Mobile App Security Testing Service

Manual mobile application security testing, performed by CREST-certified application testers following the OWASP mobile security testing methodology.

What is Mobile Application Security Testing

Mobile application penetration testing focuses on the mobile app itself and is typically dynamic, meaning the assessment is conducted while the application is running. Where the source code can be made available, it is used alongside dynamic testing to assist with identifying vulnerabilities and security issues. The terms mobile app penetration testing and mobile application security testing are used interchangeably.

What is Assessed during a mobile app security test?

Aptive’s mobile application testing methodology is based on the OWASP Mobile Security Project and covers every category of the OWASP Mobile Top 10 for 2016 (listed below), combined with experience and testing techniques drawn from other areas of security testing. An overview of our mobile security testing methodology is documented below.


  • OWASP Mobile Top 10 – 2016
  • M1 – Improper Platform Usage
  • M2 – Insecure Data Storage
  • M3 – Insecure Communication
  • M4 – Insecure Authentication
  • M5 – Insufficient Cryptography
  • M6 – Insecure Authorisation
  • M7 – Client Code Quality
  • M8 – Code Tampering
  • M9 – Reverse Engineering
  • M10 – Extraneous Functionality

Why perform Mobile Application Penetration Testing?

Help Identify and Secure Against Security Risks

Mobile application security testing provides a thorough assessment of your mobile application and identifies the security risks it carries. Clear remediation instructions are provided, along with consultant-assisted remediation guidance, to help you understand and secure your mobile applications.

Identify Security Issues that endanger your Users

Identify mobile app security issues that could endanger your users, expose sensitive information and damage your company’s reputation.

Supported Platforms

Aptive provide mobile app security testing for the following mobile platforms:

  • iOS Security Testing
  • Android Security Testing
  • Windows Mobile

Mobile Application Security Testing Methodology

Information Gathering

The first stage of the engagement involves taking time to learn the target application’s purpose and assess its functionality. This information is then used to scope the engagement correctly and to estimate the level of effort and time required to assess the mobile application.

  • Application type – mobile web, native or cross-platform
  • Application mapping – manually exercising the application to understand its functionality and how it is intended to behave
  • Identifying the network interfaces the application uses
  • Determining which network protocols are in use
  • Determining whether the application processes payments or commerce transactions, and how that data is stored
  • Determining what hardware is in use – GPS, Bluetooth, Touch ID, camera, microphone etc.
  • Identifying any third-party libraries, SDKs or frameworks in use
  • Determining whether the application interacts with any other applications
  • Assessing server-side information to determine the hosting platforms (AWS, Azure, Rackspace, Heroku etc.) and technologies (development language, single sign-on, 2FA, APIs) in use

Build the Test Environment

The test environment used to conduct the mobile application security test is built according to the scoping specifics and the data collected during the information gathering stage.

Static Analysis – SAST (Static Application Security Testing) – SCR (Secure Code Review) – SCA (Static Code Analysis)

Static Analysis, or SAST (Static Application Security Testing), assesses the source code, binaries and other data bundled with the application while the application is not running. Access to the source code is preferred; where it is not available, the compiled binaries are reverse engineered, decrypted and decompiled (where possible) for analysis.

Inspection of the source code (or of the decompiled application where source is not provided) is performed even on engagements that do not have a full source code audit in scope. It saves time mapping the application and understanding its functionality, and reveals information such as the backend databases, server-side components, the authentication system, APIs, and the programming languages and frameworks used.

  • Authentication
  • Authorisation
  • Session Management
  • Data Storage
  • Information Disclosure
  • Web Application Security Testing – XSS, CSRF, SQL injection, command injection, XML injection, cross-domain policy checks, cookies etc.
  • Networking – weak / insecure protocol usage
  • Transport Layer Protection – TLS / SSL – encryption in transit
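The transport layer protection item above is one of the checks that can be done statically before any traffic is captured. The following is an added example (not Aptive’s tooling or methodology): a small Python script that reads an Android network_security_config.xml and an iOS Info.plist and reports settings that weaken encryption in transit, with a weak and a hardened sample of each. All four configuration samples, the host names and the pin values are constructed for the example; the element names and plist keys are the real Android and iOS ones.

```python
"""Static transport-security configuration check for Android and iOS.

Added example, not Aptive's own tooling. It parses an Android
network_security_config.xml and an iOS Info.plist for settings that weaken
encryption in transit (OWASP Mobile Top 10 M3). The four configuration
samples are constructed; the element and key names are the real ones.
"""
import plistlib
import xml.etree.ElementTree as ET

# Constructed weak Android config: cleartext HTTP allowed for every host and
# user-installed CAs trusted, so an interception proxy needs no extra work.
ANDROID_WEAK = b"""<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>"""

# Constructed hardened Android config: cleartext off, system CAs only (the
# default trust anchors) and the API host pinned (pin values are placeholders).
ANDROID_HARDENED = b"""<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>"""

PLIST_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
              b"<key>CFBundleIdentifier</key><string>com.example.app</string>"
              b"<key>NSAppTransportSecurity</key>")

# Constructed weak Info.plist: ATS disabled globally, plus a legacy host
# exception that allows plain HTTP and TLS 1.0.
IOS_WEAK = PLIST_HEAD + b"""<dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
        <key>legacy.example.com</key><dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
            <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        </dict>
    </dict>
</dict></dict></plist>"""

# Constructed hardened Info.plist: ATS defaults kept, TLS 1.2 minimum stated
# explicitly for the API host.
IOS_HARDENED = PLIST_HEAD + b"""<dict>
    <key>NSExceptionDomains</key><dict>
        <key>api.example.com</key><dict>
            <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
        </dict>
    </dict>
</dict></dict></plist>"""


def check_android_nsc(xml_bytes):
    """Return findings for an Android network_security_config.xml."""
    findings = []
    root = ET.fromstring(xml_bytes)
    for tag in ("base-config", "domain-config", "debug-overrides"):
        for cfg in root.iter(tag):
            scope = ", ".join(d.text for d in cfg.findall("domain")) or "all domains"
            # An absent attribute means the platform default applies, which
            # depends on targetSdkVersion, so only an explicit "true" is flagged.
            if cfg.get("cleartextTrafficPermitted", "").lower() == "true":
                findings.append(f"android: <{tag}> permits cleartext HTTP for {scope}")
            # User CAs under <debug-overrides> only apply to debuggable builds.
            if tag != "debug-overrides" and any(
                    c.get("src") == "user" for c in cfg.iter("certificates")):
                findings.append(f"android: <{tag}> trusts user-installed CAs for {scope}")
    return findings


def check_ios_ats(plist_bytes):
    """Return findings for the App Transport Security section of Info.plist."""
    findings = []
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ios: NSAllowsArbitraryLoads disables ATS for all connections")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("ios: NSAllowsArbitraryLoadsInWebContent disables ATS for web views")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"ios: plain HTTP allowed for {domain}")
        if rules.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"ios: {rules['NSExceptionMinimumTLSVersion']} allowed for {domain}")
    return findings


if __name__ == "__main__":
    for label, data, check in (("android weak", ANDROID_WEAK, check_android_nsc),
                               ("android hardened", ANDROID_HARDENED, check_android_nsc),
                               ("ios weak", IOS_WEAK, check_ios_ats),
                               ("ios hardened", IOS_HARDENED, check_ios_ats)):
        print(label, check(data) or ["no transport findings"])
```

A clean result from this script only means the declared configuration is sound; whether the app actually honours it (custom TrustManagers, URLSession delegates that accept any certificate, third-party networking libraries with their own settings) is confirmed during dynamic testing with an interception proxy.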

Dynamic Analysis – DAST (Dynamic Application Security Testing)

Dynamic Analysis or DAST (Dynamic Application Security Testing) takes place while the mobile application is running, simulating a real world attack. Information from the Static Analysis section of the assessment (depending on client scoping requirements) can be used to assist and confirm findings during dynamic testing.

  • Application Types – Native, Web Services App (SOAP/REST), Mobile Browser based App, Mobile Hybrid App (Native + Web App)
  • Application Mapping – Establishing a baseline for the application, before and after install – file system usage
  • Debugging – Examining the application with a debugger attached
  • Local Testing – Checking for exposed IPC interfaces – fuzzing, sniffing, authentication bypass testing
  • Cryptography Testing – Checking for weaknesses in cryptography, brute-force key attacks, hard-coded keys / secrets and other disclosed information
  • Web Application Security Issues – XSS, CSRF, SQL injection, command injection, XML injection, cross-domain policy checks, cookies etc.
  • Authentication – Testing for broken authentication
  • Authorisation – Testing for broken authorisation / access control
  • File System Analysis – Weak local filesystem runtime permissions – external configuration manipulation
  • Memory Analysis
  • Remote Application / Server Testing – Testing the discovered backend services, hosting and APIs – authentication – authorisation – session management – transport layer testing – server-side attacks
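The cryptography testing (hard-coded keys / secrets) and file system analysis items above, together with the data storage item under static analysis, are usually the first things checked once the app’s sandbox has been pulled from a test device. The following is an added example (not Aptive’s tooling or methodology): a Python script that walks an extracted app data directory and flags world-accessible files, credential-looking key/value pairs, AWS access key IDs and high-entropy strings. The sample sandbox (file names, contents and modes) is constructed inside a temporary directory for the example; the key AKIAIOSFODNN7EXAMPLE is the example ID from AWS’s own documentation, not a live credential.

```python
"""Local storage and hard-coded secret scan over an extracted app sandbox.

Added example, not Aptive's own tooling. It walks a directory pulled from a
test device (for example /data/data/<package> on a rooted Android device or
the app container on iOS) and flags world-accessible files, credential-looking
key/value pairs, AWS access key IDs and high-entropy strings (OWASP Mobile
Top 10 M2 and M5). The sample sandbox is constructed in a temporary directory;
AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID, not a live credential.
"""
import math
import os
import re
import stat
import tempfile
from collections import Counter

# Constructed sample sandbox: relative path -> (file mode, content)
SAMPLE_FILES = {
    "shared_prefs/com.example.app_preferences.xml": (0o644, """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">Summer2024</string>
    <string name="api_key">AKIAIOSFODNN7EXAMPLE</string>
</map>
"""),
    "files/config.json": (0o600, '{"endpoint": "https://api.example.com", '
                          '"hmac_key": "q7Zp2xWvK9LmN4RtY6UeA8SdF1GhJ3BcV5XnM0Qw"}\n'),
    "cache/debug.log": (0o666, "2024-05-01 10:00:01 session restored for alice\n"),
}

AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# keyword followed by :, = or > (covers JSON, properties files and Android XML prefs)
CRED_RE = re.compile(r"(?i)(api[_-]?key|secret|password|token)[\"']?\s*[:=>]\s*[\"']?([A-Za-z0-9+/=_.\-]{8,})")
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{32,}")
ENTROPY_THRESHOLD = 4.5   # bits per character; random base64 sits well above this


def build_sample_app_dir():
    """Write the constructed sandbox to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="app_sandbox_")
    for rel, (mode, content) in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_app_data(root):
    """Return a list of findings, each a dict with path, check and detail."""
    findings, seen = [], set()

    def add(rel, check, detail):
        if (rel, detail) not in seen:          # report each value once per file
            seen.add((rel, detail))
            findings.append({"path": rel, "check": check, "detail": detail})

    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o006:                   # readable or writable by other UIDs
                add(rel, "world_accessible_file", f"mode {oct(mode)}")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for m in AWS_KEY_RE.finditer(text):
                add(rel, "aws_access_key_id", m.group(0))
            for m in CRED_RE.finditer(text):
                add(rel, "credential_keyword", m.group(2))
            for blob in BLOB_RE.findall(text):  # catches keys with no telltale name
                if shannon_entropy(blob) > ENTROPY_THRESHOLD:
                    add(rel, "high_entropy_string", blob)
    return findings


if __name__ == "__main__":
    for f in scan_app_data(build_sample_app_dir()):
        print(f"{f['path']}: {f['check']} ({f['detail']})")
```

On the constructed sandbox this reports the world-readable preferences file containing a password and an AWS key ID, the HMAC key in config.json (caught only by the entropy check, since its name matches no keyword), and the world-writable log. The same pass is worth repeating after the app has been exercised, since many secrets only reach disk once a user has logged in.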

You can request our full Mobile Application Security Testing Methodology.

Reporting

All findings are documented in a severity-ordered report with clear and concise remediation instructions.

Retesting

Our mobile application security testing service comes with free retesting of reported findings, helping reduce the security risk of your mobile application.

Why use Aptive for Mobile Security Testing

CREST Accredited Team

Security assessments are performed by CREST-certified consultants.

OWASP Members

All our testers are members of OWASP.

OWASP Testing Methodology

Aptive performs assessments based on the OWASP testing methodology.

Easy to Understand Reports

Discovered security issues in severity order with remediation instructions.

Fixed Price Proposals

Transparent costs and fixed price proposals, giving you peace of mind.

Free Retesting

Free retesting of the mobile security issues documented in the report.