MOBILE APPLICATION PENETRATION TESTING

CREST-Certified Mobile Application Penetration Testing for iOS and Android

Mobile app penetration testing for UK businesses — manual security assessment of iOS and Android applications against OWASP MASVS and the OWASP Mobile Top 10. Frida runtime instrumentation, SSL pinning bypass, biometric authentication bypass, insecure storage audit, and backend API testing. Fixed-price quotes within 24 hours.

  • CREST Member · Verify ↗
  • iOS & Android Penetration Testing: L1 & L2 Verification Levels
  • FRIDA + OBJECTION: Runtime Instrumentation Toolchain
  • CREST: Approved Provider
  • OWASP: MASVS + Mobile Top 10
  • FREE: Retest Included
  • 24h: Scope to Active Test

76% of mobile apps fail basic data storage checks, exposing user credentials and PII on-device — every one detected by manual MASVS analysis.

Static analysis cannot bypass SSL pinning. Humans can.

Mobile security testing tools (SAST/DAST) scan binaries for known patterns. They cannot bypass certificate pinning, hook runtime methods with Frida, or test whether your biometric check is implemented server-side or merely client-side.

A serious mobile vulnerability assessment goes beyond pattern-matching. Every finding we deliver is reproduced manually, validated against business risk, and shipped with production-ready remediation. Our reports satisfy ISO 27001 Annex A.12.6.1, SOC 2 CC7.1, PCI DSS Req 11.3, NHS DSPT mobile evidence, and align with NCSC mobile device guidance — without translation work.

What We Test in Mobile Application Penetration Testing

Aligned to the OWASP MASVS L1 (standard) and L2 (defence-in-depth) verification levels. Every category is exploited manually with Frida, Objection, MobSF, and platform-native tooling.

M1: Improper Credential Usage

Hardcoded API keys, tokens, and secrets extracted from the app binary. Static credentials shared across users or environments.

M2: Inadequate Supply Chain Security

Vulnerabilities in third-party SDKs, outdated libraries, and compromised CI/CD pipelines that ship malicious code into your app.

M3: Insecure Authentication / Authorization

Client-side-only auth checks, weak session tokens, missing role enforcement, JWT signature flaws, biometric bypass via Frida.

M4: Insufficient Input/Output Validation

SQL injection in local databases, command injection through deep links, XSS in WebViews, intent redirection abuse.

M5: Insecure Communication

Missing TLS, weak cipher suites, lack of certificate pinning, ability to intercept and modify traffic in transit.

M6: Inadequate Privacy Controls

Excessive permissions, third-party tracker leakage, PII written to logs, GDPR Article 32 violations on device.

M7: Insufficient Binary Protections

No anti-tampering, no obfuscation, easily reversed business logic, missing runtime application self-protection (RASP).

M8: Security Misconfiguration

Debug flags shipped to production, exposed admin functions, allowBackup enabled on Android, weak iOS entitlements.
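The M5 and M8 items above name settings that live in two Android files: the manifest (debuggable, allowBackup, exported components) and the network security config (cleartext traffic, trusted CAs). As an added example, not code from this page or its provider, the following Python check parses constructed sample copies of AndroidManifest.xml and res/xml/network_security_config.xml and reports the weak settings, with the hardened values noted in the comments.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample AndroidManifest.xml (not a real app) with the M8 issues. Hardened form: omit android:debuggable, set android:allowBackup="false", guard exported components with android:permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample res/xml/network_security_config.xml with the M5 issues. Hardened form: cleartextTrafficPermitted="false" and only <certificates src="system"/> under trust-anchors.
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
</network-security-config>"""


def check_manifest(xml_text: str) -> list:
    """Return M8 (Security Misconfiguration) findings for an AndroidManifest.xml."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return ["M8: manifest has no <application> element"]
    findings = []
    if app.get(ANDROID_NS + "debuggable") == "true":
        findings.append("M8: android:debuggable=true shipped in the manifest")
    if app.get(ANDROID_NS + "allowBackup") != "false":  # platform default is true, so absence counts too
        findings.append("M8: android:allowBackup not set to false (app data extractable via adb backup)")
    for comp in app.findall("activity") + app.findall("service") + app.findall("receiver"):
        # Exported, no intent-filter (so not a launcher entry) and no permission: any app can invoke it.
        if (comp.get(ANDROID_NS + "exported") == "true" and comp.find("intent-filter") is None
                and comp.get(ANDROID_NS + "permission") is None):
            findings.append(f"M8: {comp.get(ANDROID_NS + 'name')} exported without a permission")
    return findings


def check_network_security_config(xml_text: str) -> list:
    """Return M5 (Insecure Communication) findings for a network_security_config.xml."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(f"M5: cleartext HTTP permitted in <{cfg.tag}>")
        if any(c.get("src") == "user" for c in cfg.iter("certificates")):
            findings.append(f"M5: user-installed CAs trusted in <{cfg.tag}> (TLS interception possible)")
    return findings
```

Run both checks against a decoded APK's manifest and network security config; the sample manifest yields three M8 findings and the sample config two M5 findings.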

M9: Insecure Data Storage

Credentials in SharedPreferences/Keychain in clear text, sensitive data in SQLite without encryption, screenshots cache PII.

M10: Insufficient Cryptography

Custom crypto, weak key derivation, ECB mode encryption, hardcoded encryption keys, certificate validation flaws.

FOUR-PHASE METHODOLOGY

Mobile Application Penetration Testing — From Recon to Backend

iOS penetration testing and Android penetration testing share methodology but each has unique attack surfaces. Mobile pen testing requires a full kill-chain perspective. We assess the binary, the runtime, the device storage, and the backend API as one connected attack surface.

1. Recon & Scoping

Threat model, MASVS verification level, platform list, build channel, device matrix, MDM rules of engagement.

2. Static + Binary

Reverse engineering, hardcoded secret extraction, third-party SDK audit, MobSF scan, decompilation review (Hopper/Ghidra/jadx).

3. Runtime + Dynamic

Frida instrumentation, SSL pinning bypass, biometric/jailbreak/root detection bypass, IPC abuse, deep-link fuzzing, Objection enumeration.

4. Backend API + Report

BOLA, broken authentication, mass assignment, server-side validation gaps. Final report with CVSS, MASVS mapping, free retest within 30 days.

Verified Accreditations Auditors Accept

Every accreditation independently issued by a recognised UK certification body. Click CREST to verify our membership.

COMPLIANCE READY

Mobile Reports Mapped to Every Framework

Findings tagged to MASVS verification IDs and your specific compliance framework. Audit teams submit directly without translation.

OWASP MASVS L1 + L2

Verification controls 1-8 covering architecture, data, crypto, auth, network, platform, code quality, and resilience.

OWASP Mobile Top 10

2024-edition risk categorisation with proof-of-exploit, business impact analysis, and patch-validation evidence.

ISO 27001

Annex A.12.6.1 vulnerability management plus A.14.2 secure development for mobile applications.

SOC 2 Type I & II

CC7.1 vulnerability identification evidence; mobile testing accepted by auditors as production assurance.

PCI DSS

Req 11.3 application-layer testing for mobile payment apps. Aligned to PA-DSS where applicable.

NHS DSPT

Mobile testing evidence for healthcare apps, NHS-supplier mobile clients, and patient-facing portals.

TRANSPARENT PRICING

Transparent Mobile Application Penetration Testing Pricing

All tiers include the same depth of testing. Price varies by app complexity, platform count, and backend API surface area.

SMALL / SMB
£4,500 – £7,500
Depends on app complexity

Single platform, basic auth flow, lightweight CRUD client, marketing-style mobile app. Typically 5-day engagement.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

ENTERPRISE
£14,000+
Depends on app complexity

Complex business logic, multiple platforms + tablet, MASVS L2 controls, banking-grade app, deep backend API surface. Typically 12-15 day engagement.

  • Free retests included
  • Free rescheduling
  • No cancellation fees
  • 24-hour scope to active testing
  • Live findings to client portal
  • Executive + technical report
  • 60-min walkthrough call
  • Letter of attestation

What You Actually Get

Five things that distinguish our mobile testing from automated scans and one-platform-only competitors.

What You Get From Mobile Application Penetration Testing

Manual exploitation across iOS and Android, MASVS-aligned reporting, and free retests of every fix until validated.
Frida-First Runtime Approach

Every test includes runtime instrumentation. Static-only mobile assessments miss 60-80% of high-impact findings.
Both Platforms in One Engagement

iOS and Android tested side-by-side, sharing one threat model and one report. Saves 30% versus separate engagements.
Backend API Tested Same Engagement

Mobile attack surface includes server-side. We exploit BOLA, mass assignment, and broken auth without a separate API contract.
UK CREST + IASME + ISO 27001 + ISO 9001

Independently accredited. Verifiable on the CREST marketplace. Reports accepted by FCA, NCSC, NHS, ICO, SOC 2 auditors, and cyber insurers.

Frequently Asked

How long does a mobile application penetration test take?

A single-platform mobile app pen test typically takes 5-8 working days. iOS + Android together takes 10-14 days. MASVS L2 (defence-in-depth) engagements run 15+ days. Test duration is determined during scoping based on app complexity, screen count, business logic depth, and backend API breadth.

How much does mobile penetration testing cost in the UK?

Single-platform mobile app penetration testing engagements (iOS or Android only) range from £4,500 to £8,500. Both platforms together range £8,500 to £18,000. Enterprise mobile applications with MASVS L2 controls (banking, healthcare, payments) start at £18,000. All quotes are fixed-price after scoping; no day-rate surprises.

Do you test against OWASP MASVS?

Yes. Every mobile engagement is delivered to OWASP MASVS L1 (standard) by default, with MASVS L2 (defence-in-depth) available for high-assurance applications. Findings are tagged to specific MASVS verification IDs (V1-V8) so your audit team can submit evidence directly without translation.

Do you test iOS, Android, or both?

We test both. iOS and Android share the same test methodology and tooling stack — Frida, Objection, MobSF, Burp Suite Pro — but each platform has unique attack surfaces (Keychain vs SharedPreferences, certificate pinning implementations, biometric APIs). We always recommend testing both if the app supports both, since regressions and inconsistencies between platforms are common.

Can you bypass SSL certificate pinning?

Yes. We use Frida, Objection, and platform-specific bypass methods to defeat certificate pinning, including Network Security Config bypass on Android and Trust Anchor manipulation on iOS. SSL pinning bypass is required for proxy-based dynamic testing of any pinned mobile app and is included in every engagement.

Do you test biometric and jailbreak/root detection?

Yes. We test whether biometric checks (Face ID, Touch ID, Android BiometricPrompt) are server-side validated or client-side only, and whether jailbreak/root detection routines can be bypassed via Frida hooks. Biometric bypass is one of the most common high-severity findings in financial mobile applications.

Do you test the backend API as part of mobile testing?

Yes. The backend API is part of the mobile attack surface. We test BOLA (broken object-level authorisation), mass assignment, IDOR, server-side validation gaps, and authentication flaws as part of every mobile engagement. We do not require a separate API pen test contract for mobile-served APIs.

What’s the difference between OWASP Mobile Top 10 and OWASP MASVS?

Mobile Top 10 lists the most critical risk categories (M1-M10). MASVS (Mobile Application Security Verification Standard) is the structured testing framework with verification controls (V1-V8) and two assurance levels (L1 standard, L2 defence-in-depth). We map findings to both: Top 10 for executive/board reports, MASVS for engineering and audit-team evidence.

Can you test pre-release builds and staging APKs/IPAs?

Yes. Pre-release testing is preferred. We accept staging IPAs (TestFlight or enterprise distribution), Android APKs (debug or release-signed), and direct Xcode/Android Studio builds. Testing pre-release allows fixes before App Store / Play Store submission and avoids the need for emergency patches.

Do you test apps distributed via MDM (e.g. Intune, Workspace ONE)?

Yes. MDM-distributed mobile applications often have stricter compliance requirements (DLP, conditional access, certificate-based auth). We test how the app behaves under managed-device policies, evaluate MDM-specific bypass attacks, and validate that compliance posture controls are enforced.

Are your testers UK-based and what certifications do they hold?

All mobile testers are vetted UK or international engineers matched to your engagement based on platform expertise, sector specialism, and clearance requirements. Mobile-relevant certifications held across the team include CREST CRT, OSCP, GMOB (GIAC Mobile), and platform-specific specialisms (eMAPT).

Do you sign NDAs?

Yes. Standard NDA before any technical detail is shared, and we operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses. Custom MSAs and AUP terms are accepted for enterprise and public-sector clients.

READY TO SCOPE

Book a Mobile Pen Test Scoping Call

30 minutes with a CREST-certified mobile tester. Fixed-price quote within 24 hours. No sales pipeline.
