Mobile Application Pentest
Security testing of iOS and Android applications aligned with OWASP MASVS and MASTG. Combines static analysis, dynamic instrumentation, and backend API testing to cover the full mobile attack surface, from binary to backend.
How it runs
- 01 Scoping & Build Handoff: Confirm platforms, app versions, test devices, and credentials. Receive non-production builds with debug symbols where possible and agree on instrumentation and rooted/jailbroken testing.
- 02 Static Analysis: Decompile and inspect the binaries for hardcoded secrets, insecure use of cryptography, weak certificate pinning, exposed components, debug flags, and insecure deep link handling.
- 03 Dynamic Analysis: Use Frida, Objection, and platform tooling to hook the running application: bypass jailbreak and root detection, intercept TLS, manipulate runtime state, and observe sensitive operations live.
- 04 Backend & API Testing: Test the APIs the app talks to for authentication weaknesses, authorisation flaws, business logic abuse, and excessive data exposure in line with the OWASP API Security Top 10.
- 05 Data Storage & Privacy: Review local storage, keychain and keystore usage, cache, logs, and screenshots for sensitive data leakage. Validate compliance with platform privacy expectations and applicable regulations.
- 06 Reporting & Retest: Deliver a MASVS-mapped report with screenshots, code references, and platform-specific remediation. Includes a retest of high-severity findings after the development team ships fixes.
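As an added example (not part of this service description or any client deliverable), here is the kind of manifest check the static analysis step runs against an Android build: it reads a decoded AndroidManifest.xml and reports the debug flag, backup setting, exported components, and deep link handlers. The manifest below is constructed for illustration and does not belong to a real application.

```python
"""Manifest checks for the Android side of static analysis (added example, constructed input)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def audit_manifest(manifest_xml: str) -> list[str]:
    """Return findings for a decoded AndroidManifest.xml (e.g. apktool output)."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["no <application> element"]
    findings = []
    if _attr(app, "debuggable") == "true":
        findings.append("application is debuggable")
    if _attr(app, "allowBackup") != "false":
        findings.append("allowBackup not set to false: app data may be exposed via adb backup on older targets")
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append("cleartext HTTP traffic explicitly allowed")
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name = _attr(comp, "name")
        filters = comp.findall("intent-filter")
        exported = _attr(comp, "exported")
        # Below targetSdk 31 a component with an intent-filter is exported by default.
        if (exported == "true" or (exported is None and filters)) and _attr(comp, "permission") is None:
            findings.append(f"{comp.tag} {name} exported without a permission")
        for flt in filters:
            for data in flt.findall("data"):
                scheme = _attr(data, "scheme")
                if scheme and scheme not in ("http", "https"):
                    findings.append(f"{name} handles custom scheme {scheme}:// (any app can register it)")
                elif scheme and _attr(flt, "autoVerify") != "true":
                    findings.append(f"{name} handles {scheme} links without autoVerify")
    return findings

# Constructed manifest for illustration, not from any real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:debuggable="true">
    <activity android:name=".LinkActivity" android:exported="true"><intent-filter>
      <action android:name="android.intent.action.VIEW"/><data android:scheme="exampleapp" android:host="pay"/>
    </intent-filter></activity>
    <receiver android:name=".DebugReceiver"><intent-filter>
      <action android:name="com.example.DEBUG_DUMP"/></intent-filter></receiver>
    <service android:name=".SyncService" android:exported="false"/>
  </application></manifest>"""
```

Running `audit_manifest(SAMPLE_MANIFEST)` flags the debug build, the backup default, the two reachable components and the custom deep link scheme, while the non-exported service produces nothing.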
What you receive
- Mobile pentest report mapped to OWASP MASVS
- Static analysis findings from decompiled binaries
- Dynamic instrumentation evidence and PoCs
- Backend API security findings
- Data storage and privacy assessment
- Platform-specific remediation guidance
- Retest of high and critical findings
Ready to scope this engagement?
Every engagement is scoped individually. Get a tailored quote within 24 hours.