Australia Based · Operating Internationally · OSCE / OSCP Certified
☏ 1300 859 443
Mobile application penetration testing

Mobile Application Penetration Testing

Senior-led testing of your iOS and Android apps, aligned to OWASP MASVS. We manually exploit the insecure storage, weak crypto, authentication and API flaws that automated scanners and app-store reviews miss — across the client, the data in transit and the server-side — then hand you a prioritised, evidence-backed report and a free retest to prove every fix holds.

  • OWASP MASVS & MASTG aligned
  • iOS & Android — real-device testing
  • OSCE / OSCP-certified testers
  • Free remediation retest included
Maps to OWASP MASVS OWASP MASTG PCI-DSS SOC 2 ISO 27001
Why it matters

Your app ships the keys to your backend in every user's pocket.

A mobile app is a client you don't control — attackers decompile it, read what it stores on the device, tamper with it at runtime, and hit the APIs behind it directly. An app-store review and an automated scan won't catch insecure storage, a bypassed jailbreak check, or broken object-level authorisation. A senior tester does exactly what an attacker would, on both platforms, before they do.

MASVS OWASP
Tested against the OWASP Mobile App Security Verification Standard — client, network and server-side.
Free
Remediation retest included — we confirm each fix actually holds.
What we test

Full OWASP MASVS coverage — client, network and server-side.

Structured around the OWASP MASVS and MASTG, then extended with the manual, business-logic testing that separates a real assessment from an automated scan.

  • Insecure Data Storage

    Sensitive data in the keychain / keystore, databases, caches, logs and backups on the device.

  • Authentication & Session

    Login, biometric and MFA bypass, session handling and token weaknesses.

  • Cryptography

    Weak or misused crypto, hardcoded keys and insecure random number generation.

  • Network Communication

    TLS configuration, certificate-pinning bypass and traffic interception.

  • Platform Interaction

    Insecure IPC, deep links, WebViews, exported components and over-broad permissions.

  • Reverse Engineering & Tamper

    Decompilation, runtime instrumentation, jailbreak / root and anti-tamper resilience.

  • API & Backend

    The APIs behind the app — BOLA, mass assignment, excessive data exposure and rate-limit gaps.

  • Code Quality

    Injection, memory issues and unsafe use of platform APIs.

How an engagement runs

From scope to retest — a disciplined, four-phase engagement.

  1. 01

    Scope & rules of engagement

    We agree the iOS / Android builds, test accounts, backend environments and constraints, and set safe testing windows.

  2. 02

    Static & dynamic analysis

    We decompile and inspect the app, map its on-device storage and the APIs behind it, and instrument it at runtime on real devices.

  3. 03

    Manual exploitation

    We hand-test and safely exploit each class of flaw across both platforms, chaining issues to prove real, business-relevant impact.

  4. 04

    Report & free retest

    You get a prioritised, evidence-backed report; after you remediate, we retest to confirm every fix — at no extra cost.

What you get

A report your engineers can act on — and your auditors accept.

  • Prioritised findings

    Every issue risk-rated by real business impact and ordered so you fix what matters first.

  • Reproducible evidence

    Step-by-step proof-of-concept per finding, per platform — no vague, unverifiable claims.

  • Developer-ready remediation

    Specific, actionable fix guidance for your iOS and Android engineers, not a generic checklist.

  • Executive summary

    A plain-language overview for leadership, boards and clients requesting assurance.

  • Free remediation retest

    We re-test your fixes and confirm they hold — included with every engagement.

  • Attestation letter

    A summary letter you can share with customers, partners and app-store / enterprise reviewers on request.

Compliance mapping

Evidence that maps to the frameworks you report against.

One engagement, structured so its output slots straight into the assurance work you already have to do.

How this engagement maps to common compliance frameworks
Framework How this engagement maps
OWASP MASVS & MASTG Testing is structured directly around the OWASP Mobile AppSec Verification Standard and Testing Guide.
PCI-DSS Satisfies application penetration-testing requirements where the app handles cardholder data.
SOC 2 Provides the independent pentest evidence auditors expect for the Security trust-services criteria.
ISO 27001 (A.8.29) Supports the secure-development and technical-review controls in your ISMS.
App Store / Enterprise review Evidence of a formal security assessment for app-store, MDM and enterprise-distribution requirements.
Common questions

What teams ask before a mobile app test.

What's the difference between a mobile pen test and an app-store review or scan?

An app-store review checks policy compliance and an automated scan flags known patterns; a penetration test is a senior human decompiling, instrumenting and exploiting the app and its APIs on real devices. We never scan-and-send.

Do you test both iOS and Android?

Yes — we test both platforms as standard, since the storage, crypto and platform-interaction flaws differ between them. We can scope a single platform if you only ship one.

Do you need our source code?

No. We test the compiled app as an attacker sees it (black / grey-box). Source or a test build speeds up coverage, but it isn't required.

Do you test the APIs behind the app?

Yes. The backend APIs are where most real impact lives — we test them directly for authorisation, data-exposure and logic flaws as part of the engagement.

How long does a mobile app penetration test take?

Most engagements run one to two weeks depending on the app's size, platforms and backend complexity. We confirm timing at scoping.

Can we use the report for SOC 2, PCI-DSS or an app-store / enterprise review?

Yes. The report and optional attestation letter are written to satisfy auditor, customer and app-store / enterprise requirements.

Get a scoping call

Get a fixed-price scoping quote.

A senior tester scopes the right engagement and sends a fixed quote — no automated sales funnel, no obligation.

Core Sentinel Contact Form

A senior tester replies personally — no obligation, no automated sales funnel.