Service A.03 · Mobile Application Penetration Testing

Mobile application penetration testing for iOS and Android, aligned with OWASP MASVS.

CyberFortify's mobile application penetration testing services assess iOS and Android apps end-to-end - client-side runtime, reverse-engineering resilience, network communication, backend API security and platform integration. Engagements are aligned with the OWASP Mobile Application Security Verification Standard (MASVS) and Mobile Security Testing Guide (MSTG), producing audit-ready reports your engineering team can ship from.

Aligned with: OWASP MASVS · MSTG · PTES Engagement: 7-14 business days Coverage: iOS · Android · backend API
iOS
Latest 2 versions
Android
API 28+
MASVS
L1 / L2 / R
Free retest
Test classes: Insecure storage · SQLite leakage · KeyChain misuse · KeyStore weakness · cert pinning bypass · jailbreak / root detection · Frida hooking · debugger attach · reverse engineering · OBFS bypass · deep-link abuse · intent injection Test classes: Insecure storage · SQLite leakage · KeyChain misuse · KeyStore weakness · cert pinning bypass · jailbreak / root detection · Frida hooking · debugger attach · reverse engineering · OBFS bypass · deep-link abuse · intent injection
// Executive summary

CyberFortify mobile penetration testing assesses iOS and Android applications end-to-end - static binary, dynamic runtime, secure storage, transport, IPC, deep links and the backend APIs the app depends on - aligned with OWASP MASVS L1, L2 and R verification levels. Engagements deliver a developer-grade technical report, MSTG test-case coverage, CVSS v3.1 scoring, attestation letter and a free remediation retest.

// 01 What is mobile application penetration testing?

// DefinitionMobile Pen Test

Mobile application penetration testing is the manual security assessment of an iOS or Android app across its entire attack surface - the binary, the runtime, on-device storage, transport security, platform integration, IPC and the backend APIs the app calls.

It is not a static scan, not a single-platform exercise, and not a binary "pass or fail." CyberFortify aligns engagements with OWASP MASVS verification levels: L1 (baseline), L2 (defence-in-depth) and R (resilience against reverse engineering).

Unlike a web application penetration test - where the attacker lives on the network and the client is a transient browser tab - a mobile penetration tester begins with the binary in their hand, on a device they fully control. Modern mobile apps are no longer thin clients. They carry significant business logic, embed cryptographic material, cache sensitive personal data on disk, integrate with platform features (biometrics, secure enclaves, push tokens, location services) and communicate with backend APIs that often expect a level of client-side trust the platform cannot guarantee.

CyberFortify's mobile application penetration testing services assess every one of those layers on a fleet of current and previous-generation iOS and Android test devices, including jailbroken and rooted units for runtime instrumentation with Frida, Objection and Burp Suite. The OWASP Mobile Security Testing Guide (MSTG) provides the test-case ledger we work through - per-control, per-platform, with reproducible evidence captured for every finding.

// 02 iOS vs Android - what changes between platforms

The MASVS controls apply to both platforms, but the implementation surface differs substantially. The same defect - "secrets retrievable from device storage" - manifests through Keychain access groups on iOS and through Keystore + SharedPreferences on Android, and the bypass techniques are entirely different. CyberFortify scopes by platform, not by abstraction.

Apple platform

iOS penetration testing

iPhone · iPad · iOS 16, 17, 18 · latest two majors

Sandboxed Objective-C / Swift binaries distributed as IPA. Testing covers Keychain access control flags, App Transport Security exemptions, App Groups, App Extensions, App Clips, universal links, custom URL schemes, biometric LocalAuthentication and Secure Enclave-backed key material.

