Mobile application penetration testing

Mobile Penetration Testing Made Simple

Zero False-Positive SLA

Money-Back Guarantee for
a single false-positive

Rapid Delivery SLA

Guaranteed schedule of execution
and report delivery

In-Depth Testing

Business logic testing, SANS Top 25,
PCI DSS & OWASP coverage

Actionable Reporting

Tailored remediation guidelines
and 24/7 support

DevSecOps Tailored

SDLC and CI/CD tools integration,
WAF for mobile backend flaws

Actionable Remediation Report

Developers Environment

Web Application Firewalls

Mobile Penetration Test For Any Need

Ultimate Mobile App Testing

Static, dynamic and interactive
security testing with SCA

Backend Security Testing

Manual security testing of
Web Services and APIs

Intelligent Behavioral Analysis

Machine learning technology enhanced
with manual security testing

Black & White Box

Authenticated (including 2FA/MFA)
or Black Box testing

Attack Simulation

Threat-aware testing scenarios and
attack vectors upon request

Advanced Reconnaissance

Expert analysis of threats at Dark Web
and Public Code repositories

OWASP Mobile Security Testing Guide
NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
PCI DSS Information Supplement: Penetration Testing Guidance
FedRAMP Penetration Test Guidance
ISACA’s How to Audit GDPR

NIST SP 800-115 Technical Guide to Information Security Testing and Assessment

PCI DSS Information Supplement: Penetration Testing Guidance

Common Vulnerabilities and Exposures (CVE) Compatible
Common Weakness Enumeration (CWE) Compatible
Common Vulnerability Scoring System (CVSSv3)

A8: Insecure Deserialization
A4: XML External Entities (XXE)
A9: Using Components with Known Vulnerabilities
A5: Broken Access Control
A10: Insufficient Logging & Monitoring

Injection Flaws
Many other "High" Risk Vulnerabilities
Buffer Overflows
Cross-Site Scripting (XSS)
Insecure Cryptographic Storage

Improper Access Control
Insecure Communications
Cross-Site Request Forgery (CSRF)
Improper Error Handling
Broken Authentication and Session Management

CWE-90: LDAP Injection
CWE-79: Reflected XSS
CWE-91: XML Injection
CWE-79: DOM-Based XSS
CWE-93: CRLF Injection

CWE-345: Insufficient Verification of Data Authenticity
CWE-352: Cross-site request forgery (CSRF)
CWE-384: Session Fixation
CWE-400: Resource Exhaustion
CWE-434: Arbitrary File Upload

CWE-502: Deserialization of Untrusted Data
CWE-521: Weak Password Requirements
CWE-601: Open Redirect
CWE-611: Improper Restriction of XML External Entity Reference (XXE)
CWE-613: Insufficient Session Expiration

CWE-643: XPath Injection
CWE-804: Guessable CAPTCHA
CWE-799: Improper Control of Interaction Frequency
CWE-918: Server-Side Request Forgery (SSRF)
CWE-942: Overly permissive Cross-domain Whitelist

Most Comprehensive Mobile Penetration Testing

In every ImmuniWeb MobileSuite package

Penetration Testing

Mobile App Penetration Testing
- Mobile App Audit
- Mobile Endpoints Audit
- SANS Top 25 Full Coverage
- OWASP Top 10 Full Coverage
- OWASP Mobile Top 10 Full Coverage
- PCI DSS 6.5.1-6.5.11 Full Coverage
- AI Augments Human Testing and Analysis
- Machine Learning Accelerates Testing
Full Customization of Testing
Rapid Delivery SLA Money back

Contractual money-back guarantee for a delayed delivery date.

Reporting

Threat-Aware Risk Scoring
Step-by-Step Instruction to Reproduce
Web Interface, PDF and XML Formats
Tailored Remediation Guidelines
PCI DSS and GDPR Compliances
CVE, CWE and CVSSv3 Scores
Zero False-Positive SLA Money back

Contractual money-back guarantee for one single false positive.

Remediation

24/7 Access to Our Security Analysts
DevSecOps & CI/CD Tools Integration
One-Click Virtual Patching via WAF
(backend)
Multirole RBAC Dashboard

