
Mobile Application Security

Mobile App Penetration Testing.
Your app. Under attack. By us.

iOS. Android. Hybrid. We analyze your mobile app against the OWASP Mobile Top 10, decompile the binary, instrument the runtime with Frida and uncover vulnerabilities that no automated scanner finds.

OWASP Mobile Top 10 · iOS & Android · ISO 27001 · Fixed-price in 24h

Key facts

  • 500+ pentests completed
  • iOS & Android: both platforms covered
  • Fixed-price quote within 24h
  • OWASP Mobile Top 10 fully covered

iOS & Android

Two platforms. Two security models. Equal thoroughness.

iOS and Android differ fundamentally in architecture, sandbox model and attack vectors. We know both in depth.

iOS-specific tests

Objective-C / Swift

  • Jailbreak-based analysis - Bypass of jailbreak detection via Frida/Objection, sandbox integrity checks, dylib injection simulation on physical devices.
  • Keychain dumping - Extraction of keychain entries on jailbroken devices, checking accessibility flags (kSecAttrAccessibleAlways), Secure Enclave binding.
  • Binary analysis (otool, class-dump) - Disassembly of ARM64 binaries, reconstructing method signatures via class-dump, extracting hardcoded strings and keys.
  • IPA reverse engineering - Unpacking and analyzing IPA archives, plist configurations, examining embedded frameworks and third-party SDKs.
  • App Transport Security - Reviewing ATS exceptions in Info.plist, NSAllowsArbitraryLoads, domain-specific exceptions and minimum TLS version auditing.
  • Certificate pinning bypass - SSL Kill Switch, Frida scripts and objection pinning disable for traffic interception even with pinning implemented.

Also covered on iOS (shared with Android): API communication analysis, local data storage, session management

Android-specific tests

Java / Kotlin / APK

  • Root-based analysis - Magisk root, su binary checks, RootBeer detection bypasses via Frida simulation and validation of protection measures.
  • APK decompilation (jadx) - JADX and Apktool for source code reconstruction, restoring Java/Kotlin classes, extracting resources and assets.
  • Smali patching - Direct manipulation of Smali code to disable anti-tamper checks, bypass license checks or set debug flags.
  • Intent / content provider abuse - Testing exported activities, services and broadcast receivers for unintended accessibility, intent injection and data exfiltration.
  • Certificate pinning bypass - Frida scripts, TrustManager hooking and Magisk modules for interception of pinned traffic.
  • WebView vulnerabilities - JavaScript interface injection, addJavascriptInterface, shouldOverrideUrlLoading, file access and universal XSS in embedded WebViews.

Also covered on Android (shared with iOS): API communication analysis, local data storage, session management

We also fully test hybrid apps (React Native, Flutter, Xamarin). For React Native we analyze JavaScript bundles for hardcoded secrets and assess code obfuscation. Flutter apps are tested via Dart decompilation and native binary analysis. Xamarin apps receive a combined .NET and platform-native test. In all cases we conduct full OWASP MASVS-compliant testing.

OWASP Mobile Top 10:2024

All 10 categories. Fully tested.

The OWASP Mobile Top 10 is the international reference framework for mobile app security. Every finding in our report is mapped to one of these categories.

M1

Improper Credential Usage

Hardcoded API keys, passwords and certificates in the binary and configuration files. We systematically extract all secrets from the app bundle - strings, embedded resources, configuration files and compiled code.

M2

Inadequate Supply Chain Security

Vulnerable third-party libraries, insecure SDK integrations and compromised build pipelines. We inventory all dependencies and check them against known CVEs.

M3

Insecure Authentication / Authorization

Weak authentication logic, missing biometric protection, client-side authorization checks and bypassable login flows. We test all auth mechanisms for circumventability via Frida and manipulated requests.

M4

Insufficient Input / Output Validation

Missing validation of user inputs and API responses leads to injection attacks in SQLite databases, WebView XSS and content provider injections. Every input channel is tested for injection vectors.

M5

Insecure Communication

Missing certificate pinning, insecure TLS configurations, mixed HTTP/HTTPS connections and excessive data sharing with third-party SDKs. We intercept all network traffic.

M6

Inadequate Privacy Controls

Excessive permission requests, unjustified collection of sensitive data (location, contacts, microphone) and flawed GDPR privacy implementations. We audit the permission model and data flows.

M7

Insufficient Binary Protections

Missing code obfuscation, disabled ASLR/PIE, missing stack canary, no tamper detection. We check all binary protections and test their actual effectiveness against Frida hooking.

M8

Security Misconfiguration

Debug flags in production, excessive logging output, exported Android components without protection, flawed AndroidManifest configurations and insecure backup settings.
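The manifest checks named above can be scripted over an apktool-decoded AndroidManifest.xml. The following Python check is an added example, not code from the page or from AWARE7; the manifest, package and component names are constructed for the demonstration.

```python
# Added example: flag common AndroidManifest.xml misconfigurations (debuggable,
# allowBackup, cleartext traffic, exported components without a permission).
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest containing several weak settings.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"
              android:exported="true"/>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.app.SYNC"/>
    <service android:name=".WorkService" android:exported="false"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text):
    """Return a list of (severity, message) findings for the manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return [("info", "no <application> element found")]
    findings = []
    if _attr(app, "debuggable") == "true":
        findings.append(("high", "application is debuggable in this build"))
    if _attr(app, "allowBackup") != "false":
        findings.append(("medium", "allowBackup not set to false: app data lands in backups"))
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append(("high", "cleartext (HTTP) traffic permitted app-wide"))
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        # exported="true" without android:permission is reachable by any app on the
        # device; the launcher activity (MAIN action) is expected to be exported.
        if _attr(comp, "exported") != "true" or _attr(comp, "permission"):
            continue
        actions = {_attr(a, "name") for a in comp.iter("action")}
        if "android.intent.action.MAIN" in actions:
            continue
        findings.append(("medium", f"{comp.tag} {_attr(comp, 'name')} exported without permission"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {message}")
```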

M9

Insecure Data Storage

Auth tokens, personal data and payment information stored in cleartext in SharedPreferences, plist files, SQLite databases and app backups. We check all storage locations for encryption and access control.

M10

Insufficient Cryptography

Outdated cryptographic algorithms (MD5, SHA-1, DES), self-implemented cryptography, insecure key management and predictable IV/nonce generation. We audit all cryptographic operations.

API & Backend

Mobile API security - the underestimated attack vector

Most critical vulnerabilities in mobile apps lie not in the app itself, but in the backend. We test both - and the interaction between app and server.

REST & GraphQL API testing

Full mapping of all API endpoints directly from app analysis. We test for missing authorization, BOLA/IDOR vulnerabilities and excessive data exposure.

Authentication token security

JWT vulnerabilities (alg:none, weak secrets), OAuth flows, session invalidation, token lifetime and refresh token security in the mobile context.
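The alg:none and signature-check weaknesses mentioned here come down to a backend trusting the token header. As an added example (not code from the page or from AWARE7), a minimal stdlib-only HS256 verifier that pins the algorithm server-side, compares signatures in constant time and requires an expiry; the secret, claims and tokens are constructed for the demonstration.

```python
# Added example: JWT verification that rejects "alg": "none", tampered signatures
# and expired tokens. Secret and claims are constructed for the demonstration.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims, key=SECRET, alg="HS256"):
    """Build a token; alg='none' produces the unsigned test case the verifier must reject."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token, key=SECRET, now=None):
    """Return the claims if the token is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The header is attacker-controlled input: pin the algorithm instead of trusting it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    return claims


def check_token(token, key=SECRET, now=None):
    """Convenience wrapper returning (ok, claims_or_reason)."""
    try:
        return True, verify_token(token, key, now)
    except ValueError as err:
        return False, str(err)
```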

Rate limiting & business logic

Brute-force protection on login and payment endpoints, quantity manipulation, price manipulation and race conditions in time-sensitive API operations.

Server-side injection

SQL injection, NoSQL injection, SSRF and XXE via mobile API parameters - particularly relevant for APIs developed primarily for mobile clients.

API Endpoint Discovery - Example

Method  Endpoint                        Finding
GET     /api/v2/users/{id}/profile      IDOR
POST    /api/v2/payment/transfer        No rate limit
PUT     /api/v2/admin/users/{id}        Auth missing
GET     /api/v2/products/list           OK
POST    /api/v2/search?q=               SQLi

Automatically mapped from app traffic, manually verified.

Methodology

3 phases. Systematic. Reproducible.

OWASP MASVS and OWASP MASTG-compliant methodology - transparently documented, every step traceable.

01

Static Analysis

Reverse engineering of the app binary or APK without execution. We reconstruct the source code, analyze configuration files, search for hardcoded secrets and audit embedded third-party libraries for known CVEs. Obfuscation is addressed through deobfuscation techniques.

Tools: JADX · Apktool · MobSF · Hopper · Ghidra · strings

02

Dynamic Analysis

The app is run on real jailbroken/rooted devices. We instrument the process with Frida at runtime, hook authentication functions, read memory regions and bypass anti-tamper mechanisms. SSL pinning bypasses enable full traffic interception.

Tools: Frida · Objection · Burp Suite · Cycript · mitmproxy

03

Backend Testing

The app backend is tested both separately and in conjunction with the app. We map all API endpoints from app traffic, check authorization at endpoint and resource level, search for IDOR/BOLA vulnerabilities and test for injection attacks and business logic flaws.

Tools: Burp Suite Pro · Postman · SQLMap · OWASP ZAP

Typical Findings

What we regularly find

These vulnerabilities appear in the majority of apps we test - regardless of technology stack or company size.

Critical CVSS 9.1
M1 · M10 · MASVS-RESILIENCE-2

Hardcoded API Keys in Binary - Access to all user data

An admin API key is embedded in plaintext in the app binary. Through decompilation with JADX or strings analysis this key is immediately extractable. Any attacker with access to the publicly available app can use it to read the entire user database via the management API - without authentication, without knowledge of the backend.

// strings extracted from libapp.so
private static final String ADMIN_API_KEY = "sk-admin-f7x9q2mK...";
High CVSS 8.2
M5 · MASVS-NETWORK-1

Missing Certificate Pinning Allows Man-in-the-Middle

The app accepts any TLS certificate issued by an installed user CA. Attackers on the same network - public Wi-Fi, compromised router, corporate proxy - can read and manipulate all traffic including authentication tokens, personal data and payment information. Certificate pinning is not implemented.

High CVSS 7.4
M9 · MASVS-STORAGE-1

Insecure Local Storage of Auth Tokens

Authentication tokens and session cookies are stored unencrypted in SharedPreferences (Android) or UserDefaults plist (iOS). On device loss, a compromised backup or access by a malicious app with accessibility permissions, these tokens are immediately readable and allow full account takeover without a password.

Medium CVSS 6.5
M5 · MASVS-NETWORK-2

Unencrypted Data Transmission to Analytics Endpoint

Analytics data including device identifiers, usage patterns and partially personal metadata are transmitted via HTTP (without TLS) to an analytics endpoint. The data is readable in plaintext in the network traffic and, combined with other findings, enables the profiling of individual users without their knowledge.

Pricing & Packages

Transparent fixed prices

No hourly rate risk. No surprise costs. Binding fixed-price quote within 24 business hours after the free initial consultation.

Single Platform

iOS or Android

from 6,000 EUR

excl. VAT

5-8 business days
  • Full OWASP MASVS test
  • Static & dynamic analysis
  • API communication analysis
  • CVSS-rated findings
  • Management summary
  • Retest of critical findings
Dual Platform (Recommended)

iOS + Android

from 10,000 EUR

excl. VAT

8-12 business days
  • Everything from Single Platform
  • Both platforms fully tested
  • Cross-platform comparative analysis
  • Shared backend API review
  • Prioritized overall roadmap
  • Retest of all High/Critical findings

Enterprise

App + API + Backend

from 15,000 EUR

excl. VAT

12-18 business days
  • Everything from Dual Platform
  • Full REST/GraphQL API test
  • OWASP API Security Top 10
  • Server-side vulnerability testing
  • Combined app + API attack path
  • Retest of all findings

Fixed-price commitment

No hourly rate risk. The agreed price is the final price.

Quote in 24 business hours

After the free initial consultation you receive a binding quote.

Retainer model available

Regular tests at fixed rates - ideal for continuous development.

All prices are indicative. The binding fixed-price quote is provided after the free initial consultation - within 24 business hours.

Compliance & Standards

Meet regulatory requirements with confidence

Mobile apps face growing regulatory pressure. Our pentest report is designed as evidence for audits, supervisory authorities and certifications.

App Store Security

Apple & Google Store Policies

Apple App Store Review Guidelines and Google Play Protect check for privacy and security violations. Our pentest proactively identifies store-relevant vulnerabilities before submission, reducing the risk of rejections or bans.

GDPR Art. 25

Privacy by Design

GDPR Article 25 requires data protection by design. Mobile apps process highly sensitive data - location, contacts, biometrics. Our report documents technical safeguards as evidence of appropriate technical measures for data protection audits and supervisory authorities.

ISO 27001

Vulnerability Management

ISO 27001:2022 Control A.8.8 requires active management of technical vulnerabilities. Our mobile app pentest provides structured, CVSS-rated findings that directly support vulnerability management and demonstrate compliance to certification auditors.

PSD2

Banking App Security

PSD2 requires strong customer authentication (SCA) and dynamic linking for financial apps. We test PSD2-relevant controls: biometric security, transaction binding, app integrity and anti-fraud mechanisms - following EBA guidelines on mobile security.

Why AWARE7 for your mobile app pentest

What sets us apart from other providers

Pure awareness platforms don't test systems. Pure consulting groups are too far removed. AWARE7 combines both: we hack your infrastructure and train your staff - tailored to mid-sized companies, personal, without enterprise overhead.

Research and teaching as the foundation

Around 20% of our revenue comes from research projects for the BSI and BMBF. Our studies analyze millions of websites and tens of thousands of phishing e-mails - published at ACM and Springer conferences. Three of our executives are also professors at German universities.

Digital sovereignty - no compromises

All data is stored and processed exclusively in Germany - without US cloud providers. No freelancers, no subcontractors in the value chain. All employees are regular salaried staff under uniform legal obligations. VS-NfD-compliant on request.

Fixed price in 24h - predictable project timelines

Within 24 hours you receive a binding fixed-price quote - no hourly-rate risk, no follow-up claims, no surprises. Thanks to a well-rehearsed team and standardized processes you get a clear schedule with a defined start and end date.

Your dedicated contact - reachable at any time

A personal project manager accompanies you from the initial consultation to the retest. You book appointments directly with your contact - no ticket systems, no call center, no switching between changing consultants. Continuity builds trust.

Who are we the right partner for?

Mid-sized companies with 50–2,000 employees

Companies that need real security - without paying for a DAX-corporation service provider. Fixed price, clear scope, one point of contact.

IT managers & CISOs

Who have to make a convincing case internally - and need a report written in board language for that, not just technical findings.

Regulated industries

KRITIS, healthcare, financial services: NIS-2, ISO 27001, DORA - we know the requirements and deliver evidence that auditors accept.

Contributions to industry standards

OWASP · 2023

OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as a contributor in the core team of the internationally recognized OWASP LLM security standard.

BSI · Allianz für Cyber-Sicherheit

Management von Cyber-Risiken (Management of Cyber Risks)

Prof. Dr. Matteo Große-Kampmann as a contributor to the official BSI handbook for corporate management (German version).

How it works

From consultation to report

Three steps. No hidden effort. No surprises.

1

Free initial consultation

In a 30-minute call we clarify your specific use case: platforms, app complexity, special requirements (e.g. compliance, CI/CD integration). You receive a binding fixed-price quote within 24 business hours.

Duration: 30 minutes

2

Test execution

After contract signing and kick-off our team starts immediately. You provide build artifacts and test accounts. We test in an isolated environment and report critical findings proactively - without waiting for the final report.

Duration: 5-18 business days per package

3

Report & retest

You receive the complete final report with management summary, technical findings and remediation roadmap. After fixing vulnerabilities we conduct the retest and issue a verification addendum - as evidence for auditors.

Including retest certificate

FAQ

Frequently asked questions about mobile app pentests

We test native iOS apps (Objective-C, Swift), native Android apps (Java, Kotlin) and hybrid apps (React Native, Flutter, Xamarin, Cordova). For iOS we require IPA files or TestFlight builds; for Android APK or AAB files. Both platforms are tested on real physical devices - jailbroken iPhones and rooted Android devices of current device generations.

No, source code is not required. We conduct a black-box or grey-box test based on the compiled app as standard. On request we also accept source code for a more comprehensive white-box test - this enables deeper static analysis and reduces test duration. Both approaches deliver fully OWASP MASVS-compliant results.

A focused test for a single platform (iOS or Android) typically takes 5-8 business days from kick-off to report delivery. A combined iOS and Android test requires 8-12 business days. Including a full backend API test we estimate 12-18 business days. For very complex apps with extensive features and API endpoints we discuss the exact timeline in the free initial consultation.

For dynamic analysis we use Frida (runtime instrumentation), Objection (Frida-based framework), Burp Suite Pro (traffic interception), mitmproxy and Wireshark. For static analysis: JADX and Apktool (Android), Hopper and Ghidra (iOS), MobSF (automated pre-analysis). All tools are deployed manually by experienced penetration testers - not as a substitute for expertise, but as a support.

Yes. We offer retainer models where each major release automatically triggers a defined delta test. We exclusively check the changed areas - new features, modified API endpoints, updated authentication flows. Results are delivered as structured JSON that can be integrated into your issue tracking (Jira, GitHub Issues, GitLab).

Directly and indirectly. Apple App Store Review and Google Play Protect check for certain security criteria. Our pentest identifies vulnerabilities that can lead to store rejections - such as data storage outside the app sandbox, use of private APIs, insecure network communication. Additionally, a solid security posture improves the risk profile in compliance audits (GDPR, ISO 27001).

Yes. All our packages include a retest of critical and high-severity findings after remediation by your team. This verification test confirms that vulnerabilities have been correctly fixed and no regression has occurred. The retest results are integrated as an addendum into the final report - as evidence for auditors and compliance requirements.

The report includes: (1) Management Summary for executive stakeholders - non-technical, with risk overview and recommendations. (2) Executive dashboard with CVSS score distribution by severity and OWASP MASVS category. (3) Complete technical findings with screenshot evidence, reproducible proof-of-concept steps, and platform-specific remediation guidance including code examples. On request we provide an anonymized sample report in advance.

For preparation we need: the current build (IPA or APK/AAB), valid test accounts with different permission levels (standard user, admin, premium user if applicable), API documentation if available (optional but helpful), and a signed engagement authorization (Rules of Engagement). Everything is coordinated together in the kick-off meeting. The effort for you is typically 1-2 hours.

Costs depend on the number of platforms, app complexity and desired scope. As guidance: single platform (iOS or Android) from EUR 6,000, dual platform (iOS + Android) from EUR 10,000, enterprise package (app + API + backend) from EUR 15,000. All prices are fixed - no hourly rate risk, no additional charges. Binding quote within 24 business hours after the free initial consultation.

Ready for an honest look at your app security?

We analyze your iOS or Android app and deliver clear, reproducible findings. Fixed-price quote within 24 business hours after the initial consultation.

Free · 30 minutes · No obligation

Certifications & Standards

OWASP Mobile Top 10 · OWASP MASVS · OWASP MASTG · OSCP-Certified · ISO 27001 · CVSS 3.1