifiers, encrypting strings, flattening control flow) is a technique that deliberately makes the decompiled output harder to read without changing what the code does.

Reversing and understanding obfuscated code takes significantly more effort than reading source code. Therefore, we recommend either supplying the source code or time-boxing the reversing process to keep the penetration test cost-effective.

3. Business Purpose

Since we have previously tested many different types of applications, we can often accurately estimate the effort to test a new one with little more than a short description of the application and its business purpose. For example, a simple loyalty program app will be significantly less complex than a Customer Relationship Management (CRM) app, because it exposes fewer screens, roles and backend operations. In most cases we can compare the scope to similar applications we have already tested. If there are any doubts, a brief demonstration of the app is usually sufficient to estimate the testing effort.