MOBILE APP PENETRATION TESTING
Methodology
How we test mobile apps
Every mobile engagement runs through three analysis phases, on both iOS and Android — from the shipped binary, to the app at runtime, to the traffic it sends.
Static Analysis
iOS
Android
Conduct binary analysis
- List all libraries
- Reverse engineer by disassembling the package
- Analyze the components
Perform reverse engineering
- Decompile
- Patch
- Analyze the components
- Access the decompiled Java source
Dynamic Analysis
iOS
Android
Hook the application process
- Intercept and modify function calls
- Explore the file system
- Inspect memory and logs
Network Analysis
iOS
Android
Intercept network communication
- Intercept HTTP/SSL/HTTPS/TLS
- Tamper with the traffic
Every assessment is shaped around your systems, goals, and constraints — nothing here is fixed.
Talk to us →Your mobile app ships to devices you do not control, over networks you cannot trust, carrying logic and secrets an attacker can pull apart at their own pace. We test iOS and Android applications the way a real attacker would — from the binary on the device, to the app while it runs, to the traffic it sends — and hand you findings your developers can reproduce and fix.
Why mobile needs its own test
A web pentest and a mobile pentest are not the same engagement. A mobile app is distributed as a binary that lives on a device in the user's hands, so an attacker can decompile it, tamper with it at runtime, and inspect everything it stores locally — attack surface a server-side test never touches. Hard-coded keys, weak certificate pinning, insecure local storage, and logic that trusts the client are the issues we find again and again, and none of them show up if you only test the API from the outside.
Mobile testing also pairs with the backend the app talks to. Many of the highest-impact findings — broken authorization, weak session handling, leaked API keys — only become exploitable when the client and the server are examined together, so our mobile engagement can extend into the APIs and backend services the app depends on. We recommend a test before any major release, and again after changes that touch authentication, payments, or the data the app keeps on the device. Because app stores push frequent updates, mobile security is rarely a one-off — the versions your users run drift away from the one you last assessed.
How we test
Every engagement runs through three analysis phases on both iOS and Android — the same methodology shown above:
- Static analysis — We work from the shipped package (IPA and APK). On iOS we run binary analysis: listing linked libraries, disassembling the package, and analysing the components. On Android we reverse-engineer the app: decompiling, patching, and reading the recovered Java source to understand how it really behaves.
- Dynamic analysis — We hook the running application to intercept and modify function calls, explore the file system, and inspect memory and logs. This is where client-side trust assumptions, insecure storage, and bypassable controls surface.
- Network analysis — We intercept the app's HTTP/SSL/HTTPS/TLS traffic and tamper with it, testing certificate validation, transport security, and whether the backend re-checks everything the client claims.
The tools shift with the target — Frida, Objection, Burp Suite, jadx, Drozer, and platform SDKs among them — but the tooling serves the method, never the other way around. Every reported issue is validated by hand.
The engagement, end to end
Around that technical methodology sits the same five-step process we run on every penetration test:
- Scoping — We agree on the apps, platforms (iOS, Android, or both), and build variants in scope, and you get a proposal with a fixed timeline and no open-ended billing.
- Rules of engagement — Test accounts, backend environments, and data-handling rules are agreed before testing starts.
- Testing — Static, dynamic, and network analysis, performed manually against the agreed scope.
- Reporting — An executive summary for management and reproducible technical findings for your engineers.
- Retest & debrief — After your team fixes the issues, we verify each one and close the engagement with a debrief.
What you get
- Executive summary — the business-level risk picture, suitable for management and auditors.
- Findings with severity ratings — each issue scored with CVSS and mapped to the affected platform, so remediation can be prioritised.
- Reproduction steps — exact tooling, commands, and screenshots; your developers should never have to guess how we got in.
- Remediation guidance — practical, platform-specific fixes for iOS and Android, not generic advice.
- Retest verification — findings are re-checked after your fixes and the report is updated to reflect closed items.
Consistent with our track record across the practice, we have delivered zero blank pentest reports — every engagement so far has surfaced real, validated findings.
Team credentials
Mobile testing is performed by our in-house team holding industry certifications including OSCP, OSCE, CREST CRT, CREST CPSA, and GIAC GREM, alongside mobile-specific credentials such as the eLearnSecurity Mobile Application Penetration Tester (eMAPT) and GIAC Mobile Device Security Analyst (GMOB). See the full list of certifications the team holds.
Standards
Our testing follows the NIST SP800-115 methodology and is guided by the OWASP Mobile Application Security Verification Standard (MASVS) and Mobile Application Security Testing Guide (MASTG) — the recognised references for what a thorough mobile assessment should cover. When your compliance or app-store requirements call for it, we can align the engagement to a specific MASVS verification level rather than a one-size-fits-all checklist. If your app handles card data, mobile testing folds into the wider PCI DSS scope; if it processes personal data, it feeds the privacy controls our consulting team helps you build.
Last reviewed: 11 Jul 2026
Request a sample reportFrequently asked questions
Why does a mobile app need its own test, separate from the web or API test?
A mobile app ships as a binary that lives on a device in the user's hands, so an attacker can decompile it, tamper with it at runtime, and inspect everything it stores locally — attack surface a server-side test never touches. Hard-coded keys, weak certificate pinning, insecure local storage, and logic that trusts the client are the issues we find again and again, and none of them show up if you only test the API from the outside.
How do you test a mobile app?
Three analysis phases on both iOS and Android: static analysis (working from the shipped IPA/APK — binary analysis on iOS, decompiling and reverse-engineering on Android), dynamic analysis (hooking the running app to intercept function calls, inspect storage, and bypass controls), and network analysis (intercepting and tampering with HTTP/TLS traffic to test certificate validation and transport security). Every issue is validated by hand.
Do you test the backend and APIs the app talks to?
Yes, when in scope. Many of the highest-impact findings — broken authorization, weak session handling, leaked API keys — only become exploitable when the client and server are examined together, so our mobile engagement can extend into the APIs and backend services the app depends on.
Which platforms and standards do you cover?
iOS and Android. Testing follows the NIST SP800-115 methodology and is guided by the OWASP Mobile Application Security Verification Standard (MASVS) and Mobile Application Security Testing Guide (MASTG). When your requirements call for it, we can align the engagement to a specific MASVS verification level rather than a one-size-fits-all checklist.

