Penetration testing services of Android and iOS based mobile applications is performed in order to identify vulnerabilities in both the mobile application client and the backend application programming interfaces (API). Utilizing highly-customized Android and iOS devices to interact with the target mobile applications, Converge consultants will intercept and manipulate inputs, find and expose logic flaws or attack vectors, and simulate many other real world attack techniques in order to identify application-layer weaknesses that might expose your company or customer data to unnecessary risk.

Converge’s penetration-testing methodology is based on components from NIST SP800-115, the Penetration Testing Execution Standard (PTES), and the Open Web Application Security Project (OWASP) Mobile Top 10. Converge maintains a separate, detailed penetration testing methodology document that is available upon request. The OWASP mobile application security verification standard (MASVS) and OWASP ASVS are leveraged as a baseline for testing the mobile client and backend application components respectively.

This penetration test will help you to identify potential security vulnerabilities, provide prioritized recommendations for remediation, and overall improve the security posture of your mobile applications.

Deliverables Converge will provide your organization with a detailed report of the high-level results, methodology used, narrative of testing, and detailed findings and recommendations. The report includes the following components:

• An Executive Summary section suitable for delivery to management that provides a high-level summary of the work performed and the key findings and recommendations.
• A mobile application technical findings section primarily categorized using the OWASP Mobile Top 10 with a narrative of the testing performed, technical testing details, vulnerabilities identified, and recommendations for remediation.
• A backend API technical findings section primarily categorized using the OWASP Top 10 with a narrative of the testing performed, technical testing details, vulnerabilities identified, and recommendations for remediation. Reports are reviewed by a technical peer reviewer and edited as part of a quality assurance (QA) process, and then delivered to the you immediately upon completion of the QA process. Retesting of remediated findings is an optional component that can be added.

The reports can be used for compliance audits that require security testing, such as PCI-DSS and HIPAA, and have been designed with compliance reporting requirements in mind.