Mobile applications carry a disproportionate share of customer trust: banking, healthcare, government identity, payment. They also concentrate risk in a way few other interfaces do, running on uncontrolled devices, accessing sensitive backends, and storing data the user is rarely aware of. Mobile penetration testing is what tells you whether that risk has been managed or merely assumed.

Vantage Point's mobile application testing combines static and dynamic analysis with extensive manual penetration testing across the full mobile attack surface. Engagements are MASTG-driven, meaning every test maps back to a published procedure in the global standard we originally helped author.

Coverage spans both the application and its supporting environment, backend APIs, network communication, platform integrations, certificate pinning and anti-tamper controls, and the resilience of the application against reverse engineering. Findings are reproducible on the device or emulator they were discovered on.

What's at stake.

Mobile sits on uncontrolled devices

Unlike server-side code, a mobile app runs on whatever device the customer owns, potentially rooted, jailbroken, instrumented, or running on an emulator. The threat model has to assume the attacker has full control of the runtime.

Regulatory pressure is intensifying

Singapore's Safe App Standard, MAS expectations on financial mobile apps, and similar moves regionally all push mobile security from "nice to have" to "evidence required".

Backend exposure compounds the risk

Mobile applications are typically the noisiest, most-attacked entry into otherwise well-protected backend APIs. Testing the app without testing what it talks to misses most of the real risk surface.

What we test.

Application controls

On-device controls covering data, authentication, cryptography, and platform integration, the MASVS L1/L2/R requirements.

  • Data storage and privacy
  • Authentication and session management
  • Cryptography implementation
  • Platform interaction (intents, schemes, permissions)
  • Resilience against reverse engineering and tampering

Backend & transport

The surfaces the application talks to. Often where the highest-impact findings live.

  • Backend API security
  • Network communication and certificate pinning
  • WebView and embedded-browser security
  • Inter-process communication
  • Code quality, obfuscation, and anti-tamper

The flaws engagements like this consistently surface.

Drawn from common categories our consultants surface across engagements of this type. Severity and prevalence vary by environment and maturity.

Insecure data storage

PII and tokens cached in shared preferences, sensitive data in WebView storage, keychain misuse, leaking via screenshots or system logs.

Broken cryptography

Hardcoded keys, weak algorithms (DES, ECB), home-grown crypto, missing IV randomisation, predictable session generation.

Insecure communication

Missing or weak certificate pinning, mixed-content channels, vulnerable handshake configurations, insecure WebSocket fallbacks.

Authentication weaknesses

Step-up bypassed, fallback to weaker auth, biometric prompt UX defeating its security purpose, session not bound to device.

Backend authorisation flaws

IDOR exposing other users' data through mobile-API endpoints, missing tenant checks, debug endpoints reachable in production builds.

Reverse-engineering exposure

No root/jailbreak detection, anti-debug controls trivially defeated, sensitive logic in client where it belongs server-side.

A structured, intelligence-led path through every engagement.

Every engagement follows the same disciplined path through the Velocity platform, so quality, traceability, and reporting are consistent across teams.

Scoping

Define assets, environments, Rules of Engagement, and acceptance criteria with the technical and security stakeholders.

Execution

Manual and tool-assisted testing by CREST-accredited consultants, with evidence captured at each step.

Validation

Every finding is reproduced, risk-rated under CVSS, and confirmed by a second consultant before reporting.

Reporting

Cryptographically signed reports with test-case traceability, severity ratings, reproduction steps, and remediation guidance.

Debrief & Retest

Stakeholder walk-through of findings, prioritisation support, and a retest cycle on remediated issues.

Mapped to recognised baselines.

OWASP MASTG
OWASP MASVS
Singapore Safe App Standard (where applicable)
NIST mobile guidance

Common buyer questions.

Do you need a rooted or jailbroken device?

Yes, MASTG manual testing requires instrumented test devices. We use our own test devices; client devices are not modified.

How do you test apps that use strong anti-tamper / RASP?

Resilience testing under MASVS-R is explicitly part of the methodology. We evaluate whether those controls do what they claim, in coordination with the development team, rather than treating bypass as the goal.

Can you test the backend API at the same time?

Strongly recommended; most high-impact findings live in the API. Combined mobile + API engagements are the common pattern.

What about React Native, Flutter, Xamarin?

All supported. Cross-platform frameworks have their own peculiarities (bundled JavaScript, asset packaging, native bridges), and we have specific test cases for each.

Test Your Defences Against Adversarial Expertise

Talk to a CREST-accredited consultant about your next penetration testing engagement.