Mobile & Backend Security Testing 

Mobile App PTaaS for full coverage & cost-effective testing

Penetration Testing as a Service (PTaaS) helps address the challenges organizations face in effectively performing comprehensive security testing due to limitations around cost, frequency, and coverage of traditional outsourced pen tests or point-in-time assessments. esChecker Mobile PTaaS bridges this gap by providing periodic expert manual penetration tests and continuous automated security testing through its MAST, integrated into the development, CI/CD pipelines through APIs.

esChecker PTaaS offering

The esChecker PTaaS offering includes:

  • esChecker Mobile Application Security Testing (MAST) subscription for continuous automated security testing integrated into the development pipeline.
  • Credits for expert manual penetration tests to be used periodically throughout the year according to your own schedule.
  • Consultation from security experts to help with vulnerability remediation. Their insights optimize issue resolution.
  • Around-the-clock monitoring and alerts on new vulnerabilities discovered through testing. This facilitates prompt remediation.
  • Generation of tickets containing the issues found, together with contextual resources for fixing them (provided the proper integrations are in place). This streamlines the remediation process.

The top 3 benefits of the esChecker PTaaS model are:

  1. Increased frequency of testing at a lower cost compared to traditional penetration testing alone. This results in stronger, continuously improving security.
  2. Shortened time-to-results and more efficient triage of issues through closer engagement with testers. Vulnerabilities can be addressed rapidly.
  3. Combined advantage of automated and manual workflows for comprehensive yet cost-effective coverage of an application. Studies show PTaaS can increase ROI by nearly 75% when accounting for hidden costs like process inefficiencies and delays with traditional pen testing engagements.

Elite Manual Pentest Team

We perform manual penetration tests and consider the specific threats to mobile apps on iOS or Android platforms, such as:

  • Data stealing (at rest and/or at runtime) by malicious apps on the mobile device;
  • Application tampering, eased by a tampered device (rooted/jailbroken);
  • Mobile app cloning (binary and data);
  • Code and data lifting, i.e. extracting, copying and running/using parts of the mobile app (MA);
  • Tampering with network communication and connecting to or interfacing with internal APIs, e.g. man-in-the-middle attacks, disabling certificate pinning, etc.;
  • Gaining access to a MA on a lost or stolen device.

We have been pentesting mobile apps and RASP (runtime application self-protection) solutions of all kinds for more than 8 years, for financial services, health, telecommunication and defense companies, as well as governmental agencies, across more than 10 countries.

State-of-the-art Techniques

For that, we use advanced tools and apply state-of-the-art techniques to gain access to the assets, e.g. personal data, bank account and payment data, health data, cryptographic keys, tokens, code, etc. Depending on the objectives, we consider solely the mobile app binary (black box), the binary in combination with its security design (gray box), and/or the source code (white box).

A penetration test typically includes Reverse Engineering techniques such as:

  • Debugging, disassembly, decompilation
  • Deobfuscation and cryptanalysis
  • Emulation, tracing and control flow analysis
  • Code patching and dynamic binary instrumentation

to analyze the code and tamper with the mobile app, both at rest and at runtime.

Think Like a Hacker

Like real attackers, we use an arsenal of tools such as Apktool, JADX, JEB, QEMU, Unicorn, Ghidra, Frida, IDA Pro, angr, etc. to disable the various security protections and gain access to the assets.

To analyze the resilience of a mobile app or of a component (SDK or software protection tool) against an advanced attacker, we perform each penetration test as a team: depending on the specific skills required, the pentesters are supported by experts in other subject matters.

Track Record

We have a proven track record in Security Testing and Reverse Engineering of:

  • Mobile apps and handsets
  • IoT devices
  • Healthcare devices
  • Smart cards
  • POIs, ICs and SoCs
  • Cryptography

Copyright eShard 2024. All rights reserved.