Web & Mobility Testing
Penetration Test Mobile Devices and Applications to Protect Your Most Sensitive Data
- When pen testing your network, do you currently test for mobile application vulnerabilities?
- Have mobile devices and their applications changed your corporate IT structure?
- How long has it been since your mobile applications were pen tested by a third party?
Penetration testing for mobile device applications
Penetration testing, commonly called pen testing, is necessary on a regular basis for your corporate network, and if your company accepts credit card payments over the Web, PCI requires pen testing of your system. Most companies do not have pen testers on staff. As a best practice, a third party should execute the testing.
With the addition of a bevy of mobile devices and their applications to most enterprises, it has become critically important that pen testing also covers mobile components for vulnerabilities. In reality, mobile devices that are removed from the corporate premises and used on home or other outside networks are more exposed to malicious penetration than your static corporate network.
Like most mobile IT concerns, pen testing of mobile applications requires specialized knowledge and experience. The Enet 1 Group has tested mobile applications for over 12 years. We understand the process and what is required.
While the techniques differ, our process remains similar to the one used for testing network systems.
The process of penetration testing
There are 4 phases of testing:
» Phase 1: Passive Data Collection — This is the information-gathering phase and tests applications as well as networks, both traditional and wireless*:
- Web searches and newsgroup browsing
- IP scanning and SNMP sweeps
- Initial target identification
- Ethical hacking of key communications services, operating systems, and network equipment
- Social Engineering (if allowed)**
» Phase 2: Active Intrusion — This phase analyzes the information gathered in Phase 1 and the early stages of Phase 2:
- Vulnerability scanning
- Port scanning
» Phase 3: Report Vulnerabilities and Steps to Mitigate — After evaluation, detailed reports are prepared and sorted by risk, usually color-coded by priority. These reports include the steps required to mitigate risks.
» Phase 4: Aggressive Penetration — Used only when our clients need to show actual data or system weaknesses:
- Gains access through known weaknesses
- Uses the public domain and tools actually used by intruders
- This test is extremely sensitive and requires tight controls identified in the penetration agreement and extensive logging
*Wireless Assessments
Most companies have not kept up with the rapid changes in mobile networks and devices. This provides a prime area for intrusion and requires specific tools and measurements.
**Social Engineering
Perhaps the least known of hacker strategies. Key passwords and other information can lead a creative hacker straight into your network. This information can be gathered by asking someone in the company simple questions that appear to be from a trusted source. Those people who think they can’t be fooled are the most vulnerable.
Make Social Engineering part of your defense strategy. We will train executives and employees to identify a social engineer at work and proactively prevent the intrusion.
The Enet 1 Group Mobile Experience
No company has more experience than our specialists at the Enet 1 Group. We are leaders in penetration testing and in all things connected to mobility. We want to help your network stay secure — on corporate campuses, at employees’ homes, and as they travel with their mobile devices.
Contact us for a full overview of our mobile penetration testing services.