CERT-In Empanelled · iOS + Android · OWASP MASVS-Aligned

Mobile Application
Security Testing

Binary analysis. Mobile-specific logic abuse. Backend-API integration testing. Tested the way an attacker exploits, reviewed the way a regulator audits.

6,700+ assessments · OWASP MASVS aligned · Founded 2006

Trusted by India's leading enterprises

ICICI Bank
HDFC
NPCI
PhonePe
Swiggy
Asian Paints
Mahindra
L&T
Aditya Birla
Pernod Ricard
Yes Bank
Tata Play
Voltas
DHL Express
Etihad Airways
Amazon Pay
Sephora
Groww
Go Digit
Pharmeasy
BillDesk
Jubilant Foods
UltraTech
Titan
Infosys
Capgemini
STEP 01

Scope

We confirm platforms, build channels, hardening expectations, and assemble a mobile-specialist audit team in Lemon.

STEP 02

Test

6–14 days of binary analysis, manual mobile testing, dynamic instrumentation, and three-layer QA review.

STEP 03

Deliver

Executive + technical reports with platform-specific code fixes, retest rounds, and security certificate.

What Is Mobile Application Security Testing?

Mobile application security testing is a structured assessment of iOS and Android apps in which certified experts simulate real-world attacks against the binary, the local data store, the runtime environment, and the backend APIs the app calls. It is required by RBI mobile-banking guidelines, IRDAI insurance-app mandates, OWASP MASVS, and DPDP / GDPR for any app handling personal data.

Beyond OWASP Mobile Top 10

Deep manual testing of mobile-specific abuse scenarios that scanners miss — plus complete hardening, binary, and integration coverage.

iOS Hardening

Keychain misuse, App Transport Security (ATS) exceptions and bypass, biometric flows, jailbreak detection

Android Hardening

Keystore misuse, root detection, intent abuse, manifest exposure, NSC bypass

Binary & Reversing

Decompilation, anti-debug bypass, certificate pinning bypass, runtime hooking

OWASP Mobile Top 10

Insecure storage, weak crypto, code tampering, insufficient transport security

Auth, OTP, Biometric

Token replay, OTP relay, biometric bypass, session fixation, MFA mis-implementation

Deep Links & IPC

URL scheme hijack, intent abuse, broadcast manipulation, content-provider exposure

Mobile-API Layer

BOLA, BFLA, mass assignment, replay, rate-limit bypass on the APIs the app actually calls

Hybrid Frameworks

React Native, Flutter, Cordova, Ionic — JS-bridge abuse, exposed bundles, weak obfuscation

Methodology

9 steps. Mobile-aware throughout.

Every engagement runs through Lemon, our audit-management platform — informed by 6,700+ prior assessments and consistent across the team that delivers it.

Discovery
01

Scoping & Build Pipeline

Confirm app variants (iOS, Android, tablet, wearable), build channels, OS versions, jailbreak/root expectations. Lemon stages release artifacts and prior-engagement context.

02

Binary Acquisition & Reversing

IPA / APK retrieved, decrypted, decompiled, and analysed for hardening posture — obfuscation, anti-debug, anti-tamper, certificate pinning, and protected storage.

03

Component Mapping

Activities, intents, providers, services, URL schemes, deep links, and NSC / ATS exceptions (including ATS-bypass entries). The output is a complete attack-surface inventory of the app.

Testing
04

OWASP Mobile Top 10 Coverage

Insecure storage, insecure communication, insufficient cryptography, code tampering, reverse engineering — every Top-10 category exercised manually plus tooling.

05

Mobile-Specific Logic Abuse

Deep-link auth bypass, IPC abuse, broadcast hijack, screen-overlay attacks, biometric replay, OTP relay, payment-flow manipulation in the mobile context.

06

Mobile-API Integration Testing

Backend APIs the app calls — auth tokens, replay, BOLA, BFLA, mass assignment. Mobile is often where API mis-trust shows up first.

07

AI-Augmented Validation

AI cross-references binary findings, network captures, dynamic instrumentation, and prior mobile-engagement patterns to surface what manual review may miss.

Delivery
08

Three-Layer QA Review

L1 mobile auditor → L2 senior consultant → L3 security architect. Every finding validated, every reproduction reviewed, every CVSS scored consistently.

09

Reporting & Re-test

Executive + technical reports with platform-specific code fixes (Swift/Kotlin/Flutter/React Native), retest rounds, and security assessment certificate.

