Mobile cloud computing (MCC) technology possess features mitigating mobile limitations and enhancing cloud services. MCC application penetration testing issues are complex and unique which make the testing difficult for junior penetration testers. It is complex as MCC applications have three intersecting vulnerability domains, namely mobile, web, and cloud. The offloading process adds uniqueness and complexity to the MCC application penetration testing in terms of generating, selecting and executing test cases. To solve these issues, this thesis constructs a model for MCC application penetration testing that reduces the complexity, tackles the uniqueness and assists junior testers in conducting penetration tests on MCC applications more effectively and efficiently. The main objectives of this thesis are to discover the issues in conducting penetration testing on MCC applications and to construct and evaluate MCC application penetration testing model. Design science research methodology is applied with four phases: (i) Theoretical framework construction phase (ii) Model construction phase entails designing the components and processes of MCC application penetration to reduce the complexity and address offloading; (iii) Model implementation phase implements the components and processes of the model into model guidelines and integrated tool called PT2-MCC. This tool manages the repositories, generates and selects test cases, and implements the mobile agent component; (iv) Model evaluation phase applies case study approach and uses an evaluation framework to evaluate the model against selected testing quality and performance attributes. In model evaluation phase, a junior penetration tester conducted two case studies on two MCC applications built by extending two open source native mobile applications
