In mobile application security testing, there is a four-phase methodology which can be categorized by the following:
- Application mapping: Application mapping pertains to the application's logic and the application's business function. Think of application mapping as gathering information about the application to be used in the next phase.
- Client-side attacks: Client-side attacks pertain to data being stored in the application and how that data can be manipulated from the client side.
- Network attacks: Network attacks pertain to network layer concerns such as SSL/TLS or maybe XMPP protocol data.
- Server attacks: Server attacks apply to API vulnerabilities and backend server misconfigurations brought to light as a result of API testing.
This methodology may vary if testing is conducted via a white box or black box perspective. What is relevant from both the white and black box testing perspective is the Mobile Application Security Verification Standard (MASVS). The MASVS aimed to establish...