// Service

Mobile app penetration testing

A mobile app is three attack surfaces in one: the code on the device, the data it stores, and the APIs it calls. We test all three, on real devices, mapped to OWASP MASVS.

Illustration of a smartphone with a biometric lock screen
// Coverage

What we test

Assessment against the OWASP Mobile Application Security Verification Standard (MASVS), on jailbroken/rooted real devices.

  • Local data storage. Credentials, tokens and personal data in plists, shared preferences, SQLite databases, caches and logs.
  • Transport security. TLS configuration, certificate pinning implementation and bypass resistance, and cleartext traffic.
  • Authentication and session handling. Biometric implementation, token lifetime and revocation, and device-binding assumptions.
  • Code and platform protections. Reverse engineering resistance, hardcoded secrets, debuggable builds, exported components and deep-link abuse (Android), URL scheme abuse (iOS).
  • Backend APIs. The same authorisation, injection and logic testing we apply in a dedicated API engagement, because the app is only as safe as the API behind it.
// Approach

How we test it

We test release-candidate builds on physical devices, instrumented with tools like Frida and Objection, so findings reflect what a real attacker with a rooted phone can do rather than what an emulator suggests.

Static analysis of the binary (and source code, if you choose to share it) is combined with dynamic testing: intercepting traffic, tampering with requests, and abusing inter-process communication.

Because most mobile risk actually lives server-side, every mobile engagement includes the app's backend endpoints in scope by default.

The full process, severity ratings and reporting format are described in our methodology.

// Deliverables

What you get

  • Executive summary. Risk posture and priorities in plain English, readable by non-technical stakeholders.
  • Technical findings. Every issue with a CVSS rating, evidence, exact reproduction steps and a concrete remediation.
  • Immediate alerts. Anything critical is raised with you the day we find it, not held back for the report.
  • Free retest. Once you've fixed the findings, we verify the fixes and issue an updated report and attestation letter.

Get a fixed quote

Send us a rough description of the target and we'll come back with a sensible scope and a fixed price, usually within two business days.

Related: API penetration testing if you want deeper coverage of the backend on its own.