Mobile Application Penetration Testing

Mobile Application Penetration Testing Services

Mobile applications handle sensitive data and authenticate users in environments that attackers can directly control: the device itself. Our mobile application penetration testing covers the full OWASP Mobile Top 10 for both iOS and Android, including client-side storage analysis, API communication testing, binary analysis, and runtime manipulation.

  • iOS and Android: both platforms tested
  • OWASP Mobile Top 10: full coverage
  • API backend: tested alongside the app
  • Static and dynamic analysis: both performed
Insecure Data Storage

Mobile apps frequently store sensitive data (credentials, tokens, PII, session cookies) in locations that other apps can read or that can be recovered after device loss. We examine local databases, shared preferences, keychain entries, temp files, and log files for sensitive data that should not persist on the device.
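
A concrete version of that storage review, written for this page as an added example (it is not the vendor's tooling): it walks a copy of an Android app's private data directory and reports secret-shaped values in SharedPreferences XML, sensitive column names and cells in SQLite databases, and tokens leaked into logs. It assumes the tester has already pulled the app's data directory from a rooted device into a local folder; the directory layout, file contents and regex set below are constructed for the example, not taken from a real app.

```python
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Secret-shaped values. The pattern set and the sensitive key-name list are this example's choices.
PATTERNS = {
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]{20,}", re.IGNORECASE),
}
SENSITIVE_NAME = re.compile(r"pass(word)?|secret|token|api[_-]?key|session", re.IGNORECASE)

def scan_shared_prefs(path):
    """SharedPreferences XML: flag sensitive-looking keys and secret-shaped values."""
    findings = []
    for el in ET.parse(path).getroot():
        name = el.get("name", "")
        value = el.get("value") if el.get("value") is not None else (el.text or "")
        if SENSITIVE_NAME.search(name):
            findings.append((path, "sensitive_pref_key", name))
        for kind, pat in PATTERNS.items():
            if pat.search(value):
                findings.append((path, kind, name))
    return findings

def scan_sqlite(path):
    """SQLite database: flag sensitive column names, then secret-shaped text cells."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                if SENSITIVE_NAME.search(col):
                    findings.append((path, "sensitive_column", f"{table}.{col}"))
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, cell in zip(cols, row):
                    if isinstance(cell, str):
                        for kind, pat in PATTERNS.items():
                            if pat.search(cell):
                                findings.append((path, kind, f"{table}.{col}"))
    finally:
        con.close()
    return findings

def scan_text(path):
    """Logs, caches and anything else: line-by-line regex scan."""
    findings = []
    with open(path, errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for kind, pat in PATTERNS.items():
                if pat.search(line):
                    findings.append((path, kind, f"line {lineno}"))
    return findings

def scan_app_data(root):
    """Walk a pulled data directory and dispatch on file type."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            p = os.path.join(dirpath, fn)
            if fn.endswith(".xml"):
                findings.extend(scan_shared_prefs(p))
            elif fn.endswith((".db", ".sqlite")):
                findings.extend(scan_sqlite(p))
            else:
                findings.extend(scan_text(p))
    return findings

def build_sample_app_dir():
    """Constructed stand-in for /data/data/com.example.app/ (not real app data)."""
    root = tempfile.mkdtemp(prefix="appdata_")
    for sub in ("shared_prefs", "databases", "cache"):
        os.makedirs(os.path.join(root, sub))
    jwt = "eyJhbGciOiJIUzI1NiJ9." + "A" * 24 + "." + "B" * 24  # fake but structurally a JWT
    with open(os.path.join(root, "shared_prefs", "auth.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                 f'  <string name="session_token">{jwt}</string>\n'
                 '  <boolean name="remember_me" value="true" />\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "user.db"))
    con.execute("CREATE TABLE account (id INTEGER, email TEXT, password TEXT)")
    con.execute("INSERT INTO account VALUES (1, 'a@example.com', 'hunter2')")
    con.commit()
    con.close()
    with open(os.path.join(root, "cache", "network.log"), "w") as fh:
        fh.write("GET /v1/me Authorization: Bearer " + "x" * 32 + "\n")
    return root
```

Run `scan_app_data(build_sample_app_dir())` to see the four findings the sample produces: a session token key holding a JWT in shared preferences, a plaintext `password` column in the database, and a bearer token written to a cache log. On a real engagement the same walk is pointed at the pulled directory, and every hit is then checked against what the app actually needs to keep on the device.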

Authentication & Session Management

We test login flows, session token generation and expiration, paths that bypass biometric checks (for example, a check enforced only in client code), remember-me functionality, and account lockout behavior. We also test for insecure credential transmission and for sessions that remain valid on the server after logout.
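
The token checks above, as an added example rather than the vendor's own tooling. It assumes the app's session token is a JWT (the page does not say which format is used) and only decodes it, so signature validity is not checked here; the logout check needs a live API (replay the token after logging out) and is not shown. The lifetime threshold and the sample tokens are this example's own constructions.

```python
import base64
import json
import time

MAX_LIFETIME_SECONDS = 24 * 3600  # review threshold chosen for this example, not a standard

def _b64url_decode(segment):
    """JWT segments are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token):
    """Split and decode a compact JWS without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload, parts[2]

def audit_jwt(token, now=None):
    """Return a list of issue strings; an empty list means these checks found nothing."""
    now = time.time() if now is None else now
    header, payload, signature = decode_jwt(token)
    issues = []
    if str(header.get("alg", "")).lower() == "none" or signature == "":
        issues.append("unsigned token (alg=none or empty signature)")
    if "exp" not in payload:
        issues.append("no exp claim: token lives until the server revokes it")
    else:
        lifetime = payload["exp"] - payload.get("iat", now)
        if lifetime > MAX_LIFETIME_SECONDS:
            issues.append(f"lifetime {lifetime / 3600:.0f}h exceeds {MAX_LIFETIME_SECONDS // 3600}h")
        if payload["exp"] < now:
            issues.append("token already expired")
    if "jti" not in payload:
        issues.append("no jti claim: server-side revocation at logout has no token id to key on")
    return issues

def make_jwt(header, payload, signature="sig"):
    """Build a constructed sample token; the signature is a placeholder, not a real MAC."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{signature}"
```

Feed `audit_jwt` a token captured from the app's traffic; a clean result still leaves the server-side questions (does the signature verify, does logout actually revoke) to be answered against the backend.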

API & Network Communication

Mobile apps communicate with backend APIs that often have weaker controls than their web-facing equivalents. We intercept and analyze all API traffic, bypassing certificate pinning where necessary, and look for cleartext transmission, overprivileged endpoints, and authorization flaws specific to how the mobile app interacts with the backend.

Binary Analysis & Reverse Engineering

We analyze the compiled application binary for hardcoded credentials and API keys, sensitive strings, debug flags left in production builds, obfuscation weaknesses, and exported components that could be abused by other apps on the device.
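
The exported-component and debug-flag checks above, as an added example that is not the vendor's code. It assumes the APK has already been decoded so that AndroidManifest.xml is plain XML (apktool does this), then parses it and reports components reachable by other apps without a permission requirement. The sample manifest is constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def android(attr):
    """Qualified name of an android: attribute as ElementTree sees it."""
    return f"{{{ANDROID_NS}}}{attr}"

def is_launcher(component):
    """The app's LAUNCHER activity is meant to be exported; do not report it."""
    for flt in component.findall("intent-filter"):
        if any(c.get(android("name")) == "android.intent.category.LAUNCHER"
               for c in flt.findall("category")):
            return True
    return False

def audit_manifest(xml_text):
    """Return (subject, issue) pairs for a decoded manifest."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    if app.get(android("debuggable")) == "true":
        findings.append(("application", "debuggable=true left in the build"))
    if app.get(android("usesCleartextTraffic")) == "true":
        findings.append(("application", "usesCleartextTraffic=true permits plain HTTP"))
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or is_launcher(comp):
            continue
        name = comp.get(android("name"), "?")
        exported = comp.get(android("exported"))
        # Before Android 12 a component with an intent-filter is exported by default when
        # android:exported is unset; apps targeting Android 12+ must declare it explicitly.
        implicit = exported is None and comp.find("intent-filter") is not None
        if exported != "true" and not implicit:
            continue
        perm = comp.get(android("permission"))
        if comp.tag == "provider":
            perm = perm or comp.get(android("readPermission")) or comp.get(android("writePermission"))
        if perm is None:
            how = "explicitly" if exported == "true" else "implicitly via intent-filter"
            findings.append((name, f"{comp.tag} exported {how} with no permission required"))
    return findings

# Constructed sample manifest (not from a real app): one launcher, one implicitly exported
# deep-link activity, a permission-guarded service, an open provider, a private receiver.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:debuggable="true" android:allowBackup="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="exampleapp"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.app.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"
              android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>"""
```

`audit_manifest(SAMPLE_MANIFEST)` reports the debuggable flag, the deep-link activity that is exported only because it carries an intent-filter, and the content provider that any app on the device can query; the guarded service and the private receiver are left alone. Each reported component is then exercised at runtime (for example with `adb shell am start` or a `content query`) to confirm what it actually exposes.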

Authentication Bypass & Runtime Manipulation

We use dynamic analysis techniques, including runtime hooking and method swizzling, to bypass authentication controls, tamper with application logic, and test how security controls hold up under adversarial conditions. This simulates what an attacker with a rooted or jailbroken device could do with your application.

OWASP Mobile Top 10 Report

All findings are mapped to the OWASP Mobile Security Testing Guide and Mobile Top 10. Reports include device-specific reproduction steps, the risk rating, business impact, and specific remediation guidance for your iOS and Android development teams.



What Makes Us Different From Others
  • iOS and Android Coverage: We test native iOS, native Android, and cross-platform apps built with React Native, Flutter, and Xamarin on both platforms.
  • OWASP Mobile Top 10 Methodology: All testing is structured around the OWASP Mobile Application Security Verification Standard (MASVS) and the Mobile Top 10.
  • Dynamic and Static Analysis: We combine static binary analysis with dynamic runtime testing for the most complete coverage. Runtime hooking and traffic interception reveal vulnerabilities that static analysis alone cannot find.
  • API Backend Testing Included: Mobile apps are only as secure as the APIs they communicate with. We test the mobile-specific API endpoints as part of every mobile application engagement.
  • Developer-Specific Remediation: We provide platform-specific remediation guidance (Swift/Objective-C for iOS, Kotlin/Java for Android) so developers can fix findings without translation.
  • Retesting Included: We verify that client-side fixes, API changes, and binary hardening measures are effective before the engagement closes.

Client results

See how we have helped

Retail

E-Commerce — PCI DSS Penetration Test

Pre-PCI DSS audit penetration test uncovered critical vulnerabilities in the payment processing environment. All findings remediated before the QSA assessment.

  • Critical findings remediated
  • PCI DSS audit passed
  • 0 post-test failures

Frequently asked questions

What does mobile application penetration testing cover?

Mobile penetration testing covers insecure data storage, weak authentication and session management, improper platform usage, insecure communication, insufficient cryptography, insecure authorization, poor code quality, code tampering, reverse engineering, and extraneous functionality: the ten categories of the OWASP Mobile Top 10 (2016 list), for both iOS and Android.

Do you test both iOS and Android?

Yes. We test native iOS apps, native Android apps, and cross-platform apps built with React Native, Flutter, and Xamarin. The test methodology differs between platforms because iOS and Android have different security architectures, storage mechanisms, and permission models.

Do we need to provide the source code?

No. We perform grey-box or black-box testing without source code access. However, having source code enables white-box testing which provides the most thorough coverage. We can test at whichever level is available and appropriate.

What is binary analysis in the context of mobile testing?

Binary analysis involves examining the compiled application file (.ipa for iOS, .apk for Android) for hardcoded secrets, sensitive strings, debug information, insecure configurations, and exported components. It allows us to find vulnerabilities without running the app and to understand the app's security architecture before dynamic testing begins.

Can you bypass certificate pinning during testing?

Yes. We test whether certificate pinning is implemented and, where it is, attempt to bypass it using standard techniques. Certificate pinning is an important security control, but on a device the attacker controls the pinning check itself can usually be hooked out at runtime, so its presence should not be taken to prevent all network traffic interception.

How long does mobile application penetration testing take?

A standard mobile app penetration test typically takes one to two weeks per platform. Testing both iOS and Android versions of the same app typically takes two to three weeks. Timeline depends on app complexity and the number of features and API endpoints in scope.

Is mobile penetration testing required for compliance?

PCI DSS requires penetration testing of the cardholder data environment, which brings payment-related mobile applications into scope. HIPAA does not mandate mobile testing but requires risk assessments that should include mobile apps handling PHI. SOC 2 and ISO 27001 include software security requirements that should cover mobile apps handling sensitive data.

What are the most common critical findings in mobile penetration tests?

The most common critical findings are: sensitive data stored insecurely on the device (unencrypted databases, logs), API keys hardcoded in the application binary, broken authentication allowing the login requirement to be bypassed, API endpoints that assume they are only ever called by the app and so skip server-side authorization, and missing certificate pinning allowing traffic interception.

Ready to Strengthen Your Cybersecurity Posture?

Get a free 30-minute consultation with a GarrisonOne expert.

Get a Free Consultation

No obligation: just clarity on your next step.
