Macksofy Technologies
Android · iOS · OWASP MASVS / MSTG

Mobile App Penetration Testing — Android & iOS.

Manual + tooled penetration testing for Android (APK / AAB) and iOS (IPA) apps. We decompile, instrument with Frida, intercept TLS, abuse the backend the app talks to, and prove which findings actually move money or PII — not just which ones the scanner flagged.

Android

APK · AAB · Smali / DEX

iOS

IPA · Mach-O · Objective-C / Swift

Hybrid

React Native · Flutter · Cordova · Ionic

Backend

Mobile-facing REST / GraphQL APIs

Why mobile is its own discipline

The binary ships with the attack surface.

Unlike a web app, a mobile binary lives on a device you don’t control. Every API key, every business rule, every fallback flow in the source code is one jadx -d run away from being read by anyone with the APK. SSL pinning, root detection, RASP — all defence in depth, all bypassable on a rooted Magisk device with a tame Frida script.

A real mobile pentest treats the binary as already-decompiled and the device as already-rooted — then sees what an attacker can still do. That’s the threat model. Anything less is a scanner with a logo.

  • Hard-coded secrets in resources / Info.plist
  • SSL pinning + cert-validation bypass
  • Root / jailbreak detection that holds (or doesn't)
  • Insecure storage in SQLite / Keychain on a rooted or jailbroken device
  • Backend BOLA / IDOR called only from the mobile client
frida · runtime hook
device: rooted pixel 7
$ frida -U -f com.example.banking -l rootbypass.js
[*] attaching to com.example.banking …
[+] hooked RootBeer.isRooted() → returns false
[+] hooked SafetyNet.attest() → returns valid token
[+] hooked SSLContext.init() → trust-all on attacker CA
[!] app runs on rooted device, talks to api.bank.example over MITM
[x] /api/v3/wallet/transfer accepts JWT with iat > exp + 30d
└─ severity: critical · CWE-613 · OWASP Mobile M3
every defence layer bypassed in a 12-line Frida script
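The log line above reports an endpoint that still honours a JWT long past its exp. The Python below is an added example, not code from the original page or from Macksofy's tooling: a minimal HS256 verifier for the backend side that enforces the checks whose absence produces exactly that finding (expiry with a bounded clock skew, no future-dated iat, a capped token lifetime, and a one-time jti so a captured token cannot be replayed against a transfer endpoint). The signing key, claim values and time values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for the example only; a real service loads it from a secret store.
SECRET = b"example-hs256-key-not-for-production"
MAX_SKEW = 60            # seconds of clock skew tolerated on exp / iat
MAX_LIFETIME = 15 * 60   # longest access-token lifetime the API will honour


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 JWT; used here only to build inputs for the verifier."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int, key: bytes = SECRET, seen_jti=None) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError.

    Checks, in order: well-formed, alg pinned to HS256, signature valid,
    exp/iat/jti present, not expired (with skew), iat not in the future,
    exp - iat within MAX_LIFETIME, jti not presented before (replay)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never trust alg from the token beyond the pinned value
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    for c in ("exp", "iat", "jti"):
        if c not in claims:
            raise ValueError(f"missing {c}")
    if now > claims["exp"] + MAX_SKEW:
        raise ValueError("expired")
    if claims["iat"] > now + MAX_SKEW:
        raise ValueError("issued in the future")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        raise ValueError("lifetime too long")
    if seen_jti is not None:
        if claims["jti"] in seen_jti:
            raise ValueError("replayed")
        seen_jti.add(claims["jti"])
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the verifier: a fresh token, a replay of it, a 30-day-stale token,
    and a token whose payload was edited to push exp forward without re-signing."""
    seen = set()
    results = {}
    fresh = make_token({"sub": "acct-1", "iat": now - 10, "exp": now + 290, "jti": "t1"})
    results["fresh"] = verify_token(fresh, now, seen_jti=seen)["sub"]
    for label, tok in [
        ("replay", fresh),
        ("stale", make_token({"sub": "acct-1", "iat": now - 40 * 86400,
                               "exp": now - 30 * 86400, "jti": "t2"})),
    ]:
        try:
            verify_token(tok, now, seen_jti=seen)
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    h, _, s = fresh.split(".")
    edited = _b64url(json.dumps({"sub": "acct-1", "iat": now - 10,
                                 "exp": now + 86400, "jti": "t3"}).encode())
    try:
        verify_token(f"{h}.{edited}.{s}", now, seen_jti=seen)
        results["tampered"] = "accepted"
    except ValueError as e:
        results["tampered"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The jti set stands in for whatever replay store the service uses; the point is that expiry alone does not stop a token captured over the MITM channel from being presented twice within its window, so a money-moving endpoint needs both the time bounds and a one-time identifier.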
OWASP Mobile Top 10 · 2024

Tap a category. See Android vs iOS impact.

The 2024 refresh of OWASP’s mobile top 10 mapped to per-platform prevalence from Macksofy’s 2025 engagement telemetry. Tap any card to see what we actually find on the apps we test.

M1 · OWASP Mobile Top 10 · 2024

Improper Credential Usage

Hard-coded API keys, secrets in resources.arsc / plist, weak credential reuse

Android impact · 90%
iOS impact · 85%

Real-world prevalence per Macksofy 2025 mobile engagement telemetry across all ten categories. Higher = more likely to surface as a High/Critical in your app.

Security testing approaches

Three approaches. One engagement.

A Macksofy mobile pentest blends three industry-standard approaches across every engagement — because no single one catches everything. SAST reads the code without running it. DAST watches what happens when it runs. MAST is the human work in between. You get all three; the scanner shops give you one and call it a pentest.

SAST
Phase 2 of the methodology

Static Application Security Testing

Read the binary without running it. Every APK gets jadx + apktool, every IPA gets class-dump plus Hopper or Ghidra. We walk the source-equivalent code, smali listings and Mach-O strings by hand.

What it catches

  • Hard-coded API keys, AWS / GCP secrets in resources.arsc + Info.plist
  • Insecure cryptographic primitives + custom-rolled crypto
  • Debug endpoints and feature flags shipped to production
  • Vulnerable third-party SDKs + transitive native-lib CVEs
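As an added example of the first item in that list (not code from the original page or from Macksofy's toolchain), the Python below scans a decoded APK resource tree for hard-coded credentials the way a pre-release SAST check would: fixed-format keys by pattern, plus high-entropy values stored under secret-looking names in strings.xml or properties files. The directory layout assumed is apktool's output; the sample tree and every key value in it are constructed fakes.

```python
import math
import os
import re
from collections import Counter

# Fixed-format credentials that can be matched by shape alone.
SPECIFIC = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("google-api-key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
# Resource names that suggest the value is a credential.
GENERIC_NAME = re.compile(r"(secret|passw(or)?d|token|api[_-]?key|private)", re.I)
# <string name="N">V</string> in values/strings.xml, and N=V / N: V in properties files.
XML_STRING = re.compile(r'<string\s+name="(?P<name>[^"]+)"\s*>(?P<value>[^<]+)</string>')
KV_LINE = re.compile(r"^\s*(?P<name>[\w.\-]+)\s*[=:]\s*(?P<value>\S+)\s*$")
TEXT_EXT = {".xml", ".plist", ".properties", ".json", ".pem", ".txt", ".smali"}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above prose or URLs."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list:
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        specific = [kind for kind, rx in SPECIFIC if rx.search(line)]
        for kind in specific:
            hits.append({"path": path, "line": lineno, "kind": kind})
        if specific:
            continue  # do not double-report a value already matched by shape
        m = XML_STRING.search(line) or KV_LINE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value").strip()
        if GENERIC_NAME.search(name) and len(value) >= 16 and shannon_entropy(value) >= 3.5:
            hits.append({"path": path, "line": lineno, "kind": "high-entropy-secret", "name": name})
    return hits


def scan_files(files: dict) -> list:
    """Scan an in-memory {relative_path: text} tree (used for the constructed sample)."""
    return [h for path, text in files.items() for h in scan_text(path, text)]


def scan_dir(root: str) -> list:
    """Walk a real apktool output directory and scan every text-like file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            if os.path.splitext(n)[1].lower() in TEXT_EXT:
                full = os.path.join(dirpath, n)
                with open(full, encoding="utf-8", errors="ignore") as f:
                    hits.extend(scan_text(os.path.relpath(full, root), f.read()))
    return hits


# Constructed sample of a decoded APK; the key-shaped strings are fakes.
SAMPLE_TREE = {
    "res/values/strings.xml": """<resources>
    <string name="app_name">ExampleWallet</string>
    <string name="aws_key">AKIAEXAMPLE0000000AB</string>
    <string name="payment_gw_secret">sk_live_4eC39HqLyjWDarjtT1zdp7dc</string>
    <string name="support_email">help@example.com</string>
</resources>""",
    "assets/config.properties": "api.base=https://api.example.com\nfeature.debug_menu=true\n",
    "assets/debug_signing.pem": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER-BODY\n-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for h in scan_files(SAMPLE_TREE):
        print(f"{h['path']}:{h['line']} {h['kind']} {h.get('name', '')}")
```

Running it on the sample tree flags the AWS-shaped key, the high-entropy payment-gateway secret and the bundled private key, and leaves the app name and support address alone. The shipped debug flag in config.properties is the third list item's concern and needs its own rule; this scanner only looks for credentials.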
DAST
Phase 3 of the methodology

Dynamic Application Security Testing

Watch the app while it runs. A rooted Android + jailbroken iOS fleet, Frida + Objection instrumentation, Burp Suite interception under cert-pinning bypass, plus live inspection of every on-device data store.

What it catches

  • TLS pinning gaps + cleartext fallbacks under hostile networks
  • Insecure data at rest in KeyChain, SharedPreferences, SQLite
  • Runtime authorisation flaws visible only against a live backend
  • Background-snapshot + logcat PII leakage during normal use
MAST
Phase 4 of the methodology

Manual Application Security Testing

The human-driven testing scanners can’t model. Bypass RASP. Tamper with the binary. Chain low-severity findings into business-impacting compromises. This is the work that justifies hiring people instead of subscriptions.

What it catches

  • Multi-step business-logic abuse + payment / KYC bypass chains
  • Root + SafetyNet + anti-Frida + anti-debug bypass paths
  • Account takeover via chained low-severity findings
  • Tampered + repackaged builds that pass integrity checks

We don’t pick one. Every Macksofy mobile engagement applies SAST, DAST and MAST in sequence — chained across the six methodology phases below — so the findings from one approach feed the next.

See the methodology
Testing methodology

Six phases. APK to attestation.

A Macksofy engagement walks the OWASP MASVS + MSTG testing guide from the moment we acquire your build to the moment we hand back a regulator-ready attestation. Each phase applies SAST, DAST or MAST — usually two of the three — with a consultant typing the exploit, not a tool clicking through a YAML config. Findings cross-reference across phases so the deliverable reads like an attacker’s logbook, not a scanner export.

OWASP MASVS · MSTG-aligned · CERT-In format · RBI · UIDAI · DESC mapping
Phase 01 / 6

1 · Scope & threat-model

  • 01 · Acquire the build under test — APK, AAB or IPA, version-pinned
  • 02 · Map the backend endpoints the app actually calls in production
  • 03 · Set the threat-actor profile — opportunistic, targeted, or insider
  • 04 · Agree the crown jewels — what would actually hurt if exfiltrated
  • 05 · Sign rules of engagement and the authorisation letter
Case studies

What we found in production apps.

Mobile banking app (India, BFSI Tier-1)

Android + iOS retail-banking app + REST APIs

Finding · Root-detection bypass via Frida + transaction-replay through expired-but-accepted JWT

Critical — pre-RBI audit fix prevented six-figure exposure window

Risk severity · Critical
Healthcare patient app (UAE)

iOS + backend FHIR APIs

Finding · Biometric-bypass via Touch ID hook + cross-tenant prescription read via API IDOR

Critical — PHI exposure closed before DESC notification window expired

Risk severity · Critical
Quick-commerce app (India)

Android app + payment SDK

Finding · Hard-coded payment gateway secret in resources.arsc + deep-link order-status takeover

High — chained to free-order PoC, fixed pre-funding round close

Risk severity · High
Why Macksofy for mobile VAPT

The mobile pentest your scanner can’t run.

Most “mobile VAPT” engagements in India and the GCC ship a MobSF scan, a Drozer audit and a PDF. The findings that actually unblock an RBI submission or close a CISO sign-off don’t come out of a tool — they come from a human on a rooted device with Frida open. Here’s the work that goes into a Macksofy engagement that doesn’t fit in a YAML config.

We bypass your RASP first.

Root detection, SafetyNet attestation, SSL pinning and anti-Frida hooks are defence layers — not audit blockers. Every engagement opens with a hand-tuned Frida bypass for your specific app, then the real testing begins on the attack surface those layers were supposed to protect.

We read the binary the way attackers do.

Every APK gets jadx and apktool. Every IPA gets class-dump plus Hopper or Ghidra. We trawl resources.arsc, Info.plist, smali and Mach-O strings for hard-coded secrets, dev endpoints and shipped-but-disabled feature flags — context the scanner doesn’t have.

Your backend is in scope, too.

The app talks to an API. That API is also a Macksofy engagement. OSWE-trained consultants run BOLA, IDOR, mass-assignment and JWT-replay tradecraft against every endpoint the app calls — because the worst breaches start in the binary and end at the API.

OWASP MASVS attestation, on paper.

The deliverable commits to an explicit verification level — L1, L2 or R — per the official OWASP Mobile Application Security Verification Standard. A number your enterprise customers, app-store reviewers and regulators can map. Not “OWASP-aligned” handwaving.

RBI, UIDAI, DESC, PDPL — same report.

CERT-In empanelled. Every High and Critical finding maps to RBI’s Master Direction on Mobile Banking, UIDAI Aadhaar Auth API controls, PCI DSS v4 and (for UAE work) DESC ISR plus UAE PDPL. India + GCC compliance settled in a single engagement.

Free retest. Closed, not pending.

One free verification cycle within 30 days of developer sign-off. We rerun the affected phases on the patched build, validate each fix on a rooted device and reissue the attestation — so the auditor and the SOC reader both see ‘closed’, never ‘remediation pending’.

Mutual NDA is step zero of every engagement. Builds, test artefacts and findings live on Macksofy infrastructure for the engagement window plus 90 days, then are securely destroyed against a CERT-In-acceptable retention policy.

Talk to a mobile lead
Toolchain

Frida + Burp + a rooted device fleet.

Mobile testing is hands-on with real hardware. We maintain a fleet of rooted Android (Pixel + OEM Magisk) and jailbroken iOS handsets, plus Corellium for iOS versions we don’t yet own physically. Custom Frida scripts handle pinning + root-detection bypass per app.

Tools we operate
Frida · Objection · Burp Suite Pro · MobSF · jadx · apktool · Hopper / Ghidra · Drozer · class-dump / otool · Magisk + LSPosed · Corellium (iOS) · Custom Frida scripts
Regulator & store mapping

One report. Every reviewer.

Every finding maps to the standard each stakeholder will actually read against your app — RBI for banking, PCI for payments, UIDAI for Aadhaar SDK use, plus App Store / Play Store policy appendix so submission rejections don’t blindside a release.

OWASP MASVS L1 / L2 / R

verification level attestation

OWASP MSTG

test-coverage matrix per chapter

RBI Mobile Banking Master Direction

BFSI app sign-off

PCI DSS v4 / SAQ-D

cardholder-data scope reduction

UIDAI Aadhaar Auth API

biometric SDK controls

App Store policy + Privacy Manifest

iOS 17+ submission readiness

Play Console Data Safety

Android 14+ permissions audit

GDPR / DPDP Act

PII residency + retention on device

ISO/IEC 27001 + 27034

ASLC control mapping

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled
Govt of India · MeitY
EC-Council ATC
Authorized Training
ISO 27001 Certified
Info Security Mgmt
We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.
Aisha Khan
Information Security Manager · Listed Fintech · BKC, Mumbai
The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.
Inspector K. Joshi
Cyber Cell · Maharashtra Police · Mumbai
Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.
Vivek Iyer
DevSecOps Lead · Healthcare SaaS · Hyderabad
FAQ

Things people ask before signing.

Yes — that's our default. The threat model includes a determined attacker with a compromised device. We also verify your root/jailbreak detection holds up against current Magisk + Frida bypasses, so app-store reviewers and bug-bounty hunters don't beat your team to the finding.
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled
Information Security Auditor · India
  • CERT-In Empanelled
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements

By submitting this form you agree to be contacted by Macksofy. We typically respond within a few business hours and never share your details. Protected by Cloudflare Turnstile and rate limiting.