📱

Mobile Application Security Testing

OWASP MASVS-aligned iOS and Android testing — static analysis, runtime hooking, certificate pinning review, and backend API security.

iOSAndroidMASVSMASTGFridaObjection
Serving clients across the United Kingdom & United States of America

What You Receive

  • MASVS-mapped findings report (L1 or L2)
  • Binary static and dynamic analysis with reproduction artefacts
  • Backend API security review for endpoints called by the application
  • Remediation roadmap with platform-specific code-level guidance
  • Free retest within 90 days

Mobile applications are increasingly the primary interface between organisations and their customers. They also operate in the most hostile environment of any client platform — running on devices the user controls, where attackers can hook the runtime, modify the binary, and inspect every API call. Mobile security testing requires a different methodology than web application testing and significantly different tooling.

Our mobile application security testing follows the OWASP MASVS standard with techniques drawn from the OWASP MASTG. We provide both standard (L1) and high-assurance (L2) assessments for iOS and Android applications, supplemented by backend API security review — the source of the majority of critical findings in modern mobile architectures.

What We Test

Static Binary Analysis

Examination of the application binary without execution. We extract and analyse:

  • Application signing and code integrity verification
  • Hardcoded secrets, API keys, and credentials embedded in the binary
  • Cryptographic implementation — algorithms, key management, certificate handling
  • Third-party SDK inventory and known vulnerability matching
  • Compilation flags and security hardening (PIE, ARC, stack canaries, fortify source)
  • Obfuscation effectiveness and reverse engineering resistance
  • Manifest and entitlement analysis (Android permissions, iOS entitlements)

Dynamic Runtime Testing

Live testing of the application running on a controlled device:

  • Local data storage — keychain, keystore, shared preferences, SQLite, application sandbox
  • Inter-process communication — Intents (Android), URL schemes and Universal Links (iOS)
  • Runtime hooking with Frida and Objection
  • Memory analysis for sensitive data exposure
  • Logging analysis — verbose logs, exception traces, debug output containing PII
  • Background and lock screen behaviour — screenshots, notifications, biometric flow

Network Communication Security

  • TLS configuration and cipher suite analysis
  • Certificate pinning implementation and bypass resistance (see our detailed pinning bypass analysis)
  • Custom certificate trust handling
  • API endpoint enumeration and authorisation testing
  • Request and response handling for injection vulnerabilities

Backend API Testing

The mobile binary is often the simpler half of the security review. Backend APIs called by mobile applications typically have:

  • Broken object-level authorisation — accessing other users' resources by ID manipulation
  • Broken function-level authorisation — admin endpoints accessible to standard users
  • Excessive data exposure — APIs returning fields the application doesn't display
  • Mass assignment vulnerabilities — clients setting properties the backend trusts
  • Missing rate limiting — credential stuffing and enumeration enabled
  • JWT implementation flaws — algorithm confusion, key disclosure, signature bypass

We test the backend API independently of the mobile binary using a custom client capable of issuing arbitrary requests — surfacing issues invisible to mobile-binary-only testing.

Anti-Tampering and Resilience (MASVS L2)

For high-assurance applications, MASVS L2 requires resilience controls evaluated under realistic attack conditions:

  • Root and jailbreak detection effectiveness
  • Anti-debugging and anti-hooking controls
  • Code integrity verification
  • Application repackaging detection
  • Emulator detection
  • Communication channel monitoring (proxy detection)

L2 testing assumes a determined attacker with physical device access and runtime instrumentation capability — and measures how much friction the application's defences add.

Platform-Specific Considerations

iOS

We test against current iOS versions (iOS 17 and 18) on supported devices. Common findings include insecure use of WKWebView with file access, missing App Transport Security exceptions justifying themselves, keychain attribute misconfiguration (no kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly), and URL scheme handler vulnerabilities.

Android

Testing across Android 13, 14, and 15. Common findings include exported activities receiving untrusted Intents, content provider permission misconfiguration, insufficient WebView hardening (JavaScript-enabled, file access), insecure use of SharedPreferences, and missing network security configuration.

Cross-Platform Frameworks

We test applications built with React Native, Flutter, Xamarin, and Cordova/Ionic. Cross-platform frameworks introduce specific risk patterns — JavaScript bundle inspection (React Native), Dart binary analysis (Flutter), .NET assembly analysis (Xamarin) — handled by framework-specific tooling.

Compliance Alignment

Reports support evidence requirements for:

  • OWASP MASVS L1 / L2 conformance
  • PCI Mobile Payment Acceptance Security Guidelines
  • HIPAA technical safeguards (US healthcare apps)
  • UK ICO Code of Practice for App Developers
  • App Store and Play Store security review preparation
  • ISO 27001 Annex A 8.25 (Secure development life cycle)

UK & USA Coverage

Mobile assessments are typically conducted remotely from our UK and US facilities. Test devices are provisioned with the appropriate development profiles or installation via TestFlight (iOS) and direct APK / Google Play internal testing (Android). For applications requiring on-site testing (kiosk applications, hardware-integrated apps), engineers travel to client locations in both jurisdictions.

Frequently Asked Questions

What's the difference between MASVS L1 and L2?
MASVS L1 is the baseline standard — appropriate for most consumer applications, covering authentication, data storage, cryptography, network communication, code quality, and resilience. MASVS L2 adds defence-in-depth requirements (certificate pinning, anti-tampering, root/jailbreak detection) for high-assurance applications such as banking, healthcare, and government.
Do you test both iOS and Android?
Yes. Most clients book both platforms simultaneously. The platforms share architectural concepts but differ substantially in technical implementation — separate testing produces complete findings. We provide consolidated reports for both platforms with per-platform technical detail.
Do you also test the backend API?
Yes — the backend API is the most common source of critical findings in mobile assessments. Broken object-level authorisation (BOLA), broken function-level authorisation, excessive data exposure, and mass assignment are routinely found in APIs that the mobile app itself cannot exploit but a custom client easily can.
What tools do you use?
Static analysis: MobSF, jadx (Android), ghidra/IDA, class-dump (iOS), Hopper. Dynamic analysis: Frida, Objection, Burp Suite, mitmproxy, custom Frida scripts. Platform-specific: APKTool, AndroGuard for Android; class-dump, plutil, codesign for iOS. We maintain custom scripts for OWASP MASTG coverage.
How long does a mobile app assessment take?
MASVS L1 single platform: 5-8 working days. MASVS L1 both platforms: 8-12 working days. MASVS L2 single platform: 10-15 working days. MASVS L2 both platforms: 15-25 working days. Backend API testing typically adds 5-10 days depending on API complexity.
Do you need source code?
Not required, but useful. Black-box mobile testing using only the published binary is realistic and produces findings reflecting what an attacker can discover. Source-assisted testing (white-box) achieves higher coverage and identifies issues that are difficult to surface from binary analysis alone. We offer both.
Can you test pre-release builds before App Store / Play Store submission?
Yes — and we recommend it. Pre-release testing on debug builds is faster than post-release testing because we can use the development team's debug tooling, source maps, and unobfuscated code. Findings can be remediated before submission rather than after launch.
Do you test against device-side and supply chain attacks?
Yes for in-scope items. Device-side: rooted/jailbroken device detection, runtime hooking resistance, anti-tampering. Supply chain: third-party SDK analysis, dependency vulnerability scanning, signing certificate management. Specific scope agreed during scoping call.

Book a Mobile App Security Test

Tell us about your environment. We'll respond within one working day with a scoping call calendar invite and an initial price guide.

By submitting this form you agree to our privacy policy. We will only use your details to respond to this enquiry.