ToolchainFrida-iOS, Objection, class-dump, Hopper, Ghidra, Cycript, idb, MobSF
StorageKeychain, NSUserDefaults, plist, Core Data, file protection classes
CryptoCommonCrypto, CryptoKit, Secure Enclave, kSecAccessControl flags
PinningURLSession delegate, AlamoFire, TrustKit, manual SecTrustEvaluate
ResilienceJailbreak detection, debugger detection (PT_DENY_ATTACH), Frida-server detection
Google platform

Android penetration testing

API level 28+ · Android 10 - 14 · Pixel + OEM coverage

Java / Kotlin / NDK binaries distributed as APK or App Bundle. Testing covers exported components (activities, services, providers, receivers), intent filters, deep links, App Links, Keystore-bound keys, biometric BiometricPrompt, EncryptedSharedPreferences and Network Security Configuration policies.

ToolchainFrida, Objection, apktool, jadx, Ghidra, drozer, MobSF, adb
StorageKeystore, SharedPreferences, EncryptedSharedPrefs, SQLite, scoped storage
Cryptojavax.crypto, AndroidKeyStore, StrongBox, BiometricPrompt-CryptoObject
PinningOkHttp CertificatePinner, TrustManager, Network Security Config, conscrypt
ResilienceRoot detection (SafetyNet, Play Integrity), Frida detection, RASP / DexGuard review

// 03 OWASP Mobile Top 10 - risk classes covered

The OWASP Mobile Top 10 is the canonical list of mobile-specific risk classes. CyberFortify covers every class on every engagement, with depth tuned to the agreed MASVS verification level. The Mobile Top 10 is complementary to - not replaced by - the OWASP Top 10 for web, which covers the backend APIs that mobile apps consume.

M1 · 2024

Improper credential usage

Hardcoded API keys, OAuth secrets in plaintext, weak credential storage. Tested via static binary review (jadx, class-dump) and runtime memory inspection.

M2 · 2024

Inadequate supply chain

Vulnerable third-party SDKs, malicious analytics libraries, outdated native dependencies. Inventory + CVE matching + known-bad indicator scanning.

M3 · 2024

Insecure auth/authz

Client-side trust assumptions, missing server-side authorisation, biometric replay, OAuth flow weakness, session fixation in mobile contexts.

M4 · 2024

Insufficient I/O validation

Deep-link injection, intent redirection, custom URL scheme abuse, WebView javascript-bridge attacks, file:// and content:// scheme abuse.

M5 · 2024

Insecure communication

Missing or bypassable certificate pinning, TLS misconfiguration, cleartext fallback, plaintext cookies, App Transport Security exemptions.

M6 · 2024

Inadequate privacy controls

Excessive permissions, sensitive data in logs / crash reports / screenshots, clipboard leakage, background snapshot exposure, GDPR-incompatible analytics.

M7 · 2024

Insufficient binary protections

Lack of obfuscation, missing anti-tamper, debug symbols left in release builds, weak jailbreak / root detection logic, repackaging resilience.

M8 · 2024

Security misconfiguration

Exported components without permission gates, debuggable=true in release, allowBackup=true on sensitive data, debug endpoints reachable from production.

M9 · 2024

Insecure data storage

Plaintext PII in SQLite, sensitive data in NSUserDefaults / SharedPreferences, Keychain misuse (wrong access flags), shared App Group leakage.

M10 · 2024

Insufficient cryptography

Hardcoded keys, ECB mode usage, weak IV generation, broken algorithms (DES, MD5, SHA-1), key derivation weakness, custom crypto.

// 04 MASVS verification levels - choose your depth

The OWASP Mobile Application Security Verification Standard (MASVS) defines three verification levels. The level is selected during scoping based on data sensitivity, threat model and regulatory pressure. MASVS replaces the older "Top 10 only" approach with a structured control set you can verify against and report on.

L1Baseline

MASVS L1 - standard security

The baseline. Every mobile app on a public store should clear MASVS L1. Covers transport, storage, authentication, code quality and platform interaction. No anti-reverse-engineering controls expected.

MASVS-STORAGEMASVS-CRYPTOMASVS-AUTHMASVS-NETWORKMASVS-PLATFORMMASVS-CODEMASVS-PRIVACY
// Recommended forBrochure apps, content readers, calculators - apps that handle no PII or payments and have no regulatory exposure.
L2Defence-in-depth

MASVS L2 - defence-in-depth

Stricter controls, mandatory secure storage of secrets, binding to platform key material (Keychain / Keystore), explicit certificate pinning, structured authentication flows, comprehensive privacy controls. The CyberFortify default for any app with personal data.

