Mobile Penetration Testing

The main difference is the amount of human time spent on a project to detect the most sophisticated, untrivial and novel security vulnerabilities. All other technical and reporting capacities and features are the same.

Our award-winning Machine Learning technology, based on Artificial Neural Networks (ANN), considerably reduces the testing time. Differently from automated scanners that penetration testers use to conduct basic testing, our proprietary technology delivers a superior quality of testing and sends less HTTP requests. While our AI technology, based on various Deep Learning algorithms, is used for intelligent automation of the testing processes thereby ensuring that all possible attack vectors and exploitation techniques are properly tested. Eventually, what a traditional penetration testing delivers in a week, our team of penetration testers will likely deliver in a couple of days or even faster.

Considering a wide spectrum of platform-specific attacks and weaknesses, each mobile app requires a separate package. However, if your mobile backend is the same, we will gladly provide you with a discount, please contact our Sales team for this.

All projects are performed in accordance to OWASP Testing Guide for Mobile Applications. For every project we have at least two security analysts conducting advanced manual testing on top of intelligently automated and accelerated vulnerability scanning by our award-winning AI technology. Additionally, we may enhance the methodology with NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, PCI DSS Information Supplement: Penetration Testing Guidance, FedRAMP Penetration Test Guidance and ISACA’s How to Audit GDPR guide. Might you need a specific methodology or testing framework not listed above, please just indicate this in “Special Requirements” field during the first step of project creation.

The project scope includes the provided mobile application and its backend (API and microservice). We conduct penetration testing only on web applications, APIs and web services without testing network layer.

Yes, if necessary, you can request a specific timeframe for your project. Please, indicate the preferred testing period in “Special Requirements” field during the first step of project creation. By default, all projects start at 9:00 AM CET of the scheduled day.

When creating a project, just specify in plain English any special requirements for testing and remediation, from scope and methodology to reporting. For example, you may command to spend additional time on sophisticated 2FA bypass techniques, avoid reporting low-risk XSS or provide in-depth remediation guidelines for PHP developers, and we will do so.

We provide actionable remediation guidelines for each of the detected vulnerabilities. Moreover, you have unlimited access to our security analysts might you have any further questions about remediation. Furthermore, we offer one-click virtual patching via WAF by F5, Imperva, Fortinet, Barracuda, Qualsy and DenyAll.

It is a binding contractual clause for every project with no exception. The clause clearly stipulates that for one single false positive in your report you will get back the entire amount paid for the project.

All exploitable and confirmed vulnerabilities will receive a CVSSv3 Base score. Moreover, we assess and indicate such important criteria as public availability of exploit, ongoing exploitation campaigns in the wild or vendor-supplied solution for the vulnerability. Issues that cannot be exploited or confirmed (e.g. a security flaw presumably affecting your Admin area where we do not have an access), will be added separately as security warnings without a CVSSv3 score.

In addition to our DevSecOps-enabled, multi-role dashboard you can download a report in PDF and XML formats. Likewise, we offer one-click integration with the most popular developers, CI/CD and DevSecOps tools, such as Jira or Mantis. Likewise, you can securely access your report data via our API.

All ImmuniWeb customers get unlimited access to our security analysts via ImmuniWeb Portal. You can ask questions about exploitation, remediation or any other project-related topics.

All penetration testing data is securely stored in our ISO 27001:2013 infrastructure in Canada and Switzerland (both recognized by the European Commission as countries providing an adequate level of data protection for the purpose of GDPR). For most of the projects we automatically and securely delete the data in 90 days after report delivery. Upon your request all data can be securely deleted at any moment.