CyberFortify mobile penetration testing assesses iOS and Android applications end-to-end - static binary, dynamic runtime, secure storage, transport, IPC, deep links and the backend APIs the app depends on - aligned with OWASP MASVS L1, L2 and R verification levels. Engagements deliver a developer-grade technical report, MSTG test-case coverage, CVSS v3.1 scoring, attestation letter and a free remediation retest.
// 01 What is mobile application penetration testing?
Mobile application penetration testing is the manual security assessment of an iOS or Android app across its entire attack surface - the binary, the runtime, on-device storage, transport security, platform integration, IPC and the backend APIs the app calls.
It is not a static scan, not a single-platform exercise, and not a binary "pass or fail." CyberFortify aligns engagements with OWASP MASVS verification levels: L1 (baseline), L2 (defence-in-depth) and R (resilience against reverse engineering).
Unlike a web application penetration test - where the attacker lives on the network and the client is a transient browser tab - a mobile penetration tester begins with the binary in their hand, on a device they fully control. Modern mobile apps are no longer thin clients. They carry significant business logic, embed cryptographic material, cache sensitive personal data on disk, integrate with platform features (biometrics, secure enclaves, push tokens, location services) and communicate with backend APIs that often expect a level of client-side trust the platform cannot guarantee.
CyberFortify's mobile application penetration testing services assess every one of those layers on a fleet of current and previous-generation iOS and Android test devices, including jailbroken and rooted units for runtime instrumentation with Frida, Objection and Burp Suite. The OWASP Mobile Security Testing Guide (MSTG) provides the test-case ledger we work through - per-control, per-platform, with reproducible evidence captured for every finding.
// 02 iOS vs Android - what changes between platforms
The MASVS controls apply to both platforms, but the implementation surface differs substantially. The same defect - "secrets retrievable from device storage" - manifests through Keychain access groups on iOS and through Keystore + SharedPreferences on Android, and the bypass techniques are entirely different. CyberFortify scopes by platform, not by abstraction.
iOS penetration testing
iPhone · iPad · iOS 16, 17, 18 · latest two majorsSandboxed Objective-C / Swift binaries distributed as IPA. Testing covers Keychain access control flags, App Transport Security exemptions, App Groups, App Extensions, App Clips, universal links, custom URL schemes, biometric LocalAuthentication and Secure Enclave-backed key material.
Android penetration testing
API level 28+ · Android 10 - 14 · Pixel + OEM coverageJava / Kotlin / NDK binaries distributed as APK or App Bundle. Testing covers exported components (activities, services, providers, receivers), intent filters, deep links, App Links, Keystore-bound keys, biometric BiometricPrompt, EncryptedSharedPreferences and Network Security Configuration policies.
// 03 OWASP Mobile Top 10 - risk classes covered
The OWASP Mobile Top 10 is the canonical list of mobile-specific risk classes. CyberFortify covers every class on every engagement, with depth tuned to the agreed MASVS verification level. The Mobile Top 10 is complementary to - not replaced by - the OWASP Top 10 for web, which covers the backend APIs that mobile apps consume.
Improper credential usage
Hardcoded API keys, OAuth secrets in plaintext, weak credential storage. Tested via static binary review (jadx, class-dump) and runtime memory inspection.
Inadequate supply chain
Vulnerable third-party SDKs, malicious analytics libraries, outdated native dependencies. Inventory + CVE matching + known-bad indicator scanning.
Insecure auth/authz
Client-side trust assumptions, missing server-side authorisation, biometric replay, OAuth flow weakness, session fixation in mobile contexts.
Insufficient I/O validation
Deep-link injection, intent redirection, custom URL scheme abuse, WebView javascript-bridge attacks, file:// and content:// scheme abuse.
Insecure communication
Missing or bypassable certificate pinning, TLS misconfiguration, cleartext fallback, plaintext cookies, App Transport Security exemptions.
Inadequate privacy controls
Excessive permissions, sensitive data in logs / crash reports / screenshots, clipboard leakage, background snapshot exposure, GDPR-incompatible analytics.
Insufficient binary protections
Lack of obfuscation, missing anti-tamper, debug symbols left in release builds, weak jailbreak / root detection logic, repackaging resilience.
Security misconfiguration
Exported components without permission gates, debuggable=true in release, allowBackup=true on sensitive data, debug endpoints reachable from production.
Insecure data storage
Plaintext PII in SQLite, sensitive data in NSUserDefaults / SharedPreferences, Keychain misuse (wrong access flags), shared App Group leakage.
Insufficient cryptography
Hardcoded keys, ECB mode usage, weak IV generation, broken algorithms (DES, MD5, SHA-1), key derivation weakness, custom crypto.
