Home / Solutions / Mobile App Pentesting
Mobile App Pentesting

Mobile Application Penetration Testing — iOS & Android

Mobile Application Penetration Testing — iOS & Android

iOS and Android, tested like an attacker.

OWASP MASVS-aligned mobile pentests covering static analysis, dynamic instrumentation, runtime tampering, and certificate pinning bypass. iOS, Android, React Native, Flutter — same depth across all.

Coverage
OWASP MASVS L1/L2 alignment
Static + dynamic + runtime testing
Certificate pinning bypass attempts
Jailbreak / root detection review
App Store privacy manifest review
01 // PLATFORM PARITY

Same depth on iOS, Android, and cross-platform.

Mobile pentest quality usually drops sharply on cross-platform stacks. We bring the same depth to React Native and Flutter as we do to native Swift and Kotlin — including reverse-engineering of bundled JavaScript and Dart code.

  • Native: Swift, Objective-C, Kotlin, Java
  • Cross-platform: React Native, Flutter, Xamarin, Ionic
  • Reverse engineering of bundled JS/Dart code
  • Native module surface analysis
Mobile findings (sanitized) 
CRITICAL  Hardcoded API key in APK
  com.example.app/BuildConfig.java
  → admin-tier key recoverable via apktool
  // MASVS-CRYPTO-1

HIGH      Certificate pinning bypass
  Frida hook on SSLContext.init
  → MITM possible w/ rooted device
  // MASVS-NETWORK-2

HIGH      Insecure deep link handling
  appname://open?url=javascript:...
  → arbitrary JS in WebView context
  // MASVS-PLATFORM-3

MEDIUM    Keychain accessibility too broad
  kSecAttrAccessibleAlways used
  → keys readable from backup
  // MASVS-STORAGE-1
02 // INSTRUMENTATION

Frida, Objection, Burp, custom tooling.

Static analysis catches the obvious bugs. The interesting findings come from runtime instrumentation — hooking method calls, intercepting traffic, tampering with stored data live. We do all of it.

  • Frida-based runtime hooking and method tracing
  • Burp Suite + custom mobile interceptors
  • Anti-tamper / anti-hook detection bypass
  • Memory analysis for sensitive data leakage
Test execution — Android 
# Static
$ apktool d app.apk
$ jadx-gui app.apk
$ semgrep --config=p/android src/

# Network
$ adb shell setprop net.https_proxy 192.168.1.5:8080
$ frida -U -f com.app -l ssl-pin-bypass.js

# Runtime
$ objection -g com.app explore
> android hooking list classes
> android keystore list
> android root simulate

# Tamper detection
$ frida -U -f com.app -l anti-debug.js
$ verify behavior with detection bypassed

What we test

MASVS-aligned mobile coverage.

Storage

Keychain / Keystore usage, file permissions, backup exposure, screenshot leakage.

Network

TLS, certificate pinning, MITM resistance, insecure protocols, traffic logging.

Cryptography

Key generation, key storage, weak ciphers, hardcoded secrets, custom crypto.

Authentication

Biometrics, MFA, session management, deep link auth, token storage.

Platform

IPC, deep links, WebView config, intent handling, URL scheme abuse.

Anti-tamper

Root / jailbreak detection, debugger detection, code obfuscation, app integrity.

Engagement Model

Same fixed-fee model. Same engineer team.

Mobile pentests are scoped per platform and complexity. Cross-platform apps (React Native, Flutter) are tested at the same depth as native with no premium charge. Typical mobile-only engagement: 2-3 weeks, scoped from $16K. Combined web + mobile engagements get a discount and run in parallel. One free retest within 90 days included.

Deliverables

Mobile-specific evidence and artifacts.

MASVS-mapped report

Full OWASP MASVS L1/L2 coverage matrix. Findings tagged with the specific MASVS category (CRYPTO, NETWORK, PLATFORM, etc.) so your team and auditors can navigate by control.

Reproducible exploitation

Frida scripts, Objection commands, modified APK / IPA where relevant. Your engineers can re-run every exploit on demand.

App store readiness review

iOS privacy manifest review, Play Console data safety form analysis, third-party SDK disclosure verification — flagged as findings if non-compliant.

Cross-platform parity report

For React Native / Flutter / Xamarin apps: separate analysis of the bundled JS/Dart layer and the native module bridge layer with parity scoring.

