Mobile app penetration testing
A mobile app is three attack surfaces in one: the code on the device, the data it stores, and the APIs it calls. We test all three, on real devices, mapped to OWASP MASVS.
What we test
Assessment against the OWASP Mobile Application Security Verification Standard (MASVS), on jailbroken/rooted real devices.
- Local data storage. Credentials, tokens and personal data in plists, shared preferences, SQLite databases, caches and logs.
- Transport security. TLS configuration, certificate pinning implementation and bypass resistance, and cleartext traffic.
- Authentication and session handling. Biometric implementation, token lifetime and revocation, and device-binding assumptions.
- Code and platform protections. Reverse engineering resistance, hardcoded secrets, debuggable builds, exported components and deep-link abuse (Android), URL scheme abuse (iOS).
- Backend APIs. The same authorisation, injection and logic testing we apply in a dedicated API engagement, because the app is only as safe as the API behind it.
How we test it
We test release-candidate builds on physical devices, instrumented with tools like Frida and Objection, so findings reflect what a real attacker with a rooted phone can do rather than what an emulator suggests.
Static analysis of the binary (and source code, if you choose to share it) is combined with dynamic testing: intercepting traffic, tampering with requests, and abusing inter-process communication.
Because most mobile risk actually lives server-side, every mobile engagement includes the app's backend endpoints in scope by default.
The full process, severity ratings and reporting format are described in our methodology.
What you get
- Executive summary. Risk posture and priorities in plain English, readable by non-technical stakeholders.
- Technical findings. Every issue with a CVSS rating, evidence, exact reproduction steps and a concrete remediation.
- Immediate alerts. Anything critical is raised with you the day we find it, not held back for the report.
- Free retest. Once you've fixed the findings, we verify the fixes and issue an updated report and attestation letter.
Get a fixed quote
Send us a rough description of the target and we'll come back with a sensible scope and a fixed price, usually within two business days.
Related: API penetration testing if you want deeper coverage of the backend on its own.