Mobile pentest, MASVS-aligned.
iOS + Android testing across the full OWASP MASVS - static analysis, runtime instrumentation, reverse engineering, and the backend API the app talks to. Coverage mapped to MASVS L1 / L2 / R.
Threat landscape
What mobile attackers exploit first
The attack classes that turn a mobile app into a backdoor into your business. We test for these on every engagement.
Reverse engineering
Decompiled binaries leak business logic, hardcoded secrets and API contracts in minutes.
Runtime tampering
Frida and similar instrumentation frameworks bypass auth, cheat detection, and in-app purchase gating at will.
Insecure local storage
PII, tokens and session keys cached on disk - readable on any unlocked device.
API abuse via cloned client
Once your client is reverse-engineered, your API surface becomes the new attack surface.
Cert-pinning bypass → MITM
Frida hooks defeat pinning. Without pinning, every coffee-shop Wi-Fi is a credential harvester.
Brand impersonation
Cloned apps on third-party stores phish your users with your own branding.
What we cover
- Android & iOS application testing
- Static (SAST) & dynamic (DAST) analysis
- Backend / API integration testing
- Root / jailbreak detection bypass
- Sensitive data storage & transport
- Reverse engineering & tamper checks
Common findings
- Insecure data storage
- Weak crypto / hardcoded secrets
- Insecure communication
- Runtime tampering / hooking
- Insufficient code obfuscation
- Mobile-API auth flaws
OWASP MASVS
Coverage by MASVS category
Eight categories, V1-V8. We test against MASVS-L2 by default; L1 + R available for regulated apps.
Platform focus
Native depth, both stores
iOS
- Keychain + data-protection class review
- URL scheme + universal-link abuse
- Jailbreak detection bypass
- Push-token / device-ID exposure
- ATS / TLS-pinning checks
- IPA static + dynamic analysis
Android
- Manifest + intent-filter audit
- WebView vulnerabilities (JS bridge)
- Root + Magisk detection bypass
- Provider / Service / Receiver abuse
- Keystore / SharedPreferences leakage
- APK static + dynamic analysis
Tools & stack
What's in the toolbox
See what a real report looks like
24 pages, redacted from a live engagement. Executive summary, technical findings with PoCs, remediation roadmap and attestation.
- Executive summary + technical report
- Reproducible PoCs with screenshots
- Remediation roadmap + retest plan
- Letter-of-attestation appendix
How we work
Methodology
A repeatable five-phase process. Same depth whether it's a focused spot test or a multi-surface engagement.
Recon & threat modeling
Asset discovery, app mapping, STRIDE/DREAD analysis to scope what matters.
Automated baseline
Tuned SAST/DAST/scanners to clear the noise. Never the primary signal.
Manual exploitation
Where the real findings live. Senior testers, real PoCs, chained attacks.
Risk assessment
CVSS scoring combined with your business context - not auto-generated severities.
Reporting
Executive summary + reproducible technical report + remediation roadmap.
Frameworks & standards
Mapped to the standards your auditors care about
Reports map findings to the frameworks your compliance team is already chasing. Drop-in evidence for ISO, SOC 2, PCI and DPDP audits.
FAQ
Common questions
If you're evaluating multiple firms, these are the questions worth asking each of us.
How long does a typical engagement take?
A focused spot test runs 5-7 business days. Multi-surface engagements typically take 2-4 weeks depending on application complexity. We agree on a written scope before the contract - no surprise extensions.
Is testing safe to run in production?
We test in production only when staging is unavailable and only with explicit written approval, an agreed test window, and a documented rollback plan. Destructive checks (DoS, data corruption) are excluded unless specifically requested.
What certifications does your team hold?
Engagements are run by senior testers and signed off by a practice lead. We test to recognised methodologies - OWASP, PTES and the OSSTMM - and map every finding to CVSS and CWE. If your procurement process needs specific individual credentials on file, we'll share them under NDA during scoping.
Do you offer retests after we patch?
Yes - retest engagements are scoped separately, focused only on the findings you've patched. Pricing is proportional to the surface area being re-verified and we send a written scope before any work starts.
What format are the deliverables in?
PDF reports (executive summary + technical), an editable findings spreadsheet, attack-path diagrams where relevant, and a letter of attestation on request. All findings include CVSS, CWE, repro steps, and remediation guidance.
How is scope determined and priced?
After a 15-minute discovery call we send a written scope inside 48 hours - fixed-price, with clearly itemized exclusions. No hourly billing surprises, no scope creep mid-engagement.
Ship your mobile app with confidence.
Send your APK / IPA build details and we'll come back with a scope in under 48 hours.