Frequently Asked Questions

Common questions, answered.

Do you test on real devices or emulators?
Both. Real devices for hardware-backed key storage, biometrics, and TEE behavior. Emulators / simulators for rapid iteration. Final verification always on physical devices — typically iPhone 14/15 and a recent Pixel or Samsung.
Can you test apps that already block jailbroken / rooted devices?
Yes — bypass of these protections is part of the scope. We document both the bypass technique and the impact. If your detection holds against our team, that's a meaningful security signal that goes in the report as a positive finding.
React Native and Flutter — same coverage as native?
Yes. We unbundle the JavaScript or Dart, decompile native modules, and test both layers. Cross-platform stacks have additional attack surfaces (e.g. native module bridges, JS-to-native auth gaps) that we cover specifically.
Do you handle App Store / Play Store compliance review?
Yes. Privacy manifest review (iOS 17+ PrivacyInfo.xcprivacy), Play Console Data Safety form review, third-party SDK disclosure verification. Findings include compliance gaps, not just security ones.
How much does a mobile app pentest cost?
Single-platform engagements typically run $18k-$36k. Both iOS and Android together typically $32k-$58k. Cross-platform apps (React Native, Flutter) covering JS/Dart + native bridge typically $22k-$42k. Pricing is fixed-fee scoped after discovery.
How long does a mobile pentest take?
2-3 weeks per platform for typical apps. Larger apps with complex SDK integrations, biometrics, or extensive offline capabilities may run 3-4 weeks. Cross-platform apps add ~30% to single-platform timelines because both the cross-platform layer and native bridges must be tested.
What about jailbreak/root detection — should we even bother?
Yes — detection raises the attacker cost. It won't stop a determined adversary, but it stops casual cloning, automated abuse, and many supply-chain attacks. We test detection effectiveness and document specific bypass costs (in attacker-time) so you can make an informed decision.
Can you test our SDK or library, not just the app?
Yes. SDK pentests are a common engagement type — we test the SDK in isolation plus integrate it into a reference host app to test in-context behavior. Pricing is similar to mobile app pentests.
Do you cover wearables (Apple Watch, Wear OS)?
Yes, when in scope. Wearable companion apps share many attack surfaces with their parent mobile apps but add complexity around BLE pairing, on-device authentication, and reduced-resource cryptographic primitives. Scoping conversation needed for accurate pricing.
How do you handle apps with on-device ML / AI inference?
We treat embedded models as code: tampering tests, model extraction attempts, prompt-injection-style attacks against on-device LLMs, and local-storage exposure of model weights. If your app has substantial AI features, the AI/LLM AppSec page covers our extended methodology.
Do you provide remediation support beyond the report?
Yes — every engagement includes a 60-minute remediation walkthrough call with the assigned senior pentester. Bring your engineering team. Beyond that, async questions for the 90-day retest window are included.
What's in scope for a typical mobile pentest?
Static analysis of the bundle (decompiled native code + bundled JS/Dart for cross-platform), dynamic instrumentation with Frida/Objection, network traffic interception, certificate pinning bypass, keychain/keystore review, deep link handling, IPC/intent abuse, and runtime tampering protection. Backend API endpoints used by the mobile app are typically scoped together with web pentest if you have one.
Can you test against jailbroken / rooted detection?
Yes. We attempt to bypass jailbreak and root detection as part of every mobile engagement. The bypass technique and the impact are both documented. If your detection holds against our team, that's a meaningful security signal we report explicitly.
How do you handle React Native and Flutter?
Same depth as native. We unbundle the JS/Dart code, decompile native modules, test both the JS/Dart layer (which contains most app logic) and the native bridge layer (which is often weaker than expected). Cross-platform stacks have their own attack surfaces — native module bridges, hot updates, dependency confusion in npm/pub.dev.
Do you test offline mode and local data storage?
Yes. Local SQLite databases, encrypted preferences, file-based caches, and biometric-protected data are all part of standard scope. We look for data leakage to backups, screenshots in the app switcher, sensitive data in clipboard history, and exposure via shared file providers.
What about the App Store privacy manifests (iOS 17+)?
Reviewed as part of every iOS engagement. Privacy manifests now require accurate disclosure of "required reasons" API usage and tracking domains. We compare what your manifest declares against what the app actually does — a common source of App Store rejections and post-submission issues.

