Home Cyber Security Penetration Testing Mobile Pentest
Mobile Pentest

Mobile Application Penetration Testing Service

Digital Roxy runs manual mobile application penetration tests against iOS and Android apps to the OWASP MASVS standard. Every engagement covers client-side, backend API, and the trust boundary between them. We test on real devices, against real backends, and deliver findings your mobile team can action.

Get a Scoped Quote Full Pentest Service

Mobile app pentest tests client, API, and the trust boundary between them.

A mobile application penetration test is a manual security assessment of an iOS or Android app plus the backend API the app consumes plus the trust relationship between the two. Most mobile app breaches happen in the trust boundary, not in the client. The app sends a request with a user ID parameter. The backend trusts the client-supplied ID. Horizontal access across user accounts in five minutes.

Digital Roxy mobile app pentests cover both the mobile client (insecure storage, cert pinning bypass, IPC exposure, reverse engineering resistance) and the backend API the client talks to (OWASP API Top 10, authentication, authorization, rate limiting). OWASP MASVS Level 1 and Level 2 checks on the client, OWASP API Top 10 checks on the backend, and dedicated trust boundary testing on the communication channel between them. Every finding is reproduced on a real device against a real backend. Emulator-only exploitation is noted as such in the report.

Mobile Pentest Findings

Mobile Vulnerability Classes We Exploit

These show up in most mobile pentest engagements. They span the client code, the stored data, the communication channel, and the backend API.

High

Insecure Local Data Storage

Authentication tokens in UserDefaults/SharedPreferences instead of Keychain/Keystore. Sensitive customer data in plain-text SQLite. Cached API responses containing PII that survive logout. OWASP MASVS-STORAGE violations are present in most apps we test.

Medium

Certificate Pinning Bypass

Apps without cert pinning let any MitM attacker with control of the network read and modify all traffic. Apps with cert pinning often have the pinning bypassed through Frida or Objection in minutes. We test both the presence and the resilience of the pinning implementation.

Critical

Broken Object-Level Authorization in Mobile API

Mobile backend APIs are the single worst offenders for BOLA. The mobile client sends /api/users/12345/orders and the backend returns orders without validating that the authenticated user owns user ID 12345. This is the breach chain in most mobile-app data exposures.

High

Insecure IPC (Android)

Exported activities, services, and content providers that accept data from other installed apps without validation. Intent redirection that leads to arbitrary file read or write. A malicious app on the same device becoming an attack vector against your app.

High

Deep Link Hijacking

Universal Links (iOS) and App Links (Android) that do not verify domain ownership on every request. Deep links that accept arbitrary URLs and redirect without validation. These lead to phishing, credential theft, and account takeover chains.

High

Hardcoded Secrets in Binary

API keys, signing secrets, third-party tokens, and sometimes customer data hardcoded in the compiled binary. Static analysis of the decompiled APK or IPA finds them in minutes. Rotating after discovery is necessary but not sufficient; the architecture needs change.

Medium

Weak Biometric Authentication Implementation

Biometric checks that only gate UI navigation without cryptographic enforcement. Face ID/Touch ID bypass through app state manipulation. Biometric lockout bypass through token reuse from before lockout.

Low

Reverse Engineering Resistance

Apps without obfuscation, without Frida detection, without jailbreak/root detection. For apps handling financial or health data, the absence of these controls is a MASVS-RESILIENCE gap that auditors flag.

Methodology

Our Mobile App Pentest Methodology

Methodology follows OWASP Mobile Application Security Verification Standard (MASVS) 2.0 for the client and OWASP API Security Top 10 for the backend API.

STATIC

Static Analysis

Decompilation of IPA (iOS) and APK (Android). Review of smali/Java/Kotlin (Android) and Objective-C/Swift (iOS). Identification of hardcoded secrets, insecure APIs, and framework-specific weaknesses. MobSF as the automated baseline, plus manual review.

DYNAMIC

Dynamic Analysis on Real Devices

Testing on jailbroken iPhones and rooted Android devices. Runtime instrumentation with Frida and Objection. Observation of network traffic, file writes, keychain/keystore access, and IPC behavior during live app use. Emulator testing as a supplement, not a substitute.

NETWORK

Network Traffic Testing

Intercepting app traffic through Burp Suite with installed CA or bypassed pinning. Full OWASP API Top 10 testing against every endpoint the app calls. This is where the most critical findings almost always live.

IPC

Inter-Process Communication Testing (Android)

Testing exported components: activities, services, broadcast receivers, and content providers. Building malicious companion apps to test cross-app attack paths. Android-specific and critical for any app that registers Intent handlers.

PLAT

Platform-Specific Testing

iOS: URL scheme handling, Universal Link verification, keychain access group review, App Transport Security configuration. Android: App Links verification, Intent filter validation, permissions review, WebView configuration.

AUTHN

Authentication & Session Testing

OAuth implementation review. Biometric integration testing. Session token handling. Jailbreak/root detection bypass. Multi-factor auth flow testing specific to mobile factors (push-based MFA, phone-based MFA).