ImmuniWeb® MobileSuite Packages

Mobile Application Penetration Testing

Includes mobile app and its endpoints testing Each penetration test includes testing of your mobile app (iOS or Android) and its endpoints (e.g. web services or APIs).	Corporate Pro For a payment or banking app Corporate Pro package is best suited for business critical apps handling sensitive data of your clients, such as e-banking or e-payments apps with 15 or more systems in the mobile backend (e.g. web services, APIs, etc).	Corporate For a business or booking app Corporate package is best suited for business applications that process data of your clients or partners, such as online booking, basic e-commerce or document processing apps with up to 10 systems in the mobile backend (e.g. web services, APIs, etc).	SMB For a simple entertainment app SMB package is best suited for small mobile apps, such as games or news apps with up to 5 systems in the mobile backend (e.g. web services, APIs, etc).
AI-Automated Penetration Testing Our award-winning Deep Learning AI technology accelerates and intelligently automates over 10,000 security checks and tests that usually require human intelligence and cannot be detected by automated scanning. Full coverage of OWASP Top 10 and detection of over 20,000 known vulnerabilities in open source and commercial web software.	5 days	3 days	1 day
Enhancement with Manual Testing Our CREST-accredited security experts conduct advanced security testing of application business logic, chained exploitation of sophisticated vulnerabilities and perform other security, privacy and integrity checks that require human intelligence. Full Coverage of SANS Top 25 and PCI DSS 6.5 vulnerabilities in compliance with the leading penetration testing standards (NIST, FedRAMP, PCI DSS and OWASP OTG).	3+ experts	2+ experts	1 expert
WAF Testing and Bypass Our penetration test includes a thorough testing and eventual bypass of a Web Application Firewall (WAF) that protects your mobile backend. Vulnerability exploitation with WAF bypass will be reflected in our threat-aware risk scoring. On top of this, our remediation guidelines provide customized WAF rulesets for the most popular WAF solutions for a comprehensive defense against sophisticated vectors of web attacks.
Zero False Positives SLA Our Terms of Services provide a contractual money-back guarantee for a single false-positive in a penetration testing report for the integrity of our customers. We never had a complaint so far.
Dark and Deep Web Reconnaissance Our security experts conduct investigation of your organization’s exposure on Dark and Deep Web to intensify and deepen penetration testing.
Code Repositories Reconnaissance Our security experts conduct analysis of your source code leaks and your organization’s exposure on Public Code Repositories (e.g. GitHub) to expand and augment penetration testing.
Unbeatable value for money	Report on — $4,995	Report on — $2,995	Report on — $995

Start Now Get a Demo

Frequently Asked Questions

Q

How can I customize testing to meet my specific needs?

A

At the first step of online project creation, you can easily configure any special requirements for testing or reporting. For example, you can select testing with 2FA authentication, or exclude any specific vulnerabilities (e.g. self-XSS) from being reported, or contrariwise spend more time on authentication bypass attacks in a specific part of the application.
Q

How are better than traditional mobile penetration testing?

A

We use our award-winning AI and Deep Learning ANN technology to intensify, augment and accelerate human testing thereby making application penetration testing scalable and cost-efficient. We deliver faster results, better vulnerability coverage and unbeatable pricing compared to traditional penetration testing services powered solely by a human.
Q

How do you outperform automated vulnerability scanning?

A

We perform in-depth security testing including business logic analysis and testing, and comprehensive coverage of SANS Top 25 vulnerabilities using globally renown penetration testing methodologies. Moreover, we provide all our customers with a zero false-positives SLA corroborated with money-back guarantee for a single false positive.

We Make Applications Secure

ImmuniWeb is an efficient and very easy-to-use solution that combines automatic and human tests. The results are complete, straightforward and easy to understand. It’s an essential tool for the development of the new digital activities

Didier Ramella
CISO

ImmuniWeb is the best and simplest way to secure your business online. It's really fantastic experience to get report with zero false positive with detailed actions how to resolve problems and remove vulnerabilities. I think ImmuniWeb is definitely the best alternative to pen testers. As well as a way to save on staff and other costs. I am glad that I can get it all without any hidden costs and without complicated licensing schemes

Nika Vachridze
Senior Information Security Officer

ImmuniWeb significantly enhanced our vulnerability assessment capacity. It's an indispensable tool for continuous auditing of web based systems

Viktor Polic
Chief Security Officer

ImmuniWeb provides accurate assessment on the security posture of our cloud-based applications. The report provided is concise and easy to read with sound advisories on the necessary steps to fix the issues. What impressed me most was that no false-positive was listed and the vulnerabilities are real. ImmuniWeb certainly gives us the right level of assurance that our cloud-based applications are safe and "good-to-go" before we deploy them out to production

Lee Chye Seng
Director, Learning Systems and Applications

ImmuniWeb is an invaluable tool for iPresent with both automated and manual penetration testing. The fantastic manual testing has found even the most hidden and complicated bugs in our security and ImmuniWeb has delivered first class knowledge. The self-service interface also gives us great control to schedule and monitor tests when we need them

Neil Bostrom
Chief Technical Officer

ImmuniWeb is a great innovative service that brings unbeatable ROI. It is undoubtedly the best way to quickly and easily guarantee your customers that their data is safe with you - and yours too by the way! Efficient and effective!

Jean-Michel Beylard-Ozeroff
Head of IT