How long does a mobile application penetration test take?
A single-platform mobile app pen test typically takes 5-8 working days. iOS + Android together takes 10-14 days. MASVS L2 (defence-in-depth) engagements run 15+ days. Test duration is determined during scoping based on app complexity, screen count, business logic depth, and backend API breadth.
How much does mobile penetration testing cost in the UK?
Single-platform mobile app penetration testing engagements (iOS or Android only) range from £4,500 to £8,500. Both platforms together range from £8,500 to £18,000. Enterprise mobile applications with MASVS L2 controls (banking, healthcare, payments) start at £18,000. All quotes are fixed-price after scoping; no day-rate surprises.
Do you test against OWASP MASVS?
Yes. Every mobile engagement is delivered to OWASP MASVS L1 (standard) by default, with MASVS L2 (defence-in-depth) available for high-assurance applications. Findings are tagged to specific MASVS verification IDs (V1-V8) so your audit team can submit evidence directly without translation.
Do you test iOS, Android, or both?
We test both. iOS and Android share the same test methodology and tooling stack (Frida, Objection, MobSF, Burp Suite Pro) but each platform has unique attack surfaces (Keychain vs SharedPreferences, certificate pinning implementations, biometric APIs). We always recommend testing both if the app supports both, since regressions and inconsistencies between platforms are common.
Can you bypass SSL certificate pinning?
Yes. We use Frida, Objection, and platform-specific bypass methods to defeat certificate pinning, including Network Security Config bypass on Android and Trust Anchor manipulation on iOS. SSL pinning bypass is required for proxy-based dynamic testing of any pinned mobile app and is included in every engagement.
Do you test biometric and jailbreak/root detection?
Yes. We test whether biometric checks (Face ID, Touch ID, Android BiometricPrompt) are server-side validated or client-side only, and whether jailbreak/root detection routines can be bypassed via Frida hooks. Biometric bypass is one of the most common high-severity findings in financial mobile applications.
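A worked illustration of the server-side versus client-side distinction above, added here as an example and not part of the original page or the testing service's own tooling. The insecure pattern trusts a flag the app sets after Face ID, Touch ID or BiometricPrompt succeeds, which a runtime hook or proxy can set without any biometric; the hardened pattern makes the app answer a fresh, single-use server challenge with a key enrolled for that device. For brevity an HMAC key (constructed) stands in for the hardware-backed asymmetric key a real app would keep in the Keystore or Secure Enclave; all names are assumed.

```python
import hashlib
import hmac
import secrets
import time


def client_side_only_authorised(request):
    """Insecure pattern: the API trusts a flag the client sets after a local
    biometric prompt. A Frida hook or proxy can set it without a biometric."""
    return request.get("biometric_ok") is True


def device_sign(device_key, nonce):
    """Client side: answer the server's challenge with the enrolled key.
    Constructed stand-in: HMAC replaces a Keystore/Secure Enclave signature
    whose private key never leaves the hardware."""
    return hmac.new(device_key, nonce.encode(), hashlib.sha256).hexdigest()


class BiometricStepUpServer:
    """Server side: a sensitive action is allowed only after a fresh,
    single-use challenge is answered with the key enrolled for the user."""

    CHALLENGE_TTL = 60  # seconds a challenge stays valid

    def __init__(self):
        self.enrolled = {}  # user -> enrolled device key
        self.pending = {}   # nonce -> (user, issued_at)

    def enrol(self, user, device_key):
        self.enrolled[user] = device_key

    def issue_challenge(self, user, now=None):
        nonce = secrets.token_hex(16)  # unpredictable, so it cannot be pre-signed
        self.pending[nonce] = (user, time.time() if now is None else now)
        return nonce

    def verify(self, user, nonce, proof, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(nonce, None)  # single use: a replay finds nothing
        key = self.enrolled.get(user)
        if entry is None or key is None:
            return False
        owner, issued_at = entry
        # The challenge must belong to this user and still be within its TTL.
        if owner != user or now - issued_at > self.CHALLENGE_TTL:
            return False
        return hmac.compare_digest(device_sign(key, nonce), proof)
```

The forged flag passes the insecure check every time, while the challenge-based check rejects a replayed nonce, a proof made with the wrong key, an expired challenge, and a nonce issued to another user.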
What are the 7 stages of penetration testing?
The recognised stages are scoping, reconnaissance, static analysis, dynamic and runtime testing, backend and API testing, exploitation, and reporting with a retest. For a mobile application we run all seven against the OWASP MASVS, combining automated tooling with manual exploitation on a real device.
What is the difference between SAST, DAST and SCA?
SAST (static application security testing) analyses the code or binary at rest; DAST (dynamic) tests the running app and its traffic; SCA (software composition analysis) checks third-party libraries for known vulnerabilities. A full mobile penetration test combines all three with manual exploitation.
Which tools are used for mobile application penetration testing?
We use Burp Suite for traffic interception, Frida and Objection for runtime instrumentation and SSL-pinning bypass, MobSF for static analysis, and the OWASP MASTG as the testing standard. Tooling supports, but never replaces, manual testing by a CREST-certified consultant.
Do you test the backend API as part of mobile testing?
Yes. The backend API is part of the mobile attack surface. We test BOLA (broken object-level authorisation), mass assignment, IDOR, server-side validation gaps, and authentication flaws as part of every mobile engagement. We do not require a separate API pen test contract for mobile-served APIs.
What’s the difference between OWASP Mobile Top 10 and OWASP MASVS?
Mobile Top 10 lists the most critical risk categories (M1-M10). MASVS (Mobile Application Security Verification Standard) is the structured testing framework with verification controls (V1-V8) and two assurance levels (L1 standard, L2 defence-in-depth). We map findings to both: Top 10 for executive/board reports, MASVS for engineering and audit-team evidence.
Can you test pre-release builds and staging APKs/IPAs?
Yes. Pre-release testing is preferred. We accept staging IPAs (TestFlight or enterprise distribution), Android APKs (debug or release-signed), and direct Xcode/Android Studio builds. Testing pre-release allows fixes before App Store / Play Store submission and avoids the need for emergency patches.
Do you test apps distributed via MDM (e.g. Intune, Workspace ONE)?
Yes. MDM-distributed mobile applications often have stricter compliance requirements (DLP, conditional access, certificate-based auth). We test how the app behaves under managed-device policies, evaluate MDM-specific bypass attacks, and validate that compliance posture controls are enforced.
Are your testers UK-based and what certifications do they hold?
All mobile testers are vetted UK or international engineers matched to your engagement based on platform expertise, sector specialism, and clearance requirements. Mobile-relevant certifications held across the team include CREST CRT, OSCP, GMOB (GIAC Mobile), and platform-specific specialisms (eMAPT).
Do you sign NDAs?
Yes. We sign a standard NDA before any technical detail is shared, and we operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses. Custom MSAs and AUP terms are accepted for enterprise and public-sector clients.
How do you do penetration testing for a mobile application?
We scope the app and its backend, decompile and statically analyse the binary, then run dynamic tests on a real device: intercepting traffic, bypassing certificate pinning, and probing storage, authentication and the API. Findings are exploited to confirm impact, then reported with a prioritised remediation plan.
What is mobile application security testing?
Mobile application security testing assesses an iOS or Android app for weaknesses across its code, runtime behaviour and backend. A penetration test is the manual, exploitation-led form of it, going beyond automated scanning to prove what an attacker could actually reach.
What is the difference between mobile app and IoT penetration testing?
Mobile app testing focuses on the iOS or Android application, its data storage and its API. IoT testing also covers device firmware, hardware interfaces and radio protocols. They overlap where a mobile app controls an IoT device; we scope each engagement to the attack surface that matters.