Offensive Security — Flagship Service

Mobile Application Penetration Testing

Manual iOS and Android penetration testing — OWASP MASTG and MASVS aligned. Static decompilation, runtime instrumentation with Frida, network inspection, local-storage audit, and platform-specific attacks. Not an automated APK scanner.

AED 14,000 – 38,000
OSCP · CPTS · CEH
7 – 14 days typical
Book a 30-min Scoping Call →

What it is

A manual penetration test of your mobile app on iOS, Android, or both — executed by a credentialed offensive practitioner, not a binary-analysis SaaS tool.

We decompile your binary and inspect it for hardcoded secrets, insecure library usage, and obfuscation weaknesses. We then run the app on instrumented devices — both jailbroken/rooted and stock — and attack it at runtime: Frida method hooking, SSL pinning bypass, local-storage inspection (keychain, keystore, shared preferences, SQLite, files), deep-link and IPC abuse, WebView injection, and the API authentication and authorisation flaws the app exposes through its backend calls.

Every engagement ends with a MASVS-mapped findings report, a live remediation walkthrough, and one free re-test of critical and high findings within 30 days.

MASVS coverage — 8 control groups

We test every application against the full OWASP Mobile Application Security Verification Standard control set.

V1: Architecture, design & threat modelling — security controls mapped against the app's threat surface.
V2: Data storage & privacy — keychain/keystore misuse, sensitive data in logs, clipboard, backups, screenshots.
V3: Cryptography — weak algorithms, key management, hardcoded keys, insecure random, TLS config.
V4: Authentication & session management — bypass, brute-force protection, biometric handling, token storage.
V5: Network communication — certificate validation, pinning, MITM resilience, plaintext transmission.
V6: Platform interaction — IPC, deep links, WebView, custom URL schemes, intent hijacking.
V7: Code quality & build — debuggable flags, memory protections, third-party library vulnerabilities.
V8: Resilience & anti-tamper — root/jailbreak detection, repackaging protection, runtime integrity.

What this is not

Not an APK-scanner PDF. MobSF output is a starting point, not a deliverable.
Not a full API pen test. Light API coverage included; full API Top 10 is a separate engagement.
Not an app-store review substitute. Apple and Google store reviews don't assess security.
Not a source-code review. This is dynamic + static binary analysis; code review is separate.

Who this is for

1. You're launching a new mobile app (fintech, healthtech, e-commerce) and need a security gate before store submission.
2. Your app handles payments, health data, or personally identifiable information and regulators or enterprise clients expect evidence.
3. You're preparing for an ISO 27001, PCI DSS, ADHICS, or SOC 2 audit and the auditor asked about mobile coverage.
4. You had a responsible-disclosure report or suspicious activity tied to the mobile client.
5. You're selling B2B and an enterprise customer has asked for a mobile pen test report before contract.

What you get

  • Rules of engagement — platforms in scope, binary delivery method, test accounts, testing windows.
  • Findings report (typically 20 – 40 pages) — every finding with CVSS, MASVS control mapping, reproduction, screenshots, remediation guidance.
  • Executive summary — 1 – 2 pages, board-consumable.
  • Frida scripts + PoC artefacts delivered so your dev team can reproduce every finding locally.
  • Live remediation walkthrough — 90 minutes with your mobile dev team.
  • Free first re-test of critical and high findings within 30 days of remediation.

How we deliver

01 · Scoping · 2 days
60-minute call, app walkthrough, platform scope, test-account provisioning, ROE signed, binary delivery.

02 · Static analysis · 1 – 2 days
Decompilation (jadx, Hopper), manifest review, hardcoded secrets, library CVE sweep, obfuscation assessment.

03 · Dynamic + runtime · 3 – 6 days
Frida instrumentation, SSL pinning bypass, storage inspection, IPC/deep-link abuse, WebView, auth and session testing.

