Mobile Application Security Testing

Shipped to the App Store. Let's find the flaws before someone else does.

Gain peace of mind with our mobile application security testing services. Secure your iOS and Android apps by identifying client-side and server-side vulnerabilities.
CREST Pathway · UK Cyber Security Council member · Cyber Essentials certified

Our Pentest Methodology

What our mobile app testing includes

We provide a thorough assessment of your mobile applications and optionally the APIs they consume, going above and beyond the OWASP Mobile Security Testing Guide to ensure coverage of a wide range of threats.

Insecure Data Storage

Mobile applications frequently write sensitive data to accessible locations - shared preferences, external storage, unprotected databases, or system logs. We identify what is persisted and whether it can be accessed by other applications or a physically compromised device.

Authentication & Session Management

We review how the application authenticates users and manages session state, including token storage, expiry enforcement, and behaviour after logout. We assess whether session material can be extracted or reused by an attacker.

Network Communication & Certificate Validation

We examine TLS handling including whether certificate validation is correctly enforced, whether certificate pinning is implemented and bypassable, and whether any traffic is transmitted over unprotected channels.
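On Android, much of the TLS posture described above is declared in the app's network security configuration (res/xml/network_security_config.xml in a decoded APK). The checker below is an added example, not code from this page or from our methodology, and it runs against a constructed sample config rather than any real application. It flags cleartext permitted in base-config or per-domain, trust in user-installed CAs (which makes interception trivial on a release build), pin-sets that have expired (Android stops enforcing pins after the expiration date) and pin-sets with no backup pin.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample config (hypothetical, not taken from any real app).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2023-01-01">
            <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def audit_network_config(xml_text, today=None):
    """Return (severity, finding) tuples for an Android network_security_config.xml.

    `today` is an ISO date string used to judge pin-set expiry; defaults to now.
    """
    today = date.fromisoformat(today) if today else date.today()
    root = ET.fromstring(xml_text)
    findings = []

    def trusts_user_cas(node):
        # <certificates src="user"/> means CAs added via Settings are trusted.
        return any(c.get("src") == "user"
                   for c in node.findall("./trust-anchors/certificates"))

    base = root.find("base-config")
    if base is not None:
        if base.get("cleartextTrafficPermitted", "false").lower() == "true":
            findings.append(("high", "base-config permits cleartext (HTTP) traffic to all hosts"))
        if trusts_user_cas(base):
            findings.append(("medium", "base-config trusts user-installed CAs: a release build "
                                       "can be intercepted by installing a proxy CA"))

    for dc in root.findall("domain-config"):
        domains = [(d.text or "").strip() for d in dc.findall("domain")]
        label = ", ".join(domains) or "<no domain>"
        if dc.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append(("high", f"cleartext traffic permitted for {label}"))
        if trusts_user_cas(dc):
            findings.append(("medium", f"user-installed CAs trusted for {label}"))
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(("info", f"no certificate pinning declared for {label}"))
            continue
        exp = pin_set.get("expiration")
        if exp and date.fromisoformat(exp) < today:
            findings.append(("medium", f"pin-set for {label} expired on {exp}: "
                                       "Android no longer enforces these pins"))
        if len(pin_set.findall("pin")) < 2:
            findings.append(("low", f"pin-set for {label} has no backup pin"))

    dbg = root.find("debug-overrides")
    if dbg is not None and trusts_user_cas(dbg):
        findings.append(("info", "debug-overrides trusts user CAs: only active when "
                                 "android:debuggable is true"))
    return findings


if __name__ == "__main__":
    for severity, text in audit_network_config(SAMPLE_CONFIG):
        print(f"[{severity}] {text}")
```

Pinning declared in this file only covers connections made through the platform's default trust manager; an app that ships its own OkHttp CertificatePinner, or a custom TrustManager, still has to be checked at runtime, and the absence of a pin-set here does not by itself mean pinning is missing.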

Cryptographic Implementation

We review algorithm selection, key generation, and storage practices. This includes assessing use of platform keystore APIs and identifying cases where cryptographic material is hardcoded or stored in recoverable locations.
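The storage and cryptography reviews above both start from the same raw material: files pulled from the app's data directory, a logcat capture, and the decompiled code. The scanner below is an added example, not code from this page or from our methodology, and its inputs (a shared_prefs XML, three log lines and a Java fragment) are constructed. It covers the Insecure Data Storage section (plaintext credentials and bearer tokens in preferences and logs) and this Cryptographic Implementation section (ECB mode, keys built from string literals or hardcoded byte arrays, world-readable storage modes).

```python
import re

# Constructed artefacts (hypothetical, not from any real application).
SHARED_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl</string>
    <string name="user_password">hunter2</string>
    <string name="theme">dark</string>
    <boolean name="onboarded" value="true" />
</map>
"""

LOGCAT = """\
D/NetClient( 1234): GET /v1/account Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl
I/ActivityManager( 501): Displayed com.example.app/.MainActivity
D/Login( 1234): login ok user=alice password=hunter2
"""

DECOMPILED = """\
private static final byte[] KEY = {0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
        0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50};
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec("s3cr3t-key-12345".getBytes(), "AES"));
SharedPreferences p = getSharedPreferences("legacy", Context.MODE_WORLD_READABLE);
"""

# Preference names that usually hold material the app should not persist in clear.
SENSITIVE_NAME = re.compile(r"(pass(word)?|token|secret|api[_-]?key|session|cookie)", re.I)
# Three base64url segments starting with "eyJ" ('{"') is the shape of a JWT.
JWT = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def scan_shared_prefs(xml_text):
    """Flag <string> preferences whose name or value looks like a secret."""
    findings = []
    for m in re.finditer(r'<string name="([^"]+)">([^<]*)</string>', xml_text):
        name, value = m.group(1), m.group(2)
        if SENSITIVE_NAME.search(name) or JWT.search(value):
            findings.append(f"shared_prefs stores '{name}' in plaintext")
    return findings


def scan_logcat(lines):
    """Flag log lines that leak credentials or bearer tokens."""
    findings = []
    for line in lines.splitlines():
        if JWT.search(line) or re.search(r"(?i)\b(password|passwd|pwd)=", line):
            findings.append(f"credential material in logcat: {line.strip()[:60]}")
    return findings


def scan_source(src):
    """Flag weak cipher modes, hardcoded keys and world-readable storage modes."""
    checks = [
        (r'"AES/ECB', "AES in ECB mode (deterministic; equal blocks encrypt identically)"),
        (r"new SecretKeySpec\(\s*\"[^\"]+\"\.getBytes\(", "key built from a string literal"),
        (r"byte\[\]\s+\w*KEY\w*\s*=\s*\{", "hardcoded key byte array"),
        # Deprecated since API 17 and rejected on API 24+, but still seen in old code paths.
        (r"MODE_WORLD_READABLE|MODE_WORLD_WRITEABLE", "world-readable/writeable file mode"),
    ]
    return [desc for pattern, desc in checks if re.search(pattern, src)]


def scan_all():
    """Run every scanner over the constructed artefacts."""
    return {
        "storage": scan_shared_prefs(SHARED_PREFS) + scan_logcat(LOGCAT),
        "crypto": scan_source(DECOMPILED),
    }


if __name__ == "__main__":
    for area, hits in scan_all().items():
        for hit in hits:
            print(f"[{area}] {hit}")
```

Pattern hits are leads, not findings: a flagged preference may be encrypted by an EncryptedSharedPreferences wrapper, and a key byte array may be a test vector. Each hit is confirmed by pulling the file from a device or hooking the call at runtime before it is reported.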

Client-Side Logic & Trust Assumptions

We assess where the application makes trust decisions based on locally held state, device properties, or data returned from the server that could be manipulated by an attacker.

Dynamic & Static Analysis

Our testing combines dynamic and static analysis of the application along with reverse engineering where possible, providing comprehensive coverage of both runtime behaviour and code-level vulnerabilities.

Pricing

From £2,800

for mobile app penetration testing

Not sure where your application fits? A 30-minute scoping call is free and gets you a fixed written quote.

No obligation · Strictly confidential · Quote within one business day

Pricing Examples

Basic mobile app (single platform): £2,800 - £4,000
Complex app with API (iOS or Android): £4,000 - £6,000
Both iOS and Android platforms: £6,000+

What's Included

  • Fixed-price proposal within one business day
  • Manual, consultant-led testing, not automated scans
  • Report within 2 business days of testing completion
  • No obligation quote, all enquiries are fully confidential

Indicative ranges only. Your exact price is confirmed after a short scoping conversation; see our full service pricing.

Key Deliverables

What's included in the assessment?

Every mobile application penetration test is delivered as a defined set of outputs supporting both technical remediation and executive decision-making.

Executive Report

A non-technical summary of findings with risk ratings and recommendations suitable for board and senior management stakeholders.

Technical Report

Detailed findings with reproduction steps, severity scoring, remediation guidance, and mappings to CVE, CVSS, and OWASP MASVS where applicable.

Debrief Session

An offer of a debrief call to walk through findings, discuss remediation priorities, and answer questions from both technical and executive stakeholders.

Attack Surface Center Access

Complimentary access to our Attack Surface Center attack surface management (ASM) platform for collaborative tracking and remediation management throughout and beyond the engagement.

Consultant-led Testing

All testing is consultant-led by in-house staff. Your consultant works with you from scoping through to debrief - nothing is outsourced or subcontracted.

Common Questions

Mobile application security testing - frequently asked questions

Do you test both iOS and Android applications?

Yes, we test applications on both platforms. Each has a different security architecture and its own classes of vulnerability, so we tailor our methodology accordingly. Grey-box testing on iOS takes more setup: App Store builds are encrypted and must be decrypted on a jailbroken device, or you supply an unencrypted development build. Where the codebase is shared between platforms, we often recommend testing the Android build for simplicity and coverage.

What does the testing cover?

Our testing covers insecure data storage, insecure communication, authentication and session management, client-side injection, insecure cryptography, code-tampering protections, business logic flaws, and backend API security, following the OWASP Mobile Security Testing Guide (MSTG, now published as the MASTG).

Do you need access to the source code?

We can test with just the compiled application file (.ipa for iOS, .apk for Android). However, source code access enables more thorough testing, including static code analysis. We recommend white-box testing for applications handling sensitive data or financial transactions.

Can you test an app that has not been released yet?

Yes. We test apps at any stage of development, including beta versions, internal enterprise apps, and pre-release applications. You simply provide the installation file and we’ll install it on our testing devices.

Do you test apps built with cross-platform frameworks?

Yes, we test applications built with any framework, including React Native, Flutter, Xamarin, Ionic, and Cordova. Cross-platform frameworks can introduce their own vulnerabilities, especially at the bridge between native code and the framework runtime (JavaScript in the case of React Native, Ionic and Cordova).

Ready to secure your mobile application?

Get a fixed-price quote within 24 hours. Our team will review your application’s scope and provide a tailored testing proposal that fits your timeline and budget.