REPORT

Report & Retest

Separate sections for client-side, backend API, and trust boundary findings. MASVS and OWASP API Top 10 control mapping. CVSS-scored findings. Free retest after your mobile team ships the fix.

Toolset

Our Mobile Pentest Toolset

Mobile pentest requires a different toolset than web or network pentesting. Reverse engineering tooling, device instrumentation, and API proxy capability on mobile traffic.

Frida + Objection

Runtime instrumentation for iOS and Android. Bypass cert pinning, hook sensitive methods, dump memory, and observe live app behavior.

MobSF

Automated mobile app static analysis framework. Baseline coverage for obvious issues; manual review for everything else.

Jadx + Hopper

Java/Kotlin decompilation (Jadx for Android) and iOS binary analysis (Hopper for Objective-C/Swift). Source-level review of compiled apps.

Burp Suite Professional

Mobile traffic interception with installed CA or pinning bypass. Same tool as web pentest, different target surface.

apktool + class-dump

APK disassembly and reassembly for Android. class-dump for iOS binary header extraction. Deep binary analysis when decompilation is not enough.

Jailbroken iPhone & Rooted Android

Real test devices, kept current on iOS and Android versions. Emulator supplements exist but never replace real-device testing.

Pricing

Mobile Pentest Engagement Tiers

Three engagement sizes. Every quote is fixed-price after a 15-minute scoping call. No hourly billing.

Single Platform

iOS-only or Android-only app. Client-side testing plus backend API review for the endpoints the app calls.

From $5,500 · flat fee
  • Single platform (iOS or Android)
  • OWASP MASVS Level 1 coverage
  • Backend API testing
  • 1-2 week engagement
  • Technical + executive report
  • One free retest
  • Compliance attestation
Get Scoped Quote
Most Popular

Dual Platform

iOS + Android apps sharing a backend. Most common scope for consumer and enterprise mobile apps.

From $9,500 · flat fee
  • Both iOS and Android
  • OWASP MASVS Level 2 where applicable
  • Shared backend API deep testing
  • Cross-platform consistency review
  • 2-3 week engagement
  • Two testers (one iOS, one Android)
  • Two free retests
  • Developer debrief call
Get Scoped Quote

Regulated App

Healthcare, finance, or other regulated mobile apps. HIPAA, PCI, or SOC 2 reporting package.

From $14,500 · flat fee
  • Everything in Dual Platform
  • MASVS Level 2 full coverage
  • Jailbreak/root detection testing
  • Anti-reverse-engineering review
  • HIPAA/PCI/SOC 2 attestation package
  • Secure coding guidance by framework
  • 90-day Slack support
Get Scoped Quote
FAQ

Mobile Pentest Questions, Answered Directly

Real devices primarily. Emulators are useful for static analysis and some dynamic analysis, but certificate pinning, biometric integration, hardware-backed keystore, and jailbreak/root detection only behave correctly on real devices. We maintain a current fleet of jailbroken iPhones and rooted Android phones across multiple OS versions. Any findings reproducible only in emulators are flagged as such in the report.
Yes. Cert pinning is expected on serious apps. We bypass pinning through Frida or Objection hooks on jailbroken/rooted devices to test backend API traffic. The pinning implementation itself is also reviewed: apps with easy-to-bypass pinning get a finding, because a determined attacker will bypass it. Pinning adds defense-in-depth but does not replace proper API security.
Yes, by default. The backend API the app consumes is in scope for every mobile pentest engagement. Most critical findings in mobile pentests are actually backend API findings exposed through the mobile client. OWASP API Top 10 coverage is part of the standard mobile engagement.
No, black-box testing is the default scope. We decompile the IPA or APK and work from that. Source code access elevates the engagement to gray-box or white-box, which typically finds 20-30% more issues in the same time. For regulated apps (healthcare, finance), gray-box is usually the right balance.
You provide us with the IPA or APK directly, through a secure file transfer. For iOS apps, TestFlight distribution to a tester Apple ID also works. We do not need App Store Connect or Google Play Console access. Binaries are destroyed at engagement end along with all other collected evidence.
We test against the two most recent major versions of iOS and the three most recent of Android, matching current App Store and Play Store guidelines. Older OS versions are tested on request if your user base still runs them. Test coverage targets whatever OS versions your analytics show as representative.
Yes. React Native and Flutter are standard mobile pentest targets. React Native apps have a JavaScript bundle that decompiles cleanly and is often a source of findings (API keys, business logic, insecure storage patterns). Flutter apps are harder to decompile but still testable. We adjust tooling based on the framework detected.
Every finding in the report includes reproduction steps that a developer can follow using Frida, Objection, Charles Proxy, or Burp Suite. We include the exact commands, scripts, and payloads used to reproduce each issue. The live debrief call walks your mobile team through the most important chains in detail.
Other Testing Types

Explore Related Penetration Tests

Web Application Penetration Testing Web App Pentest Network Penetration Testing Network Pentest API Penetration Testing API Pentest Cloud Penetration Testing Cloud Pentest Penetration Testing as a Service (PTaaS) PTaaS

Ready to scope your Mobile Pentest?

Book a 15-minute scoping call. You get a fixed-price quote within one business day.

Book Scoping Call See Full Pentest Service