// 04 MASVS verification levels - choose your depth
The OWASP Mobile Application Security Verification Standard (MASVS) defines three verification levels. The level is selected during scoping based on data sensitivity, threat model and regulatory pressure. MASVS replaces the older "Top 10 only" approach with a structured control set you can verify against and report on.
MASVS L1 - standard security
The baseline. Every mobile app on a public store should clear MASVS L1. Covers transport, storage, authentication, code quality and platform interaction. No anti-reverse-engineering controls expected.
MASVS L2 - defence-in-depth
Stricter controls, mandatory secure storage of secrets, binding to platform key material (Keychain / Keystore), explicit certificate pinning, structured authentication flows, comprehensive privacy controls. The CyberFortify default for any app with personal data.
MASVS L2 + R - resilience controls
L2 plus the MASVS-RESILIENCE control set: anti-debugger, anti-Frida, anti-tampering, integrity verification, root / jailbreak detection, code obfuscation. Tested adversarially - we don't ask whether the controls are present, we ask whether they hold up under instrumentation.
// 05 Static + dynamic analysis - both, always
Static analysis without dynamic analysis misses runtime trust assumptions and bypassable controls. Dynamic analysis without static analysis misses hardcoded secrets, dead-code endpoints and supply-chain risk. A complete mobile security assessment requires both, performed in alternation rather than in sequence - static findings drive runtime hypotheses, runtime observations drive deeper static review.
The binary in isolation. The IPA or APK is unpacked, decompiled, scanned for secrets and known-bad indicators, and reviewed for the platform-specific anti-patterns that are visible on disk.
- IPA / APK / AAB unpacking, decompilation (jadx, class-dump, Hopper, Ghidra)
- Hardcoded API keys, OAuth secrets, embedded JWTs, signing keys
- Embedded URLs, debug endpoints, staging API hosts in release builds
- Third-party SDK inventory + known-bad scanning + CVE matching
- Native code review (Objective-C, Swift, Java, Kotlin, NDK / C / C++)
- Manifest review - permissions, exported components, intent filters, allowBackup, debuggable
- Network Security Configuration policy review (Android), App Transport Security exemptions (iOS)
- Crypto algorithm and mode usage scan, weak random source detection
The application running on a controlled device. Tested behaviour replaces tested code - runtime trust, biometric replay, pinning bypass, IPC abuse and on-device storage of live session material.
- Frida and Objection runtime hooking on jailbroken / rooted devices
- Certificate pinning bypass (URLSession, OkHttp, TrustManager, custom)
- Biometric / LocalAuthentication / BiometricPrompt replay testing
- Memory inspection for sensitive residue (tokens, keys, PII) post-logout
- Deep link / URL scheme / intent injection (drozer, manual fuzzing)
- WebView JavaScript-bridge attack surface, file:// scheme abuse
- IPC abuse - exported activities, services, broadcast receivers, content providers
- Backend API testing in parallel via Burp Suite intercepting the device
// 06 Mobile attack surface - what's in scope
A complete iOS and Android pen test covers six concrete scope categories. The depth applied to each is tuned to the agreed MASVS verification level - an L1 engagement may sample IPC abuse, where an L2+R engagement enumerates every exported component and tests anti-tamper logic adversarially.
Binary & SDK analysis
IPA / APK / AAB review, hardcoded secrets, embedded URLs, debug endpoints, native code review (Objective-C, Swift, Java, Kotlin, NDK), third-party SDK inventory and posture.
Runtime instrumentation
Frida and Objection hooking, authentication / biometrics / pinning routine review, memory inspection for sensitive residue, deep-link / URL scheme abuse, intent redirection.
Inter-process communication
Android exported activities, services, broadcast receivers, content providers; iOS App Groups, App Extensions, App Clips, custom URL handlers, universal links, share extensions.
Secure storage & crypto
iOS Keychain access flags, Android Keystore + StrongBox, SQLite, NSUserDefaults / SharedPreferences, encryption-at-rest implementation, token / session lifecycle.
Transport & pinning
Certificate pinning robustness and bypass, TLS configuration (versions, cipher suites, downgrade resilience), backend API security testing integrated.
Anti-tamper & resilience
Jailbreak / root detection robustness, debugger / Frida-server detection, reverse-engineering resilience (obfuscation, anti-tamper, integrity checks, RASP).
// 07 CyberFortify's mobile pen testing methodology
Mobile engagements follow the same seven-phase methodology used across all CyberFortify offensive security services, grounded in PTES and aligned with OWASP MASVS verification levels. Verification level (L1 = baseline, L2 = defence-in-depth, L2+R = resilience against reverse engineering) is agreed during scoping based on the threat profile of your application.