04 · Reporting · 2 – 3 days
Findings compilation, CVSS + MASVS mapping, reproduction steps, executive summary, internal review pass.

05 · Walkthrough · 90 minutes
Live screen-share with your mobile dev team — every critical and high finding, reproducible with scripts.

06 · Re-test · Within 30 days post-remediation
Validate fixes on the patched build; issue re-test report.

Not sure of the right scope? Tell us about your app and target environments — we'll send a written scoping brief and indicative AED pricing within one working day.
Discuss scope

Pricing

Published range

AED 14k – 38k

Per engagement. Written quote within 48 hours.

What drives the price:

  • Single platform (iOS or Android) vs. both
  • Native vs. cross-platform build (React Native, Flutter)
  • App complexity — number of screens, roles, flows
  • Payment, health data, or PII in scope
  • Obfuscation and anti-tamper protections present
  • Timeline (standard vs. expedited)

Commercial terms

  • Deposit: 50% at signing; balance on final report
  • Net terms: Net-30
  • Quote validity: 30 days
  • Re-test: 1 × critical/high re-test included
  • Scope changes: written change request required

Your cert-backed team

Lead Tester

Nelson Durairaj

OSCP · eJPT · CEH · BlackHat Linux · HTB Omniscient

Focus: Mobile runtime instrumentation, SSL pinning bypass, authentication flaws, API abuse from mobile clients.

Supervising Practitioner

Manoj Prabhakaran

CPTS · CDSA · Security+ · ISO 27001 Lead Auditor

Focus: Engagement oversight, MASVS evidence mapping, audit alignment, report quality.

Frequently asked questions

Do you test iOS, Android, or both?

Both. We test native iOS (Swift/Objective-C), native Android (Kotlin/Java), and cross-platform builds (React Native, Flutter, Xamarin). Per-platform pricing is per binary — one iOS build and one Android build of the same app are two scopes.

What methodology do you follow?

OWASP MASTG (Mobile Application Security Testing Guide) and OWASP MASVS (Mobile Application Security Verification Standard), aligned to NIST SP 800-115. Our test plan covers all 8 MASVS control groups: architecture, data storage, cryptography, authentication, network, platform interaction, code quality, and resilience.

Do I need to give you a jailbroken / rooted device?

No — we provide our own instrumented test devices (both jailbroken iOS and rooted Android) plus non-rooted devices to test both attack paths. You provide the app binary (IPA/APK) and test credentials.

What do you actually test?

Static analysis of the binary (decompilation, hardcoded secrets, insecure libraries, obfuscation quality), dynamic analysis (runtime inspection, method hooking with Frida, SSL pinning bypass, local storage inspection), network traffic analysis (API calls, TLS config, certificate validation), platform-specific attacks (deep links, IPC, keychain/keystore misuse, WebView issues), and authentication/authorization flaws against the backing API.

Will this also test the backing API?

Light API testing is included (authentication bypass, authorization, mass-assignment against endpoints the app calls). For full API pen testing — every endpoint, all HTTP verbs, full OWASP API Top 10 — add a separate Web App / API pen test engagement.

How long does a typical engagement take?

Single platform (iOS or Android), standard complexity: 7–10 days end-to-end. Both platforms of the same app: 10–14 days. Add 2–3 days for heavily obfuscated binaries or anti-tamper-protected apps.

Will this satisfy compliance requirements?

Yes. Our reports are audit-grade for ISO 27001, SOC 2, PCI DSS (if card data is handled in-app), HIPAA, ADHICS (healthcare apps in UAE), and UAE IA V2. We include CVSS-scored findings, MASVS control mapping, and remediation guidance.

Is the re-test included?

Yes — one re-test of critical and high findings within 30 days of remediation is included. We re-verify on both the original platform build and any patched build you ship.

Shipping a mobile app that handles payments, health data, or PII?

Book a 30-minute scoping call. Written quote within 48 hours. We can start testing inside 1 – 2 weeks.

Book a Scoping Call →