Compliance-Ready

Audit-ready reporting for mobile mandates

As a CERT-In empanelled firm, our reports are accepted by Indian regulators and aligned to the mobile-specific frameworks your customers, partners, and acquirers expect.

CERT-In: Empanelled since 2008
RBI: Mobile banking VAPT mandate
IRDAI: Insurance customer apps
PCI DSS v4.0: Mobile payment SDKs
OWASP MASVS: Mobile App Security Verification Standard
ISO 27001: Annex A 8.28 (secure development)
DPDP Act: India personal-data protection
GDPR: EU customer data handling

Common mobile engagement scopes

What clients ask us to test

Across 700+ enterprise customers, the mobile engagements that come back to us tend to fall into a handful of well-defined patterns. Each scope is sized for our 6–14-day delivery window.

BFSI mobile banking: iOS + Android, biometric, payment SDK, OTP relay
Wallet / UPI app: Tokenisation, transaction abuse, deep-link payment
Healthcare patient app: PHI storage, telemedicine, prescription handling
Insurance customer app: eKYC, document upload, claims and policy issuance
Logistics crew / courier app: Offline data, GPS, delivery confirmation, payments
Retail commerce app: Cart and checkout, loyalty, in-app payment SDKs

Deliverables

What you get

Two reports for two audiences — risk picture for leadership, exact code-level fixes for your mobile engineers in their language (Swift, Kotlin, Dart, JavaScript).

Executive Report

Risk overview, critical findings, business impact, remediation priorities. Board-ready.

Technical Report

Step-by-step POCs, screenshots, network captures, CVSS, and platform-specific code-level fixes.

Retesting & Walkthrough

Multiple retest rounds at no extra cost. Live remediation walkthroughs with your mobile dev team.

Security Certificate

Formal certificate for compliance, customer assurance, and vendor / app-store due diligence.

FAQ

Common questions

Can't find what you're looking for? Talk to our mobile-security lead.


What is mobile application security testing?
Mobile application security testing (sometimes called mobile VAPT or MAST) is a structured assessment where certified experts test iOS and Android apps for vulnerabilities. It covers binary hardening, local data storage, certificate pinning, deep-link handling, IPC, biometric flows, and the backend APIs the app talks to. It goes beyond automated scanning to include manual reverse engineering and mobile-specific business-logic abuse.

Do you test iOS and Android, or just one?
Both. Most engagements cover the iOS and Android variants of the same app together — they share the same backend but have very different attack surfaces (Keychain vs Keystore, ATS vs Network Security Config, intent system vs URL schemes). We assemble platform-specific auditors per engagement.

Do you need a jailbroken iOS device or rooted Android?
For full-fidelity testing, yes — we use jailbroken iOS devices and rooted Android devices in our lab so we can inspect Keychain entries, attach debuggers, and bypass certificate pinning under controlled conditions. For black-box constraints, we can also exercise the app on stock devices for production-realistic attack scenarios.

Black-box, grey-box, or white-box testing?
Configurable per engagement. Black-box means production binaries only — closest to a real attacker. Grey-box adds a test account and architecture overview. White-box includes source code review alongside binary testing — recommended when you can share, since it speeds up verification and produces sharper remediation guidance.

How long does a mobile app pen test take?
A typical single-platform engagement runs 6 to 10 business days end-to-end (kickoff, binary analysis, manual testing, dynamic instrumentation, three-layer QA, reporting). iOS + Android together is usually 10 to 14 business days. Lemon enforces daily progress tracking so you always know where it stands.

Is mobile testing required for RBI / DPDP / DGCA compliance?
For BFSI: RBI mobile-banking guidelines mandate VAPT for any customer-facing mobile app. Under DPDP, breaches that originate in a mobile app are reportable. CERT-In empanelment is the qualifying standard for both — we have held it since 2008.

What about hybrid frameworks — React Native, Flutter, Cordova?
Fully supported. Hybrid apps have their own quirks — JS bridges, exposed bundles, weak code obfuscation, frame-injection risks. We test the hybrid layer and the underlying native bridge with auditors specialised in each framework.

Do you provide remediation guidance?
Yes — reports include platform-specific code examples (Swift, Kotlin, Java, Dart, JavaScript) with the exact lines to change. We also offer remediation walkthroughs with your mobile dev team and re-test rounds at no extra cost.

Test your app the way attackers exploit it.

Whether it's a single-platform spot check, a full iOS + Android engagement, or a payment-app retest ahead of a release window — talk to our mobile-security lead.