Security Testing
Expert security testing of your iOS and Android apps — from on-device data storage to the APIs behind them.
Your mobile app runs on hardware you do not control, on networks you cannot trust, holding credentials and data your customers expect you to protect. Our mobile application penetration testing examines how your iOS and Android apps behave in that hostile environment — and what an attacker with a jailbroken phone and your app binary could do.
Using OWASP methodologies, our CREST-accredited consultants test the areas where mobile apps most often fail: insecure local data storage, weak transport security, flawed authentication and session management, poor input validation and exploitable business logic. Because a mobile app is only as secure as the services behind it, we test the supporting APIs too — the route most real-world mobile breaches actually take.
Both platforms are covered, each with its own attack surface: platform keychains and keystores, inter-process communication, certificate pinning, reverse engineering resistance and platform permission models. Testing is manual and expert-led — automated tools cannot judge whether your app's logic can be abused, or what a chained attack through the app into your backend would yield.
The engagement is delivered through Sentry, like every Blackfoot test: scoped through a tailored questionnaire and call, findings uploaded in real time during testing, immediate alerts for critical and high-severity issues, and your consultant available via Sentry messaging throughout the engagement. Reporting includes a board-ready executive summary and detailed technical findings with evidence, CVSS scores and clear remediation guidance your developers can act on, followed by a debrief session.
Critical and high-severity findings on internet-facing assets — including the APIs your app depends on — qualify for free retesting, requested directly through Sentry when you are ready. Findings remain in Sentry for tracking, and results support PCI DSS, ISO 27001 and Cyber Essentials Plus evidence as well as app store and customer assurance requirements.
Both platforms tested against their own attack surfaces, from keychains and keystores to inter-process communication.
We test the mobile app and the backend APIs it relies on — where most real mobile breaches happen.
Data storage, transport security, authentication, session management and business logic tested by CREST-accredited experts.
Issues appear as they are discovered, with immediate alerts for critical and high-severity findings.
Critical and high findings on internet-facing assets, including your app's APIs, are retested free once fixed.
Complete a short questionnaire tailored to the test type, then join a scoping call with a consultant. You receive a clear proposal and Statement of Work, and your project is created in Sentry. Typically one to two weeks.
Your consultant is assigned and logistics are arranged: IP whitelisting, credentials, access and rules of engagement. The testing window is scheduled around your business. Typically one week.
Expert-led manual testing begins. Findings appear in Sentry in real time as they are discovered, you are alerted immediately to critical and high-severity issues, and you can message your consultant throughout. From two days for a small web application to fifteen or more for enterprise estates.
After quality assurance you receive a board-ready executive summary and detailed technical findings with evidence, CVSS scores and remediation guidance, followed by a debrief session. Findings remain in Sentry for remediation tracking and comparison with future tests.
Straight answers to what prospective clients ask us most.
Yes. Each platform is tested against its own attack surface and platform-specific protections. If your app ships on both, we test both — the same feature can be secure on one platform and vulnerable on the other.
Typically a release or beta build for each platform, test accounts for each user role, and details of the backend environment we are authorised to test. The scoping questionnaire walks you through it, and we agree everything before testing starts.
Yes, and we strongly recommend it. The app on the device is only half the picture — the APIs it calls are where sensitive data actually lives, and testing both together shows how an attacker would chain them.
No. We test against the builds and environments you nominate, under agreed rules of engagement, and coordinate anything sensitive with you in advance through Sentry.
Get a fixed-scope quote, usually the same working day.