Pre-engagement
Rules of engagement, MASVS verification level selection, build provisioning - test users, dev / staging endpoints, app-store distribution, ad-hoc IPA, debug APK, app integrity exception list.
L1 / L2 / RStatic reverse engineering
IPA / APK / AAB unpacking, decompilation with jadx and Hopper, secret scanning, third-party SDK inventory, native-code review for NDK / Swift / Objective-C.
SASTThreat modelling
MASVS L1 / L2 / R control selection, attacker capability profile (passive observer, jailbroken-device attacker, repackaging adversary), data-flow trust boundaries device-to-backend.
MASVSDynamic instrumentation
Frida / Objection hooking, runtime tampering, certificate-pinning bypass, biometrics replay, memory dumping, deep-link / intent injection, IPC abuse with drozer.
DASTBackend API testing
The APIs the mobile app depends on tested in parallel - authorisation matrix, BOLA / IDOR, JWT signing, mass assignment, push notification token replay.
ParallelReporting
Findings with MASVS / MSTG references, CVSS v3.1 scoring, reproduction steps with screenshots / Frida scripts, prioritised remediation guidance for engineering.
MASVS / MSTGFree remediation retest
Every closed finding revalidated on the new build, attestation letter issued for compliance auditors and app-store submission packs.
Included// 08 Common mobile pen testing findings
The following findings appear repeatedly in real CyberFortify mobile engagements. Listed with severity and the MASVS / MSTG controls they map to. Use this as a self-audit checklist before scoping - if any of these are unverified in your current build, you have a candidate finding before testing begins.
Certificate pinning bypassable via Frida
Pinning implemented but bypassed in < 5 minutes with a generic Frida script. Backend treats device traffic as trusted, exposing every API endpoint to a man-in-the-middle on the user's network.
MASVS-NETWORK-1 / MSTG-NETWORK-4Hardcoded API key with admin scope
Static analysis revealed a backend API key in the binary granting administrative scope on the production environment. Single-key compromise of every customer record.
MASVS-CODE-4 / MSTG-CODE-4Sensitive data in NSUserDefaults / SharedPreferences
Session tokens, PII or full PAN cached in the wrong storage layer. Recoverable from an unencrypted device backup or from any process with sandbox-equivalent access.
MASVS-STORAGE-1 / MSTG-STORAGE-2Jailbreak / root detection bypassable
Single-flag detection logic patched out of the binary in seconds, or hooked away at runtime. App proceeds to provision Secure Enclave / Keystore-bound keys on a fully instrumented device.
MASVS-RESILIENCE-1 / MSTG-RESILIENCE-1Deep-link / intent injection
Custom URL scheme or universal link / Android App Link triggers state-changing operations without re-authentication. Attacker-controlled webpage sends a phishing victim straight to "transfer money to X."
MASVS-PLATFORM-3 / MSTG-PLATFORM-3WebView JavaScript bridge over-exposed
Native methods exposed to a WebView reachable through an attacker-supplied page (deep link to mobile site). Native bridge invoked with arbitrary parameters from JavaScript.
MASVS-PLATFORM-5 / MSTG-PLATFORM-7Sensitive data in screenshots / background snapshot
iOS app does not blur the background snapshot taken on backgrounding. Account dashboard / OTP / patient record is visible in the iOS app switcher and persists on disk in the snapshot cache.
MASVS-PRIVACY-2 / MSTG-STORAGE-9Vulnerable third-party SDK
Bundled analytics or advertising SDK with a known CVE. Supply-chain risk: a compromised SDK becomes a trojan inside a legitimately-published app.
MASVS-CODE-2 / MSTG-CODE-5// 09 When to commission a mobile pen test
Mobile pen testing is not an annual ritual - it is keyed to product change, threat exposure and regulatory deadline. The following triggers should each initiate a scoping conversation. Multiple triggers in a single quarter usually warrant a continuous testing arrangement rather than a discrete engagement.
Major release of a customer-facing app
Any iOS or Android release that changes authentication, payments, in-app purchase, identity verification or biometrics binding warrants pen testing pre-submission to the app store.
New SDK integration
Adding a third-party SDK - analytics, advertising, payments, video, biometrics - expands the binary's attack surface and supply-chain risk. Test before shipping, not after a security incident.
Platform major-version change
iOS 18 / Android 15 each introduced platform behaviour changes (privacy manifest, scoped storage, photo picker, BiometricPrompt-CryptoObject) that materially affect mobile security posture.
