/ mobile app pentest

Mobile app pentesting, binary to backend.

AI penetration testing for iOS and Android mobile applications, covering binary analysis, runtime exploits, insecure storage, certificate pinning, inter-process communication, and the backend APIs mobile apps depend on.

iOS and Android apps at equal depth. We reverse-engineer the binary, exploit the runtime, test insecure storage and IPC, and chain through to the backend APIs behind the app. A senior pentester reviews every finding.

PLATFORMS · iOS + Android, equal depth
DEPTH · Binary · runtime · storage · API
OUTPUT · Signed report + unlimited retests
// TOP FINDINGS · last 30 days
CRIT · Hardcoded API key in iOS binary · ×2
CRIT · Cert pinning bypass + MITM · ×3
HIGH · Insecure keychain item (no ACL) · ×5
HIGH · Exported Android activity · token leak · ×3
MED · Debuggable production build · ×4
MED · Root/jailbreak detection trivial · ×6
/ why this surface

Mobile is three attack surfaces in one.

A mobile app is a binary on a device, a runtime in hostile hands, and a client to a backend API. Each is its own attack surface. Most pentests only cover one or two.

01 · THE BINARY

Secrets that shouldn't have shipped

Hardcoded keys, endpoints, feature flags, and debug strings. We reverse-engineer IPA and APK files to find what you didn't mean to ship. The AI extracts and classifies; the human tells you which ones actually matter.

02 · THE RUNTIME

Your app runs on the attacker's device

Cert pinning bypass, root/jailbreak detection that doesn't detect anything, insecure keychain items, exported activities on Android. Frida and Objection are our baseline. If it runs on the phone, we can manipulate it.

03 · THE BACKEND

Most mobile bugs live on the server

Your app is a client. The interesting flaws are in the APIs it talks to, often with weak auth because nobody's supposed to see them. We test those too, same engagement.

/ what we test

What we test on mobile apps.

iOS and Android. Binary, runtime, backend. Every engagement, both platforms.

01 · BINARY ANALYSIS

What's in the app

  • Hardcoded secrets / keys
  • Sensitive strings & endpoints
  • Insecure third-party SDKs
  • Symbol / obfuscation review
  • Debug flags in release builds
  • Signing & entitlement issues
02 · RUNTIME

Live on device

  • Certificate pinning bypass
  • Jailbreak / root detection
  • Frida / Objection attacks
  • Anti-debug checks
  • Method swizzling / hooking
  • Screenshot / overlay attacks
03 · STORAGE & IPC

Data on the device

  • Insecure Keychain / Keystore
  • Plaintext in SharedPreferences
  • Exported Android activities
  • Broadcast receiver abuse
  • URL scheme hijacking
  • iOS pasteboard leakage
04 · BACKEND APIS

What the app talks to

  • Unauthenticated endpoints
  • IDOR on user resources
  • Mass assignment
  • Replay & session attacks
  • Push-notification abuse
  • Token-binding flaws
/ what we've found

Example findings from this surface.

Illustrative examples of real vulnerability classes on this attack surface. Anonymized, but every one is based on patterns our pentesters encounter repeatedly.

CRIT
Hardcoded production API key in iOS binary
Info.plist + strings · CVSS 9.0 · confirmed

A production API key was embedded in the iOS binary. Extracted via `strings` in under a minute. The key had full read/write access to the customer database.

@arjun · reviewer note: AI dumped strings. I matched to the key format and confirmed scope via a test API call. Rotate the key, move to short-lived tokens per session.
CRIT
TLS pinning bypassed, full MITM
iOS + Android · CVSS 8.9 · confirmed

Certificate pinning was implemented only for the main domain, not for the analytics subdomain, which handled auth redirects. A proxy on the analytics domain MITM'd the login flow and captured tokens.

@arjun · reviewer note: AI found the pinning gap. I ran the full attack with mitmproxy. Pinning must cover every domain the app talks to, not just the primary one.
HIGH
Exported Android activity leaks auth token
AndroidManifest.xml · CVSS 7.8 · confirmed

A deep-link activity was exported without permission checks. A malicious app on the same device could launch it with a crafted intent and read the returned auth token from the result.

@arjun · reviewer note: Classic mistake, still common. AI flagged the exported=true. I wrote a 20-line malicious APK to prove the token leak. Fix is signature-level permission on the activity.
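
An added manifest audit (not the page's or the firm's own tooling) that flags the exported-activity pattern in this finding and confirms that gating the activity with a signature-level permission clears it; the manifests, package name and permission name are constructed for the example.

```python
"""Audit an AndroidManifest.xml for exported components without a signature-level
permission, the pattern behind the 'exported activity leaks auth token' finding."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Providers use readPermission/writePermission and are out of scope here.
COMPONENTS = ("activity", "activity-alias", "service", "receiver")

def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def _is_exported(comp):
    exported = _attr(comp, "exported")
    if exported is not None:
        return exported.lower() == "true"
    # Legacy default (pre-Android 12): an intent-filter implies exported=true.
    return comp.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (kind, name, reason) for each exported component that any app on the
    device can reach: no android:permission, or one that is not signature-level."""
    root = ET.fromstring(xml_text)
    signature_perms = {
        _attr(p, "name") for p in root.iter("permission")
        if (_attr(p, "protectionLevel") or "normal").startswith("signature")
    }
    findings = []
    for kind in COMPONENTS:
        for comp in root.iter(kind):
            if not _is_exported(comp):
                continue
            perm = _attr(comp, "permission")
            if perm is None:
                findings.append((kind, _attr(comp, "name"), "exported without android:permission"))
            elif perm not in signature_perms:
                findings.append((kind, _attr(comp, "name"), f"{perm} is not signature-level"))
    return findings

# Constructed sample: a deep-link activity launchable by every app on the device.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter><action android:name="com.example.app.action.DEEPLINK"/></intent-filter>
    </activity>
  </application>
</manifest>"""
# The fix: declare a signature-level permission and gate the activity with it.
FIXED_MANIFEST = VULNERABLE_MANIFEST.replace("<application>", '<permission android:name="com.example.app.perm.DEEPLINK" android:protectionLevel="signature"/>\n  <application>'
).replace('android:exported="true"', 'android:exported="true" android:permission="com.example.app.perm.DEEPLINK"')
```

Components that omit `android:exported` but carry an intent-filter are treated as exported, matching the pre-Android 12 default, so the check also catches the implicit case.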
HIGH
Keychain items accessible when device locked
iOS / kSecAttrAccessible · CVSS 7.2 · confirmed

Auth tokens were stored in Keychain with kSecAttrAccessibleAlways, meaning they could be extracted from a physical device without a passcode. A lost phone leaks the user's session.

@arjun · reviewer note: Standard but commonly missed. Simple swap to `AfterFirstUnlockThisDeviceOnly` for runtime tokens, or WhenUnlocked for anything sensitive.

// illustrative examples · not real customer engagements

/ invite-only

Ship faster than your pentesters? Let's fix that.

Tell us what you ship and we'll scope a pilot on this surface. The AI and the reviewer take it from there.
