Security Testing

Mobile Application

Expert security testing of your iOS and Android apps — from on-device data storage to the APIs behind them.

Your mobile app runs on hardware you do not control, on networks you cannot trust, holding credentials and data your customers expect you to protect. Our mobile application penetration testing examines how your iOS and Android apps behave in that hostile environment — and what an attacker with a jailbroken phone and your app binary could do.

Using OWASP methodologies, our CREST-accredited consultants test the areas where mobile apps most often fail: insecure local data storage, weak transport security, flawed authentication and session management, poor input validation and exploitable business logic. Because a mobile app is only as secure as the services behind it, we test the supporting APIs too — the route most real-world mobile breaches actually take.

Mobile application penetration testing for iOS and Android

Both platforms are covered, each with its own attack surface: platform keychains and keystores, inter-process communication, certificate pinning, reverse engineering resistance and platform permission models. Testing is manual and expert-led — automated tools cannot judge whether your app's logic can be abused, or what a chained attack through the app into your backend would yield.

The engagement is delivered through Sentry, like every Blackfoot test: scoped through a tailored questionnaire and call, findings uploaded in real time during testing, immediate alerts for critical and high-severity issues, and your consultant available via Sentry messaging throughout the engagement. Reporting includes a board-ready executive summary and detailed technical findings with evidence, CVSS scores and clear remediation guidance your developers can act on, followed by a debrief session.

Critical and high-severity findings on internet-facing assets — including the APIs your app depends on — qualify for free retesting, requested directly through Sentry when you are ready. Findings remain in Sentry for tracking, and results support PCI DSS, ISO 27001 and Cyber Essentials Plus evidence as well as app store and customer assurance requirements.

What you get

iOS and Android covered

Both platforms tested against their own attack surfaces, from keychains and keystores to inter-process communication.

App and API together

We test the mobile app and the backend APIs it relies on — where most real mobile breaches happen.

OWASP-aligned methodology

Data storage, transport security, authentication, session management and business logic tested by CREST-accredited experts.

Real-time findings in Sentry

Issues appear as they are discovered, with immediate alerts for critical and high-severity findings.

Free retesting included

Critical and high findings on internet-facing assets, including your app's APIs, are retested free once fixed.

How it works

  1. 01

    Scoping and agreement

    Complete a short questionnaire tailored to the test type, then join a scoping call with a consultant. You receive a clear proposal and Statement of Work, and your project is created in Sentry. Typically one to two weeks.

  2. 02

    Pre-engagement preparation

    Your consultant is assigned and logistics are arranged: IP whitelisting, credentials, access and rules of engagement. The testing window is scheduled around your business. Typically one week.

  3. 03

    Testing execution

    Expert-led manual testing begins. Findings appear in Sentry in real time as they are discovered, you are alerted immediately to critical and high-severity issues, and you can message your consultant throughout. From two days for a small web application to fifteen or more for enterprise estates.

  4. 04

    Reporting and delivery

    After quality assurance you receive a board-ready executive summary and detailed technical findings with evidence, CVSS scores and remediation guidance, followed by a debrief session. Findings remain in Sentry for remediation tracking and comparison with future tests.

Frequently asked questions

Straight answers to what prospective clients ask us most.

Do you test both iOS and Android?

Yes. Each platform is tested against its own attack surface and platform-specific protections. If your app ships on both, we test both — the same feature can be secure on one platform and vulnerable on the other.

What do you need from us to test the app?

Typically a release or beta build for each platform, test accounts for each user role, and details of the backend environment we are authorised to test. The scoping questionnaire walks you through it, and we agree everything before testing starts.

Do you test the APIs behind the app?

Yes, and we strongly recommend it. The app on the device is only half the picture — the APIs it calls are where sensitive data actually lives, and testing both together shows how an attacker would chain them.

Will testing affect our production users?

No. We test against the builds and environments you nominate, under agreed rules of engagement, and coordinate anything sensitive with you in advance through Sentry.

Ready to talk about mobile application?

Get a fixed-scope quote, usually the same working day.