What questions are useful to scope a mobile app pen test?


When arranging a pen test it’s common practice to ask the client a set of questions, and use the answers either as the basis for further discussions, or to directly provide a test plan and quotation.

For a mobile app specifically, what questions are helpful to include? For example:

  • What platforms does the app support? e.g. iOS, Android
  • Was the app developed using a cross-platform framework? e.g. PhoneGap, Kivy
  • Does the app connect to its own back-end service? e.g. bespoke REST, Firebase
    • Do these connections use SSL pinning?
  • Does the app provide additional UI security? e.g. PIN, FLAG_SECURE
  • Does the app provide IPC interfaces? e.g. URL handler, intent
  • Does the app interface with hardware? e.g. bluetooth card reader
  • Is the app obfuscated?
  • How is the app delivered? e.g. public store, private app in store, alternate store, sideloading
  • What authentication is used? e.g. pairing, user name & password, connect with Facebook
  • How many views/pages does the app have?
  • What permissions does the app request?
  • Does the app make arbitrary network connections or listen on ports?

If you have any other ideas, please let me know!
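Several of the questions above (permissions, IPC interfaces such as exported components and URL handlers, and some network posture) can be answered from the app itself before the client replies, which is handy for sanity-checking a questionnaire. The script below is an added example, not part of the original post: it triages a decoded Android manifest (as produced by a tool like apktool) and reports requested permissions, components reachable from other apps, custom URL schemes, and a few security-relevant application flags. The function and variable names, and the sample manifest embedded at the bottom, are constructed for the demonstration.

```python
"""Static triage of a decoded AndroidManifest.xml for pen-test scoping.

Added example (hypothetical helper names). Assumes the manifest is already
plain XML, e.g. decoded with apktool; the SAMPLE_MANIFEST below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(element, name):
    """Read an android: namespaced attribute, or None if absent."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def _is_exported(component):
    """A component is reachable from other apps if android:exported is true,
    or (legacy default) if it declares an intent-filter and omits the flag."""
    exported = _attr(component, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None


def triage_manifest(xml_text):
    """Return a dict summarising scoping-relevant facts from a manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    result = {
        "package": root.get("package"),
        "permissions": sorted(_attr(p, "name") for p in root.findall("uses-permission")),
        "exported": [],        # (kind, component name) pairs: the IPC attack surface
        "url_schemes": set(),  # custom schemes handled via VIEW intent-filters
        "flags": {},           # debuggable / allowBackup / cleartext / net-sec config
    }
    components = [] if app is None else app
    for comp in components:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        if _is_exported(comp):
            result["exported"].append((comp.tag, _attr(comp, "name")))
        for intent_filter in comp.findall("intent-filter"):
            for data in intent_filter.findall("data"):
                scheme = _attr(data, "scheme")
                if scheme and scheme not in ("http", "https"):
                    result["url_schemes"].add(scheme)
    if app is not None:
        for flag in ("debuggable", "allowBackup", "usesCleartextTraffic",
                     "networkSecurityConfig"):
            value = _attr(app, flag)
            if value is not None:
                result["flags"][flag] = value
    result["url_schemes"] = sorted(result["url_schemes"])
    return result


# Constructed sample manifest: one launcher activity, a deep-link activity,
# a non-exported service, a boot receiver and an exported content provider.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.scopedemo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:allowBackup="true" android:debuggable="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="scopedemo" android:host="open"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider"
              android:authorities="com.example.scopedemo.data"
              android:exported="true"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The exported list is the part worth comparing against the client's answer to the IPC question: components that omit android:exported but carry an intent-filter are frequently forgotten by developers, and an exported content provider or deep-link activity usually changes the scope of the test.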