We should conduct the pen test with a purpose in mind: we had a list of vulnerabilities last time, so we should ensure that these have been closed, and also try to ensure that there are no known new vulnerabilities.
It would be very useful if these tests could be automated, so that with each development/production build the system could be tested automatically and any regression caught before release.
IP and Ports
From nmap we should be able to generate a list of open ports. From these ports we should be able to guess the services that are being run there, and compare the list against what the build is expected to expose.
We can make several educated guesses (some from prior exploitation information) about other services which may be running on the servers.
We should attempt several fuzzer runs on the web server to determine any unguarded directories.
We should attempt to verify the DNS records of the server, and see if any information can be gleaned from them.
We should try to build up a map of where/how we think connectivity to the servers is accomplished. By looking at this map we should again try to see whether any routers/switches or firewalls may be present.
Device Protocol Analysis
As we have access to the device, we should repeat the same steps as we did for the server.
IP and Port Checks
Is the app communicating with the server using ports we are not aware of?
Whilst we are assuming everything is encrypted... is it really?
What is left in plain text? Geo-location data?
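The "list of open ports from nmap, compare with what we expect, automate it per build" idea above (and the same check for ports the app talks to that we were not aware of) can be turned into a small regression script. The following is an added example, not part of the original notes: it parses nmap's grepable output (-oG) and diffs the open ports against an approved baseline. The scan text, host addresses and baseline are constructed for illustration.

```python
"""Diff the open ports nmap reports against an approved per-host baseline.

Added example (not from the original pen-test notes). Run nmap with
-oG and feed the file to parse_gnmap(); anything open that is not on
the baseline is reported as unexpected, anything on the baseline that
is no longer open is reported as missing. Suitable for a CI step that
fails the build on unexpected exposure.
"""
import re
import sys

# Constructed sample of nmap -oG output (not a real scan).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (web.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (web.example.test)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http///, "
    "443/open/tcp//https///, 8080/open/tcp//http-proxy///, "
    "3306/filtered/tcp//mysql///\tIgnored State: closed (995)\n"
    "# Nmap done\n"
)

# Constructed baseline: (port, protocol) pairs each host is allowed to expose.
BASELINE = {
    "192.0.2.10": {(22, "tcp"), (443, "tcp")},
    "192.0.2.11": {(22, "tcp")},  # host absent from the sample scan
}

# One -oG port entry: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            result.setdefault(host, []).append(
                (int(port), proto, state, service, version)
            )
    return result


def diff_against_baseline(scan, baseline):
    """Return (unexpected, missing) as {host: sorted [(port, proto)]}."""
    unexpected, missing = {}, {}
    for host, entries in scan.items():
        open_now = {(p, proto) for p, proto, state, _, _ in entries if state == "open"}
        expected = baseline.get(host, set())
        if open_now - expected:
            unexpected[host] = sorted(open_now - expected)
        if expected - open_now:
            missing[host] = sorted(expected - open_now)
    for host, expected in baseline.items():
        if host not in scan:  # whole host gone or not scanned
            missing[host] = sorted(expected)
    return unexpected, missing


def baseline_ok(text, baseline):
    """True when the scan exposes exactly the baselined ports."""
    unexpected, missing = diff_against_baseline(parse_gnmap(text), baseline)
    return not unexpected and not missing


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    unexpected, missing = diff_against_baseline(parse_gnmap(text), BASELINE)
    for host, ports in unexpected.items():
        print(f"UNEXPECTED {host}: {ports}")
    for host, ports in missing.items():
        print(f"MISSING    {host}: {ports}")
    sys.exit(1 if unexpected else 0)
```

Filtered ports are deliberately ignored (only "open" counts against the baseline), and a host that disappears from the scan is reported as missing rather than silently passing, so a firewall change that hides a server shows up too.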
Key Certificate Pinning
Has this been undertaken? How can we check/verify it?
We should also have a look at causing the system some real issues, by disrupting the device or the services.
Things to try include:
Could we also grab some packets (proper messages)?
And using a loop, simply replay/flood the app with them? If this works, could we do the same with an attachment? We may be able to fill up the disk faster than they imagine.
Check SSL certs: sslyze --regular www.example.com