Mobile App Penetration Testing
CREST-certified engineers assess your iOS and Android applications against the OWASP Mobile Top 10: binary analysis, runtime manipulation, insecure storage, and API security. Fixed-price engagements from £4,500. Compatible with pre-release builds and staging environments.
Why automated scanners miss mobile vulnerabilities.
Mobile SAST/DAST tools scan for known patterns. They cannot bypass SSL pinning, hook runtime methods, or tell you whether your biometric check is enforced server-side or merely on the client. That requires a human with Frida.
Mobile Application Risk Profile
The vulnerabilities that matter most in production mobile applications. These are the findings that automated scanners cannot detect.
Insecure Storage
Proportion of mobile apps that fail basic data storage security checks, exposing user credentials and PII on-device (OWASP MASVS).
Hardcoded Secrets
Proportion of mobile binaries that contain hardcoded API keys, tokens, or credentials discoverable through reverse engineering.
Starting Price
Single-platform mobile app assessment with OWASP MASVS-mapped report, PoC evidence, and remediation guidance. Re-test included.
Controls
What We Find That Scanners Cannot.
Anonymised examples from recent mobile application penetration testing engagements. These are the vulnerabilities that automated SAST and DAST tools are architecturally incapable of detecting.
Hardcoded Cloud API Keys in Production APK
The production Android APK contained hardcoded AWS access keys and a Firebase service account key in plaintext strings. Both were extractable in under 30 seconds using standard decompilation tooling.
Biometric Authentication Bypass via Frida
The iOS application implemented biometric checks client-side only. A single Frida script intercepted LAContext's evaluatePolicy:localizedReason:reply: and invoked its reply block with success, so the application proceeded without ever presenting the Face ID prompt and the server never learned whether a biometric match had occurred.
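The contrast between a client-side gate and a server-verified one, as an added illustration (not code from the page or from the assessed application). The Frida hook makes the app's evaluatePolicy reply report success, so any decision the app takes purely on that boolean is attacker-controlled. The hardened pattern moves the decision to the server: a per-device secret that the OS releases only after a genuine biometric match (a Keychain item protected with SecAccessControl biometryCurrentSet, modelled here by KeychainModel) signs a fresh server nonce, and the server checks signature, freshness and single use. HMAC-SHA256 stands in for the Secure Enclave signature; that substitution and every name below are assumptions made for the example.

```python
"""Client-side biometric gate versus a server-verified challenge (added example)."""
import hashlib
import hmac
import secrets
import time


def client_side_gate(evaluate_policy_success: bool) -> bool:
    """Vulnerable pattern: the app trusts the boolean handed to the reply block.
    Under the Frida hook that boolean is always True, so this always allows."""
    return evaluate_policy_success


class KeychainModel:
    """Stands in for a Keychain item gated by biometry. The OS performs the match;
    hooking the app's own callback does not change whether the item is released."""

    def __init__(self, device_secret: bytes) -> None:
        self._secret = device_secret

    def release(self, genuine_biometric_match: bool):
        return self._secret if genuine_biometric_match else None


def sign_challenge(device_secret: bytes, nonce: str) -> str:
    # HMAC-SHA256 stands in for a Secure Enclave signature over the nonce (assumption)
    return hmac.new(device_secret, nonce.encode(), hashlib.sha256).hexdigest()


class AuthServer:
    NONCE_TTL_SECONDS = 60

    def __init__(self) -> None:
        self._devices = {}   # device_id -> secret enrolled at registration
        self._nonces = {}    # nonce -> (device_id, issued_at)

    def enroll(self, device_id: str, device_secret: bytes) -> None:
        self._devices[device_id] = device_secret

    def issue_challenge(self, device_id: str, now: float = None) -> str:
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = (device_id, time.time() if now is None else now)
        return nonce

    def verify(self, device_id: str, nonce: str, tag: str, now: float = None) -> bool:
        entry = self._nonces.pop(nonce, None)          # single use: a replay fails here
        if entry is None:
            return False
        owner, issued_at = entry
        now = time.time() if now is None else now
        if owner != device_id or now - issued_at > self.NONCE_TTL_SECONDS:
            return False
        secret = self._devices.get(device_id)
        if secret is None:
            return False
        return hmac.compare_digest(sign_challenge(secret, nonce), tag)


def attempt_login(server, keychain, device_id, hooked_reply_success, genuine_match):
    """What the app does on login. hooked_reply_success is what the (possibly hooked)
    evaluatePolicy reply reported; genuine_match is what the OS actually observed."""
    if not hooked_reply_success:
        return False                      # the app does not even try
    nonce = server.issue_challenge(device_id)
    secret = keychain.release(genuine_match)
    if secret is None:
        # The hooked app believes biometrics passed but holds nothing to sign with;
        # the best an attacker can do is send a guessed tag.
        tag = sign_challenge(b"attacker-guess", nonce)
    else:
        tag = sign_challenge(secret, nonce)
    return server.verify(device_id, nonce, tag)


def run_scenarios() -> dict:
    device_secret = secrets.token_bytes(32)   # provisioned at enrolment (constructed)
    server = AuthServer()
    server.enroll("device-1", device_secret)
    keychain = KeychainModel(device_secret)
    results = {
        "client_gate_under_hook": client_side_gate(True),
        "server_gate_genuine": attempt_login(server, keychain, "device-1", True, True),
        "server_gate_under_hook": attempt_login(server, keychain, "device-1", True, False),
    }
    # Replay: a captured nonce/tag pair is rejected the second time.
    nonce = server.issue_challenge("device-1")
    tag = sign_challenge(device_secret, nonce)
    results["server_gate_first_use"] = server.verify("device-1", nonce, tag)
    results["server_gate_replay"] = server.verify("device-1", nonce, tag)
    # Staleness: a valid tag over a nonce older than the TTL is rejected.
    old_nonce = server.issue_challenge("device-1", now=1000.0)
    results["server_gate_stale"] = server.verify(
        "device-1", old_nonce, sign_challenge(device_secret, old_nonce), now=1000.0 + 120)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {'ALLOWED' if outcome else 'denied'}")
```

The point the finding turns on is visible in the two "under hook" results: the client-side gate allows, the server gate denies, because the hook can only alter what the app believes, not what the OS releases from the Keychain. The same structure also closes replay and stale-challenge paths, which is why the page tests session token lifecycle alongside biometric implementation.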
Unencrypted SQLite Database Containing User Credentials
User session tokens, email addresses, and hashed passwords were stored in an unencrypted SQLite database in the application sandbox. The data persisted after logout and was accessible on rooted/jailbroken devices.
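How a tester confirms the "persisted after logout" part of the finding above, as an added example that is not the page's or the app's code. It models the app sandbox database with the standard-library sqlite3 module and then inspects the raw file bytes the way a tester does after pulling the file from a rooted or jailbroken device (adb pull, then strings or grep). Two points are shown: a plaintext token is recoverable from the file as long as the row exists, and a bare DELETE is not a reliable logout, because SQLite leaves freed page content in place until the space is reused unless secure_delete is on or the file is rebuilt with VACUUM. The token and email are constructed sample values.

```python
"""Token residue in an app's SQLite store before and after logout (added example)."""
import os
import sqlite3
import tempfile

SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.constructed-session-token-body.constructed-sig"
SAMPLE_EMAIL = "alice@example.com"  # constructed


def new_app_db() -> str:
    """Create an empty sandbox-style database and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "app.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE session (user_email TEXT, token TEXT)")
    con.commit()
    con.close()
    return path


def login(path: str, email: str, token: str) -> None:
    """The vulnerable pattern: the token is written in plaintext to the app database."""
    con = sqlite3.connect(path)
    con.execute("INSERT INTO session VALUES (?, ?)", (email, token))
    con.commit()
    con.close()


def logout_naive(path: str) -> None:
    """DELETE alone: the row vanishes from queries, but its bytes may remain in the file."""
    con = sqlite3.connect(path)
    con.execute("DELETE FROM session")
    con.commit()
    con.close()


def logout_hardened(path: str) -> None:
    """Zero freed content and rebuild the file so no stale page content survives."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = ON")
    con.execute("DELETE FROM session")
    con.commit()
    con.execute("VACUUM")  # rewrites the database from live rows only
    con.close()


def raw_file_contains(path: str, needle: str) -> bool:
    """What `strings app.db | grep` would find on the pulled file."""
    with open(path, "rb") as fh:
        return needle.encode() in fh.read()


def token_residue_report() -> dict:
    naive_db = new_app_db()
    login(naive_db, SAMPLE_EMAIL, SAMPLE_TOKEN)
    before = raw_file_contains(naive_db, SAMPLE_TOKEN)
    logout_naive(naive_db)
    after_naive = raw_file_contains(naive_db, SAMPLE_TOKEN)

    hardened_db = new_app_db()
    login(hardened_db, SAMPLE_EMAIL, SAMPLE_TOKEN)
    logout_hardened(hardened_db)
    after_hardened = raw_file_contains(hardened_db, SAMPLE_TOKEN)

    return {
        "plaintext_before_logout": before,
        "after_naive_delete": after_naive,      # depends on the SQLite build's defaults
        "after_hardened_logout": after_hardened,
    }


if __name__ == "__main__":
    for check, found in token_residue_report().items():
        print(f"{check}: token {'FOUND' if found else 'absent'} in raw file")
```

Whether the naive DELETE leaves the token behind depends on whether the platform's SQLite was built with secure_delete on by default, which is why the check is made against the raw file rather than assumed. The real fix is not to put the token in SQLite at all: keep it in the Keychain (iOS) or an Android Keystore-backed store and clear it on logout; the example only shows why a DELETE-based logout is insufficient when it is stored there.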
Certificate Pinning Not Implemented on Auth Endpoints
The application did not enforce certificate pinning on any API endpoint. An attacker positioned on the same network, with a proxy CA certificate trusted by the device, could intercept all API traffic, including authentication tokens. Pinning is the control that makes a user-installed or attacker-installed CA insufficient for interception.
Exported Android Activity Accepts Arbitrary Intent Extras
An exported Activity in the Android application accepted user-controlled Intent extras without validation. A malicious application on the same device could inject parameters that triggered privileged functionality, including payment confirmation.
Verbose Logging Active in Production Build
The production build retained debug-level logging that wrote API request bodies, authentication tokens, and user PII to the device system log, readable by anyone with adb access to the device and by privileged applications holding READ_LOGS.
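A static triage pass that surfaces the three Android findings above (hardcoded cloud secrets, an exported Activity with no permission guarding it, and Log.d/Log.v calls left in the build) from an apktool-decoded APK, as an added example rather than the page's own tooling. It assumes the directory layout produced by `apktool d app.apk -o out/` (AndroidManifest.xml, res/values/strings.xml, smali/**); build_sample_tree() writes a small constructed tree so the script runs offline, and the AWS key in it is AWS's documented example key, not a live credential.

```python
"""Static triage of an apktool-decoded APK tree (added example)."""
import os
import re
import tempfile
import textwrap
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    # smali escapes the quotes inside const-string literals, hence the optional backslashes
    "firebase_service_account": re.compile(r'\\?"type\\?"\s*:\s*\\?"service_account\\?"'),
}
DEBUG_LOG_CALL = re.compile(r"Landroid/util/Log;->[dv]\(")  # Log.d / Log.v call sites


def _read(path):
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return fh.read()


def find_secrets(root):
    """(relative path, pattern name, matched text) for every secret-looking literal."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".xml", ".smali", ".json")):
                path = os.path.join(dirpath, name)
                text = _read(path)
                for label, pattern in SECRET_PATTERNS.items():
                    hits += [(os.path.relpath(path, root), label, m.group(0))
                             for m in pattern.finditer(text)]
    return hits


def find_exported_without_permission(manifest_path):
    """Components other apps can reach that have no android:permission guarding them.
    With android:exported absent, an intent-filter makes the component exported
    (Android 12+ rejects the omission at install time; older targets allow it)."""
    app = ET.parse(manifest_path).getroot().find("application")
    flagged = []
    for comp in app.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        attr = comp.get(ANDROID_NS + "exported")
        exported = comp.find("intent-filter") is not None if attr is None else attr == "true"
        if exported and comp.get(ANDROID_NS + "permission") is None:
            flagged.append((comp.tag, comp.get(ANDROID_NS + "name")))
    return flagged


def count_debug_log_calls(root):
    """smali files that still call android.util.Log.d/v, with call counts."""
    counts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".smali"):
                path = os.path.join(dirpath, name)
                n = len(DEBUG_LOG_CALL.findall(_read(path)))
                if n:
                    counts[os.path.relpath(path, root)] = n
    return counts


def triage(root):
    return {
        "secrets": find_secrets(root),
        "exported_without_permission":
            find_exported_without_permission(os.path.join(root, "AndroidManifest.xml")),
        "debug_log_calls": count_debug_log_calls(root),
    }


def build_sample_tree():
    """Constructed apktool-style output; the AWS key is AWS's documented example key."""
    root = tempfile.mkdtemp()
    files = {
        "AndroidManifest.xml": """\
            <?xml version="1.0" encoding="utf-8"?>
            <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
              <application>
                <activity android:name=".ConfirmPaymentActivity" android:exported="true"/>
                <activity android:name=".AdminActivity" android:exported="true" android:permission="com.example.demo.ADMIN"/>
                <activity android:name=".ShareActivity">
                  <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
                </activity>
                <activity android:name=".MainActivity" android:exported="false"/>
                <service android:name=".SyncService"/>
              </application>
            </manifest>""",
        "res/values/strings.xml": """\
            <resources>
              <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
            </resources>""",
        "smali/com/example/demo/ApiClient.smali": r"""
            .class public Lcom/example/demo/ApiClient;
            .method public fetch()V
                const-string v0, "ApiClient"
                const-string v1, "{\"type\": \"service_account\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIE...\"}"
                invoke-static {v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
                return-void
            .end method""",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(textwrap.dedent(content))
    return root


if __name__ == "__main__":
    for section, items in triage(build_sample_tree()).items():
        print(section, items)
```

On the sample tree the script flags the AWS key in strings.xml, the private key and service-account JSON embedded in the smali, ConfirmPaymentActivity (explicitly exported, no permission) and ShareActivity (implicitly exported through its intent-filter), and one Log.d call site; AdminActivity is not flagged because a permission guards it. A regex pass like this is the cheap first step; whether an exported component actually reaches privileged behaviour, as in the payment finding, is confirmed dynamically by crafting the Intent from a second app or `adb shell am start`.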
When Do Organisations Commission This Test?
Mobile app penetration testing is typically triggered by one of these six scenarios. If any of these apply, you are in the right place.
Pre-Launch Security Gate
New app or major release approaching go-live and your stakeholders require independent security sign-off before App Store or Google Play submission.
Compliance Audit Finding
Your ISO 27001, PCI DSS, or Cyber Essentials Plus audit has identified mobile application testing as a control gap.
Enterprise Client Mandate
A client, partner, or enterprise buyer has requested evidence of third-party mobile application security testing before contract award or renewal.
Post-Incident Assessment
A recent security incident involving credential compromise, data leakage, or API abuse from a mobile client has prompted a post-event security assessment.
Cyber Insurance Renewal
Your cyber insurance renewal requires evidence of penetration testing activity against mobile applications that process sensitive data.
DevSecOps Release Gate
You need mobile security testing that integrates with your release cycle. Pre-release builds, staging environments, and rapid turnaround for CI/CD pipelines.
Our Mobile App Penetration Testing Services
Mobile application security testing, also known as mobile app penetration testing, evaluates your iOS and Android apps from an attacker's perspective. Our CREST-certified engineers perform both static and dynamic analysis, covering the full OWASP Mobile Top 10 across client-side binary and server-side API layers.
IPA & APK Reverse Engineering
We decompile your IPA and APK binaries to identify hardcoded API keys, secrets, and insecure configurations. No source code required: grey-box testing by default. Also available as a dedicated Android assessment or iOS assessment.
Runtime Manipulation
Using Frida and Objection, we bypass SSL pinning, root and jailbreak detection, and biometric authentication checks in real-time against a running application. We hook native methods to modify application behaviour and extract secrets from memory.
Insecure Data Storage
We audit local storage for unencrypted sensitive data: SQLite, SharedPreferences, and Keychain entries. We verify that credentials, tokens, and PII do not persist on-device after session end or application uninstall.
Backend API Security
We intercept backend API traffic via Burp Suite to identify BOLA, broken function-level authorisation, and sensitive data exposure in transit. See also our dedicated API security testing service.
Platform Integration Testing
We test Android Intent injection and exported Activity/Service components, iOS custom URL schemes and Universal Links, and deep link hijacking to ensure third-party apps cannot trigger unauthorised actions or intercept sensitive data.
Authentication & Session Management
Testing biometric authentication implementation (client-side vs server-verified), session token lifecycle, token storage mechanism security, logout completeness, and whether session fixation or replay attacks can grant unauthorised access to another user's account.
Mapped to the OWASP Mobile Top 10
Every mobile app penetration test conducted by Precursor Security is structured against the OWASP Mobile Application Security Verification Standard (MASVS) and covers all ten OWASP Mobile Top 10 risk categories. The categories listed below are those of the 2016 edition of the Mobile Top 10; the 2024 edition reorganises them (for example M1 Improper Credential Usage and M2 Inadequate Supply Chain Security), and the same findings map onto either edition. Your report provides verifiable, framework-mapped evidence for compliance, investor due diligence, and enterprise vendor questionnaires.
Improper Platform Usage
Misuse of OS security features, permissions, and platform controls.
Insecure Data Storage
Sensitive data stored unencrypted in local databases or shared preferences, or in Keychain/Keystore entries with weaker protection than the data warrants.
Insecure Communication
Weak TLS, missing certificate pinning, and cleartext data in transit.
Insecure Authentication
Weak session tokens, biometric bypass, and insecure password storage.
Insufficient Cryptography
Weak encryption algorithms, insecure key management, and hardcoded keys.
Insecure Authorization
Broken access control allowing privilege escalation or IDOR vulnerabilities.
Client Code Quality
Memory corruption, code injection, and buffer overflow vulnerabilities.
Code Tampering
App modification, binary patching, and repackaged app distribution.
Reverse Engineering
Absence of binary obfuscation and anti-tampering controls.
Extraneous Functionality
Debug code, hardcoded test credentials, and hidden backend functionality.
How Our Mobile App Assessment Works
Binary-only testing by default. No source code required. Compatible with pre-release builds and staging environments.
Discovery & Scoping
We receive your IPA/APK binary and staging environment credentials. A 30-minute scoping call establishes platform count, user roles, API scope, and whether pre-release or production builds are being tested.
Static Analysis
Reviewing decompiled code, permissions, embedded secrets, and identifying insecure configurations without requiring source code. We map the application architecture and API endpoints before dynamic testing begins.
Dynamic Testing
Interacting with the running app to test runtime manipulation, authentication bypass, insecure storage, and API security against the OWASP Mobile Top 10. Criticals reported immediately via secure channel.
Report & Retest
OWASP MASVS-mapped report with PoC Frida scripts, screenshot evidence, and platform-specific remediation guidance. A free re-test of remediated critical and high findings is included within 30 days.
What You Get
Every mobile application penetration test includes the following deliverables, formatted for both technical teams and non-technical stakeholders.
Reports are delivered via our real-time penetration testing portal with role-based access. Also available in PDF and DOCX formats. Assessment window re-testing included at no additional cost.
Close the Loop. After the Test.
Testing identifies the vulnerabilities. Monitoring ensures they stay closed. Our Managed Detection and Response service continuously monitors for credential compromise, API abuse, and mobile-backend threats, so the exposure your mobile app test reveals is defended in real time.
API Security Testing
Dedicated API assessment covering unlinked endpoints, auth flows, and OWASP API Top 10 beyond what the mobile test covers.
Web Application Pentest
Test the web portal or admin dashboard that shares the same backend as your mobile application.
24/7 SOC Monitoring
Continuous monitoring for credential compromise, API abuse, and mobile-backend threats.
EdgeProtect ASM
Continuous attack surface monitoring of your API endpoints and mobile backend infrastructure.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
Mobile app penetration testing covers five core areas: (1) Binary analysis, reverse engineering the IPA/APK to find hardcoded secrets, API keys, and insecure configurations; (2) Runtime manipulation, using Frida and Objection to bypass SSL pinning, root/jailbreak detection, and biometric authentication; (3) Insecure data storage, auditing SQLite, SharedPreferences, and Keychain for unencrypted sensitive data; (4) API security, intercepting backend API traffic to identify BOLA, broken function-level authorisation, and data leakage; (5) Platform integration, testing Android Intent injection and iOS URL scheme abuse. All testing is mapped to the OWASP Mobile Top 10 and OWASP MASVS (Mobile Application Security Verification Standard).
Mobile application penetration testing typically costs between £4,500 and £12,000 depending on app complexity, platform count (iOS-only, Android-only, or both), and backend API scope. A standard single-platform mobile app test (iOS or Android) averages £6,000 for 5-7 days of testing covering binary analysis, runtime manipulation, insecure storage, and backend API security. Dual-platform testing (iOS + Android + shared backend APIs) typically costs £9,000-£12,000. Complex apps with extensive features, multiple user roles, or payment processing typically cost £10,000-£12,000+. We provide fixed-price quotes after reviewing your app architecture and feature set.
While mobile developers understand app functionality and can implement security controls, they rarely have the specialised tools and adversarial mindset for security testing. Security testing requires reverse engineering skills (decompiling APK/IPA binaries, reading smali or native disassembly), runtime manipulation tools (Frida and Objection for bypassing SSL pinning and root detection), and mobile-specific attack techniques (Intent injection, deep link hijacking, insecure storage exploitation) that developers do not use in normal development workflows. Moreover, developers test that features work correctly; security testers identify how features can be abused. Professional mobile testing finds vulnerabilities developers never considered.
No. Mobile app penetration testing is performed on your provided IPA/APK binaries, on our own test devices, against staging or otherwise controlled test environments. We never interact with production app stores, live user accounts, or production backend servers unless explicitly authorised for production API testing. Testing has zero impact on your App Store/Google Play listing, ratings, reviews, or live users. We can test pre-release builds before app store submission to catch security issues early, or test production builds in isolated environments. Your App Store Connect/Google Play Console accounts remain completely untouched.
We only need the compiled binary (IPA for iOS, APK for Android). Source code is optional. Our methodology uses reverse engineering to decompile the binary back to readable code (smali for Android, pseudo-code for iOS), which is sufficient for comprehensive security testing. However, if you provide source code ('white box' testing), we can identify more subtle vulnerabilities in code logic and provide more precise remediation guidance with line-by-line code fixes. Most organizations opt for binary-only ('grey box') testing which balances thoroughness with IP protection.
No. Our testing is conducted under strict NDA and confidentiality agreements with explicit scope limitations: (1) We only reverse engineer components necessary for security testing (authentication flows, data storage mechanisms, API communication), (2) We do not reverse engineer proprietary business logic, algorithms, or trade secrets unless they directly relate to identified security vulnerabilities, (3) All findings and reverse-engineered code are confidential and destroyed after testing, (4) Our ethical standards and CREST accreditation require respecting intellectual property rights, and (5) We carry professional indemnity insurance and have legal safeguards protecting your IP. We are testing security, not stealing secrets. Our reputation depends on absolute confidentiality.
Yes. We test both iOS (IPA) and Android (APK) applications. Our methodology covers platform-specific vulnerabilities: for iOS, we test jailbreak detection bypass, keychain security, certificate pinning, and iOS-specific URL scheme vulnerabilities; for Android, we test root detection bypass, SharedPreferences/SQLite storage security, intent injection, and exported component vulnerabilities. Most organisations benefit from testing both platforms as vulnerabilities often differ between iOS and Android implementations of the same app.
We work with you to obtain appropriate testing credentials: (1) Preferred approach: You provide dedicated test accounts with realistic data in a staging/UAT environment that mirrors production, (2) Alternative: We test in production using test accounts with explicit authorization and coordinated testing windows, (3) For apps requiring device binding or two-factor authentication, we coordinate to register our testing devices and obtain necessary authentication tokens. We never use real customer accounts or attempt to access customer data.
The OWASP Mobile Top 10 is the industry-standard framework for mobile application security risks. In its 2016 edition it covers: M1 Improper Platform Usage (misuse of OS features or security controls), M2 Insecure Data Storage (unencrypted sensitive data in local storage), M3 Insecure Communication (weak SSL/TLS, missing certificate pinning), M4 Insecure Authentication (weak session management, biometric bypass), M5 Insufficient Cryptography (weak encryption algorithms), M6 Insecure Authorization (broken access control), M7 Client Code Quality (memory corruption, code injection), M8 Code Tampering (app modification, repackaging), M9 Reverse Engineering (lack of obfuscation), M10 Extraneous Functionality (debug code, backdoors). The 2024 edition regroups these risks under different headings (for example M1 Improper Credential Usage, M3 Insecure Authentication/Authorization, M7 Insufficient Binary Protections) and adds supply chain and privacy categories; findings are reported against whichever edition your compliance programme references. Our mobile app penetration tests provide comprehensive coverage of all OWASP MASVS (Mobile Application Security Verification Standard) controls.