Pitfalls of Mobile Penetration Testing Service. Part I

Mobile penetration testing is a specialized type of security assessment that aims to identify vulnerabilities in mobile applications, their backend systems, and the devices they operate on. Mobile applications surround us in nearly all essential aspects of modern life, and the majority of them handle sensitive user data. Because of this, businesses must ensure their apps are secure from cyber threats.

There are well-known penetration testing methodologies, and the list of standard checks for mobile applications is also well established. However, mobile app pentesters still face a number of potential issues and obstacles. A knowledgeable customer should be aware of such pitfalls in order to maintain a productive discussion with the service provider. So, let’s talk about them and see how they can be worked around.

Static and Dynamic Analysis Pitfalls

Static Application Security Testing (SAST) provides for analyzing the source code of the application, binaries, and configuration files for security flaws. Dynamic Application Security Testing (DAST), as the name suggests, provides for assessing the application while it is running to identify runtime vulnerabilities.

Static Application Security Testing (SAST) involves analyzing an application’s source code, binaries, or decompiled files without executing it. However, many mobile applications obfuscate their code to prevent reverse engineering, which makes it difficult to analyze and extract meaningful security insights. Also, sensitive strings (e.g., API keys) may be stored encrypted, preventing detection through simple string analysis. Automated SAST tools often produce false positives, flagging non-exploitable issues that require manual review: some flagged vulnerabilities may not be security risks in real-world execution but appear concerning in static code analysis.

The intrinsic limitation of SAST is that it does not analyze runtime behavior. A credential that appears hardcoded may be encrypted at runtime, rendering the finding irrelevant, while other vulnerabilities only appear when data is generated dynamically during execution.
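To make this SAST limitation concrete, here is an added example (not code from the original article): a minimal string scanner run over a constructed, jadx-style decompiled Java class. It shows a plaintext key that a keyword scan catches, two placeholder values it flags as false positives needing manual review, and an obfuscated high-entropy literal that the keyword scan misses entirely and that only an entropy heuristic surfaces for runtime verification. The class, the `Crypto.decrypt` call and every value are hypothetical.

```python
import math
import re
from collections import Counter

# Constructed sample of decompiled (jadx-style) Java from a hypothetical Android app.
# All values are made up; none belong to a real service.
DECOMPILED = """\
public class ApiConfig {
    public static final String BASE_URL = "https://api.example.invalid/v1";
    public static final String API_KEY = "k7Qp93xLmZ2vT8wRb4nY6sJdH1fGc0aE";
    public static final String API_KEY_PLACEHOLDER = "REPLACE_ME";
    public static final String DEBUG_TOKEN = "0000000000000000";
    private static final String a = "U2FsdGVkX19Zr3tQ8mX7kPq2vB5nL0wYc4dJf6hG9sT=";
    public static String b() { return Crypto.decrypt(a); }
}
"""

# Pattern 1: a secret-looking identifier assigned a string literal (keyword scan).
KEYWORD_ASSIGN = re.compile(
    r'String\s+(?P<name>\w*(?:KEY|SECRET|TOKEN|PASSWORD)\w*)\s*=\s*"(?P<value>[^"]*)"',
    re.IGNORECASE,
)
# Pattern 2: any string literal, used only for the entropy heuristic.
ANY_ASSIGN = re.compile(r'String\s+(?P<name>\w+)\s*=\s*"(?P<value>[^"]*)"')

PLACEHOLDERS = ("REPLACE_ME", "EXAMPLE", "CHANGEME", "TODO")


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking keys and ciphertext score high."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    """Obvious dummy values: a known placeholder word or a single repeated character."""
    upper = value.upper()
    return any(p in upper for p in PLACEHOLDERS) or len(set(value)) == 1


def scan_source(text: str, entropy_threshold: float = 4.0) -> list[dict]:
    """Return one finding per suspicious line, as a simple SAST string scan would."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = KEYWORD_ASSIGN.search(line)
        if m:
            value = m.group("value")
            findings.append({
                "line": lineno, "name": m.group("name"), "value": value,
                "kind": "hardcoded_secret",
                # Placeholders are the classic SAST false positive: flagged, not exploitable.
                "triage": "likely_false_positive" if is_placeholder(value) else "confirmed",
            })
            continue
        m = ANY_ASSIGN.search(line)
        if m and "://" not in m.group("value"):
            value = m.group("value")
            # Obfuscated name plus high-entropy literal: the keyword scan is blind here,
            # and the value may only be decrypted at runtime, so it needs dynamic verification.
            if len(value) >= 16 and shannon_entropy(value) >= entropy_threshold:
                findings.append({
                    "line": lineno, "name": m.group("name"), "value": value,
                    "kind": "possible_encrypted_secret",
                    "triage": "needs_runtime_verification",
                })
    return findings


def summarize(findings: list[dict]) -> dict:
    """Count findings by triage outcome, the way a reviewer's dashboard would."""
    return dict(Counter(f["triage"] for f in findings))


if __name__ == "__main__":
    results = scan_source(DECOMPILED)
    for f in results:
        print(f"line {f['line']:>2} {f['name']:<20} {f['kind']:<26} -> {f['triage']}")
    print(summarize(results))
```

The "confirmed" finding still has to be validated dynamically; the point is that only the keyword hit is what a plain SAST tool reports, while the encrypted literal reaches the report solely through the entropy heuristic.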

A pentester should keep in mind that third-party SDKs and libraries (e.g., Firebase, analytics tools) are often included in mobile apps but may not be fully analyzed in static assessments; also, interactions with backend APIs and dynamic content generation cannot be assessed properly by static analysis alone.

An experienced mobile penetration testing service provider will know how to mitigate these issues. For instance, it is a must to combine SAST and DAST, as each method has its strengths and weaknesses; using both ensures better vulnerability coverage. Manual code review helps reduce false positives and negatives. Instrumentation techniques such as Frida hooks, SSL unpinning, and dynamic instrumentation help bypass the app's anti-analysis protections for deeper testing, and setting up a proper testbed (emulators, rooted/jailbroken devices, network proxies) improves the effectiveness of dynamic analysis.

We mentioned combining DAST with SAST; however, DAST has several limitations of its own when used for mobile app penetration testing. This is primarily because DAST tools are designed for web applications and struggle with mobile-specific security aspects.

For instance, DAST focuses on runtime vulnerabilities but cannot detect many mobile-specific issues, such as:

  • insecure local data storage (e.g., unprotected SQLite databases, insecure keychains, exposed logs);
  • poor API security (e.g., improper authentication mechanisms, hardcoded API keys);
  • weak cryptographic implementations (e.g., outdated encryption, improper key storage).

DAST tools can be ineffective against client-side vulnerabilities, as they interact with the application as a black-box tester, meaning they struggle with detecting issues like:

  • code obfuscation weaknesses (e.g., poorly implemented ProGuard rules);
  • hardcoded credentials or sensitive data within the app binary;
  • insecure inter-process communication (IPC) risks such as exposed Android Intents or iOS URL schemes.

Many modern mobile apps use SSL/TLS certificate pinning, preventing DAST from intercepting traffic via proxies like Burp Suite or OWASP ZAP. Also, some apps encrypt API requests at the application level, making automated analysis difficult.

Mobile-specific functionality can also complicate the assessment, as DAST tools are optimized for web interactions and may fail to analyze biometric authentication (e.g., Face ID, Touch ID), device permission abuse (e.g., excessive access to location, camera, microphone), and background processes or push notifications, all of which are crucial in mobile security. Hybrid apps (e.g., React Native, Flutter, Cordova) add further complications, since they mix web and native elements, making it harder for DAST tools to analyze them fully. Native apps (Swift/Kotlin) consist of compiled code, which DAST tools can’t easily inspect.

It is well known that DAST often fails to fully authenticate and navigate API workflows, especially in mobile apps that use OAuth 2.0 / JWT authentication, require multi-factor authentication (MFA), or have complex session management.

While DAST is useful for basic runtime security testing, it should be complemented with SAST, API testing, and manual penetration testing for a thorough security assessment of mobile applications. To combine DAST with mobile SAST and manual testing, you can use MobSF, Frida, and Objection; for API security testing, Postman, Burp Suite, or mitmproxy can be recommended. Local storage security can be assessed using tools like MobSF together with manual testing on rooted/jailbroken devices.

The pitfalls of mobile application penetration testing services are a complex subject, so we have decided to split it into three parts.


Penetration Testing Methodologies

Each penetration testing methodology has its specific use cases and benefits. Organizations should select among penetration testing methodologies based on their security goals, technical environment, and compliance requirements.

Different methodologies exist for penetration testing different digital assets. In the brief overview below, we will discuss their focus, strengths, and weaknesses.


OWASP Penetration Testing Methodology

The OWASP (Open Web Application Security Project) Penetration Testing Methodology is one of the most well-known methodologies for pen testing. It provides a structured framework for assessing the security of web applications (there are other methodologies for, say, mobile application pentests). OWASP is widely used for identifying vulnerabilities and ensuring the reliability of web software. The OWASP Web Security Testing Guide (WSTG) is central to this methodology, outlining specific tests and tools for detecting security issues in web applications.

This methodology mostly focuses on a black-box approach, simulating an external attack without prior knowledge of the internal structure of the application. It emphasizes the use of practical tools and techniques, covering areas like input validation, authentication, session management, and business logic testing. It is instrumental in strengthening the application’s security posture against modern cyber threats.

OWASP provides comprehensive coverage, as it includes all major aspects of web application security, from technical vulnerabilities to business logic issues. It is freely available, making it accessible to organizations of all sizes, and regular updates ensure it reflects the latest developments in web application security.

However, the effectiveness of OWASP depends heavily on the tester's expertise and experience in applying the framework. Also, it is less suited for testing other domains.


NIST SP 800-115 Penetration Testing Methodology

NIST SP 800-115, titled "Technical Guide to Information Security Testing and Assessment," provides a structured framework for conducting penetration testing and other security assessments. It is aimed at helping organizations evaluate the effectiveness of their security controls by simulating real-world attacks. The methodology covers three phases:

  1) Planning: defining objectives and scope; establishing roles, responsibilities, and rules of engagement; identifying targets and constraints.
  2) Execution: performing information gathering and vulnerability identification; exploiting vulnerabilities to demonstrate their potential impact; documenting findings in real time for accuracy.
  3) Post-Execution: analyzing results to prioritize remediation efforts and delivering a comprehensive report with detailed findings, risks, and mitigation strategies.

NIST SP 800-115 is characterized by a comprehensive scope as it addresses various testing techniques, including network, application, and physical security assessment guidelines. It promotes consistency across testing teams and environments as well as clear remediation steps and prioritization of risks.

However, while detailed, it may lack specific technical steps for unique environments. It is also quite resource-intensive, requiring skilled personnel and a significant time investment for effective execution.


SANS Penetration Testing Framework

SANS Penetration Testing Methodology is derived from best practices taught by the SANS Institute, a leader in cybersecurity training and certifications. This methodology provides a structured approach to ethical hacking and is widely used for identifying vulnerabilities and simulating real-world attacks. It is often paired with SANS courses like SEC560 (Network Penetration Testing and Ethical Hacking) and SEC542 (Web App Penetration Testing and Ethical Hacking).

The methodology includes the following steps:

  1) Reconnaissance: gathering open-source intelligence (OSINT) to understand the target environment;
  2) Scanning: identifying live hosts, open ports, and services through tools like Nmap;
  3) Exploitation: using vulnerabilities found during scanning to gain unauthorized access;
  4) Post-Exploitation: maintaining access, escalating privileges, and pivoting to other systems;
  5) Reporting: documenting findings, risks, and mitigation strategies.

This penetration testing framework is distinguished by its practicality. It focuses on real-world scenarios and hands-on techniques. Also, it covers all major aspects of penetration testing, from reconnaissance to reporting, and is supported by extensive SANS training programs and certifications. On the other hand, it requires skilled testers and extensive time investment. Also, it relies heavily on tools like Metasploit and Burp Suite, which may limit creativity in certain scenarios.


CREST Penetration Testing Methodology

CREST (Council of Registered Ethical Security Testers) penetration testing is a standardized and globally recognized methodology for conducting penetration tests. It ensures that tests are performed by certified professionals who follow consistent, detailed, and ethical procedures to evaluate an organization's cybersecurity posture. CREST accreditation guarantees high-quality, precise, and trustworthy testing.

CREST-certified penetration testing involves simulated cyberattacks authorized by the client to assess vulnerabilities in IT systems, networks, and applications. The methodology emphasizes robust documentation, pre-engagement planning, and adherence to ethical and professional standards.

It is a credible methodology: CREST-certified testers and organizations ensure globally recognized standards of professionalism and expertise. It covers various areas including network, application, and infrastructure testing; ensures detailed and actionable reporting, aiding stakeholders in implementing corrective measures.

It should be noted that CREST-certified services can be expensive due to rigorous certification and resource requirements. The certification process and execution can take longer compared to non-standardized methodologies.

The above methodologies can be used for different types of penetration testing, such as web or mobile. A professional penetration testing company can follow these standards when working with end clients or its white-label partners, leveraging its expertise for the benefit of general cybersecurity.



Trilight Security Recognized Among Top 5 Penetration Testing Service Providers in 2025

Trilight Security has been recognized among the top 5 penetration testing service providers to watch in 2025 by the popular technology publication TechTimes.com. Our company was included in the rating for the expert penetration testing services provided by a highly trained team; white label penetration testing services offered to MSSPs and MSPs; and holistic, cost-efficient solutions tailored to the needs of global clients. We thank our customers, partners, and team, who let us achieve this international recognition!

Read the full article with the rating here.


Trilight Security Named Among Top Cybersecurity Consulting Companies 2025 by Superbcompanies.com

Trilight Security is proud to announce that we were ranked in the list of top Cybersecurity Consulting Companies.

Superbcompanies.com is a global portal that helps companies looking for IT, cybersecurity, and software development service providers find a reliable partner. To that end, companies featured on Superbcompanies.com undergo a thorough assessment based on such criteria as industry presence, expertise level, quality and reliability of services, and more.

Superbcompanies.com has more than 15 years of experience analyzing businesses and their qualifications worldwide. Trilight Security was featured among Cybersecurity Consulting Companies due to recognition by existing customers and a demonstrated ability to provide high-quality cybersecurity services, including Managed Security and more:

  • Penetration Testing
  • Vulnerability Analysis
  • Compromise Assessments
  • Digital Forensics
  • SOC-as-a-Service
  • Dark Web Monitoring
  • Incident Response
  • ISO 27001 Compliance consulting
  • SOC 2 Compliance consulting
  • Cybersecurity Outsourcing & Outstaffing

Trilight Security is a Managed Security Service Provider (MSSP) with a focus on customers from small and medium businesses. We also have a strong focus on white-labeling our services to other MSSPs and MSPs in North America, the EU, and beyond.

Thank you to the Superbcompanies team.


Trilight Security Recognized by GoodFirms as the Best Company to Work With

In an era when every business, whether big or small, is investing in digital technologies and tools, keeping security in place is challenging for firms. Not only the implementation, but also the efficient and consistent management of these technologies is critical to getting the desired results. Even the slightest negligence could cost businesses hugely in terms of service downtime, customer dissatisfaction, poor user experience, reduced sales, etc. Top IT services companies with relevant experience in cyber security, development, testing, deployment, and platform migration can deliver the estimated RoI, data privacy, proactive monitoring capabilities and improved uptime, while maintaining a consistent flow of operations and functions.

GoodFirms has recognized Trilight Security for the experience and specialized skills that position the company as one of the business leaders in its Leaders Matrix program, where it was identified as the “Best Company to Work With.” Headquartered in Estonia, Trilight Security is a leading provider of cutting-edge cyber security solutions such as SOC design, implementation, and operation; cloud security; pentesting; cloud migration; endpoint protection; identity and access management; vulnerability assessment; network security; IT consultation; and many more at affordable prices.

Recently, Trilight Security has been focusing on managed IT security services and outsourcing to rapidly expand its client portfolio.

For the year 2024, GoodFirms named Trilight Security as the “Best Company to Work With.”

If you are looking for the top IT services companies to work with, Trilight Security is the best one out there, as recognized by the GoodFirms Leaders Matrix. Since its inception in 2020, Trilight Security has been driven by the vision of providing quality and affordable cybersecurity services to clients in the EU and North America. With highly skilled employees, sophisticated technologies, best practices and agile methodologies, the company aims to bring the same value to customers at a fraction of in-house cybersecurity costs. GoodFirms recently recognized Trilight Security as the “Best Company to Work With” in 2024.

As a leading IT services company, Trilight Security only needs to be told the goal; the company will then put forth all its expertise to transform the idea into a working solution.

The company has highly experienced, knowledgeable and skilled teams of security analysts, SOC architects, penetration testers, incident responders, digital forensic experts, etc., to cater to the needs of SMBs and large enterprises. Additionally, the company has built a vast partner network of US- and EU-based IT service providers.

“We would like to stress our capabilities in provision of white label cybersecurity services, first of all penetration testing and SOCaaS,” added Trilight Security.

Why is Trilight Security the Best Company to Work With?

For any business, responding to the growing demands and opportunities of technological advancement starts by moving out of conventional thinking or outdated business models. Similarly, Trilight Security seems to be following the same direction. The company has been on a mission to serve value-added and cost-effective cybersecurity services to clients by being creative and experimenting with innovative models to deliver its total value.

“We believe Trilight Security’s positioning in GoodFirms’ Leaders Matrix report reflects the company’s ability to help its clients with cyber security services that can deliver total reinvention, including helping them that best meets their digital needs,” said GoodFirms. 

Trilight Security had to undergo an assessment under the GoodFirms Leaders Matrix program. The evaluation covered the service landscape, verified client reviews, experience in the domain, market, competitive positioning, and much more. Such analysis helped in bringing out strategic information about Trilight Security’s capabilities, competitive differentiation, and market position. 


About the “Best Company to Work With” Badge

“Best Company To Work With” is an exclusive program run by GoodFirms in which Leaders Matrix companies are recognized with a badge, an exclusive article about the company, and supporting PR. Such recognition helps build trust and authenticity within the B2B community. It also allows the participating companies to improve their ranking (rank higher in the Leaders Matrix categories), receive inbound backlinks from the GoodFirms LeadersRoundtable podcast campaign, and get a certified badge saying “Best Company to work with.”

About GoodFirms

GoodFirms is a B2B research, review, and listing platform helping businesses accelerate their digital journey and to maximize the value of modern technology. The company connects service providers with service seekers through a comprehensive and thoroughly researched fact-based list of the best services and solutions. Recognized as the most reliable source for the B2B market, GoodFirms has world-class experience with partners across the globe.


Trilight Security - a Top Staff Augmentation Company in 2023

Trilight Security is thrilled to announce that TrueFirms has recognised us as a top Staff Augmentation Company in 2023. Years of effort and excellence in providing top cybersecurity and IT talent to hi-tech companies in the EU, the U.S., and other regions of the world have led to this new recognition of Trilight Security by the industry community.

TrueFirms is an online platform that connects businesses with trusted and verified service providers. Through data-driven recommendations and artificial intelligence, TrueFirms allows users to quickly find the supplier that best suits needs of any kind.

Trilight Security, among other services, specialises in providing different types of cybersecurity, IT infrastructure, and software development professionals to companies wishing to augment their internal teams, or struggling with service delivery to their end clients.

Send your personnel requests to connect@trilightsecurity.com and we will definitely help you!



We Are Named Among Most Reviewed IT Services Companies in Estonia

In early August, The Manifest released a list of the most reviewed B2B service providers in Estonia for the year 2023. The companies included in this list have successfully completed the platform's rigorous evaluation process. Trilight Security OÜ was specifically recognized among the highly reviewed IT services firms from Estonia.

Despite the country facing certain economic challenges, there is a positive outlook for the upcoming years. Notably, key players in various high-tech industries like IT services, cybersecurity, software development, and others are actively contributing to bolster the nation's resilience.

The "Most Reviewed Company" award by The Manifest emphasises the importance of cultivating strong relationships between service providers and their clients. The entities featured in this list were chosen based on the quantity of testimonials and endorsements they garnered over the past twelve months.

Yan Shmyhol, CEO of Trilight Security, commented: "We are delighted to have received this award, which attests to our position as significant players in Estonia's IT services market. Furthermore, it motivates us to set new objectives for the upcoming assessment period."


Lazarus is Back

Lazarus is Back. $35 million Stolen from Atomic Wallet

Hackers from North Korea are causing trouble again, and this time they targeted Atomic Wallet. They managed to steal a whopping $35 million in crypto.

The experts at Elliptic, who know their way around blockchain, have connected the dots and linked the theft to the Lazarus group. They've been busy tracking the stolen funds as they were moved around different wallets and mixers, in attempts to cover the tracks.

This attack on Atomic Wallet happened just last weekend, and it left a lot of innocent wallets compromised and their funds snatched away. The total haul reached over $35 million. According to Elliptic, this is the first big crypto heist of the year for Lazarus. Don’t forget, they've already blown through $100 million from the Harmony Horizon Bridge hack in June 2022, and a mind-boggling $620 million from Axie Infinity in March 2022. Who knows what they're spending it on? Maybe North Korean rockets or their nuclear program?

You might be wondering how Elliptic can be so confident in their attribution. Well, it turns out that the laundering strategy used in this attack was the same as in their previous heists. They also used the Sinbad mixer again, and a good chunk of the stolen funds ended up in the same wallets that were linked to Lazarus before.

Even though laundering stolen cryptocurrency has become trickier lately, there are still some less scrupulous exchanges out there where these things can happen. That's why wallet developers and operators need to step up their cybersecurity efforts and seriously audit and test their code. Unless they want to unknowingly contribute to funding some dictator's science projects, right?

But here's the big question that keeps bugging some experts: Who the heck is behind the Lazarus group? The world is a curious place, so maybe there are some folks pretending to be North Koreans, flaunting their top-notch computer skills. Who knows, right?


Emotet

Emotet: Look, Who's Back

The #emotet malware operation restarted its activity this Tuesday morning, resuming spam email distribution after a three-month break.

Emotet malware is distributed through emails containing malicious Microsoft Word and Excel document attachments. The user needs to open the document and enable macros, after which the Emotet DLL is downloaded and loaded into memory.

One of Emotet's peculiar features is that, initially, it is not active and waits until instructions are received from a remote command and control server. Then several options are possible: for instance, the victim's emails and contacts are stolen to be included in subsequent Emotet campaigns, or an additional payload is downloaded to run a ransomware attack against the infected computer.

At its peak, Emotet was one of the most widely distributed malware families. Now it is less active, but it is still evolving, as the latest developments have shown.

This time the spam carries Word documents using the Red Dawn template, and they are huge indeed, with sizes over 500MB. Previously the spam messages posed as reply chains; now they pretend to be invoices. The attached ZIP archives contain Word documents inflated with padding data, mostly to make the files harder for antivirus engines to scan and detect as malicious.

After downloading, the Emotet DLL is saved to a random-named folder under %LocalAppData% and launched using regsvr32.exe. This evasion technique has proved quite successful: a VirusTotal scan showed that only one out of 64 security vendors detected this malware.

However, with Microsoft's recent change that finally disabled macros by default, the current campaign might not be a success. At least, no additional payloads have been observed in action yet. We might expect Emotet to move to file types other than .doc and .xls, such as ISO, JS, etc.
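As an added detection example (not part of the original post), the execution chain described above, an Office application spawning regsvr32.exe to load a DLL from a random-named folder under %LocalAppData%, can be scored from endpoint process-creation telemetry. The events below are constructed in a simplified Sysmon-like shape (parent image, image, command line); the user, folder and file names are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Event:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    score: int
    level: str
    reasons: list = field(default_factory=list)


# Constructed sample telemetry; none of these paths come from a real incident.
SAMPLE_EVENTS = [
    Event(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Windows\System32\regsvr32.exe",
          r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Qkzvtrpw\wdpqmrel.dll"'),
    Event(r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\regsvr32.exe",
          r'regsvr32.exe /s "C:\Program Files\Vendor\control.dll"'),
    Event(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          r"C:\Windows\System32\regsvr32.exe",
          r'regsvr32.exe /s "C:\Users\bob\AppData\Local\Temp\x.ocx"'),
    Event(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c echo hello"),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Folders that legitimately live directly under %LocalAppData%; not "random-named".
KNOWN_LOCAL_FOLDERS = {"temp", "microsoft", "google", "programs", "packages"}
# A DLL/OCX under %LocalAppData%\<folder>\ on the command line.
LOCALAPPDATA_DLL = re.compile(
    r'\\AppData\\Local\\(?P<folder>[^\\"]+)\\(?P<file>[^\\"]+\.(?:dll|ocx))',
    re.IGNORECASE,
)
RANDOM_NAME = re.compile(r"^[A-Za-z]{6,}$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(name: str) -> bool:
    """Crude heuristic: an all-letter folder name, not a known folder, with few vowels."""
    if name.lower() in KNOWN_LOCAL_FOLDERS or not RANDOM_NAME.match(name):
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in name)
    return vowels / len(name) < 0.3


def score_event(ev: Event) -> Optional[Verdict]:
    """Score a regsvr32 launch; events for other images are not this rule's concern."""
    if basename(ev.image) != "regsvr32.exe":
        return None
    v = Verdict(0, "none")
    if basename(ev.parent_image) in OFFICE_PARENTS:   # maldoc macro spawned it
        v.score += 2
        v.reasons.append("office_parent")
    m = LOCALAPPDATA_DLL.search(ev.command_line)
    if m:                                              # DLL dropped under %LocalAppData%
        v.score += 2
        v.reasons.append("localappdata_dll")
        if looks_random(m.group("folder")):            # random-named drop folder
            v.score += 1
            v.reasons.append("random_folder")
    v.level = "alert" if v.score >= 4 else "review" if v.score >= 2 else "none"
    return v


def scan_events(events: list) -> list:
    """Return (index, Verdict) for every regsvr32 event, highest-risk ones included."""
    out = []
    for i, ev in enumerate(events):
        v = score_event(ev)
        if v is not None:
            out.append((i, v))
    return out


if __name__ == "__main__":
    for i, v in scan_events(SAMPLE_EVENTS):
        print(f"event {i}: {v.level:<6} score={v.score} reasons={v.reasons}")
```

The thresholds and the folder-name heuristic are illustrative; in production, tune them against the environment's baseline of legitimate regsvr32 use before alerting.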

For reliable protection against malware, leverage reliable endpoint protection, vulnerability management, managed security, and data backup services, such as those provided by #TrilightSecurity.


Trilight Security at the VI Inter-Institutional Seminar: Cyber Socialization in the Conditions of Increased Uncertainty. An After-Taste

On August 26, 2022, the VI Inter-Institutional Seminar titled "Cybersocialization in Conditions of Increased Uncertainty" was held. This event was organized by the Laboratory of Psychology of Mass Communication and Media Education of the Institute of Social and Political Psychology of the National Academy of Educational Sciences of Ukraine, in collaboration with the Department of Cognitive Science and Artificial Intelligence at Tilburg School of Humanities and Digital Sciences.

The seminar attracted approximately 50 participants from various countries, including the Netherlands, Ukraine, Spain, Hungary, Colombia, Belgium, and Kosovo. The primary objective was to enhance international cooperation among scientific institutions in the fields of cyberpsychology and cyber technologies. It provided a platform for experience exchange, dissemination of research findings, discussions on media and digital literacy, and media psychological challenges. The seminar facilitated high-level scientific discussions on cyber and media psychology topics, uniting scholars and practitioners from diverse disciplines and countries, and laying the groundwork for future scientific collaboration.

Trilight Security experts became active participants in the event, providing valuable insights into modern cybersecurity technologies and solutions, and guidance on the potentially converging areas of social psychology and modern IT. Over the months that have passed since the event, our team has provided numerous consultations and advice to researchers from different countries regarding the technological aspects of cyber socialization. We are proud to have made an impact on scientific research programs in different regions of the world.

More on the event can be found here.