Strengthening Cyber Resilience through Comprehensive Penetration Testing

Strengthening Cyber Feature
Strengthening Cyber Resilience through Comprehensive Penetration Testing
Zeeshan Mukhtar Global Head
Zeeshan Mukhtar
Global Head

April 18, 2025

AI-Driven Enterprise Chatbot Implementation
Abstract

Cyber security has become an essential part of application development with growth in technology and complexity as computer networks, websites and application has become prone to cyber-attacks and unauthorized access and security threats which would result in loss of customer data confidentiality, reputation, integrity there by end up in losing to the competition, legal issues and loss of business.  The cost of legal issues, loss of business and trends and levels of disruption is increasing every year. These worrying facts have given rise to the need for Cyber Security as a critical and must for networks, web applications and mobile apps to safeguard and defend them against any external attacks.

Introduction

As a prominent player in the financial services domain, Client is entrusted with sensitive customer data and critical financial operations. In light of escalating cyber threats and regulatory expectations, the organization initiated a proactive penetration testing engagement to:

  • Identify security vulnerabilities before adversaries could exploit them
  • Validate the effectiveness of existing defenses
  • Meet regulatory compliance requirements (ISO 27001, PCI DSS, etc.)
  • Enhance customer trust and brand resilience

This white paper highlights how penetration testing was strategically designed and executed, resulting in a measurable improvement in client’s cybersecurity maturity.

Problem Statement/Objective

The primary objective was to conduct comprehensive penetration testing for both Android and iOS mobile applications. The goals of the penetration testing engagement were:

  • Uncovering vulnerabilities across internal and external assets
  • Simulate real-world attack vectors (internal threats, phishing, application exploits)
  • Assess endpoint and perimeter security resilience
  • Validate employee security awareness and response (social engineering)
  • Provide actionable remediation recommendations

Testing Scope Included:

  • External Web Applications
  • Internal Network Infrastructure
  • APIs and Databases
  • Mobile Applications (iOS and Android)
  • Phishing Campaign Simulation
  • Security Configuration Reviews (e.g., Firewalls, IAM)

Planning Phase

The planning stage drives on selecting the right tools for static analysis and code review. We ensued a structured approach which aligned with industry frameworks like OWASP, PTES, and NIST 800-115:

  • Static Analysis: MobSF (Mobile Security Framework) was used for performing static analysis on the Android and iOS packages
    1. MobSF: MobSF is an open-source automated framework designed for penetration testing, malware analysis, and security assessment of Android and iOS mobile applications. It is capable of doing static analysis of Source code, dynamic analysis (emulator/device), API testing, and malware scanning.
  • Code Analysis Tool: SonarCloud was selected for the static analysis as the SAST tool. It evaluate the application source code for potential security flaws, bugs, and code smells.
    1. SonarCloud: SonarCloud integrates into the developer workflow, CI/CD, delivering integrated code quality and code security through SAST, SCA, IaC scanning and detection. It ensures comprehensive coverage for source code. By automatically detecting issues early, SonarCloud helps teams fix problems faster, reduce rework, and ship secure, reliable software with confidence.

Implementation Phase

The implementation involved setting up the testing environment and executing the analysis:

1. Penetration Testing Lab Setup:

  • A virtual machine environment was prepared using VMware.
  • Kali Linux was installed as the operating system within the VM.
  • Docker was installed on the Kali Linux machine to facilitate running containerized tools.

2. MobSF Tool Setup:

  • MobSF was run using Docker on the Kali Linux machine via specific commands (Note: the exact commands were mentioned as used but not listed in the source document text provided).
  • The MobSF web interface was accessed via a browser at http://0.0.0.0:8000.
  • Login credentials used were mobsf/mobsf.

3. SonarCloud Configuration:

  • Specific configuration steps for SonarCloud, like repository linking were taken.

Penetration Testing Approach

The project followed a structured and phased approach aligned with industry frameworks like OWASP, PTES, and NIST 800-115.

Pre-Engagement Preparation

  • Asset discovery and scoping workshops
  • Rules of Engagement (RoE) documentation
  • Clear definition of “in-scope” and “out-of-scope” targets

Reconnaissance & Enumeration

  • OSINT gathering (WHOIS, Shodan, Subdomain Enumeration)
  • Service and port scanning
  • Network mapping for attack surface identification

Vulnerability Identification

  • Use of automated scanners (Nessus, Burp Suite) and manual verification
  • Authentication and session management flaw analysis
  • CMS vulnerability detection (WordPress, Joomla security assessments)

Exploitation

  • Attempting to exploit discovered vulnerabilities (SQL Injection, XSS, SSRF)
  • Lateral movement within the internal network
  • Privilege escalation attempts

