How Do Pentesters Document and Remediate Vulnerabilities in Android?

Pentesting Android applications requires a mix of skills, knowledge and patience. Patience matters most during the documentation phase, because so many details must be examined and then recorded in a form the client can act on.

We will take a brief look at the most common methods that pentesters use when trying to document and remediate vulnerabilities in Android and how these operations are generally carried out and recorded during a pentest.

What Do Companies Expect to Find in Pentesting Reports on Android Vulnerabilities?

The general content of each report will vary according to the application being tested and the faults that are found. The standard format contains an introduction, which explains the overall nature of the report and what and who it is intended for. Next there should be a scope that reveals what items are to be tested and reported on in the document.

Some reports also describe the threat rating scale used in the report and what each level of severity means to the reader. The severity levels are normally named Low, Medium and High, or something similar.

After that comes the list of discovered vulnerabilities, each of which pertains to one of the objectives stated in the scope of the report. Every item discovered in the Android pentest should be accompanied by a reference number, the type of vulnerability it relates to and a severity rating, so that the reader can track it, prioritise it and verify its remediation later.

Miscellaneous items are sometimes also noted in the report. These are issues that are not serious enough to warrant an immediate response but have the potential to become problems if not eventually remediated.

Each item that is listed as a vulnerability must have a corresponding solution attached to (Read more...)
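The structure described above (introduction, scope, severity scale, findings with a reference number, type and severity, miscellaneous notes, and a remediation for every listed vulnerability) can be checked mechanically before a report is delivered. The following validator is an added example, not code from the original post or from InfoSec Resources; the field names, the three-level scale, the hypothetical "ExampleBank" app and its findings are all constructed for illustration.

```python
"""Validator for the structure of an Android pentest findings report.

Added example (not from the original post). Field names, the severity
scale and the sample report below are assumptions / constructed data.
"""
from dataclasses import dataclass, field

# Assumed three-level rating scale, as the post says is typical.
SEVERITY_SCALE = {
    "Low": "Limited impact; fix in a normal release cycle.",
    "Medium": "Moderate impact or needs user interaction; fix soon.",
    "High": "Direct compromise of data or device; fix immediately.",
}


@dataclass
class Finding:
    ref: str          # reference number, e.g. "AND-001"
    title: str
    category: str     # vulnerability type, e.g. "Insecure Data Storage"
    severity: str     # must be a key of the report's rating scale
    scope_item: str   # which in-scope component the finding pertains to
    remediation: str  # every listed vulnerability needs a solution


@dataclass
class Report:
    intro: str
    scope: list
    severity_scale: dict
    findings: list
    misc: list = field(default_factory=list)  # informational notes, no severity required


def validate_report(report):
    """Return a list of structural problems; an empty list means the report is complete."""
    problems = []
    if not report.intro.strip():
        problems.append("introduction is empty")
    if not report.scope:
        problems.append("scope lists no items")
    if not report.severity_scale:
        problems.append("no severity rating scale defined")
    seen = set()
    for f in report.findings:
        if not f.ref:
            problems.append(f"finding '{f.title}' has no reference number")
        elif f.ref in seen:
            problems.append(f"duplicate reference number {f.ref}")
        seen.add(f.ref)
        if f.severity not in report.severity_scale:
            problems.append(f"{f.ref}: severity '{f.severity}' not in rating scale")
        if f.scope_item not in report.scope:
            problems.append(f"{f.ref}: '{f.scope_item}' is outside the stated scope")
        if not f.category:
            problems.append(f"{f.ref}: vulnerability type missing")
        if not f.remediation.strip():
            problems.append(f"{f.ref}: no remediation attached")
    return problems


def summarize(report):
    """Count findings per severity level; unknown levels are left out (validate_report flags them)."""
    counts = {level: 0 for level in report.severity_scale}
    for f in report.findings:
        if f.severity in counts:
            counts[f.severity] += 1
    return counts


# Constructed sample report for a hypothetical app; two findings are deliberately defective.
SAMPLE = Report(
    intro="Pentest of the ExampleBank Android client v1.2 for the ExampleBank security team.",
    scope=["APK (com.example.bank)", "Local data storage", "Network communication"],
    severity_scale=SEVERITY_SCALE,
    findings=[
        Finding("AND-001", "Session token stored in plaintext SharedPreferences",
                "Insecure Data Storage", "High", "Local data storage",
                "Store the token in Keystore-backed EncryptedSharedPreferences."),
        Finding("AND-002", "Exported activity reachable without a permission",
                "Improper Platform Usage", "Medium", "APK (com.example.bank)",
                ""),  # missing remediation: the validator must flag this
        Finding("AND-003", "Debug logging enabled in the release build",
                "Information Disclosure", "Critical", "APK (com.example.bank)",
                "Strip Log calls with ProGuard/R8 rules before release."),  # "Critical" is not on the scale
    ],
    misc=["Balance screen allows screenshots; consider setting FLAG_SECURE."],
)

if __name__ == "__main__":
    for p in validate_report(SAMPLE):
        print("PROBLEM:", p)
    print(summarize(SAMPLE))
```

Running the block reports the two defects in the constructed sample: AND-002 has no remediation attached and AND-003 uses a severity level that the report's own scale does not define. The miscellaneous list is intentionally left unvalidated, matching the post's point that such items carry no severity rating but are still worth recording.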

This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Graeme Messina. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/GF-5b4yQgo0/