All L1Hardware-backed cryptoPinningStrict authNo sensitive logsPrivacy by default
// Recommended forConsumer SaaS with login, e-commerce, telemedicine, B2B productivity, social, messaging - any app with PII, accounts or payments.
L2+RResilience

MASVS L2 + R - resilience controls

L2 plus the MASVS-RESILIENCE control set: anti-debugger, anti-Frida, anti-tampering, integrity verification, root / jailbreak detection, code obfuscation. Tested adversarially - we don't ask whether the controls are present, we ask whether they hold up under instrumentation.

All L2Anti-debugAnti-FridaAnti-tamperIntegrity checkJB / root detectObfuscation
// Recommended forBanking, payment processing, identity wallets, authenticator apps, DRM-bearing media apps, any app whose business model depends on the binary's integrity.

// 05 Static + dynamic analysis - both, always

Static analysis without dynamic analysis misses runtime trust assumptions and bypassable controls. Dynamic analysis without static analysis misses hardcoded secrets, dead-code endpoints and supply-chain risk. A complete mobile security assessment requires both, performed in alternation rather than in sequence - static findings drive runtime hypotheses, runtime observations drive deeper static review.

// SAST

Static analysis

Pre-runtime

The binary in isolation. The IPA or APK is unpacked, decompiled, scanned for secrets and known-bad indicators, and reviewed for the platform-specific anti-patterns that are visible on disk.

  • IPA / APK / AAB unpacking, decompilation (jadx, class-dump, Hopper, Ghidra)
  • Hardcoded API keys, OAuth secrets, embedded JWTs, signing keys
  • Embedded URLs, debug endpoints, staging API hosts in release builds
  • Third-party SDK inventory + known-bad scanning + CVE matching
  • Native code review (Objective-C, Swift, Java, Kotlin, NDK / C / C++)
  • Manifest review - permissions, exported components, intent filters, allowBackup, debuggable
  • Network Security Configuration policy review (Android), App Transport Security exemptions (iOS)
  • Crypto algorithm and mode usage scan, weak random source detection
MobSFjadxclass-dumpGhidraHopperapktoolsemgrep
// DAST

Dynamic analysis

Runtime

The application running on a controlled device. Tested behaviour replaces tested code - runtime trust, biometric replay, pinning bypass, IPC abuse and on-device storage of live session material.

  • Frida and Objection runtime hooking on jailbroken / rooted devices
  • Certificate pinning bypass (URLSession, OkHttp, TrustManager, custom)
  • Biometric / LocalAuthentication / BiometricPrompt replay testing
  • Memory inspection for sensitive residue (tokens, keys, PII) post-logout
  • Deep link / URL scheme / intent injection (drozer, manual fuzzing)
  • WebView JavaScript-bridge attack surface, file:// scheme abuse
  • IPC abuse - exported activities, services, broadcast receivers, content providers
  • Backend API testing in parallel via Burp Suite intercepting the device
FridaObjectionBurp SuitedrozeridbadbCycript

// 06 Mobile attack surface - what's in scope

A complete iOS and Android pen test covers six concrete scope categories. The depth applied to each is tuned to the agreed MASVS verification level - an L1 engagement may sample IPC abuse, where an L2+R engagement enumerates every exported component and tests anti-tamper logic adversarially.

M.01 · Static

Binary & SDK analysis

IPA / APK / AAB review, hardcoded secrets, embedded URLs, debug endpoints, native code review (Objective-C, Swift, Java, Kotlin, NDK), third-party SDK inventory and posture.

M.02 · Dynamic

Runtime instrumentation

Frida and Objection hooking, authentication / biometrics / pinning routine review, memory inspection for sensitive residue, deep-link / URL scheme abuse, intent redirection.