Post-Exploitation and Risk Assessment

  • Data exfiltration simulation
  • Persistence mechanisms deployment (controlled environment)
  • Business impact mapping

Reporting

  • Executive summary reports
  • Detailed technical findings with CVSS scoring
  • Risk-based remediation recommendations
  • Proof-of-Concept (PoC) documentation for critical exploits

Testing Methodologies and Tools

Phase Tools Used Methodologies Followed
Reconnaissance Maltego, Shodan, Amass OSINT, Passive Recon
Vulnerability Scanning Nessus, OpenVAS, Burp Suite, Nikto OWASP Top 10, SANS 25
Exploitation Metasploit, SQLMap, Hydra CVE Exploitation, Manual Attacks
Post-Exploitation BloodHound, CrackMapExec Lateral Movement, Persistence
Social Engineering Simulation GoPhish, Custom Phishing Kits Email-based Attack Scenarios

Development Steps

The core development/analysis steps focused on using MobSF for static analysis:

  1. File Upload: The Android .apk and iOS .ipa application files were uploaded directly to the running MobSF instance via its web interface.
  2. Static Analysis Execution: MobSF performed automated static analysis on the uploaded application packages. This process examines the application’s code, configuration files, and structure without executing the app.
  3. Report Generation: MobSF generated a detailed report for static analysis consisting of potential vulnerabilities, insecure configurations, hardcoded secrets, permission issues, and other security findings based on its assessment rules.
  4. Report Analysis and Sharing: The report generated by MobSF was completely evaluated by the security team to validate findings and categorize their severity.
  • Remediation: All vulnerabilities found and categorized during analysis were documented and shared with the development team for necessary fixes and remediation.

High-Level Solution Design or Architecture

A typical multi-AI agent system architecture includes:

  • Agent Layer: Contains the individual AI agents, each with its own internal logic (perception, decision-making, action). Agents can have different roles (e.g., planner, executor, monitor, communicator).
  • Communication Layer: The infrastructure enabling inter-agent communication. This could be a message bus (e.g., MQTT, RabbitMQ), a set of APIs, or a shared data store.
  • Coordination Layer: Implements the strategy for how agents coordinate. This might be a dedicated orchestrator agent (centralized), embedded rules within each agent for peer-to-peer coordination (decentralized), or specific consensus algorithms.
  • Environment Interface Layer: Allows agents to perceive and act upon the external environment (e.g., sensors, databases, external APIs, user interfaces).
  • (Optional) Shared Knowledge/State Layer: A common repository (e.g., database, distributed cache) where agents can access or update shared information or context.
Overall Architecture

Key Challenges & Resolutions

Challenges

  • Training: Lack of initial familiarity or in-depth knowledge regarding the specific tools (MobSF, SonarCloud) and penetration testing methodologies.
  • Expertise: Requirement for specialized expertise in mobile application security and vulnerability analysis to effectively interpret tool outputs and perform manual verification where needed.

Resolutions

  • Training: Developed training programs focused on mobile application security, penetration testing techniques, and the learning of MobSF and SonarCloud.
  • Knowledge Exploration: Developed training for exploring other knowledge sources, such as documentation, security forums, and best practice guides.

Key Takeaways

  • Misconfigured access control policies on certain internal applications
  • Outdated libraries exposing APIs to known vulnerabilities
  • Weak email security (SPF/DKIM misconfigurations)
  • Password policies insufficient for modern attack vectors (password spraying, credential stuffing)
  • Immediate patching of critical vulnerabilities
  • Hardening of perimeter defenses (firewalls, VPN gateways)
  • Improvement of IAM practices (multi-factor authentication rollout)
Final Words

Implementing penetration testing process using tools like MobSF and SonarCloud, we were able to proactively identify and fix security issues in mobile applications. This approach improved efficiency and compliance also helped close critical vulnerabilities and improved customer trust. These continued efforts ensure Client remains resilient in an ever-changing threat landscape.

Author

Srinivas Reddy Naini

Talk With Our Expert

    [recaptcha]

    Recent Blogs
    • MQ and Kafka Integration: Three Coexistence Patterns That Work
      Websites used to be something you built once and basically forgot about. That doesn’t work …
      Read More »
    • Upgrading to Optimizely CMS 13: What Your Team Actually Needs to Decide Before Writing a Line of Code
      Learn how to plan an Optimizely CMS 13 upgrade with .NET 10, Optimizely Graph, Visual …
      Read More »
    • AI Meeting Notes: Automating Summaries and Action Items from Video Content
      Learn how AI meeting notes automate summaries, action items, and insights from video meetings using …
      Read More »