Mobile Application Security Testing
OWASP MASVS-aligned iOS and Android testing — static analysis, runtime hooking, certificate pinning review, and backend API security.
What You Receive
- MASVS-mapped findings report (L1 or L2)
- Binary static and dynamic analysis with reproduction artefacts
- Backend API security review for endpoints called by the application
- Remediation roadmap with platform-specific code-level guidance
- Free retest within 90 days
Mobile applications are increasingly the primary interface between organisations and their customers. They also operate in the most hostile environment of any client platform — running on devices the user controls, where attackers can hook the runtime, modify the binary, and inspect every API call. Mobile security testing requires a different methodology than web application testing and significantly different tooling.
Our mobile application security testing follows the OWASP MASVS standard with techniques drawn from the OWASP MASTG. We provide both standard (L1) and high-assurance (L2) assessments for iOS and Android applications, supplemented by backend API security review — the source of the majority of critical findings in modern mobile architectures.
What We Test
Static Binary Analysis
Examination of the application binary without execution. We extract and analyse:
- Application signing and code integrity verification
- Hardcoded secrets, API keys, and credentials embedded in the binary
- Cryptographic implementation — algorithms, key management, certificate handling
- Third-party SDK inventory and known vulnerability matching
- Compilation flags and security hardening (PIE, ARC, stack canaries, fortify source)
- Obfuscation effectiveness and reverse engineering resistance
- Manifest and entitlement analysis (Android permissions, iOS entitlements)
Dynamic Runtime Testing
Live testing of the application running on a controlled device:
- Local data storage — keychain, keystore, shared preferences, SQLite, application sandbox
- Inter-process communication — Intents (Android), URL schemes and Universal Links (iOS)
- Runtime hooking with Frida and Objection
- Memory analysis for sensitive data exposure
- Logging analysis — verbose logs, exception traces, debug output containing PII
- Background and lock screen behaviour — screenshots, notifications, biometric flow
Network Communication Security
- TLS configuration and cipher suite analysis
- Certificate pinning implementation and bypass resistance (see our detailed pinning bypass analysis)
- Custom certificate trust handling
- API endpoint enumeration and authorisation testing
- Request and response handling for injection vulnerabilities
Backend API Testing
The mobile binary is often the simpler half of the security review. Backend APIs called by mobile applications typically have:
- Broken object-level authorisation — accessing other users' resources by ID manipulation
- Broken function-level authorisation — admin endpoints accessible to standard users
- Excessive data exposure — APIs returning fields the application doesn't display
- Mass assignment vulnerabilities — clients setting properties the backend trusts
- Missing rate limiting — credential stuffing and enumeration enabled
- JWT implementation flaws — algorithm confusion, key disclosure, signature bypass
We test the backend API independently of the mobile binary using a custom client capable of issuing arbitrary requests — surfacing issues invisible to mobile-binary-only testing.
Anti-Tampering and Resilience (MASVS L2)
For high-assurance applications, MASVS L2 requires resilience controls evaluated under realistic attack conditions:
- Root and jailbreak detection effectiveness
- Anti-debugging and anti-hooking controls
- Code integrity verification
- Application repackaging detection
- Emulator detection
- Communication channel monitoring (proxy detection)
L2 testing assumes a determined attacker with physical device access and runtime instrumentation capability — and measures how much friction the application's defences add.
Platform-Specific Considerations
iOS
We test against current iOS versions (iOS 17 and 18) on supported devices. Common findings include insecure use of WKWebView with file access, missing App Transport Security exceptions justifying themselves, keychain attribute misconfiguration (no kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly), and URL scheme handler vulnerabilities.
Android
Testing across Android 13, 14, and 15. Common findings include exported activities receiving untrusted Intents, content provider permission misconfiguration, insufficient WebView hardening (JavaScript-enabled, file access), insecure use of SharedPreferences, and missing network security configuration.
Cross-Platform Frameworks
We test applications built with React Native, Flutter, Xamarin, and Cordova/Ionic. Cross-platform frameworks introduce specific risk patterns — JavaScript bundle inspection (React Native), Dart binary analysis (Flutter), .NET assembly analysis (Xamarin) — handled by framework-specific tooling.
Compliance Alignment
Reports support evidence requirements for:
- OWASP MASVS L1 / L2 conformance
- PCI Mobile Payment Acceptance Security Guidelines
- HIPAA technical safeguards (US healthcare apps)
- UK ICO Code of Practice for App Developers
- App Store and Play Store security review preparation
- ISO 27001 Annex A 8.25 (Secure development life cycle)
UK & USA Coverage
Mobile assessments are typically conducted remotely from our UK and US facilities. Test devices are provisioned with the appropriate development profiles or installation via TestFlight (iOS) and direct APK / Google Play internal testing (Android). For applications requiring on-site testing (kiosk applications, hardware-integrated apps), engineers travel to client locations in both jurisdictions.
Frequently Asked Questions
What's the difference between MASVS L1 and L2?
Do you test both iOS and Android?
Do you also test the backend API?
What tools do you use?
How long does a mobile app assessment take?
Do you need source code?
Can you test pre-release builds before App Store / Play Store submission?
Do you test against device-side and supply chain attacks?
Book a Mobile App Security Test
Tell us about your environment. We'll respond within one working day with a scoping call calendar invite and an initial price guide.