Mobile Application Security Black Box

The Black Box MAS Assessment uses manual, dynamic testing to assess the security of your mobile application.

SecureState’s strategy for Mobile Application Security (MAS) testing is to assume the role of an attacker. The methodology is largely manual: automation is used for repetitive tasks such as fuzzing, but a manual approach lets us methodically analyze the application, its functions, and all of its interactions.

During a Black Box Mobile Application Security Assessment, SecureState identifies vulnerabilities in areas such as data storage, network communication, cryptographic usage, remote web services, and business logic. These findings come from manual testing techniques that are mobile-platform agnostic. The assessment identifies vulnerabilities from the OWASP Mobile Top 10, the de facto standard for categorizing mobile vulnerabilities when conducting mobile application security assessments.

SecureState has been on the cutting edge of developing Mobile Application Security Testing Methodologies for the last several years. SecureState has recently presented its mobile security research at national security conferences including SANS and OWASP AppSec DC. Our experience and expertise have led us to follow a detailed, structured methodology based on OWASP for performing MAS Assessments. SecureState uses the mindset and methodology of an attacker to attempt to exploit vulnerabilities and misconfigurations in mobile applications.

Approach and Methodology

SecureState’s Black Box Mobile Application Security (MAS) Assessment focuses on the OWASP Mobile Top 10. The test is meant to simulate an attacker downloading your application from an app store and attacking it with no prior knowledge of internal security controls.

SecureState will perform tests against any web services associated with the target application, including but not limited to XML structural testing, XML content-level testing, HTTP GET parameter/REST testing, and naughty SOAP attachments. Network traffic generated by the mobile application is monitored for sensitive information and for use of cleartext protocols. Standard web application tests are also conducted, including checks for SQL Injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF).

SecureState will identify weaknesses in the trust model of the application and attempt to enumerate sensitive operations that can be accessed or modified without proper authorization. All points of interaction and input are enumerated, at which point SecureState will attempt to exploit logic flaws.

Finally, SecureState will attempt to identify sensitive information stored locally in device storage or on external memory cards. SecureState will verify that any such information stored on the device cannot be accessed or modified outside of trusted systems and processes. Areas tested during the assessment include log files, local databases, and web history.
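As an added illustration of the data-at-rest check described above (this is example code written for this page, not SecureState's own tooling), the script below walks an extracted app sandbox, opens anything with a SQLite header as a database and everything else as text, and flags values that should not be on the device: credentials in log files, card numbers and e-mail addresses in local databases, and session tokens in web history. The sandbox layout, file names and sample contents are constructed for the example; the card check uses a Luhn test so that timestamps and IDs are not reported as card numbers.

```python
import os
import re
import sqlite3
import tempfile

# Patterns for data that should not be stored on the device (constructed for this example).
PATTERNS = {
    "password_field": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "token_in_url": re.compile(r"(?i)[?&](?:session|sessionid|token|auth)=[^&\s]+"),
}
SQLITE_MAGIC = b"SQLite format 3\x00"


def luhn_ok(digits):
    """Luhn checksum, used to drop digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text, source):
    """Return (source, kind, value) for every sensitive-looking match in text."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if kind == "card_number" and not luhn_ok(re.sub(r"\D", "", value)):
                continue
            findings.append((source, kind, value))
    return findings


def scan_sqlite(path, source):
    """Dump every row of every table read-only and scan the joined cell text."""
    findings = []
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            quoted = '"' + table.replace('"', '""') + '"'
            for row in con.execute(f"SELECT * FROM {quoted}"):
                text = " ".join(str(c) for c in row if c is not None)
                findings.extend(scan_text(text, f"{source}:{table}"))
    finally:
        con.close()
    return findings


def scan_dir(root):
    """Walk an extracted sandbox; databases by magic header, everything else as text."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            source = os.path.relpath(path, root)
            with open(path, "rb") as f:
                data = f.read()
            if data[:16] == SQLITE_MAGIC:
                findings.extend(scan_sqlite(path, source))
            else:
                findings.extend(scan_text(data.decode("utf-8", errors="replace"), source))
    return findings


def build_sample_sandbox(root):
    """Constructed sandbox with a leaky log, a user database and a WebView history file."""
    for sub in ("logs", "databases", "webview"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    with open(os.path.join(root, "logs", "app.log"), "w") as f:
        f.write("2024-01-01 10:00:01 DEBUG login user=alice password=Winter2024!\n")
        f.write("2024-01-01 10:00:02 DEBUG Authorization: Bearer d2VsbC1kb25l\n")
        f.write("2024-01-01 10:00:03 DEBUG refreshed eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abc123\n")
        f.write("2024-01-01 10:00:04 INFO cache warmed in 31 ms\n")
    db = sqlite3.connect(os.path.join(root, "databases", "user.db"))
    db.execute("CREATE TABLE users (id INTEGER, email TEXT, card TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice@example.com', '4111 1111 1111 1111')")
    db.execute("INSERT INTO users VALUES (2, 'bob@example.com', NULL)")
    db.commit()
    db.close()
    hist = sqlite3.connect(os.path.join(root, "webview", "History.db"))
    hist.execute("CREATE TABLE urls (url TEXT)")
    hist.execute("INSERT INTO urls VALUES "
                 "('https://api.example.com/reset?token=9f3c1a&email=bob@example.com')")
    hist.commit()
    hist.close()


def run_demo():
    """Build the constructed sandbox in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="sandbox-")
    build_sample_sandbox(root)
    return scan_dir(root)


if __name__ == "__main__":
    for source, kind, value in run_demo():
        print(f"{kind:15} {source}: {value}")
```

On a real engagement the sandbox would be pulled from the device (an application data directory or an SD card mount) rather than built in a temp directory; the scan logic is the same. Expect false positives from the e-mail and card patterns and triage them by source, since a card number in a log file and one in an encrypted vault are very different findings.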

Get Started!