Mobile application penetration testing is a security assessment that examines mobile apps (iOS and Android), their backend APIs, the data they store on the device, and the trust boundaries between them. The aim is to discover and demonstrate flaws that an attacker could exploit to harvest credentials, leak personal data, manipulate transactions, or compromise the user device.
What gets tested
The compiled app is reviewed for insecure storage of sensitive data (keychains, shared preferences, internal databases), insecure communications (broken TLS, certificate pinning bypass), reverse-engineering exposure (debug symbols, missing obfuscation, hard-coded secrets), and platform-specific risks such as exported activities on Android or URL scheme handling on iOS. The backend APIs are tested as a web service in their own right, covering authentication, authorisation, input validation, and business-logic flaws.
Methodology and frameworks
The OWASP Mobile Application Security Verification Standard (MASVS) and its companion Mobile Security Testing Guide (MSTG) are the dominant frameworks. They define verification levels (L1 for general use, L2 for sensitive applications, R for resilience against reverse engineering and tampering) and provide test cases organised by topic (storage, cryptography, authentication, network, platform interaction, code quality, resilience).
Common tools
Static analysis: MobSF for an automated baseline, jadx and Apktool for Android reverse engineering, class-dump and Ghidra for iOS binaries. Dynamic analysis: Burp Suite with mobile-friendly proxy configuration, Frida for runtime instrumentation, Objection for ready-made iOS and Android automation, Drozer for Android attack surface analysis. Device setup typically involves a rooted Android or jailbroken iOS device for the testing environment.
Common findings
Sensitive data stored unencrypted in app sandboxes, hard-coded API keys recoverable from the binary, weak or missing certificate pinning, backend APIs that trust client-supplied user IDs without authorisation checks, debug logging that exposes session tokens, and excessive permissions that make a compromised app dangerous beyond its stated purpose.
When to test
Before public launch, after significant feature releases, on a recurring annual basis for apps in regulated sectors, and whenever the backend or authentication model changes. Many UK financial services and healthcare clients also test mobile apps as part of their wider compliance programme (FCA expectations, NHS DSPT, PCI DSS where payment data is in scope).
Related terms
See also: penetration testing, web application penetration testing, and Burp Suite.