About Mobile Application Penetration Testing

Why do Mobile Application Penetration Testing?

A mobile application penetration test is a step-by-step evaluation of a mobile application’s security. It is achieved through rigorous simulation of the conditions of an attack according to one or several established methodologies.

Mobile applications have become a primary target for cybercriminals, as mobile phones are increasingly important in the financial, educational, and public services industries worldwide. Developers are therefore effectively compelled to pay close attention to the security of their mobile applications.

To verify that security, an offensive assessment of all the components of a mobile application, that is, penetration testing, is usually chosen, as it is the most efficient method: it tests resilience to real-world attacks.

To conduct an efficient mobile penetration test you need to choose a reliable provider of the service, one with proven experience in mobile pentests, ethical hackers holding the relevant certifications, and positive reviews from clients. The provider should cover both Android and iOS mobile application pentesting, as these two operating systems account for roughly 99% of the mobile OS market, and your mobile application will most likely target both Google Play and the Apple Store.

Benefits of Mobile Application Penetration Testing

Mobile application penetration testing requires a certain investment of effort and resources; however, it provides multiple benefits and prevents many potential issues for the application owner and the end users.

  • Improved application security: a mobile application penetration test helps discover vulnerabilities and lets the developers eliminate them before they are exploited in a security breach.
  • Compliance requirements: more and more industries are creating or further hardening security requirements for mobile (and other) applications, and those requirements must be met. Penetration testing reports are usually an essential component of demonstrating compliance.
  • Improved confidence: with a mobile application penetration test report and the corresponding certificate, you prove to partners, customers, authorities, etc., that you have taken the required security precautions and that your product is secure enough to be used.
  • Cost savings: identifying and eliminating vulnerabilities before they lead to a security breach saves a lot of money on damage recovery efforts, fines, etc.
  • Advanced security awareness for developers: a penetration test, especially its remediation stage carried out in coordination with the application security engineers, educates the software developers in secure-by-design software development.

Security and Compliance Standards

There exist dozens of industry frameworks, security standards, and compliance standards. They include OWASP MASVS, NIST 800-53, the Google Play Data Safety independent security review, and many others. Experienced penetration testing companies usually develop their own mobile penetration testing methodologies, combining the approaches and requirements of the numerous standards, with MASVS first among them. OWASP MASVS is an industry standard for mobile application security and defines 7 areas in which a mobile application is to be checked:

  • Security of storage of sensitive data
  • Usage of cryptography for sensitive data
  • Authentication and authorization mechanisms
  • Data security during communication transits
  • Security of interaction with other applications
  • Best practices in coding and security updates
  • Protection against reverse engineering

These are the most common groups of mobile application vulnerabilities, and each mobile application pentest usually covers all of them unless, of course, otherwise determined by the application functionality or architecture.


About Web Application Penetration Testing

What is web application penetration testing?

Web application penetration testing is one of the two most common types of penetration tests. The company providing reliable penetration testing services must possess expertise in web application pentesting unless it is a niche cybersecurity service provider. Read below on how to choose the appropriate provider of web application pen testing services.

Penetration testing for web applications involves well-planned, controlled attacks designed to access sensitive information within a web platform (informational website, SaaS application, e-commerce site, etc), aiming to evaluate the web application security posture. Conducted from within or outside the system, these attacks generate insights into the system’s resilience, pinpointing any security gaps and potential threats that could lead to a breach.

Scope of web application penetration testing

During a web application penetration test, the testers identify vulnerabilities on the server side and in the functionality and components of the web application (front end, back end, etc.). They measure the impact of each finding and propose remediation measures to improve the overall security posture of the web application.

  • One has to understand that every web application penetration test is unique, and the outcomes depend on several conditions, with the goals of the web application's owner being among the most important. The majority of pen tests are carried out to find the most critical vulnerabilities as defined by OWASP and other security standards.
  • When testing the server side of the web application, ethical hackers focus on poorly secured services, outdated software and firmware, and configuration errors.
  • In the web application itself, the focus is on common application vulnerabilities such as injection flaws (SQL injection, XSS, SSTI, etc.), access control flaws, possible privilege escalation, authentication and session management issues, vulnerable third-party components, and so on.
  • Special attention will be given to the vulnerabilities in the APIs, as well as to the search for logical flaws in the workflows of the applications.

The benefits of web penetration testing

By conducting web application penetration testing you will be able to achieve multiple important benefits, such as:

  • Identify vulnerabilities. Most importantly, web application pen testing helps you identify flaws in your applications or IT infrastructure, so that you can eliminate them before an attacker exploits them.
  • Meet compliance requirements. Penetration testing of web applications is an explicit requirement in many countries and industries.
  • Assess your cybersecurity systems. If you operate cybersecurity infrastructure such as firewalls, etc., you need to test its effectiveness and the correctness of its configuration. Web application pen testing includes real-world attacks that support this assessment.
  • Assess your cybersecurity policies. Penetration testing is an excellent way to check whether your cybersecurity policies hold up in practice.

How to choose a web application penetration testing company?

There are several things to look at when choosing a cybersecurity partner to conduct a web application penetration test:

  • Make sure the cybersecurity company provides web application penetration testing services. Checking the relevant page on its website is sufficient in most cases.
  • Check the experience of the company, the number of projects, and customer reviews. The latter can be done at clutch.co.
  • Ask the potential service provider for a quote accompanied by references, a sample penetration test report, and any other relevant information.
  • Ask specifically about the qualifications of the pentesters who would work on your project, such as professional certifications of the OSCP, OSCE, or eWPTX type.
  • Ask whether at least two ethical hackers will work on your project, which is a recommended practice.
  • Ask for a call with the potential service provider to get a first-hand impression of the company and its employees. Though subjective, this is often an important step in making a decision.
  • Check the price. There is no need to overpay for quality penetration testing services; a small web penetration test of a simple application can start from 1800 USD.

Types of Penetration Testing

Different approaches and types of penetration testing exist. Various typologies circulate, and nearly all of them include the types described below.

It is worth noting that all the types of pentest described below require special skills and knowledge, so when choosing a supplier of pentesting services, you have to ask about their specific experience. Typically, a well-established penetration testing services company will provide at least the golden trio of pentesting types: network, web, and mobile.

Network Pentesting is one of the most common types of such security assessments. It serves to identify vulnerabilities and weaknesses in the networked IT infrastructure, which includes not only firewalls, switches, and routers, but also servers, storage systems, workstations, printers, and so on. This type of pentesting helps assess the level of preparedness for attacks such as firewall bypass, router attacks, proxy server attacks, database attacks, and so on.

Wireless Network Pentesting is a specific type of network penetration testing that focuses on connections between wireless devices and home or office Wi-Fi networks. One of the peculiarities of wireless pentests is that they are performed onsite, because the tester needs to be within signal range. However, certain devices can be connected to a wireless network to allow a remote pentester to run the checks. Wireless networks should be pentested, as they are among the most common sources of data leakage because of the relatively less predictable nature of their users.

Web Application Pentesting serves to identify vulnerabilities and weaknesses in web applications. This can be quite a sophisticated type of pentesting, because its scope can include the front end, the database, the back end, and other varieties of web application pentesting. The scope should include every endpoint of every web application that interacts with the user. Some of the tests that might be part of such a security assessment include (for the front end): cross-site scripting attacks, clickjacking attacks, form hijacking, HTML injection, open redirection, and others.

Mobile Application Pentesting is one more type of penetration testing that is extremely popular today, as more and more businesses and public services start using mobile applications. Such pentests include searching for various vulnerabilities in mobile applications, such as insecure data storage, insufficient encryption or data authentication mechanisms, input validation flaws, exposed APIs, and dozens more.

Social Engineering Pentesting stands a bit apart from the other types of pentesting, as it relies more on social, communication, and, to some extent, design skills, in addition to technical ones. When attempting a social engineering attack, a cybercriminal tries to lure the victim into disclosing very sensitive information, such as credentials. There exists a wide variety of social engineering techniques, such as phishing, vishing, smishing, impostor attacks, and dozens more.

Social engineering may seem less offensive than technical attacks, but that impression is a dangerous illusion. A staggering 98% of all cyberattacks now rely on some element of social engineering. Such attacks prove successful far too often, as the human remains the weakest link in the sophisticated system of cybersecurity.

So, social engineering pentesting, combined with cybersecurity awareness training, has become a cornerstone of today’s cybersecurity posture for any organization.

Physical Pentesting is another specific type of penetration testing, as it necessarily involves attempts to compromise physical barriers, such as locks, cameras, fencing, various sensors, etc., that safeguard infrastructure and systems.

This type of security assessment might look somewhat too straightforward, but, on reflection, it proves to be the easiest way in for an attacker in certain cases. If a criminal gets physical access to your networking equipment, that will be by far the easiest way into your network.

There are other types of penetration testing, as well, and we will talk about them in one of our coming articles.



We Are Named Among Most Reviewed IT Services Companies in Estonia

In early August, The Manifest released a list of the most reviewed B2B service providers in Estonia for the year 2023. The companies included in this list have successfully completed the platform's rigorous evaluation process. Trilight Security OÜ was specifically recognized among the highly reviewed IT services firms from Estonia.

Despite the country facing certain economic challenges, there is a positive outlook for the upcoming years. Notably, key players in various high-tech industries like IT services, cybersecurity, software development, and others are actively contributing to bolster the nation's resilience.

The "Most Reviewed Company" award by The Manifest emphasises the importance of cultivating strong relationships between service providers and their clients. The entities featured in this list were chosen based on the quantity of testimonials and endorsements they garnered over the past twelve months.

Yan Shmyhol, CEO of Trilight Security, commented: "We are delighted to have received this award, which attests to our position as significant players in Estonia's IT services market. Furthermore, it motivates us to set new objectives for the upcoming assessment period."


Lazarus is Back. $35 million Stolen from Atomic Wallet

Hackers from North Korea are causing trouble again, and this time they targeted Atomic Wallet. They managed to steal a whopping $35 million in crypto.

The experts at Elliptic, who know their way around blockchain, have connected the dots and linked the theft to the Lazarus group. They have been busy tracking the stolen funds as they were moved around different wallets and mixers in an attempt to cover the tracks.

This attack on Atomic Wallet happened just last weekend, and it left a lot of innocent wallets compromised and their funds snatched away. The total haul reached over $35 million. According to Elliptic, this is the first big crypto heist of the year for Lazarus. Don’t forget, they've already blown through $100 million from the Harmony Horizon Bridge hack in June 2022, and a mind-boggling $620 million from Axie Infinity in March 2022. Who knows what they're spending it on? Maybe North Korean rockets or their nuclear program?

You might be wondering how Elliptic can be so confident in their attribution. Well, it turns out that the laundering strategy used in this attack was the same as in their previous heists. They also used the Sinbad mixer again, and a good chunk of the stolen funds ended up in the same wallets that were linked to Lazarus before.

Even though laundering stolen cryptocurrency has become trickier lately, there are still some less scrupulous exchanges out there where these things can happen. That's why wallet developers and operators need to step up their cybersecurity efforts and seriously audit and test their code. Unless they want to unknowingly contribute to funding some dictator's science projects, right?

But here's the big question that keeps bugging some experts: Who the heck is behind the Lazarus group? The world is a curious place, so maybe there are some folks pretending to be North Koreans, flaunting their top-notch computer skills. Who knows, right?


Global Phishing Attacks Spawn Three New Malware Strains

Threatpost reported on a large-scale phishing attack.

Two waves of global financial phishing attacks that swamped at least 50 organizations in December have delivered three new malware families, according to a report from FireEye's Mandiant cybersecurity team.

On Tuesday, the team said that they've dubbed the hitherto-unseen malware strains: Doubledrag, Doubledrop, and Doubleback. What Mandiant called the trifecta spear-phishing campaign twice hit a wide swath of industries worldwide: first on Dec. 2, 2020, with a second wave launched between Dec. 11 and Dec. 18, 2020.

Read further on Threatpost


Microsoft says it identified 40+ victims of the SolarWinds hack

Security Magazine reports on the notorious SolarWinds disaster.

Microsoft said it identified more than 40 of its customers that installed trojanized versions of the SolarWinds Orion platform and where hackers escalated intrusions with additional, second-stage payloads.

The OS maker said it was able to discover these intrusions using data collected by the Microsoft Defender antivirus product, a free antivirus product built into all Windows installations.

Read more on Security Magazine


Google Warns of Zero-Click Bluetooth Flaws in Linux-based Devices

The Hacker News reported on a new set of vulnerabilities in the Linux Bluetooth software stack.

Google security researchers are warning of a new set of zero-click vulnerabilities in the Linux Bluetooth software stack that can allow a nearby unauthenticated, remote attacker to execute arbitrary code with kernel privileges on vulnerable devices.

According to security engineer Andy Nguyen, the three flaws — collectively called BleedingTooth — reside in the open-source BlueZ protocol stack that offers support for many of the core Bluetooth layers and protocols for Linux-based systems such as laptops and IoT devices.

Read further on The Hacker News


Active Malware Campaign Using HTML Smuggling

Threatpost reported on an ongoing malware campaign based on HTML smuggling.

Krishnan Subramanian, security researcher with Menlo Security, told Threatpost that the campaign uncovered on Tuesday, dubbed “Duri,” has been ongoing since July.

It works like this: The attackers send victims a malicious link. Once they click on that link, a JavaScript blob technique is being used to smuggle malicious files via the browser to the user’s endpoint (i.e., HTML smuggling). Blobs, which mean “Binary Large Objects” and are responsible for holding data, are implemented by web browsers.

Read more on the Threatpost
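The blob-based delivery described in the quote above is a detection problem for the mail and web gateways that see the HTML before a browser ever renders it. The Python below is an added example, not code from Threatpost, Menlo Security or the Duri report: it scores an HTML document on the markers that characterise HTML smuggling (Blob construction, object URLs, base64 decoding, a programmatic download) and runs over two constructed samples, one mimicking the technique with filler data and one benign page that also uses Blobs. The indicator set, the decision rule and both samples are assumptions of this example, not anything the article specifies.

```python
import re
from dataclasses import dataclass, field

# Indicator patterns. Assumption: these are the script-level markers this example
# treats as characteristic of HTML smuggling; the article names only "blob technique".
INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob|msSaveBlob", re.I),
}

# A long base64 literal inside the page: the payload is carried in the HTML itself
# rather than fetched from a URL a gateway could inspect separately.
BASE64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")


@dataclass
class SmugglingVerdict:
    suspicious: bool
    indicators: list = field(default_factory=list)
    embedded_payload_bytes: int = 0


def assess_html(html: str) -> SmugglingVerdict:
    """Score one HTML document for HTML-smuggling markers (triage signal, not a block rule)."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(html)]
    payload_bytes = 0
    for m in BASE64_LITERAL.finditer(html):
        # Decoded size of the largest inline literal, rounded down.
        payload_bytes = max(payload_bytes, len(m.group(1)) * 3 // 4)
    # Decision rule (assumption): assembling a Blob in script and then steering the
    # browser to save it without user interaction is the core of the technique; an
    # embedded payload literal is an alternative second signal.
    assembles_blob = "blob_constructor" in hits
    forces_download = ("download_attr" in hits and "auto_click" in hits) or "ms_save_blob" in hits
    suspicious = assembles_blob and (forces_download or payload_bytes > 0)
    return SmugglingVerdict(suspicious, hits, payload_bytes)


# Constructed sample 1: the smuggling pattern with filler data ("QUJD" repeated),
# not a real payload. The file name is made up for the example.
SMUGGLING_SAMPLE = (
    "<html><body><script>\n"
    'var data = "' + "QUJD" * 60 + '";\n'
    "var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));\n"
    "var blob = new Blob([bytes], {type: 'application/octet-stream'});\n"
    "var a = document.createElement('a');\n"
    "a.href = URL.createObjectURL(blob);\n"
    "a.download = 'invoice.iso';\n"
    "a.click();\n"
    "</script></body></html>"
)

# Constructed sample 2: a benign page that uses an object URL only to display an
# image it fetched, with no Blob assembled in script and no forced download.
BENIGN_SAMPLE = (
    "<html><body><img id='preview'><script>\n"
    "fetch('/avatar.png').then(r => r.blob()).then(b => {\n"
    "  document.getElementById('preview').src = URL.createObjectURL(b);\n"
    "});\n"
    "</script></body></html>"
)


if __name__ == "__main__":
    for label, doc in (("smuggling-style", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = assess_html(doc)
        print(f"{label}: suspicious={v.suspicious} indicators={v.indicators} "
              f"payload~{v.embedded_payload_bytes}B")
```

Legitimate "export to file" features use the same Blob and `download` APIs, so a hit from this scorer is a reason to detonate or inspect the attachment, not to block it outright; pairing the verdict with the sender's reputation and the decoded payload's type (an ISO or script archive versus a CSV) keeps the false-positive rate manageable.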


Corporate VPNs in danger as vishing attacks target home workers

SC Media published a report on the current situation with cyberattacks on remote workers who use VPNs to connect to corporate networks.

Multiple hacking gangs are preying on remote workforces and corporate VPNs through vishing attacks that are more efficient, dangerous and ubiquitous than ever, prompting the U.S. government to issue both a warning and advice on how to thwart them.

“The news has spread throughout the hacker community and multiple groups are now doing this,” said Allison Nixon, chief research officer at Unit 221b.

Read more on SC Media