Mobile App Pentest

What is a mobile app pentest?

A mobile app pentest is a security assessment of your iOS and/or Android application. We analyse the full attack chain: from the binary on the device to the communication with the backend API and the server-side logic. Mobile apps often store sensitive data locally, communicate with multiple backend services and process authentication credentials - each component can be vulnerable.

We combine static analysis (decompilation, source code review) with dynamic analysis (runtime hooking, traffic interception). With Frida we hook security-critical functions, with Objection we bypass root detection and certificate pinning, with Jadx we decompile the APK. We understand how mobile apps are built - from native to Flutter and React Native.

iOS versus Android

• Android: easier to decompile (APK to Java/Kotlin), root detection often bypassable, local storage (SharedPreferences, SQLite) frequently unencrypted.
• iOS: stricter sandboxing but vulnerable to jailbreak bypass, Keychain misconfigurations, unsafe use of URL schemes and universal links.

Why should you get a mobile app pentest?

Users trust mobile apps with sensitive actions: banking, medical data, corporate systems. The risks:

• Insecure local storage: credentials or tokens stored unencrypted on the device.
• Missing certificate pinning: man-in-the-middle attacks possible.
• Reverse engineering: an attacker decompiles your app and finds hardcoded API keys or backend URLs.
• Authentication bypass: weak biometric implementation, session management or token handling.
• Business logic flaws: manipulating prices or bypassing purchases via the app.

Our approach

We follow the OWASP MASVS and MSTG, but go beyond the checklist. We share findings with you directly:

• Static analysis - decompilation, source code review for hardcoded secrets, insecure API calls, weak cryptography, debug functions in production.
• Dynamic analysis - runtime analysis with Frida: hooking, root/jailbreak bypass, certificate pinning bypass.
• Network communication - traffic interception with Burp Suite: TLS configuration, API authentication, data in transit.
• Local storage - databases, Keychain/Keystore, SharedPreferences, cache data for sensitive information.
• Authentication & session - biometric bypass, token handling, session fixation, account enumeration.
• Backend API - the app is just a frontend. The real vulnerabilities are often in the API. We include it in our test.
• Reporting - report conforming to MASVS with reproduction steps per platform. Retest available on request.

What does a mobile app pentest cost?

Our hourly rate is €175 per hour. Indications:

• One platform (iOS or Android) including backend API: €8,000 - €18,000
• Both platforms including backend API: €14,000 - €28,000

Costs depend on complexity, authentication methods and whether the backend API is included. Fixed quote after a scoping call - with the pentester who will perform the test.