M.03 · IPC

Inter-process communication

Android exported activities, services, broadcast receivers, content providers; iOS App Groups, App Extensions, App Clips, custom URL handlers, universal links, share extensions.

M.04 · Storage

Secure storage & crypto

iOS Keychain access flags, Android Keystore + StrongBox, SQLite, NSUserDefaults / SharedPreferences, encryption-at-rest implementation, token / session lifecycle.

M.05 · Network

Transport & pinning

Certificate pinning robustness and bypass, TLS configuration (versions, cipher suites, downgrade resilience), backend API security testing integrated.

M.06 · Platform

Anti-tamper & resilience

Jailbreak / root detection robustness, debugger / Frida-server detection, reverse-engineering resilience (obfuscation, anti-tamper, integrity checks, RASP).

// 07 CyberFortify's mobile pen testing methodology

Mobile engagements follow the same seven-phase methodology used across all CyberFortify offensive security services, grounded in PTES and aligned with OWASP MASVS verification levels. Verification level (L1 = baseline, L2 = defence-in-depth, L2+R = resilience against reverse engineering) is agreed during scoping based on the threat profile of your application.

01

Pre-engagement

Rules of engagement, MASVS verification level selection, build provisioning - test users, dev / staging endpoints, app-store distribution, ad-hoc IPA, debug APK, app integrity exception list.

L1 / L2 / R
02

Static reverse engineering

IPA / APK / AAB unpacking, decompilation with jadx and Hopper, secret scanning, third-party SDK inventory, native-code review for NDK / Swift / Objective-C.

SAST
03

Threat modelling

MASVS L1 / L2 / R control selection, attacker capability profile (passive observer, jailbroken-device attacker, repackaging adversary), data-flow trust boundaries device-to-backend.

MASVS
04

Dynamic instrumentation

Frida / Objection hooking, runtime tampering, certificate-pinning bypass, biometrics replay, memory dumping, deep-link / intent injection, IPC abuse with drozer.

DAST
05

Backend API testing

The APIs the mobile app depends on tested in parallel - authorisation matrix, BOLA / IDOR, JWT signing, mass assignment, push notification token replay.

Parallel
06

Reporting

Findings with MASVS / MSTG references, CVSS v3.1 scoring, reproduction steps with screenshots / Frida scripts, prioritised remediation guidance for engineering.

MASVS / MSTG
07

Free remediation retest

Every closed finding revalidated on the new build, attestation letter issued for compliance auditors and app-store submission packs.

Included

// 08 Common mobile pen testing findings

The following findings appear repeatedly in real CyberFortify mobile engagements. Listed with severity and the MASVS / MSTG controls they map to. Use this as a self-audit checklist before scoping - if any of these are unverified in your current build, you have a candidate finding before testing begins.

CriticalF.M01

Certificate pinning bypassable via Frida

Pinning implemented but bypassed in < 5 minutes with a generic Frida script. Backend treats device traffic as trusted, exposing every API endpoint to a man-in-the-middle on the user's network.

MASVS-NETWORK-1 / MSTG-NETWORK-4
CriticalF.M02

Hardcoded API key with admin scope

Static analysis revealed a backend API key in the binary granting administrative scope on the production environment. Single-key compromise of every customer record.

MASVS-CODE-4 / MSTG-CODE-4
HighF.M03

Sensitive data in NSUserDefaults / SharedPreferences

Session tokens, PII or full PAN cached in the wrong storage layer. Recoverable from an unencrypted device backup or from any process with sandbox-equivalent access.

MASVS-STORAGE-1 / MSTG-STORAGE-2
HighF.M04

Jailbreak / root detection bypassable

Single-flag detection logic patched out of the binary in seconds, or hooked away at runtime. App proceeds to provision Secure Enclave / Keystore-bound keys on a fully instrumented device.

MASVS-RESILIENCE-1 / MSTG-RESILIENCE-1
HighF.M05

Deep-link / intent injection

Custom URL scheme or universal link / Android App Link triggers state-changing operations without re-authentication. Attacker-controlled webpage sends a phishing victim straight to "transfer money to X."

