pentest · mobile

Test the app on the device, not just the API.

Static analysis on the IPA or APK, runtime instrumentation with Frida, certificate pinning bypass, secrets in storage, sensitive data in logs, IPC abuse, jailbreak detection bypass. OWASP MASVS aligned.

01. in scope

What we test.

Coverage follows OWASP MASVS L1/L2 controls plus platform-specific checks for iOS and Android.

Static analysis

Decompile IPA or APK. Look for hardcoded secrets, insecure crypto, debug builds, exposed components, weak obfuscation.

Dynamic analysis

Frida instrumentation on a jailbroken device or emulator. Hook security-sensitive functions, bypass jailbreak detection and pinning.

Network communication

Certificate pinning checks, TLS configuration, custom protocol handlers, deeplink abuse, in-app browser security.

Local storage

Keychain (iOS) and Keystore (Android) usage, plaintext storage of secrets, sensitive data in shared preferences, backup exposure.

IPC + components

Exported activities, broadcast receivers, content providers, URL schemes, app links. Cross-app data leakage.

Authentication + biometrics

Biometric prompt implementation, fallback logic, MFA, session token lifecycle, refresh flows.

02. methodology

Methodology.

OWASP MASVS L1/L2 plus MASTG techniques. Tested on real devices for hardware-backed checks.

  1. Static analysis: Reverse engineering of the binary. Class structure, API surface, hardcoded values, weak protections.
  2. Dynamic instrumentation: Frida hooks for runtime inspection. Bypass pinning, jailbreak detection, root checks. Live trace of sensitive operations.
  3. Network capture + manipulation: MITM with mitmproxy after pinning bypass. Replay, modify, inject. Test the full request/response surface.
  4. Report + readout: Findings with severity, screenshots, Frida scripts, fix guidance. Walk-through call with mobile engineers.

03. deliverables

What you walk away with.

Mobile pentest deliverables.

Findings report

Per-finding: severity, repro steps, screenshots, Frida script if relevant, fix guidance.

MASVS coverage map

L1/L2 control coverage by category. Useful for app-store review and B2B security questionnaires.

Platform-specific remediation

iOS and Android specific guidance. Code samples in Swift/Objective-C and Kotlin/Java.

Retest within 30 days

One round of post-fix retest. Each finding re-validated on the patched build.

04. when

When teams hire us for this.

Common triggers for a mobile pentest.

Before app-store submission

Apple and Google reject for some security issues. Catch them before review.

Enterprise MDM requirement

Your customer requires a third-party security test before deploying via MDM.

Banking, healthcare, payments

Regulator expects MASVS L2 coverage. We deliver the documentation they accept.

Annual cadence

Mobile apps update fast. Annual or semi-annual testing keeps the security posture current with each major release.

05. faq

Questions before the call.

Common questions for this engagement type. See main pentest FAQ for shared questions.

iOS, Android, or both?

Both by default. iOS-only or Android-only on request, scoped accordingly. React Native and Flutter apps tested as well — JS bundle inspection on top of platform-specific work.

Production or test build?

A test build that allows Frida hooking is preferred. We can also test production builds with bypass techniques, but coverage is broader on debug builds.

Do we need to provide test devices?

No. We test on our lab devices (iPhone + Android with various OS versions). Device-specific issues (e.g., on a specific Samsung Galaxy model) need the device shipped to us.

Test a mobile app?

30-minute scoping call covers platforms, build access, and timeline. Free, no NDA needed.