Compliance & audit requirements
PCI DSS 6.2.4, HIPAA Security Rule, SOC 2 CC4.1, EBA / DORA, and various national banking regulators require an annual mobile pen test on customer-facing apps.
App-store / app-review escalation
Apple App Review or Google Play Protect rejection, or a security finding flagged by Play Integrity / Apple's privacy nutrition label review, often requires evidence of independent assessment.
Known incident or threat report
A reported repackaging campaign, a compromised SDK supplier, or a fraud signal that may originate on the mobile channel. Pen testing scopes the actual exposure rather than guessing at it.
// 10 Mobile pen test vs MAST tools and app-store reviews
"Why do we need a mobile pen test if we already run MobSF / a MAST tool / submit to the app store?" The most common scoping question. The honest answer: automated MAST tools and app-store reviews each verify different and narrower properties, and both are necessary but neither is sufficient.
The right operating model is: MAST in CI on every build, app-store review for distribution gating, mobile pen test annually and on major change. Each catches a different class of defect.
// 11 Engagement timeline - what to expect
A typical CyberFortify mobile engagement covers seven to fourteen business days of active testing. Total elapsed time from scoping call to clean attestation usually runs four to six weeks. Single-platform engagements compress to roughly two-thirds of dual-platform timing.
Scoping & build provisioning
Free 30-minute scoping call, MASVS verification level selection, NDA, statement of work, ad-hoc / TestFlight / internal track distribution, debug APK, test users for both platforms.
Static + dynamic testing
Active testing - binary review, runtime instrumentation, IPC abuse, pinning bypass, backend API alongside. Daily Slack / email channel for clarifications and live-feed of critical findings.
Reporting
Draft technical report, executive summary, MASVS coverage matrix, MSTG control mapping, CVSS scoring, walk-through call with engineering for findings prioritisation.
Remediation retest & attestation
Engineering fixes findings on its own clock; CyberFortify revalidates each closed finding on the new build at no charge and issues an attestation letter for auditors and app-store submission.
// 12 Mobile testing toolchain
Tools instrument the work; judgement does the work. The CyberFortify mobile toolchain is open about what it uses so customers can verify methodology grounding and reproduce findings in-house.
Static analysis
jadx, apktool, class-dump, Hopper, Ghidra, MobSF, semgrep, custom secret scanners, dex2jar, otool, plutil.
Dynamic instrumentation
Frida, Frida-iOS, Objection, Cycript, idb, drozer, FriDA-DEXDump, fpicker, brida.
Network & API
Burp Suite Pro, Burp Mobile Assistant, mitmproxy, Charles, Wireshark, Postman, Frida proxy bridges.
Device tooling
checkra1n, Palera1n, Magisk, LSPosed, Xposed, ADB, libimobiledevice, AltStore, Sideloadly, Apple Configurator.
Resilience testing
Frida hook libraries for jailbreak / root detection bypass, custom anti-anti-Frida tooling, repackaging chains, integrity-check probe scripts.
Reporting & PoC
Custom reporting templates, scripted Frida PoCs delivered with reports, video capture of dynamic findings, MASVS / MSTG cross-reference automation.
// 13 Standards & compliance mapping
Findings are scored, written and cross-referenced against the standards your auditors and engineering teams already work with. Use this table when scoping with a compliance or audit lead - it is the same table that ships in the deliverable.
| Standard | Reference | What our test covers |
|---|---|---|
| OWASP MASVS | L1 / L2 / R verification levels | Coverage depth statement - the per-control checklist |
| OWASP MSTG | Test cases per category | Methodology grounding - per-test reproducibility |
| OWASP Mobile Top 10 | M1-M10 (2024) | Risk-class coverage independent of MASVS depth |
| PCI DSS v4.0 | Req 6.2.4, 11.4, 8.3, 4.2.1.2 | Mobile payment apps in cardholder data environments |
| HIPAA Security Rule | 164.308(a)(8), 164.312(a)(2)(iv), 164.312(e)(1) | ePHI on mobile, evaluation evidence, encryption |
| GDPR | Article 32(1)(d), Article 25 | Personal data on device, privacy-by-design verification |
| ISO/IEC 27001:2022 | A.8.25, A.8.28, A.8.29 | Secure development lifecycle, secure coding, security testing |
| SOC 2 | CC4.1, CC7.1 | Independent third-party security assessment for SaaS apps with mobile clients |
| NIST CSF 2.0 | ID.RA-1, PR.IP-12, DE.CM-8 | Mobile risk identification, vulnerability management, continuous detection |
| NIST SP 800-163 r1 | Vetting the Security of Mobile Apps | Federal mobile-app vetting alignment |
// 14 Why teams choose CyberFortify for mobile pen testing
Manual, MASVS-graded testing
Every engagement is delivered by a senior mobile pen tester - no off-shore juniors, no auto-generated reports. Findings are MASVS / MSTG-mapped with reproducible Frida scripts and screenshots.