MASVS-PLATFORM-3 / MSTG-PLATFORM-3
MediumF.M06

WebView JavaScript bridge over-exposed

Native methods exposed to a WebView reachable through an attacker-supplied page (deep link to mobile site). Native bridge invoked with arbitrary parameters from JavaScript.

MASVS-PLATFORM-5 / MSTG-PLATFORM-7
MediumF.M07

Sensitive data in screenshots / background snapshot

iOS app does not blur the background snapshot taken on backgrounding. Account dashboard / OTP / patient record is visible in the iOS app switcher and persists on disk in the snapshot cache.

MASVS-PRIVACY-2 / MSTG-STORAGE-9
MediumF.M08

Vulnerable third-party SDK

Bundled analytics or advertising SDK with a known CVE. Supply-chain risk: a compromised SDK becomes a trojan inside a legitimately-published app.

MASVS-CODE-2 / MSTG-CODE-5

// 09 When to commission a mobile pen test

Mobile pen testing is not an annual ritual - it is keyed to product change, threat exposure and regulatory deadline. The following triggers should each initiate a scoping conversation. Multiple triggers in a single quarter usually warrant a continuous testing arrangement rather than a discrete engagement.

01

Major release of a customer-facing app

Any iOS or Android release that changes authentication, payments, in-app purchase, identity verification or biometrics binding warrants pen testing pre-submission to the app store.

02

New SDK integration

Adding a third-party SDK - analytics, advertising, payments, video, biometrics - expands the binary's attack surface and supply-chain risk. Test before shipping, not after a security incident.

03

Platform major-version change

iOS 18 / Android 15 each introduced platform behaviour changes (privacy manifest, scoped storage, photo picker, BiometricPrompt-CryptoObject) that materially affect mobile security posture.

04

Compliance & audit requirements

PCI DSS 6.2.4, HIPAA Security Rule, SOC 2 CC4.1, EBA / DORA, and various national banking regulators require an annual mobile pen test on customer-facing apps.

05

App-store / app-review escalation

Apple App Review or Google Play Protect rejection, or a security finding flagged by Play Integrity / Apple's privacy nutrition label review, often requires evidence of independent assessment.

06

Known incident or threat report

A reported repackaging campaign, a compromised SDK supplier, or a fraud signal that may originate on the mobile channel. Pen testing scopes the actual exposure rather than guessing at it.

// 10 Mobile pen test vs MAST tools and app-store reviews

"Why do we need a mobile pen test if we already run MobSF / a MAST tool / submit to the app store?" The most common scoping question. The honest answer: automated MAST tools and app-store reviews each verify different and narrower properties, and both are necessary but neither is sufficient.

Capability
Mobile pen test
MAST / SAST tool
App-store review
Hardcoded secret detection
Manual + scanner
Pattern-based
No
Certificate pinning bypass
Adversarial Frida
Detect presence only
No
Runtime instrumentation
Frida / Objection
Limited emulator
No
Anti-tamper / RE resilience
Adversarial
Cannot test
No
Deep-link / intent injection
Manual + drozer
Surface only
No
Backend API authorisation
Manual chained
Out of scope
No
Privacy / permission misuse
Behavioural
Manifest only
Privacy nutrition label
Compliance evidence
PCI / HIPAA / SOC 2
Partial
No

The right operating model is: MAST in CI on every build, app-store review for distribution gating, mobile pen test annually and on major change. Each catches a different class of defect.

// 11 Engagement timeline - what to expect

A typical CyberFortify mobile engagement covers seven to fourteen business days of active testing. Total elapsed time from scoping call to clean attestation usually runs four to six weeks. Single-platform engagements compress to roughly two-thirds of dual-platform timing.

Week 1

Scoping & build provisioning

Free 30-minute scoping call, MASVS verification level selection, NDA, statement of work, ad-hoc / TestFlight / internal track distribution, debug APK, test users for both platforms.

