Detox provides application security and network security capabilities. When a company is using Fraud Solutions provider then they should implement the Application Security and Network Security solutions as well. Fraud detection can not protect a business from Hackers. Hacker can breach the application and Network as well.

Android App Pentesting Checklist: Based on Detox’s Methodology

Recon (a.k.a) Reconnaissance

The first section sets out a list of high-risk areas that need to be explored. The pentesting team therefore needs to identify the primary features and working of the application. In addition to learning the full scope of application performance, it is important to assess the flow of data to potentially vulnerable areas and libraries that do not have undocumented libraries or functions.

In addition to performing scanning, it is also important to collect important information from publicly available information, such as Google Search, WHOIS, sub-domain search / bruteforce and sources from Open-source Intelligence (OSINT)

Static Analysis

In a statistical analysis, the app source code needs to be examined so that the tester can understand whether there are static data stored in the APK that can be used to violate system security or extend the attack vector. This is done by decompiling and disassembling the binary and APK from the raw source code.

Our team analyses Code Obfuscation, JailBreak Detection and Prevention mechanism, SSL Pinning Mechanism, Levels of access to other applications, Confidentiality of sensitive and transparent application on the phone.

Dynamic Analysis

Dynamic analysis helps detect vulnerability while the app is running in real time. This often involves encountering functions / calls (via Frida or Drozer) in real-time traffic restrictions via proxies. Common runtime constraints are to check for authentication and authorization, memory leaks, insufficient transport layer protection, logic application errors, and app privacy restrictions.

Well-documented Report

Once all the risks have been identified, they should be eligible for risk with CVSS v3 and documented in the report, which will come up with corrective recommendations and clear objectives.

Identifying the results of the business and the level of risk of each risk helps the internal team to prioritize the areas and it will be addressed first.

Documentation and reporting are key to the success of the pentest mobile app. We include high-quality summaries and technical details to meet the needs of a good quality report.

Remediation:

Remediation can be made by an internal team or security vendor and will be consistent with the recommendations in the findings report. Consistent monitoring of these issues is necessary to ensure that risks are addressed.

The organization needs to be aware of the risks involved before making a decision to proceed with a major app update

Feedback of one of our Happy Customer: “We utilize Detox VAPT service in identifying vulnerabilities & their expertise has provided us with a secure environment that runs efficiently & effectively. They design custom use-cases, based on domain knowledge, in-corporating latest vulnerabilities, helps us keep up with the ever-changing challenges associated with security. I would highly recommend their services.”

We do in-depth penetration testing just like as real hackers do. And for In-depth penetration testing requires some time. Generally, we complete security testing of an app in 2 weeks – 4 weeks timeframe.

Our Managed services are specifically designed for customers as per their need basis so we do have customization possibilities.

Cost for one round of penetration testing cycle is vary from application to application. Generally cost of assessment depends on the size of application, total urls/sub urls of application. No of associated sub domains. Cost might vary from 1500 USD – 15000 USD.