Both platforms, one engagement
iOS and Android tested in parallel by the same lead. Cross-platform consistency findings (e.g. "pinning enforced on iOS, missing on Android") surface naturally rather than being missed across separate engagements.
Backend API tested alongside
The APIs the mobile app depends on are tested in parallel. Mobile-only or API-only engagements miss the chained findings that matter operationally.
Adversarial resilience testing
For MASVS L2+R, anti-tamper, jailbreak detection and obfuscation are tested adversarially - we do not check whether the controls are present, we measure how long they survive contact with an instrumented device.
Free remediation retest
After your engineering team closes findings, CyberFortify revalidates each one on the new build at no extra cost. The attestation letter only ships when the build is clean.
Audit-ready deliverable
The report is the deliverable auditors and app-store submission teams expect - CVSS scoring, MASVS coverage matrix, executive summary, technical detail, attestation letter signed by the lead tester.
// 15 Frequently asked questions about mobile pen testing
What is mobile application penetration testing?
Mobile application penetration testing is the manual security assessment of an iOS or Android application across its entire attack surface - static binary analysis, dynamic runtime instrumentation, secure storage, transport security, platform integration, IPC and the backend APIs the app depends on. CyberFortify aligns engagements with OWASP MASVS L1, L2 or R verification levels and follows the OWASP Mobile Security Testing Guide (MSTG).
What is the difference between MASVS L1, L2 and R?
MASVS L1 is the baseline standard for any application handling sensitive data. MASVS L2 adds defence-in-depth controls and is the recommended floor for any app handling personal data, payments or authentication. MASVS R adds resilience controls against reverse engineering and runtime tampering, and is recommended for banking apps, identity wallets, authenticator apps and apps with a strong intellectual-property concern.
Do you test against jailbroken / rooted devices?
Yes. CyberFortify maintains a fleet of test devices spanning current and previous-generation iOS and Android, including jailbroken and rooted units used for runtime instrumentation with Frida, Objection and Burp Suite. Where the application implements jailbreak / root detection, we test the robustness of that detection logic explicitly under MASVS-RESILIENCE-1.
How is certificate pinning bypass tested?
Certificate pinning bypass is tested across multiple vectors - Frida hooks against URLSession, NSURLSession, OkHttp, TrustManager and HostnameVerifier; static patching of pinning logic in the binary; runtime tampering with custom CA installation. The test verifies whether traffic remains protected when an attacker controls the device, not whether pinning is implemented at all.
What about apps using React Native, Flutter or Xamarin?
All cross-platform frameworks are in scope. JavaScript bundles for React Native are unpacked and reviewed; Flutter snapshot data and flutter_assets are decompiled where feasible; Xamarin / .NET MAUI assemblies are decompiled. The same MASVS verification levels apply regardless of underlying framework.
Do you test the backend APIs at the same time?
Yes by default. Mobile engagements include the backend APIs the app depends on - covered in detail by our API penetration testing service. Mobile-specific findings frequently chain through backend authorisation gaps, so combined testing surfaces issues neither layer would catch alone.
How long does a typical mobile pen test take?
Seven to fourteen business days of active testing, depending on whether it is single-platform or both, MASVS verification level and backend API complexity. Total elapsed time including scoping, reporting and the free remediation retest typically spans four to six weeks.
How much does a mobile pen test cost?
Fixed-price engagements scoped during a free 30-minute call. Cost is driven by platform count (single vs both), MASVS verification level (L1 / L2 / L2+R) and backend API surface. Typical engagements range from mid-five-figures for an L1 single-platform app to six figures for L2+R dual-platform with extensive backend.
Does mobile pen testing satisfy PCI DSS Requirement 6.2.4?
Yes. Mobile applications that capture, store or transmit cardholder data fall within PCI DSS scope, and the CyberFortify mobile pen test produces the evidence required for Requirement 6.2.4 (software attack defences). For mobile payment apps that integrate with PIN entry or biometrics, additional MASVS L2+R resilience testing is recommended.
Will the test crash production users or trigger fraud rules?
No. Mobile testing is performed against staging or pre-production builds where possible, with dedicated test accounts and ad-hoc / TestFlight / internal-track distribution. Where production endpoints must be touched, tests are coordinated with on-call engineering and constrained to non-destructive vectors. Rate-limit / fraud rule handling is agreed during scoping.