Pentest Mobile
Find the flaws in your iOS and Android app before an attacker exploits them.
Our team tests your iOS and Android apps the way an attacker would: reversing the APK and IPA, runtime instrumentation with Frida, analysis of local storage and the backend API. You get a prioritised list of exploitable vulnerabilities and a remediation plan your developers can act on.
France Cybersecurity Label
Mobile attack surface
A mobile app is a binary in the attacker's hands
Unlike a web application, your mobile app's code ships directly onto the user's device. An attacker can decompile the APK or IPA, read plaintext strings, instrument the binary at runtime and watch what it exchanges with your API. Client-side controls (root or jailbreak detection, certificate pinning, obfuscation) slow analysis down but do not prevent it. Our tests follow the OWASP MASVS standard and the MASTG methodology to cover the binary, local storage, communications and the backend.
What we test
Four families of tests, from binary to backend
Static binary analysis
Reversing the APK and IPA to hunt for hardcoded secrets and API keys, assess obfuscation quality and review the permissions declared in the manifest.
Runtime dynamic analysis
Instrumenting the app with Frida and objection: hooking functions, bypassing root or jailbreak detection and certificate pinning to intercept and replay encrypted traffic.
Local data storage
Checking for sensitive data written in clear text to SharedPreferences, UserDefaults, SQLite databases or cache files, instead of the Android Keystore or iOS Keychain meant to hold secrets.
Local surface and backend API
Testing exported components (activities, services), deeplinks and IPC channels treated as trusted input, then the authorisation and logic of the backend API (IDOR, BOLA, access control).
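An added Android example (written for this page, not the service's own code) of the "IPC treated as trusted input" point: the first parser uses a deeplink parameter as-is, the second validates scheme, host and the in-app path before acting on it. The `myapp://open?next=...` scheme and the allowlist are hypothetical; the activity receiving it should additionally declare `android:exported` deliberately in the manifest rather than relying on the parser alone.

```kotlin
import android.net.Uri

private val ALLOWED_HOSTS = setOf("open")                 // placeholder host allowlist
private val ALLOWED_NEXT = Regex("^/[a-z0-9/_-]{1,64}$")  // in-app paths only

data class DeepLinkTarget(val path: String)

// WEAK: trusts whatever arrives in the Intent. Any app on the device can send an
// Intent to an exported activity, so "next" is attacker-controlled.
fun parseDeepLinkInsecure(uri: Uri): DeepLinkTarget =
    DeepLinkTarget(uri.getQueryParameter("next") ?: "/")

// HARDENED: reject anything outside the expected scheme, host and path shape.
fun parseDeepLinkSecure(uri: Uri): DeepLinkTarget? {
    if (uri.scheme != "myapp") return null
    if (uri.host !in ALLOWED_HOSTS) return null
    val next = uri.getQueryParameter("next") ?: return DeepLinkTarget("/")
    // The regex excludes ':' and '.', so "https://evil" and "../x" already fail;
    // a scheme-relative "//evil" still matches and is rejected explicitly.
    if (!ALLOWED_NEXT.matches(next) || next.startsWith("//")) return null
    return DeepLinkTarget(next)
}

// Example inputs (constructed): the first is accepted, the others are dropped.
fun demo(): List<DeepLinkTarget?> = listOf(
    "myapp://open?next=/orders/42",
    "myapp://open?next=//attacker.example",
    "myapp://open?next=https://attacker.example",
    "https://open?next=/orders/42"
).map { parseDeepLinkSecure(Uri.parse(it)) }
```

The same shape applies to any value read from an Intent extra, a content provider query or a bound service call: parse, validate against an allowlist, and only then route or render.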
Frequently asked questions
What you should know before starting
How long does a mobile app pentest take?
Duration depends on scope. A single platform (iOS or Android) with its API usually takes 5 to 8 working days; both platforms together 8 to 15 days. The number of screens, functional depth and any hardening mechanisms (obfuscation, anti-tampering) drive the sizing, which we set during scoping.
What do we need to provide for the test?
At minimum the build to test (an APK for Android, an unencrypted IPA for iOS) and test accounts covering the different roles. For iOS, a development or ad hoc build avoids App Store decryption and eases instrumentation. API documentation and source code help in a grey-box or white-box approach but are not mandatory.
How is this different from an automated APK scan?
A scanner spots known patterns (broad permissions, suspicious strings, outdated libraries) but cannot chain a real attack. Our experts instrument the app at runtime, bypass client-side protections, validate the impact of an extracted secret against the backend API and confirm each vulnerability with proof of exploitation. A scan only flags indicators, with no context or demonstrated exploitability.
Other domains
Explore our other penetration tests
Pentest Web
Your web apps and APIs carry business logic that an automated scanner cannot probe.
Pentest IoT
Before you ship, find out what an attacker can do with your connected device.
Pentest Cloud
One over-permissive IAM role or an open bucket is enough to compromise your whole cloud.
Pentest LLM
Your LLM applications open an attack surface that your usual tests do not cover.
Penetration testing overview
Ready to test your mobile app?
Our experts define the iOS and Android scope with you and send a tailored quote within 48h.