Week 2-3

Static + dynamic testing

Active testing - binary review, runtime instrumentation, IPC abuse, pinning bypass, backend API alongside. Daily Slack / email channel for clarifications and live-feed of critical findings.

Week 4

Reporting

Draft technical report, executive summary, MASVS coverage matrix, MSTG control mapping, CVSS scoring, walk-through call with engineering for findings prioritisation.

Week 5-6

Remediation retest & attestation

Engineering fixes findings on its own clock; CyberFortify revalidates each closed finding on the new build at no charge and issues an attestation letter for auditors and app-store submission.

// 12 Mobile testing toolchain

Tools instrument the work; judgement does the work. The CyberFortify mobile toolchain is open about what it uses so customers can verify methodology grounding and reproduce findings in-house.

Static analysis

jadx, apktool, class-dump, Hopper, Ghidra, MobSF, semgrep, custom secret scanners, dex2jar, otool, plutil.

Dynamic instrumentation

Frida, Frida-iOS, Objection, Cycript, idb, drozer, FriDA-DEXDump, fpicker, brida.

Network & API

Burp Suite Pro, Burp Mobile Assistant, mitmproxy, Charles, Wireshark, Postman, Frida proxy bridges.

Device tooling

checkra1n, Palera1n, Magisk, LSPosed, Xposed, ADB, libimobiledevice, AltStore, Sideloadly, Apple Configurator.

Resilience testing

Frida hook libraries for jailbreak / root detection bypass, custom anti-anti-Frida tooling, repackaging chains, integrity-check probe scripts.

Reporting & PoC

Custom reporting templates, scripted Frida PoCs delivered with reports, video capture of dynamic findings, MASVS / MSTG cross-reference automation.

// 13 Standards & compliance mapping

Findings are scored, written and cross-referenced against the standards your auditors and engineering teams already work with. Use this table when scoping with a compliance or audit lead - it is the same table that ships in the deliverable.

StandardReferenceWhat our test covers
OWASP MASVSL1 / L2 / R verification levelsCoverage depth statement - the per-control checklist
OWASP MSTGTest cases per categoryMethodology grounding - per-test reproducibility
OWASP Mobile Top 10M1-M10 (2024)Risk-class coverage independent of MASVS depth
PCI DSS v4.0Req 6.2.4, 11.4, 8.3, 4.2.1.2Mobile payment apps in cardholder data environments
HIPAA Security Rule164.308(a)(8), 164.312(a)(2)(iv), 164.312(e)(1)ePHI on mobile, evaluation evidence, encryption
GDPRArticle 32(1)(d), Article 25Personal data on device, privacy-by-design verification
ISO/IEC 27001:2022A.8.25, A.8.28, A.8.29Secure development lifecycle, secure coding, security testing
SOC 2CC4.1, CC7.1Independent third-party security assessment for SaaS apps with mobile clients
NIST CSF 2.0ID.RA-1, PR.IP-12, DE.CM-8Mobile risk identification, vulnerability management, continuous detection
NIST SP 800-163 r1Vetting the Security of Mobile AppsFederal mobile-app vetting alignment

// 14 Why teams choose CyberFortify for mobile pen testing

Manual, MASVS-graded testing

Every engagement is delivered by a senior mobile pen tester - no off-shore juniors, no auto-generated reports. Findings are MASVS / MSTG-mapped with reproducible Frida scripts and screenshots.

Both platforms, one engagement

iOS and Android tested in parallel by the same lead. Cross-platform consistency findings (e.g. "pinning enforced on iOS, missing on Android") surface naturally rather than being missed across separate engagements.

Backend API tested alongside

The APIs the mobile app depends on are tested in parallel. Mobile-only or API-only engagements miss the chained findings that matter operationally.

Adversarial resilience testing

For MASVS L2+R, anti-tamper, jailbreak detection and obfuscation are tested adversarially - we do not check whether the controls are present, we measure how long they survive contact with an instrumented device.

