Mobile Application Penetration Test Package
This package is designed to perform a thorough penetration test of a single mobile application binary (either iOS or Android) to satisfy regulatory, tender, or compliance requirements.
The test is conducted by our senior, Australian-based certified penetration testers. Our methodology is based on the OWASP Mobile Application Security Verification Standard (MASVS) and recommendations from NIST. The final report provides the assurance you need to meet regulatory obligations, tender requirements, and standards like PCI DSS or ISO 27001.
Scope: A comprehensive security assessment of one application binary (iOS or Android).
Deliverable: A detailed report with all findings, their potential impact, and a clear remediation plan, plus a Certificate of Penetration Testing.
Our Mobile Application Testing Methodology
Our testing process is a comprehensive analysis of your entire mobile ecosystem, from the application on the device to the APIs it communicates with. We follow a structured methodology aligned with the OWASP MASVS to ensure all critical areas are assessed.
1. Static Analysis (SAST)
We perform a "white-box" analysis of the application binary itself. We decompile the code to identify insecure coding practices, hardcoded secrets (like passwords or API keys), and weaknesses in how the app is built.
2. Dynamic Analysis (DAST)
We analyse the application as it runs on a live device. This "black-box" testing focuses on how the app handles and stores data, looking for:
Insecure Data Storage: Checking how sensitive data is stored locally on the device and whether it is adequately protected.
Client-Side Vulnerabilities: Testing for flaws like SQL injection on the local database.
Business Logic Flaws: Identifying ways to abuse application features for unintended purposes.
3. Communication & API Testing
We intercept and analyse all network traffic between the mobile app and its backend servers. This is critical for finding:
Insecure Communication: Verifying that all data is encrypted in transit using strong TLS.
API Vulnerabilities: Testing the backend APIs for the full range of web service vulnerabilities, as a flaw here can compromise all users.
Session Management: Verifying that user sessions are handled securely to prevent hijacking.
Reporting & Deliverables
Following the assessment, you will receive a comprehensive and professionally written penetration testing report. Our reports are designed for both technical and management audiences, detailing each vulnerability with a clear risk rating based on its potential business impact.
We map all findings to relevant compliance frameworks (OWASP, PCI DSS, ISO 27001) and provide clear, actionable guidance to help your development team remediate the issues effectively. Along with the detailed report, you will also receive a formal Certificate of Penetration Testing to share with your clients and stakeholders.