Related

Continue exploring

Companion
Web App Pentesting

OWASP ASVS L2/L3 web pentests by the same team.

Read more →
Backend
API Security Testing

The APIs your mobile app calls.

Read more →
Continuous
Continuous AppSec

Mobile coverage every release.

Read more →
Audits
Compliance Readiness

Mobile findings mapped to SOC 2 / HIPAA / PCI.

Read more →
Ready to ship secure?
Talk to a senior engineer. No SDR script, no slide deck — just a working session about your stack.

What is mobile app penetration testing

Mobile pentesting that goes beyond static analysis.

Mobile application penetration testing is the security assessment of an iOS or Android app — including its native and cross-platform code, runtime behavior, network communications, local storage, and platform integrations — to identify vulnerabilities specific to the mobile attack surface. It's the workstream where keychain misuse, certificate-pinning bypass, deep-link abuse, IPC vulnerabilities, and runtime tampering get found.

Mobile testing has different attack surfaces than web pentesting. The same OWASP MASVS verification standard governs the work, but the techniques are different: static analysis with apktool and jadx, dynamic instrumentation with Frida and Objection, network interception through Burp with custom certificate handling, and runtime tampering tests against jailbreak/root detection. A senior mobile pentester typically uses 15-20 distinct tools across an engagement.

Cross-platform stacks like React Native, Flutter, Xamarin, and Ionic introduce additional attack surfaces — bundled JavaScript or Dart code that decompiles to readable form, native module bridges with auth gaps, and hybrid WebView contexts where mobile and web vulnerabilities intersect. We bring the same depth to these stacks as to native Swift/Kotlin code.

  • Aligned to OWASP MASVS L1 / L2 verification standard
  • iOS, Android, React Native, Flutter, Xamarin, Ionic — same depth across all
  • Tested on real devices for hardware-backed key storage and TEE behavior
  • App Store / Play Store privacy manifest review included

Pricing & timeline

Per-platform fixed-fee, scoped before signing.

Mobile pentests are priced per platform (iOS or Android) with a small discount for both. Cross-platform apps (React Native, Flutter) are priced as a single platform with the cross-platform layer included. Engagements typically complete in 2-3 weeks per platform.

Single platform engagement
$18k - $36k
Both iOS and Android
$32k - $58k (10-15% bundle savings)
Cross-platform (RN/Flutter)
$22k - $42k (covers JS/Dart + native bridge)
Typical timeline per platform
2-3 weeks
Re-tests included
One free retest within 90 days
App store compliance review
Included — privacy manifest, data safety form

Deliverables

What you get from a CredShields mobile pentest.

MASVS
MASVS coverage matrix

Pass/fail evidence against every applicable MASVS verification requirement. Reusable for app store reviews and enterprise app distribution.

STATIC
Static analysis findings

Decompiled source review, hardcoded secret detection, dependency CVE scan, manifest configuration review.

DYNAMIC
Dynamic analysis findings

Runtime behavior, IPC abuse, deep-link handling, clipboard leakage, screenshot/screenshare exposure.

NETWORK
Network analysis

TLS configuration, certificate pinning effectiveness, MITM resistance, traffic logging exposure.

TAMPER
Cert pinning bypass attempts

Frida-based hooks, repackaging, runtime-tamper detection bypass — documented even when our attempts fail (which is itself a positive signal).

STORE-READY
App store compliance review

iOS Privacy Manifest review (PrivacyInfo.xcprivacy), Play Console Data Safety form review, third-party SDK disclosure verification.

Related

Related services

API Security Testing

Mobile apps live or die by their backend APIs — test both.
Web Application Pentesting

Add web testing if your mobile app has a web counterpart.
Continuous AppSec

Mobile pentest on every release, not once a year.
Compliance Readiness

Mobile-specific HIPAA, PCI, GDPR evidence.
AI / LLM AppSec

Mobile AI features (on-device inference, RAG) need extra review.
Sample Pentest Report

Preview a sanitized mobile pentest report.
Ready When You Are

The pentest your auditor will accept.
The findings your engineers will fix.

Continuous AppSec for SaaS, fintech, and regulated industries. Talk to a senior engineer — no SDR script, no slide deck, just a working session about your stack.

Fixed-Fee Pricing
No engineer-hour billing
Audit-Ready by Default
SOC 2, ISO, PCI, HIPAA
Engineer-Validated
Not scanner output