Free remediation retest

After your engineering team closes findings, CyberFortify revalidates each one on the new build at no extra cost. The attestation letter only ships when the build is clean.

Audit-ready deliverable

The report is the deliverable auditors and app-store submission teams expect - CVSS scoring, MASVS coverage matrix, executive summary, technical detail, attestation letter signed by the lead tester.

// 15 Frequently asked questions about mobile pen testing

What is mobile application penetration testing?

Mobile application penetration testing is the manual security assessment of an iOS or Android application across its entire attack surface - static binary analysis, dynamic runtime instrumentation, secure storage, transport security, platform integration, IPC and the backend APIs the app depends on. CyberFortify aligns engagements with OWASP MASVS L1, L2 or R verification levels and follows the OWASP Mobile Security Testing Guide (MSTG).

What is the difference between MASVS L1, L2 and R?

MASVS L1 is the baseline standard for any application handling sensitive data. MASVS L2 adds defence-in-depth controls and is the recommended floor for any app handling personal data, payments or authentication. MASVS R adds resilience controls against reverse engineering and runtime tampering, and is recommended for banking apps, identity wallets, authenticator apps and apps with a strong intellectual-property concern.

Do you test against jailbroken / rooted devices?

Yes. CyberFortify maintains a fleet of test devices spanning current and previous-generation iOS and Android, including jailbroken and rooted units used for runtime instrumentation with Frida, Objection and Burp Suite. Where the application implements jailbreak / root detection, we test the robustness of that detection logic explicitly under MASVS-RESILIENCE-1.

How is certificate pinning bypass tested?

Certificate pinning bypass is tested across multiple vectors - Frida hooks against URLSession, NSURLSession, OkHttp, TrustManager and HostnameVerifier; static patching of pinning logic in the binary; runtime tampering with custom CA installation. The test verifies whether traffic remains protected when an attacker controls the device, not whether pinning is implemented at all.

What about apps using React Native, Flutter or Xamarin?

All cross-platform frameworks are in scope. JavaScript bundles for React Native are unpacked and reviewed; Flutter snapshot data and flutter_assets are decompiled where feasible; Xamarin / .NET MAUI assemblies are decompiled. The same MASVS verification levels apply regardless of underlying framework.

Do you test the backend APIs at the same time?

Yes by default. Mobile engagements include the backend APIs the app depends on - covered in detail by our API penetration testing service. Mobile-specific findings frequently chain through backend authorisation gaps, so combined testing surfaces issues neither layer would catch alone.

How long does a typical mobile pen test take?

Seven to fourteen business days of active testing, depending on whether it is single-platform or both, MASVS verification level and backend API complexity. Total elapsed time including scoping, reporting and the free remediation retest typically spans four to six weeks.

How much does a mobile pen test cost?

Fixed-price engagements scoped during a free 30-minute call. Cost is driven by platform count (single vs both), MASVS verification level (L1 / L2 / L2+R) and backend API surface. Typical engagements range from mid-five-figures for an L1 single-platform app to six figures for L2+R dual-platform with extensive backend.

Does mobile pen testing satisfy PCI DSS Requirement 6.2.4?

Yes. Mobile applications that capture, store or transmit cardholder data fall within PCI DSS scope, and the CyberFortify mobile pen test produces the evidence required for Requirement 6.2.4 (software attack defences). For mobile payment apps that integrate with PIN entry or biometrics, additional MASVS L2+R resilience testing is recommended.

Will the test crash production users or trigger fraud rules?

No. Mobile testing is performed against staging or pre-production builds where possible, with dedicated test accounts and ad-hoc / TestFlight / internal-track distribution. Where production endpoints must be touched, tests are coordinated with on-call engineering and constrained to non-destructive vectors. Rate-limit / fraud rule handling is agreed during scoping.

Ready for a manual mobile pen test?

Schedule a free 30-minute scoping call. CyberFortify will recommend an iOS / Android scope, MASVS verification level and quote a fixed-price engagement - usually within 48 hours.

Schedule scoping call → Back to CyberFortify home →